[Lxc-users] patch for read-only bind-mount
John Brendler
brendlerjg at gmail.com
Tue Jun 22 05:25:39 UTC 2010
lxc fails to make read-only bind mounts as documented. Read-only bind
mounts are important to many use cases.
A simple patch has been submitted to the lxc-devel mailing list (by
Ciprian Dorin), but when I last checked, it was not clear if any action
had been taken on it. It is clear, however, that the bug still
exists in release 0.7.0.
I have tested the patch, and it fixes the problem in both 0.6.5 and
0.7.0. I have been using it for a couple months.
This is where the patch was submitted to the lxc-devel list:
http://sourceforge.net/mailarchive/forum.php?thread_name=4B9E0AE0.9000100%40free.fr&forum_name=lxc-devel
I think this patch should be implemented (when it is convenient
to do so). This is a significant loss of functionality that affects the
security of a security-oriented application.
So I am posting so that others know the patch exists and also to see
what should be done to get this included in the next release.
Details: -------------------------------------------------------------
In short, a line like this in a container's configuration file should
have the effect of bind-mounting the file (e.g. /sbin directory below)
within the container and making it *read-only*:
lxc.mount.entry = /sbin /lxc/container07/sbin none ro,bind 0 0
Or in a fstab-formatted file referred to by a "lxc.mount" entry in the
config file, it would simply be:
/sbin /lxc/container07/sbin none ro,bind 0 0
Unfortunately, it doesn't work. It bind-mounts, but gives a little
warning that it "appears to mounted read-write". This is easily
confirmed by writing and deleting files in the filesystems that should
have been mounted read-only.
This is unfortunate, considering the whole point of these tools is secure
compartmentalization.
Normally, a read-only bind mount requires two steps:
mount -o bind /sbin /lxc/container07/sbin
mount -o remount,ro /lxc/container07/sbin
So, one may work around this bug by executing a script (after starting
the container) to carry out that second step, remounting the appropriate
things in read-only mode. But this shouldn't be necessary, since
handling read-only bind-mounts is an intended feature of the lxc tools.
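As an added example (not code from the original post or from the lxc project), the workaround step above written as a small shell script: it pulls the ro,bind targets out of a container config or fstab, runs the second remount for each once the container is up, and checks /proc/mounts to confirm the mount really carries the ro flag. The sample config and mounts table at the bottom are constructed so the parsing and checking can be exercised without root.

```shell
#!/bin/sh
# Added example, not from the original post or the lxc project. Performs the
# second step (remount,ro) that lxc 0.6.5/0.7.0 skips for ro,bind entries,
# then verifies the result instead of trusting the mount call.

# Print the target path of every bind mount entry whose options include "ro".
# Accepts "lxc.mount.entry = ..." lines as well as plain fstab lines.
ro_bind_targets() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*lxc\.mount\.entry[[:space:]]*=[[:space:]]*//' "$1" |
        awk '$4 ~ /(^|,)bind(,|$)/ && $4 ~ /(^|,)ro(,|$)/ { print $2 }'
}

# Return 0 if <target> is listed in the mounts table (default /proc/mounts)
# with the "ro" flag, 1 if it is missing or shows up read-write.
mount_is_ro() {
    awk -v t="$1" '$2 == t { seen = 1; if ($4 ~ /(^|,)ro(,|$)/) ro = 1 }
                   END { exit !(seen && ro) }' "${2:-/proc/mounts}"
}

# Remount each ro,bind target read-only and report any that still show rw.
# Needs root and a started container; not exercised by the sample below.
remount_ro_all() {
    ro_bind_targets "$1" | while IFS= read -r target; do
        mount -o remount,ro "$target" || echo "remount failed: $target" >&2
        mount_is_ro "$target" || echo "STILL READ-WRITE: $target" >&2
    done
}

# Constructed sample config and mounts table (paths follow the post's example).
SAMPLE_CONF=$(mktemp); SAMPLE_MOUNTS=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
lxc.utsname = container07
lxc.mount.entry = /sbin /lxc/container07/sbin none ro,bind 0 0
lxc.mount.entry = /var/tmp /lxc/container07/var/tmp none bind 0 0
lxc.mount.entry = proc /lxc/container07/proc proc nodev,noexec,nosuid 0 0
EOF
cat >"$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 /lxc/container07/sbin ext3 rw,relatime 0 0
/dev/sda1 /lxc/container07/usr ext3 ro,relatime 0 0
EOF
```

Run `remount_ro_all /path/to/container/config` as root after lxc-start; the sample mounts table above deliberately shows /sbin as rw so the check's failure path is visible.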
The patch is very simple and does seem to fix the problem nicely.
Barring regressions I may not be aware of, I, for one, would like to see
it implemented.
I am using it as a means to re-use the host operating system's files, in
read-only bind-mounts, with exceptions overlaid on top of them (rather
than having to maintain an additional and separate "guest operating
system" filesystem). With the patch, this seems to work quite well.
-----------------------------------------------------------------------