[Lxc-users] [PATCH] Re: read only rootfs
Serge E. Hallyn
serge at hallyn.com
Mon Jul 18 18:58:03 UTC 2011
(sorry, just realized postfix has been messing up my email)
Quoting Michael H. Warfield (mhw at WittsEnd.com):
> Unfortunately, I also still find that if there's a -o remount,ro in the
> halt/reboot script, it still sets /dev/pts to ro and that still
> propagates to the host and to the other containers triggering random
Wow.
Did a quick grep; is there any reason why lxc-start doesn't turn on
MS_SLAVE for the client's root? Something like:
>From 7fbc3ec940403605c53b253d8630c3f47fad154c Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge.hallyn at ubuntu.com>
Date: Mon, 18 Jul 2011 07:29:57 -0500
Subject: [PATCH 1/1] (untested) turn container rootfs into MS_SLAVE
Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
---
src/lxc/conf.c | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 2eb598b..d36fe47 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -732,6 +732,11 @@ static int setup_rootfs(const struct lxc_rootfs *rootfs)
return -1;
}
+ if (mount(rootfs->path, rootfs->path, "none", MS_SLAVE, 0)) {
+ ERROR("failed to turn child rootfs into slave");
+ return -1;
+ }
+
DEBUG("mounted '%s' on '%s'", rootfs->path, rootfs->mount);
return 0;
--
1.7.4.1
> The kernel should also prohibit, totally, the propagation of remount
The kernel doesn't know about containers, so it's up to userspace :)
-serge
More information about the lxc-users
mailing list