[Lxc-users] read only rootfs

Michael H. Warfield mhw at WittsEnd.com
Tue Jul 19 20:55:40 UTC 2011


On Tue, 2011-07-19 at 16:50 -0400, Michael H. Warfield wrote: 
> On Tue, 2011-07-19 at 15:32 -0500, Serge E. Hallyn wrote: 
> > Quoting Michael H. Warfield (mhw at WittsEnd.com):
> > > On Tue, 2011-07-19 at 13:34 -0500, Serge E. Hallyn wrote: 
> > > > Quoting C Anthony Risinger (anthony at xtfx.me):
> > > > > there it would seem.  however, while i could *maybe* see the rootfs
> > > > > being an unconditional slave, i would NOT want to see any lxc
> > > > > default/enforcement preventing container -> host propagation on a
> > > > > globally recursive scale.  I'm of the opinion that the implementor
> > > > > should decide the best tactic ... especially in light of the fact the
> > > > > one distro may not even have the same problems as say
> > > > > ubuntu/fedora/etc because they keep mount points private by default.
> > > 
> > > > Good point.  (I don't see it on ubuntu either fwiw)  Perhaps there
> > > > should be a toggle in the per-container config file?
> > > 
> > > Quick question.
> > > 
> > > Is there any way to test for these flags (SHARED, PRIVATE, SLAVE)?  I
> > > don't see them showing up anywhere from mount, in proc mounts or
> > > mountstats.  How do you check to see if they are set?
> 
> > /proc/self/mountinfo is supposed to tell that.  i.e. if you do
> > a --make-shared on /mnt, it'll show 'shared' next to the /mnt entry.
> > (I say 'is supposed to' bc --make-rslave just shows nothing, but
> > maybe that's bc the way i did it it wasn't a slave to anything,
> > so it was actually private)
> 
> Ok...  This may be telling us something.  What?

Oh, meant to include the info on / on each, sorry...

> On the host Forest:

22 1 8:5 / / rw,relatime - ext4 /dev/sda5 rw,barrier=1,data=ordered

> [root@forest ~]# cat /proc/self/mountinfo | grep export
> 50 22 8:18 / /export rw,relatime - ext4 /dev/sdb2 rw,barrier=1,data=ordered
> [root@forest ~]# mount --make-shared /export
> [root@forest ~]# cat /proc/self/mountinfo | grep export
> 50 22 8:18 / /export rw,relatime shared:1 - ext4 /dev/sdb2 rw,barrier=1,data=ordered
> [root@forest ~]# mount --make-slave /export
> [root@forest ~]# cat /proc/self/mountinfo | grep export
> 50 22 8:18 / /export rw,relatime - ext4 /dev/sdb2 rw,barrier=1,data=ordered
> [root@forest ~]# mount --make-private /export
> [root@forest ~]# cat /proc/self/mountinfo | grep export
> 50 22 8:18 / /export rw,relatime - ext4 /dev/sdb2 rw,barrier=1,data=ordered


> So, shared looks like it worked and the other two didn't?  Does
> something have to be done to enable them?

> You say "maybe that's bc the way i did it it wasn't a slave to anything"
> meaning we're missing a step.  What's the missing step.

> On the guest Alcove (with your patch to add MS_REC | MS_SLAVE):

105 55 8:17 /lxc/private/Alcove / rw,relatime - ext4 /dev/sdb1 rw,barrier=1,data=ordered

> [root@alcove mhw]# cat /proc/self/mountinfo | grep devpts
> 107 105 0:10 /6 /dev/console rw,relatime - devpts devpts rw,mode=600,ptmxmode=666
> 108 105 0:10 /0 /dev/tty1 rw,relatime - devpts devpts rw,mode=600,ptmxmode=666
> 109 105 0:10 /1 /dev/tty2 rw,relatime - devpts devpts rw,mode=600,ptmxmode=666
> 110 105 0:10 /2 /dev/tty3 rw,relatime - devpts devpts rw,mode=600,ptmxmode=666
> 111 105 0:10 /3 /dev/tty4 rw,relatime - devpts devpts rw,mode=600,ptmxmode=666
> 112 105 0:10 /4 /dev/tty5 rw,relatime - devpts devpts rw,mode=600,ptmxmode=666
> 113 105 0:10 /5 /dev/tty6 rw,relatime - devpts devpts rw,mode=600,ptmxmode=666
> 56 105 0:44 / /dev/pts rw,relatime - devpts devpts rw,mode=600,ptmxmode=666
> 64 56 0:10 / /dev/pts rw,relatime - devpts devpts rw,mode=600,ptmxmode=666

> I'd say that's not good.
> 
> Regards,
> Mike

-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
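The question in this message (how to see whether a mount is shared, slave or private) is answered by the optional fields of /proc/self/mountinfo, the part between the mount options and the "-" separator: "shared:N" means member of peer group N, "master:N" means slave of peer group N, "unbindable" is the fourth state, and a mount carrying none of them is private. That is also why the --make-slave step above leaves no tag: /export was alone in peer group 1, and a shared mount that is made slave with no peers has no master and ends up private. The script below is an added example, not code from the thread or from the LXC project; it parses mountinfo text with awk and reports the propagation of a given mount point, and lists every mount whose events can cross into or out of a mount namespace. The sample mountinfo it reads is constructed here: the first two lines mirror the host output in the thread, the slave and unbindable entries are invented to exercise the other states.

```shell
#!/bin/sh
# Added example, not code from the original thread. Parses /proc/self/mountinfo,
# whose lines look like (Documentation/filesystems/proc.txt):
#   ID PARENT MAJ:MIN ROOT MOUNTPOINT MNTOPTS [OPTIONAL ...] - FSTYPE SOURCE SUPEROPTS
# The optional fields, zero or more of them before the "-" separator, carry the
# propagation state: shared:N (peer group N), master:N (slave of group N),
# propagate_from:N, unbindable. A mount with no optional field is private.

# propagation_of MOUNTPOINT [FILE]
# Prints the propagation fields of MOUNTPOINT (exact match on field 5),
# "private" if it carries none, or "notfound" if no such mount exists.
# FILE defaults to /proc/self/mountinfo. MOUNTPOINT goes in via the environment
# rather than awk -v so that \040-style escapes in paths are compared literally.
propagation_of() {
    MP="$1" awk '
        BEGIN { mp = ENVIRON["MP"]; found = 0 }
        $5 == mp {
            out = ""
            for (i = 7; i <= NF && $i != "-"; i++)
                out = (out == "") ? $i : out " " $i
            if (out == "") out = "private"
            print out
            found = 1
            exit
        }
        END { if (!found) print "notfound" }
    ' "${2:-/proc/self/mountinfo}"
}

# shared_mounts [FILE]
# Prints "MOUNTPOINT TAGS" for every mount that is shared or a slave, i.e. every
# mount whose mount/umount events can cross a namespace boundary. Run it on the
# host before starting a container, or inside one to see what leaked in.
shared_mounts() {
    awk '
        {
            tags = ""
            for (i = 7; i <= NF && $i != "-"; i++)
                if ($i ~ /^(shared|master|propagate_from):/)
                    tags = (tags == "") ? $i : tags " " $i
            if (tags != "") print $5, tags
        }
    ' "${1:-/proc/self/mountinfo}"
}

# Constructed sample: the first two lines mirror the host output in the thread;
# the slave (master:1) and unbindable entries are invented for illustration.
SAMPLE="${TMPDIR:-/tmp}/mountinfo.sample.$$"
cat > "$SAMPLE" <<'EOF'
22 1 8:5 / / rw,relatime - ext4 /dev/sda5 rw,barrier=1,data=ordered
50 22 8:18 / /export rw,relatime shared:1 - ext4 /dev/sdb2 rw,barrier=1,data=ordered
51 22 8:19 / /mnt/backup rw,relatime master:1 - ext4 /dev/sdb3 rw,barrier=1,data=ordered
52 22 0:30 / /tmp rw,nosuid unbindable - tmpfs tmpfs rw
EOF

propagation_of /           "$SAMPLE"   # private
propagation_of /export     "$SAMPLE"   # shared:1
propagation_of /mnt/backup "$SAMPLE"   # master:1
shared_mounts "$SAMPLE"                 # /export shared:1, /mnt/backup master:1
```

Call propagation_of with no FILE argument to inspect the live system; on a host you expect LXC containers to be isolated from, shared_mounts should list nothing you did not deliberately share. Newer util-linux exposes the same optional fields through findmnt -o TARGET,PROPAGATION, which did not yet exist when this thread was written.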