[Lxc-users] Jumping out of a read-only bind mount container
Matto Fransen
matto at matto.nl
Tue Feb 8 06:43:20 UTC 2011
Hi,
On Tue, Feb 08, 2011 at 11:19:20AM +1100, Trent W. Buck wrote:
> Matto Fransen <matto at matto.nl> writes:
> > This is a problem with the sshd bind readonly containers, because
> > lxc-init mounts /proc, /dev/shm and /dev/mqueue.
> > With lxc.cap.drop=sys_admin it is therefore not possible to use
> > lxc-init.
> >
> > Would this mean that lxc_setup_fs() should be removed from
> > lxc_init.c and the mounting should be done through the config-file?
>
> I'm not sure what you mean there, but I do mounting with lxc.mount (or
> lxc.mount.entry), i.e. within the lxc .conf file.
When you create an sshd read-only container with
lxc-create -t sshd -n <containername>, then this container
gets an init that is mounted to lxc-init.
lxc-init does mount /proc, /dev/shm and /dev/mqueue.
But with lxc.cap.drop=sys_admin it is not possible to
mount, and therefore lxc-init returns an error and the container is
stopped.
Cheers,
Matto
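For reference, the approach Trent describes (mounting via lxc.mount.entry in the container's .conf, so lxc-start performs the mounts before capabilities are dropped) looks like the following; this is an added illustration, not a config from the thread, and the /var/lib/lxc/<containername>/rootfs target paths are assumed to match the sshd template's layout:

```ini
# /var/lib/lxc/<containername>/config (assumed location)
# lxc-start mounts these from the parent, which still holds CAP_SYS_ADMIN,
# so the mounts exist inside the container without the container needing it.
lxc.mount.entry = proc /var/lib/lxc/<containername>/rootfs/proc proc nodev,noexec,nosuid 0 0
lxc.mount.entry = shm /var/lib/lxc/<containername>/rootfs/dev/shm tmpfs nodev,nosuid 0 0
lxc.mount.entry = mqueue /var/lib/lxc/<containername>/rootfs/dev/mqueue mqueue defaults 0 0
# Drop the capability so processes inside the container cannot mount at all.
lxc.cap.drop = sys_admin
```

As Matto points out above, this alone does not help the sshd template: its init is lxc-init, which still calls its own mount code and fails once sys_admin is dropped.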