[Lxc-users] read only rootfs

Samuel Maftoul samuel.maftoul at gmail.com
Tue Jul 5 11:59:13 UTC 2011


Hi,

Thanks all of you, I managed to make it work!
I understand there are some security concerns, and Matto, you're pointing to
a very interesting detail, dropping capability is really what I want!
Thanks

--
Samuel

On Mon, Jul 4, 2011 at 10:16 PM, Matto Fransen <matto at matto.nl> wrote:

> Hi,
>
> On Mon, Jun 27, 2011 at 06:05:13PM +0200, Samuel Maftoul wrote:
>
> > I'm searching for a solution to have a read only rootfs inside an LXC
> > container.
>
> I have a webserver running this way :)
>
> > I created a container with the busybox template, this container works.
> > As soon as I try to mount it read only I have this message in the logs:
>
> Create a rootfs outside the container.
> In the config of your container you add lines like:
> lxc.mount.entry=/path/to/rootfs/lib /var/lib/lxc/<container>/rootfs/lib none ro,bind 0 0
> and so on for all the dirs you want to mount readonly
>
> Also create some system directories:
> # system mounts
> lxc.mount.entry=proc /var/lib/lxc/<container>/rootfs/proc proc defaults 0 0
> lxc.mount.entry=shmfs /var/lib/lxc/<container>/rootfs/dev/shm tmpfs mode=0644 0 0
> lxc.mount.entry=sysfs /var/lib/lxc/<container>/rootfs/sys sysfs defaults 0 0
>
> And add the following line to the config of your container:
> lxc.cap.drop=sys_admin
>
> This last line prevents that one can jump out of the readonly bind mounts from
> inside the container :)
>
> Cheers,
>
> Matto
>
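As an added example (not code from the thread): a small POSIX shell audit that checks an lxc.mount.entry-style config for the two properties Matto's setup depends on, every bind mount carrying `ro` and `sys_admin` being dropped, since without the capability drop a process inside the container can remount the bind mounts read-write. The sample configs it writes are constructed; the container name and rootfs paths are assumptions.

```shell
#!/bin/sh
# Audit a classic LXC config (lxc.mount.entry lines) for a read-only rootfs.
# Findings are printed one per line; exit status 0 means clean, 1 otherwise.
audit_lxc_config() {
    _cfg="$1"
    _rc=0
    while read -r _line; do
        case "$_line" in
            lxc.mount.entry=*) ;;
            *) continue ;;
        esac
        # fields: source target fstype options dump pass
        set -- ${_line#lxc.mount.entry=}
        _opts="$4"
        case ",$_opts," in
            *,bind,*|*,rbind,*)
                case ",$_opts," in
                    *,ro,*) ;;
                    *) echo "writable bind mount: $2"; _rc=1 ;;
                esac ;;
        esac
    done < "$_cfg"
    # sys_admin covers mount(2), so it must be dropped or "ro" is only advisory
    if ! grep -E '^lxc\.cap\.drop=' "$_cfg" | grep -qw sys_admin; then
        echo "sys_admin not dropped: bind mounts can be remounted rw from inside"
        _rc=1
    fi
    return $_rc
}

# Constructed sample configs in the layout shown in the thread.
write_samples() {
    _dir="${1:-${TMPDIR:-/tmp}}"
    cat > "$_dir/good.conf" <<'EOF'
lxc.mount.entry=/srv/ro-rootfs/lib /var/lib/lxc/web/rootfs/lib none ro,bind 0 0
lxc.mount.entry=/srv/ro-rootfs/usr /var/lib/lxc/web/rootfs/usr none ro,bind 0 0
lxc.mount.entry=proc /var/lib/lxc/web/rootfs/proc proc defaults 0 0
lxc.mount.entry=shmfs /var/lib/lxc/web/rootfs/dev/shm tmpfs mode=0644 0 0
lxc.cap.drop=sys_admin
EOF
    cat > "$_dir/bad.conf" <<'EOF'
lxc.mount.entry=/srv/ro-rootfs/lib /var/lib/lxc/web/rootfs/lib none ro,bind 0 0
lxc.mount.entry=/srv/ro-rootfs/usr /var/lib/lxc/web/rootfs/usr none bind 0 0
lxc.mount.entry=proc /var/lib/lxc/web/rootfs/proc proc defaults 0 0
EOF
}

write_samples
for _f in good bad; do
    echo "== $_f.conf"
    audit_lxc_config "${TMPDIR:-/tmp}/$_f.conf" && echo "clean" || echo "findings above"
done
```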