[Lxc-users] read only rootfs
Michael H. Warfield
mhw at WittsEnd.com
Tue Jul 19 20:55:40 UTC 2011
On Tue, 2011-07-19 at 16:50 -0400, Michael H. Warfield wrote:
> On Tue, 2011-07-19 at 15:32 -0500, Serge E. Hallyn wrote:
> > Quoting Michael H. Warfield (mhw at WittsEnd.com):
> > > On Tue, 2011-07-19 at 13:34 -0500, Serge E. Hallyn wrote:
> > > > Quoting C Anthony Risinger (anthony at xtfx.me):
> > > > > there it would seem. however, while i could *maybe* see the rootfs
> > > > > being an unconditional slave, i would NOT want to see any lxc
> > > > > default/enforcement preventing container -> host propagation on a
> > > > > globally recursive scale. im of the opinion that the implementor
> > > > > should decide the best tactic ... especially in light of the fact the
> > > > > one distro may not even have the same problems as say
> > > > > ubutnu/fedora/etc because they keep mount points private by default.
> > >
> > > > Good point. (I don't see it on ubuntu either fwiw) Perhaps there
> > > > should be a toggle in the per-container config file?
> > >
> > > Quick question.
> > >
> > > Is there any way to test for these flags (SHARED, PRIVATE, SLAVE)? I
> > > don't see them showing up anywhere from mount, in proc mounts or
> > > mountstats. How do you check to see if they are set?
>
> > /proc/self/mountinfo is supposed to tell that. i.e. if you do
> > a --make-shared on /mnt, it'll show 'shared' next to the /mnt entry.
> > (I say 'is supposed to' bc --make-rslave just shows nothing, but
> > maybe that's bc the way i did it it wasn't a slave to anything,
> > so it was actually private)
>
> Ok... This may be telling us something. What?
Oh, meant to include the info on / on each, sorry...
> On the host Forest:
22 1 8:5 / / rw,relatime - ext4 /dev/sda5 rw,barrier=1,data=ordered
> [root at forest ~]# cat /proc/self/mountinfo | grep export
> 50 22 8:18 / /export rw,relatime - ext4 /dev/sdb2 rw,barrier=1,data=ordered
> [root at forest ~]# mount --make-shared /export
> [root at forest ~]# cat /proc/self/mountinfo | grep export
> 50 22 8:18 / /export rw,relatime shared:1 - ext4 /dev/sdb2 rw,barrier=1,data=ordered
> [root at forest ~]# mount --make-slave /export
> [root at forest ~]# cat /proc/self/mountinfo | grep export
> 50 22 8:18 / /export rw,relatime - ext4 /dev/sdb2 rw,barrier=1,data=ordered
> [root at forest ~]# mount --make-private /export
> [root at forest ~]# cat /proc/self/mountinfo | grep export
> 50 22 8:18 / /export rw,relatime - ext4 /dev/sdb2 rw,barrier=1,data=ordered
> So, shared looks like it worked and the other two didn't? Does
> something have to be done to enable them?
> You say "maybe that's bc the way i did it it wasn't a slave to anything"
> meaning we're missing a step. What's the missing step.
> On the guest Alcove (with your patch to add MS_REC | MS_SLAVE):
105 55 8:17 /lxc/private/Alcove / rw,relatime - ext4 /dev/sdb1 rw,barrier=1,data=ordered
> [root at alcove mhw]# cat /proc/self/mountinfo | grep devpts
> 107 105 0:10 /6 /dev/console rw,relatime - devpts devpts rw,mode=600,ptmxmode=666
> 108 105 0:10 /0 /dev/tty1 rw,relatime - devpts devpts rw,mode=600,ptmxmode=666
> 109 105 0:10 /1 /dev/tty2 rw,relatime - devpts devpts rw,mode=600,ptmxmode=666
> 110 105 0:10 /2 /dev/tty3 rw,relatime - devpts devpts rw,mode=600,ptmxmode=666
> 111 105 0:10 /3 /dev/tty4 rw,relatime - devpts devpts rw,mode=600,ptmxmode=666
> 112 105 0:10 /4 /dev/tty5 rw,relatime - devpts devpts rw,mode=600,ptmxmode=666
> 113 105 0:10 /5 /dev/tty6 rw,relatime - devpts devpts rw,mode=600,ptmxmode=666
> 56 105 0:44 / /dev/pts rw,relatime - devpts devpts rw,mode=600,ptmxmode=666
> 64 56 0:10 / /dev/pts rw,relatime - devpts devpts rw,mode=600,ptmxmode=666
> I'd say that's not good.
>
> Regards,
> Mike
--
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 482 bytes
Desc: This is a digitally signed message part
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20110719/e0d5db06/attachment.pgp>
More information about the lxc-users
mailing list