[Lxc-users] read only rootfs

Matto Fransen matto at matto.nl
Mon Jul 4 20:16:58 UTC 2011


Hi,

On Mon, Jun 27, 2011 at 06:05:13PM +0200, Samuel Maftoul wrote:

> I'm searching for a solution to have a read only rootfs inside an LXC
> container.

I have a webserver running this way :)

> I created a container with the busybox template, this container works.
> As soon as I try to mount it read only I have this message in the logs:

Create a rootfs outside the container.
In the config of your container you add lines like:
lxc.mount.entry=/path/to/rootfs/lib /var/lib/lxc/<container>/rootfs/lib none ro,bind 0 0
and so on for all the dirs you want to mount read-only

Also create some system directories:
# system mounts
lxc.mount.entry=proc /var/lib/lxc/<container>/rootfs/proc proc defaults 0 0
lxc.mount.entry=shmfs /var/lib/lxc/<container>/rootfs/dev/shm tmpfs mode=0644 0 0
lxc.mount.entry=sysfs /var/lib/lxc/<container>/rootfs/sys sysfs defaults 0 0

And add the following line to the config of your container:
lxc.cap.drop=sys_admin

This last line prevents anyone from jumping out of the read-only bind mounts from
inside the container :)

Cheers,

Matto
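An added check, not part of Matto's post and not an LXC tool: a small POSIX shell audit that reads a container config and reports (a) every bind mount whose option list lacks `ro` and (b) whether `lxc.cap.drop` includes `sys_admin`. The config it reads is constructed here from the lines in the post, with one deliberately misconfigured `bind` entry (no `ro`) so the check has something to find; the `<container>` placeholder is kept as in the post.

```shell
#!/bin/sh
# Added example: audit an LXC config for the read-only rootfs setup above.
# Not from the original post or from the LXC project.

# Print the destination of every bind mount whose options lack "ro".
# Reads the config on stdin. Entry format after "=" is fstab-style:
#   <src> <dst> <fstype> <options> <dump> <pass>
rw_bind_mounts() {
    awk '
        /^[ \t]*lxc\.mount\.entry[ \t]*=/ {
            entry = substr($0, index($0, "=") + 1)
            sub(/^[ \t]+/, "", entry)
            n = split(entry, f, /[ \t]+/)
            if (n < 4) next
            m = split(f[4], o, ",")
            isbind = 0; isro = 0
            for (i = 1; i <= m; i++) {
                if (o[i] == "bind" || o[i] == "rbind") isbind = 1
                if (o[i] == "ro") isro = 1
            }
            if (isbind && !isro) print f[2]
        }'
}

# Exit 0 if some lxc.cap.drop line names the given capability, 1 otherwise.
# Values may be space- or comma-separated and spread over several lines.
drops_cap() {
    awk -v cap="$1" '
        /^[ \t]*lxc\.cap\.drop[ \t]*=/ {
            caps = substr($0, index($0, "=") + 1)
            n = split(caps, c, /[ \t,]+/)
            for (i = 1; i <= n; i++) if (c[i] == cap) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Run both checks on a config file; return 1 if either finds a problem.
audit_config() {
    status=0
    rw=$(rw_bind_mounts < "$1")
    if [ -n "$rw" ]; then
        echo "bind mounts without ro:"
        echo "$rw"
        status=1
    fi
    if ! drops_cap sys_admin < "$1"; then
        echo "lxc.cap.drop does not include sys_admin"
        status=1
    fi
    return $status
}

# Constructed sample config (not a real container's file). The /usr entry
# intentionally omits "ro" to show what the audit reports.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# rootfs bind mounts
lxc.mount.entry=/path/to/rootfs/lib /var/lib/lxc/<container>/rootfs/lib none ro,bind 0 0
lxc.mount.entry=/path/to/rootfs/usr /var/lib/lxc/<container>/rootfs/usr none bind 0 0
# system mounts
lxc.mount.entry=proc /var/lib/lxc/<container>/rootfs/proc proc defaults 0 0
lxc.cap.drop=sys_admin
EOF

if audit_config "$SAMPLE"; then
    echo "audit: OK"
else
    echo "audit: problems found"
fi
```

Run it against a real config by pointing `audit_config` at `/var/lib/lxc/<container>/config` instead of the sample; a clean config prints nothing but "audit: OK".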



