[lxc-devel] [PATCH] Update absolute paths for overlay and aufs mounts

Christian Brauner christianvanbrauner at gmail.com
Sun Oct 11 17:25:08 UTC 2015


We actually need to update both lxc_conf->mount_list and
lxc_conf->unexpanded_config to ensure that both are synchronized when we
clone a container... Expanded patch will follow tonight or tomorrow...

On Oct 9, 2015 14:50, "Christian Brauner" <christianvanbrauner at gmail.com> wrote:
>
> When using overlay and aufs mounts with lxc.mount.entry users have to specify
> absolute paths for upperdir and workdir which will then get created
> automatically by mount_entry_create_overlay_dirs() and
> mount_entry_create_aufs_dirs() in conf.c. When we clone a container with
> overlay or aufs lxc.mount.entry entries we need to update these absolute paths.
> In order to do this we add the function update_union_mount_entry_paths() in
> lxccontainer.c. The function operates on c->lxc_conf->unexpanded_config instead
> of the intuitively plausible c->lxc_conf->mount_list because the latter also
> contains mounts from other files as well as generic mounts.
>
> NOTE: This function does not sanitize paths apart from removing trailing
> slashes. (So when a user specifies //home//someone/// it will be cleaned to
> //home//someone. This is the minimal path cleansing which is also done by
> lxc_container_new().) But the mount_entry_create_overlay_dirs() and
> mount_entry_create_aufs_dirs() functions both try to be extremely strict about
> when to create upperdirs and workdirs. They will only accept sanitized paths,
> i.e. they require /home/someone. I think this is a (safety) virtue and we
> should consider sanitizing paths in general. In short:
> update_union_mount_entry_paths() does update all absolute paths to the new
> container but mount_entry_create_overlay_dirs() and
> mount_entry_create_aufs_dirs() will still refuse to create upperdir and workdir
> when the updated path is unclean. This happens easily when e.g. a user calls
> lxc-clone -o OLD -n NEW -P //home//chb///.
>

<snip>
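
The gap described in the quoted commit message, as an added example that is not part of the original mail and is not LXC code: stripping only trailing slashes leaves `//home//chb` unclean, while collapsing repeated slashes gives a path that a strict check accepts. All three function names are hypothetical, and `is_clean_abs_path()` is an assumed stand-in for the strictness the message attributes to `mount_entry_create_overlay_dirs()` and `mount_entry_create_aufs_dirs()`.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Minimal cleansing as described in the message: drop trailing slashes only. */
static void strip_trailing_slashes(char *path)
{
    size_t len = strlen(path);
    while (len > 1 && path[len - 1] == '/')
        path[--len] = '\0';
}

/* Fuller normalization (hypothetical): collapse runs of '/' in place, then
 * drop trailing slashes. Purely lexical; "." and ".." are not resolved. */
static void collapse_slashes(char *path)
{
    char *src = path, *dst = path;
    while (*src) {
        *dst++ = *src;
        if (*src++ == '/')
            while (*src == '/')
                src++;
    }
    *dst = '\0';
    strip_trailing_slashes(path);
}

/* Assumed strict check: absolute, no empty components, no trailing slash,
 * and no "." or ".." components. */
static bool is_clean_abs_path(const char *path)
{
    size_t len = strlen(path);
    if (path[0] != '/' || strstr(path, "//") || (len > 1 && path[len - 1] == '/'))
        return false;
    for (const char *p = path; (p = strchr(p, '/')); p++) {
        size_t n = strcspn(p + 1, "/");
        if ((n == 1 || n == 2) && strspn(p + 1, ".") == n)
            return false;
    }
    return true;
}

int main(void)
{
    /* Constructed input, taken from the -P argument quoted in the message. */
    char minimal[] = "//home//chb///", full[] = "//home//chb///";
    strip_trailing_slashes(minimal);
    collapse_slashes(full);
    printf("%s clean=%d\n", minimal, is_clean_abs_path(minimal));
    printf("%s clean=%d\n", full, is_clean_abs_path(full));
    return 0;
}
```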