[lxc-devel] [lxd/master] Workaround kernel overmounting protection

stgraber on Github lxc-bot at linuxcontainers.org
Tue Mar 8 03:03:15 UTC 2016


From bdffb0e8bcfe57e8ab7d8afb71e810ee55b37ffe Mon Sep 17 00:00:00 2001
From: Stéphane Graber <stgraber at ubuntu.com>
Date: Mon, 7 Mar 2016 22:00:26 -0500
Subject: [PATCH] Workaround kernel overmounting protection
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The kernel prevents us from bind-mounting filesystems which have entries
hidden by overmounting.

This currently prevents startup of some containers when
/sys/kernel/debug/tracing, an auto-mounted path, has been accessed on the
host.

Fix this by simply recursively bind-mounting things into the container.

Reported by: cmars & stokachu
Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 lxd/container_lxc.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
index d61ba14..9cd2f32 100644
--- a/lxd/container_lxc.go
+++ b/lxd/container_lxc.go
@@ -324,7 +324,7 @@ func (c *containerLXC) initLXC() error {
 	}
 
 	for _, mnt := range []string{"/proc/sys/fs/binfmt_misc", "/sys/firmware/efi/efivars", "/sys/fs/fuse/connections", "/sys/fs/pstore", "/sys/kernel/debug", "/sys/kernel/security"} {
-		err = lxcSetConfigItem(cc, "lxc.mount.entry", fmt.Sprintf("%s %s none bind,optional", mnt, strings.TrimPrefix(mnt, "/")))
+		err = lxcSetConfigItem(cc, "lxc.mount.entry", fmt.Sprintf("%s %s none rbind,optional", mnt, strings.TrimPrefix(mnt, "/")))
 		if err != nil {
 			return err
 		}
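Review bot: changing the whole loop from `bind,optional` to `rbind,optional` is broader than the failure the commit message reports: only /sys/kernel/debug/tracing is named, yet after this change all six host paths carry any mount nested below them into the container, so whatever is later mounted under, say, /sys/fs/fuse/connections or /sys/kernel/security on the host becomes visible inside as well. Please state that wider exposure in the commit message, and add a comment on the loop saying that rbind is required because the kernel refuses a non-recursive bind of a mount that has entries hidden by an overmount; without it a future cleanup is likely to "simplify" this back to bind and reintroduce the startup failure. Keeping `optional` and the existing err check is right, since several of these paths may not exist on a given host.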


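The commit message states the rule (a non-recursive bind of a path that has entries hidden by an overmount is refused, so the loop now uses rbind) but does not show how to tell which of the six paths are affected on a given host. As an added example, not part of this patch or of LXD itself, the Go program below reads text in /proc/self/mountinfo format, reports for each of the six paths the mount points nested strictly below it (the "hidden by overmounting" case, modelled here with tracefs auto-mounted under /sys/kernel/debug), and builds the rbind lxc.mount.entry value the patched loop emits. The mountinfo excerpt is constructed, not captured from a real host, and Submounts, MountEntry and unescape are names chosen for this example, not LXD functions.

```go
package main

import (
	"fmt"
	"path"
	"strconv"
	"strings"
)

// Host paths that lxd/container_lxc.go bind-mounts into every container
// (the same list as in the patched loop).
var candidates = []string{
	"/proc/sys/fs/binfmt_misc",
	"/sys/firmware/efi/efivars",
	"/sys/fs/fuse/connections",
	"/sys/fs/pstore",
	"/sys/kernel/debug",
	"/sys/kernel/security",
}

// sampleMountinfo is a constructed excerpt in /proc/self/mountinfo format,
// not captured from a real host. It models the commit message's scenario:
// tracefs has been auto-mounted on /sys/kernel/debug/tracing, so part of
// the debugfs mount below it is now hidden by an overmount.
const sampleMountinfo = `22 27 0:20 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw
23 27 0:4 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
36 22 0:8 / /sys/kernel/debug rw,relatime shared:20 - debugfs debugfs rw
37 36 0:9 / /sys/kernel/debug/tracing rw,relatime shared:21 - tracefs tracefs rw
38 22 0:10 / /sys/kernel/security rw,nosuid,nodev,noexec,relatime shared:22 - securityfs securityfs rw
`

// unescape decodes the \ooo octal escapes mountinfo uses for space, tab,
// newline and backslash inside path fields.
func unescape(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		if s[i] == '\\' && i+3 < len(s) {
			if v, err := strconv.ParseUint(s[i+1:i+4], 8, 8); err == nil {
				b.WriteByte(byte(v))
				i += 3
				continue
			}
		}
		b.WriteByte(s[i])
	}
	return b.String()
}

// mountPoints extracts the mount point column (5th field) of each line.
func mountPoints(mountinfo string) []string {
	var mps []string
	for _, line := range strings.Split(mountinfo, "\n") {
		fields := strings.Fields(line)
		if len(fields) < 5 {
			continue
		}
		mps = append(mps, path.Clean(unescape(fields[4])))
	}
	return mps
}

// Submounts reports, for each path, the mount points nested strictly below
// it. A non-empty list is the situation the commit message describes: part
// of the bind source is hidden by an overmount, a plain "bind" of that path
// is refused, and only "rbind" (which carries the child mounts along) works.
func Submounts(mountinfo string, paths []string) map[string][]string {
	mps := mountPoints(mountinfo)
	out := make(map[string][]string, len(paths))
	for _, p := range paths {
		prefix := path.Clean(p)
		if prefix != "/" {
			prefix += "/"
		}
		for _, mp := range mps {
			if strings.HasPrefix(mp, prefix) {
				out[p] = append(out[p], mp)
			}
		}
	}
	return out
}

// MountEntry builds the lxc.mount.entry value the patched loop emits: host
// path, container-relative target, no fstype, recursive bind, and "optional"
// so a path missing on the host is skipped instead of failing the start.
func MountEntry(mnt string) string {
	return fmt.Sprintf("%s %s none rbind,optional", mnt, strings.TrimPrefix(mnt, "/"))
}

func main() {
	subs := Submounts(sampleMountinfo, candidates)
	for _, mnt := range candidates {
		if len(subs[mnt]) > 0 {
			fmt.Printf("%-26s submounts %v: plain bind would be refused\n", mnt, subs[mnt])
		} else {
			fmt.Printf("%-26s no submounts\n", mnt)
		}
		fmt.Printf("  lxc.mount.entry = %s\n", MountEntry(mnt))
	}
}
```

On a real host, feed the contents of /proc/self/mountinfo to Submounts instead of the constructed sample; the paths that come back with a non-empty list are the ones whose container start would fail with the old `bind` entry.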