[Lxc-users] (no subject)
C Anthony Risinger
anthony at extof.me
Wed Sep 15 23:40:04 UTC 2010
On Wed, Sep 15, 2010 at 6:25 PM, Serge E. Hallyn
<serge.hallyn at canonical.com> wrote:
> Quoting Daniel Lezcano (daniel.lezcano at free.fr):
>> However, I am curious to understand why a remount as read-only is
>> propagated in all the system as we are running in our own mount
>> namespace. I will ask to the kernel mailing list ...
>
> I haven't closely followed this thread, but I'd guess that his
> root is mnt_shared. Can confirm by doing 'grep shared /proc/self/mountinfo'
> Private mount namespace doesn't stop that. So if it doesn't already, lxc
> should probably (optionally?) do a
>
> mount --make-rslave $lxc_root
>
> after creating its tmpfs rootfs or pivot_rooting.
>
> (Or, I could be completely wrong :)
that sounds like a really good guess at least :-)
i would agree, LXC should probably recursively mark all mounts as
slaves when binding the host's /, and maybe have an option to _not_ do
this, but imo it should be default, to protect the host. mount
propagation is very useful in LXC environments (udev mounts/shared
mounts/etc.), and in general; seems to be a relatively unknown option.
C Anthony
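As an added example (not code from this thread or from LXC itself), a small POSIX sh/awk parser for the /proc/self/mountinfo format that Serge suggests grepping: it lists the mounts in a shared peer group and reports whether the mount holding a given container root is shared, slave or private, which is what decides if the `mount --make-rslave` step is needed. The function names and the sample mountinfo lines are my own construction.

```shell
#!/bin/sh
# /proc/self/mountinfo layout (one mount per line):
#   ID parentID maj:min root mountpoint options [optional fields...] - fstype source superopts
# Propagation lives in the optional fields before the "-" separator:
# shared:N (peer group), master:N (slave of group N), propagate_from:N.

# Print the mount point of every mount tagged shared:N. Reads mountinfo
# text from stdin, e.g.:  shared_mounts < /proc/self/mountinfo
shared_mounts() {
    awk '{
        for (i = 7; i <= NF && $i != "-"; i++)
            if ($i ~ /^shared:/) { print $5; break }
    }'
}

# Print the propagation type (shared | slave | private) of the mount that
# contains path $1, i.e. the longest mount point that is a prefix of it.
# A mount tagged both shared:N and master:M still propagates outward,
# so it is reported as "shared".
propagation_of() {
    awk -v path="$1" '
    {
        mp = $5
        if (mp == "/" || path == mp || index(path, mp "/") == 1) {
            if (length(mp) > best_len) {
                best_len = length(mp)
                type = "private"
                for (i = 7; i <= NF && $i != "-"; i++) {
                    if ($i ~ /^shared:/) type = "shared"
                    else if ($i ~ /^master:/ && type != "shared") type = "slave"
                }
            }
        }
    }
    END { print type }'
}

# Constructed sample, not captured from a real host: / and /home are in
# shared groups (the situation the thread describes), /tmp is a slave,
# and a container rootfs on its own tmpfs is private.
SAMPLE_MOUNTINFO='21 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
30 21 0:22 / /home rw,relatime shared:7 - ext4 /dev/sda2 rw
31 21 0:23 / /tmp rw,nosuid master:1 - tmpfs tmpfs rw
40 21 0:40 / /var/lib/lxc/c1/rootfs rw - tmpfs none rw'

printf '%s\n' "$SAMPLE_MOUNTINFO" | shared_mounts
printf '%s\n' "$SAMPLE_MOUNTINFO" | propagation_of /home/c2/rootfs
```

Run against the live file with `shared_mounts < /proc/self/mountinfo`; a non-empty result for / means a remount inside a private mount namespace can still reach the host unless the container root is made rslave first.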