[lxc-devel] [RFC lxc 0/2] lxc.start.unshare

Wolfgang Bumiller w.bumiller at proxmox.com
Fri Nov 20 09:18:25 UTC 2015


The first patch should be quite obvious and I wanted to ask about that
sooner but apparently forgot to hit send ;-)
lxc-start is allowed to:
  mount options=(rw, make-slave) -> **,

So I think it makes sense to also include:
  mount options=(rw, make-rslave) -> **,

I needed it for the second patch and since the first rule uses '**' to
be recursive, allowing one to manually recurse through mountpoints, it
seemed to make sense to include an 'rslave' rule.
I'm not sure if there was a reason for this to not be included, other
than maybe some bugs with older apparmor tools (e.g. with 2.9 `slave`
and `rslave` seem to be parsed fine but apparently don't work while
`make-slave` and `make-rslave` do.)

As for patch 2:
As I mentioned in the pre-mount hook namespace thread on the user list
we'd like to prepare mounts for containers - even when they're
unprivileged ones which we still prepare as root user - but we don't
want to clobber the host namespace. Serge replied that LXD does this
at the cost of an MS_SLAVE mount per container and we haven't found a
better alternative to this. However we were wondering if it makes
sense to include a flag to perform this unshare within lxc-start.
Mostly we just like the idea of a raw `lxc-start` command to behave
the same as when using our management tool (since until now that's all
it actually had to do aside from preparing the config file).

The 2nd patch needs the 1st one. I split it in two because I think the
first one definitely makes sense to include, but I'm unsure whether
you'd like the 2nd one upstream, too. I'm open to suggestions.

Wolfgang Bumiller (2):
  AppArmor: add make-rslave to usr.bin.lxc-start
  Added lxc.start.unshare

 config/apparmor/abstractions/start-container |  1 +
 doc/lxc.container.conf.sgml.in               | 12 ++++++++++++
 src/lxc/conf.h                               |  1 +
 src/lxc/confile.c                            |  7 +++++++
 src/lxc/lxccontainer.c                       | 12 ++++++++++++
 5 files changed, 33 insertions(+)

-- 
2.1.4
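An added example, not part of this e-mail and not code from the LXC tree, showing in C what the two patches amount to at the syscall level: unshare(CLONE_NEWNS) followed by a recursive make-slave of "/", which is the mount(2) form of the `make-rslave` AppArmor rule, so that mounts prepared afterwards stay out of the host namespace while host mounts still propagate in. It also includes the check a practitioner would want afterwards: a parser for /proc/self/mountinfo that reports whether any mount is still in a shared peer group. The function names and the sample mountinfo lines in the comments are my own and need CAP_SYS_ADMIN only for the unshare part.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>

/* Parse one /proc/self/mountinfo line and report whether that mount is in a
 * shared peer group, i.e. carries an optional field "shared:N".
 * Field layout (0-indexed): 0 mount id, 1 parent id, 2 major:minor, 3 root,
 * 4 mount point, 5 options, 6.. optional fields, then a lone "-" separator.
 * Only the optional fields are inspected, so a path such as /mnt/shared:1
 * or text after the separator cannot produce a false positive.
 * Constructed sample (hypothetical):
 *   "24 0 253:0 / / rw,relatime shared:1 - ext4 /dev/root rw"  -> 1
 *   "24 0 253:0 / / rw,relatime master:1 - ext4 /dev/root rw"  -> 0 */
int mountinfo_is_shared(const char *line)
{
    char buf[4096];
    snprintf(buf, sizeof buf, "%s", line);

    char *save = NULL;
    int field = 0;
    for (char *tok = strtok_r(buf, " \n", &save); tok;
         tok = strtok_r(NULL, " \n", &save), field++) {
        if (field < 6)
            continue;                       /* mandatory fields */
        if (strcmp(tok, "-") == 0)
            break;                          /* end of optional fields */
        if (strncmp(tok, "shared:", 7) == 0)
            return 1;
    }
    return 0;
}

/* Count mounts in the caller's namespace that are still shared.
 * Returns -errno if /proc/self/mountinfo cannot be read. */
int count_shared_mounts(void)
{
    FILE *f = fopen("/proc/self/mountinfo", "r");
    if (!f)
        return -errno;
    char line[4096];
    int shared = 0;
    while (fgets(line, sizeof line, f))
        shared += mountinfo_is_shared(line);
    fclose(f);
    return shared;
}

/* Detach from the host mount namespace and make the copy recursively slave.
 * mount(NULL, "/", NULL, MS_REC|MS_SLAVE, NULL) is exactly what the AppArmor
 * rule "mount options=(rw, make-rslave) -> **" has to permit; MS_SLAVE
 * without MS_REC would match the narrower "make-slave" rule and leave
 * submounts shared. Returns 0 on success or -errno (e.g. -EPERM without
 * CAP_SYS_ADMIN). */
int enter_private_mountns(void)
{
    if (unshare(CLONE_NEWNS) < 0)
        return -errno;
    if (mount(NULL, "/", NULL, MS_REC | MS_SLAVE, NULL) < 0)
        return -errno;
    return 0;
}

int main(void)
{
    int rc = enter_private_mountns();
    if (rc < 0) {
        fprintf(stderr, "cannot enter private mount namespace: %s\n",
                strerror(-rc));
        return 1;
    }
    /* Anything mounted from here on stays in this namespace; the host and
     * a second shell keep their own view (compare with `findmnt` there). */
    int shared = count_shared_mounts();
    if (shared < 0) {
        fprintf(stderr, "mountinfo: %s\n", strerror(-shared));
        return 1;
    }
    printf("shared mounts left in the new namespace: %d\n", shared);
    return shared == 0 ? 0 : 1;
}
```

Run as root: the program should print 0 shared mounts, and a tmpfs mounted by a child of it is not visible in the host's /proc/self/mountinfo, which is the behaviour the `lxc.start.unshare` flag is meant to give a plain `lxc-start`.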
