[Lxc-users] read only rootfs

Michael H. Warfield mhw at WittsEnd.com
Mon Jun 27 17:06:25 UTC 2011


On Mon, 2011-06-27 at 17:20 +0100, Justin Cormack wrote: 
> On Mon, 2011-06-27 at 18:05 +0200, Samuel Maftoul wrote:
> 
> > 
> > I tried several ways to have the rootfs mounted RO.
> > First I removed the lxc.rootfs from my config file and the tried:
> > 
> > 
> > - lxc-start -n vm0 -o /tmp/lxc-vm0.log -l DEBUG -s "lxc.mount.entry=/ /var/lib/lxc/vm0/rootfs none ro,bind 0 0"
> > 
> > 
> > Then I tried:
> > 
> > 
> > - echo "/ /var/lib/lxc/vm0/rootfs none ro,bind 0 0" > /var/lib/lxc/vm0/fstab ;
> >   lxc-start -n vm0 -o /tmp/lxc-vm0.log -l DEBUG -s "lxc.mount = /var/lib/lxc/vm0/fstab"
> >  
> > Finally I tried to boot with lxc.rootfs pointing to the same content,
> > but on its block device, mounted read-only.
> > The system starts, I have a console, but in the logs I get:
> >       lxc_conf - ignoring mount point '/var/lib/lxc/vm0/rootfs/lib'
> >       lxc_conf - ignoring mount point
> > '/var/lib/lxc/vm0/rootfs/usr/lib'
> > 
> > 
> > and of course, if I ls these directories, I have nothing inside.

> Bind mounting the root fs is fine, but it will not bind mount file
> systems under this, so you will need to add these to your fstab too. It
> looks like you have /lib and /usr/lib mounted on separate file systems
> and need to bind mount these too?

Bind mounts work but, iirc, there was (in the past) a problem that if
the container did a remount, the remount would propagate to the parent
device.  That caused all sorts of headaches (and I know, I was supposed
to retest that scenario ages ago and I haven't) like when a container
remounted its rootfs ro during a shutdown it made partitions ro to the
host.  Very bad.  This was also at the heart of the problem with
shutdowns causing ptty failures for any subsequent connections a
container starts (it made that fs ro).  If you try to do this, you may
have to prohibit mounts inside the containers to prohibit the remount
problems.  It would probably be a good idea to test it and see if the
container can remount an ro mount point as rw and what the impact would
be.

> Justin

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
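The remount problem Mike describes above comes down to which mounts share a superblock: a `ro,bind` entry makes the bind mount read-only at the mount level, but the superblock it shares with the host's own mount stays rw, so a plain `mount -o remount,ro /` inside the container (a superblock remount, no MS_BIND) changes the flag for the host's mount as well. The script below is an added example and not part of this thread or of LXC itself: it parses `/proc/<pid>/mountinfo`-format text (the sample is constructed, not a real capture) and reports every mount under a container's rootfs that shares a superblock with a mount outside the container, so an administrator can see the exposure before a container shutdown makes a host partition read-only. The helper names and the container paths are assumptions for the example.

```python
"""Audit an LXC bind-mounted rootfs for superblock remount exposure.

Parses /proc/<pid>/mountinfo text and reports container mounts whose
superblock (major:minor) is also mounted somewhere on the host outside the
container tree.  A 'ro' in the per-mount options with a 'rw' superblock
means read-only is enforced only at the mount level; a superblock remount
from inside the container would apply to the host mount too.
"""

# Constructed sample of a host's /proc/self/mountinfo (not a real capture).
# vm0 bind-mounts the host root and /usr/lib; vm1 has its own loop device.
SAMPLE_MOUNTINFO = """\
21 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
22 21 8:2 / /usr/lib rw,relatime shared:2 - ext4 /dev/sda2 rw
45 21 8:1 / /var/lib/lxc/vm0/rootfs ro,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
46 45 8:2 / /var/lib/lxc/vm0/rootfs/usr/lib ro,relatime shared:2 - ext4 /dev/sda2 rw
50 21 7:0 / /var/lib/lxc/vm1/rootfs ro,relatime - ext4 /dev/loop0 ro
"""


def parse_mountinfo(text):
    """Parse mountinfo lines into dicts. Fields before ' - ' are mount-level
    (id, parent, major:minor, root, mountpoint, per-mount opts, optional
    tags such as shared:N); fields after it are fstype, source, superblock
    opts.  Paths with spaces are escaped as \\040 in mountinfo and are
    left escaped here."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        left, right = line.split(" - ", 1)
        lf = left.split()
        rf = right.split()
        mounts.append({
            "id": int(lf[0]),
            "parent": int(lf[1]),
            "dev": lf[2],
            "mountpoint": lf[4],
            "mnt_opts": set(lf[5].split(",")),
            "optional": lf[6:],
            "fstype": rf[0],
            "source": rf[1],
            "sb_opts": set(rf[2].split(",")) if len(rf) > 2 else set(),
        })
    return mounts


def is_under(path, root):
    """True if path is root itself or lies below it."""
    root = root.rstrip("/") or "/"
    return path == root or path.startswith(root.rstrip("/") + "/")


def find_mount(mounts, mountpoint):
    for m in mounts:
        if m["mountpoint"] == mountpoint:
            return m
    raise ValueError("no mount at %s" % mountpoint)


def superblock_sharers(mounts, mountpoint, container_root):
    """Mountpoints outside container_root backed by the same superblock
    (same major:minor) as the mount at mountpoint."""
    target = find_mount(mounts, mountpoint)
    return sorted(m["mountpoint"] for m in mounts
                  if m["dev"] == target["dev"]
                  and not is_under(m["mountpoint"], container_root))


def audit(mounts, container_root):
    """One finding per container mount that shares a superblock with the
    host.  'ro_only_at_mount_level' is the dangerous case: a superblock
    remount from inside the container would flip the host mount as well.
    'propagation' is the shared:N peer group, if any, which additionally
    lets new mounts made inside the container appear on the host."""
    findings = []
    for m in mounts:
        if not is_under(m["mountpoint"], container_root):
            continue
        sharers = superblock_sharers(mounts, m["mountpoint"], container_root)
        if not sharers:
            continue
        peer = next((f for f in m["optional"] if f.startswith("shared:")),
                    "private")
        findings.append({
            "mount": m["mountpoint"],
            "shares_with": sharers,
            "ro_only_at_mount_level": "ro" in m["mnt_opts"] and "ro" not in m["sb_opts"],
            "propagation": peer,
        })
    return findings


if __name__ == "__main__":
    mounts = parse_mountinfo(SAMPLE_MOUNTINFO)
    for root in ("/var/lib/lxc/vm0/rootfs", "/var/lib/lxc/vm1/rootfs"):
        for f in audit(mounts, root):
            print("%s shares a superblock with host %s (ro only at mount "
                  "level: %s, propagation: %s)" % (
                      f["mount"], ", ".join(f["shares_with"]),
                      f["ro_only_at_mount_level"], f["propagation"]))
```

On a live host, feed it `open("/proc/self/mountinfo").read()` instead of the sample. A container whose rootfs sits on its own superblock (vm1 above, a read-only loop device) produces no findings, which matches the third approach tried in the thread; the bind-mount approaches produce one finding per shared filesystem, and dropping the container's ability to mount at all (for example `lxc.cap.drop = sys_admin` in the container config) is the control Mike's message points at.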