[Lxc-users] [PATCH] Re: read only rootfs

Serge E. Hallyn serge at hallyn.com
Mon Jul 18 18:58:03 UTC 2011


(sorry, just realized postfix has been messing up my email)

Quoting Michael H. Warfield (mhw at WittsEnd.com):
> Unfortunately, I also still find that if there's a -o remount,ro in the
> halt/reboot script, it still sets /dev/pts to ro and that still
> propagates to the host and to the other containers triggering random

Wow.

Did a quick grep;  is there any reason why lxc-start doesn't turn on
MS_SLAVE for the client's root?  Something like:

>From 7fbc3ec940403605c53b253d8630c3f47fad154c Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge.hallyn at ubuntu.com>
Date: Mon, 18 Jul 2011 07:29:57 -0500
Subject: [PATCH 1/1] (untested) turn container rootfs into MS_SLAVE

Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
---
 src/lxc/conf.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 2eb598b..d36fe47 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -732,6 +732,11 @@ static int setup_rootfs(const struct lxc_rootfs *rootfs)
 		return -1;
 	}
 
+	if (mount(rootfs->path, rootfs->path, "none", MS_SLAVE, 0)) {
+		ERROR("failed to turn child rootfs into slave");
+		return -1;
+	}
+
 	DEBUG("mounted '%s' on '%s'", rootfs->path, rootfs->mount);
 
 	return 0;
-- 
1.7.4.1

> The kernel should also prohibit, totally, the propagation of remount

The kernel doesn't know about containers, so it's up to userspace :)

-serge




More information about the lxc-users mailing list