[Lxc-users] (no subject)

C Anthony Risinger anthony at extof.me
Wed Sep 15 23:40:04 UTC 2010


On Wed, Sep 15, 2010 at 6:25 PM, Serge E. Hallyn
<serge.hallyn at canonical.com> wrote:
> Quoting Daniel Lezcano (daniel.lezcano at free.fr):
>> However, I am curious to understand why a remount as read-only is
>> propagated in all the system as we are running in our own mount
>> namespace. I will ask to the kernel mailing list ...
>
> I haven't closely followed this thread, but I'd guess that his
> root is mnt_shared.  Can confirm by doing 'grep shared /proc/self/mountinfo'
> Private mount namespace doesn't stop that.  So if it doesn't already, lxc
> should probably (optionally?) do a
>
>        mount --make-rslave $lxc_root
>
> after creating its tmpfs rootfs or pivot_rooting.
>
> (Or, I could be completely wrong :)

that sounds like a really good guess at least :-)

I would agree, LXC should probably recursively mark all mounts as
slaves when binding the host's /, and maybe have an option to _not_ do
this, but imo it should be the default, to protect the host.  Mount
propagation is very useful in LXC environments (udev mounts/shared
mounts/etc.) and in general; it seems to be a relatively unknown option.

C Anthony
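The two things discussed above, Serge's 'grep shared /proc/self/mountinfo' check and the 'mount --make-rslave' step Anthony wants LXC to do by default, as an added example that is not part of this thread or of the LXC project. The first part is a small parser over mountinfo lines (a constructed sample is embedded, so it runs anywhere) that prints each mount's propagation state instead of a bare grep, so you can see which peer group a mount belongs to and whether a container rootfs is already a slave ('master:N'). The second part is a guarded root-only demonstration that a tmpfs mounted under a shared mount from inside a child mount namespace shows up on the host, and that 'mount --make-rslave' in the child stops that. It assumes util-linux 'unshare' with the '--propagation' option (without '--propagation unchanged', modern unshare makes the new namespace private on its own, which would hide the effect). One caveat worth keeping in mind when reading the thread: propagation carries mount and umount events; a plain remount of a bind mount without MS_BIND changes the shared superblock and is seen by every mount of that filesystem in every namespace, whatever the propagation setting.

```shell
#!/bin/sh
# Added example (not LXC code). Inspect and fix mount propagation.

# Constructed sample in /proc/self/mountinfo format:
#   id parent major:minor root mountpoint opts [optional fields...] - fstype source superopts
# The optional fields are where propagation shows up: shared:N, master:N,
# propagate_from:N, unbindable. A mount with none of them is private.
SAMPLE_MOUNTINFO='21 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
22 21 0:5 / /dev rw,nosuid shared:2 - devtmpfs devtmpfs rw
23 21 0:20 / /run rw,nosuid,nodev shared:5 - tmpfs tmpfs rw
40 21 8:1 /var/lib/lxc/c1/rootfs /var/lib/lxc/c1/rootfs rw,relatime master:1 - ext4 /dev/sda1 rw
41 40 0:33 / /var/lib/lxc/c1/rootfs/proc rw,nosuid,nodev,noexec,relatime - proc proc rw'

# Read mountinfo lines on stdin, print "<mountpoint> <propagation>" per line.
# Optional fields start at field 7 and end at the "-" separator.
mount_propagation() {
    awk '{
        tag = "private"
        for (i = 7; i <= NF && $i != "-"; i++) {
            if ($i ~ /^(shared|master|propagate_from):/ || $i == "unbindable") {
                tag = (tag == "private") ? $i : tag "," $i
            }
        }
        print $5, tag
    }'
}

# Exit 0 if the mount at mountpoint $1 (default "/") is in a shared peer group.
# Usage: is_shared / < /proc/self/mountinfo
is_shared() {
    mp="${1:-/}"
    mount_propagation | awk -v mp="$mp" \
        '$1 == mp && $2 ~ /shared:/ { found = 1 } END { exit found ? 0 : 1 }'
}

# Root-only demo of propagation out of a child mount namespace. Uses its own
# tmpfs so the host tree is never touched beyond a temporary directory.
demo_rslave() {
    if [ "$(id -u)" -ne 0 ] || ! command -v unshare >/dev/null 2>&1; then
        echo "demo_rslave: skipped (needs root and util-linux unshare)"
        return 0
    fi
    d=$(mktemp -d)
    mount -t tmpfs -o size=1m tmpfs "$d"
    mount --make-shared "$d"        # put it in a peer group, as init systems do for /
    mkdir "$d/leak"

    # 1. Child namespace without --make-rslave: its new mount propagates to the host.
    unshare --propagation unchanged -m sh -c "mount -t tmpfs tmpfs '$d/leak'"
    if grep -q " $d/leak " /proc/self/mountinfo; then
        echo "no rslave: child's mount on $d/leak is visible on the host"
        umount "$d/leak"
    fi

    # 2. Child marks the tree rslave first: it still receives host mounts but sends none back.
    unshare --propagation unchanged -m sh -c \
        "mount --make-rslave '$d'; mount -t tmpfs tmpfs '$d/leak'"
    if grep -q " $d/leak " /proc/self/mountinfo; then
        echo "rslave: unexpected, mount leaked to host"
        umount "$d/leak"
    else
        echo "rslave: child's mount on $d/leak stayed inside the child namespace"
    fi
    umount "$d" && rmdir "$d"
}

# On a real system, replace the sample with the live file:
#   mount_propagation < /proc/self/mountinfo
#   is_shared / < /proc/self/mountinfo && echo "root is shared"
printf '%s\n' "$SAMPLE_MOUNTINFO" | mount_propagation
```

With the sample, the host's /, /dev and /run report 'shared:N', the container rootfs reports 'master:1' (what the tree looks like after 'mount --make-rslave $lxc_root'), and the container's proc mount is private. An LXC-style startup would run the make-rslave step inside the container's mount namespace after binding the host's / and before pivot_root, which is exactly the sequence the second half of demo_rslave reproduces on a throwaway tmpfs.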



