[lxc-devel] [lxd/master] doc: add note about ignoring mount options
brauner on Github
lxc-bot at linuxcontainers.org
Thu Aug 16 10:04:31 UTC 2018
A non-text attachment was scrubbed...
Name: not available
Type: text/x-mailbox
Size: 364 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20180816/51e891cf/attachment.bin>
-------------- next part --------------
From aeefdf6d9e1f41a34442c3986e44b1a521bb540b Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Thu, 16 Aug 2018 12:03:29 +0200
Subject: [PATCH] doc: add note about ignoring mount options
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
doc/storage.md | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/doc/storage.md b/doc/storage.md
index 2fb04b83f5..e355ea9693 100644
--- a/doc/storage.md
+++ b/doc/storage.md
@@ -81,6 +81,19 @@ Similarly, the directory backend is to be considered as a last resort option.
It does support all main LXD features, but is terribly slow and inefficient as it can't perform
instant copies or snapshots and so needs to copy the entirety of the container's filesystem every time.
+## Security Considerations
+
+Currently, the Linux Kernel may not apply mount options and silently ignore
+them when a block-based filesystem (e.g. `ext4`) is already mounted with
+different options. This means when dedicated disk devices are shared between
+different storage pools with different mount options set, the second mount may
+not have the expected mount options. This becomes security relevant, when e.g.
+one storage pool is supposed to provide `acl` support and the second one is
+supposed to not provide `acl` support. For this reason it is currently
+recommended to either have dedicated disk devices per storage pool or ensure
+that all storage pools that share the same dedicated disk device use the same
+mount options.
+
## Optimized image storage
All backends but the directory backend have some kind of optimized image storage format.
This is used by LXD to make container creation near instantaneous by simply cloning a pre-made
More information about the lxc-devel
mailing list