[Lxc-users] read only rootfs

David Serrano dserrano5 at gmail.com
Wed Jul 13 14:47:16 UTC 2011


On Mon, Jul 4, 2011 at 22:16, Matto Fransen <matto at matto.nl> wrote:
>
> lxc.mount.entry=/path/to/rootfs/lib /var/lib/lxc/<container>/rootfs/lib none ro,bind 0 0
>
> # system mounts
> lxc.mount.entry=proc /var/lib/lxc/<container>/rootfs/proc proc none defaults 0 0
> lxc.mount.entry=shmfs /var/lib/lxc/<container>/rootfs/dev/shm tmpfs mode=0644 0 0
> lxc.mount.entry=sysfs /var/lib/lxc/<container>/rootfs/sys sysfs defaults  0 0
>
> lxc.cap.drop=sys_admin
>
> This last line prevents one from jumping out of the readonly bind mounts from
> inside the container :)

I'm successfully using LXC with this setup too.


--
David Serrano
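The setup quoted above relies on two things working together: the `ro,bind` mount entries and `lxc.cap.drop=sys_admin`, since a process holding CAP_SYS_ADMIN inside the container can remount a read-only bind mount read-write. The script below is an added example, not code from either poster or from the LXC project: it audits a container config file for read-only bind mounts and reports whether `sys_admin` is dropped. The file names and config contents are constructed for the demo; the check only looks at `lxc.cap.drop` lines, so a config that restricts capabilities some other way would need a different test.

```shell
#!/bin/sh
# Added example (not from the lxc-users thread): audit an LXC config for
# read-only bind mounts that are not backed by dropping CAP_SYS_ADMIN.
# With CAP_SYS_ADMIN retained, "mount -o remount,rw" inside the container
# turns a ro bind mount writable again, so "ro" alone is not a boundary.

# Print the fstab-style value of every lxc.mount.entry that is a bind mount
# carrying the "ro" option (fields: source target fstype options freq passno).
lxc_ro_bind_mounts() {
    sed -n 's/^[[:space:]]*lxc\.mount\.entry[[:space:]]*=[[:space:]]*//p' "$1" |
        awk '("," $4 ",") ~ /,ro,/ && ("," $4 ",") ~ /,r?bind,/'
}

# Return 0 if any lxc.cap.drop line lists sys_admin (values are
# whitespace-separated and the key may appear more than once), else 1.
lxc_drops_sys_admin() {
    sed -n 's/^[[:space:]]*lxc\.cap\.drop[[:space:]]*=[[:space:]]*//p' "$1" |
        tr -s ' \t' '\n\n' | grep -qx 'sys_admin'
}

# Audit verdict as an exit code:
#   0 - ro bind mounts present and sys_admin dropped
#   1 - ro bind mounts present but sys_admin retained (remount,rw possible)
#   2 - no ro bind mounts in this config, nothing to protect
lxc_audit_ro_binds() {
    n=$(lxc_ro_bind_mounts "$1" | grep -c .)
    if [ "$n" -eq 0 ]; then
        return 2
    fi
    if lxc_drops_sys_admin "$1"; then
        return 0
    fi
    return 1
}

# Human-readable report for one config file.
report() {
    rc=0
    lxc_audit_ro_binds "$1" || rc=$?
    case $rc in
        0) echo "$1: ro bind mounts present, sys_admin dropped (OK)" ;;
        1) echo "$1: ro bind mounts present but sys_admin retained (WEAK)" ;;
        2) echo "$1: no ro bind mounts to check" ;;
    esac
}

# Constructed sample configs (paths and values are made up for the demo).
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/hardened.conf" <<'EOF'
lxc.mount.entry=/srv/rootfs/lib /var/lib/lxc/demo/rootfs/lib none ro,bind 0 0
lxc.mount.entry=/srv/rootfs/usr /var/lib/lxc/demo/rootfs/usr none ro,bind 0 0
lxc.mount.entry=proc /var/lib/lxc/demo/rootfs/proc proc nodev,noexec,nosuid 0 0
lxc.cap.drop=sys_admin mac_admin
EOF
cat > "$DEMO_DIR/weak.conf" <<'EOF'
lxc.mount.entry=/srv/rootfs/lib /var/lib/lxc/demo/rootfs/lib none ro,bind 0 0
lxc.mount.entry=proc /var/lib/lxc/demo/rootfs/proc proc nodev,noexec,nosuid 0 0
EOF
cat > "$DEMO_DIR/plain.conf" <<'EOF'
lxc.mount.entry=proc /var/lib/lxc/demo/rootfs/proc proc nodev,noexec,nosuid 0 0
EOF

report "$DEMO_DIR/hardened.conf"
report "$DEMO_DIR/weak.conf"
report "$DEMO_DIR/plain.conf"
```

Run it against a real container by pointing `report` at `/var/lib/lxc/<container>/config`; the `sed` patterns skip commented-out keys because they anchor on the key at the start of the line.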