[Lxc-users] read only rootfs

Michael H. Warfield mhw at WittsEnd.com
Mon Jun 27 17:45:32 UTC 2011 

On Mon, 2011-06-27 at 12:33 -0500, C Anthony Risinger wrote: 
> On Mon, Jun 27, 2011 at 12:06 PM, Michael H. Warfield <mhw at wittsend.com> wrote:
> > On Mon, 2011-06-27 at 17:20 +0100, Justin Cormack wrote:
> >> On Mon, 2011-06-27 at 18:05 +0200, Samuel Maftoul wrote:
> >>
> >> >
> >> > I tried several ways to have the rootfs mounted RO.
> >> > First I removed the lxc.rootfs from my config file and the tried:
> >> >
> >> >
> >> > - lxc-start -n vm0 -o /tmp/lxc-vm0.log -l DEBUG -s
> >> > "lxc.mount.entry=/ /var/lib/lxc/vm0/rootfs none ro,bind 0 0"
> >> >
> >> >
> >> > Then I tried:
> >> >
> >> >
> >> > - echo "/ /var/lib/lxc/vm0/rootfs none ro,bind 0 0"
> >> > > /var/lib/lxc/vm0/fstab ;
> >> >   lxc-start -n vm0 -o /tmp/lxc-vm0.log -l DEBUG -s "lxc.mount
> >> > = /var/lib/lxc/vm0/fstab"
> >> >
> >> > Finally I tried to boot with lxc.rootfs pointing to the same content,
> >> > but on it's block device, mounted read-only
> >> > The system starts, I have a console, but in the logs I get:
> >> >       lxc_conf - ignoring mount point '/var/lib/lxc/vm0/rootfs/lib'
> >> >       lxc_conf - ignoring mount point
> >> > '/var/lib/lxc/vm0/rootfs/usr/lib'
> >> >
> >> >
> >> > and of course, If I ls these directories, I have nothing inside.
> >
> >> Bind mounting the root fs is fine, but it will not bind mount file
> >> systems under this, so you will need to add these to your fstab too. It
> >> looks like you have /lib and /usr/lib mounted on separate file systems
> >> and need to bind mount these too?
> >
> > Bind mounts work but, iirc, there was (in the past) a problem that if
> > the container did a remount, the remount would propagate to the parent
> > device.  That caused all sorts of headaches (and I know, I was suppose
> > to retest that scenario ages ago and I haven't) like when a container
> > remounted its rootfs ro during a shutdown it made partitions ro to the
> > host.  Very bad.  This was also at the heart of the problem with
> > shutdowns causing ptty failures for any subsequent connections an
> > container starts (it made that fs ro).  If you try to do this, you may
> > have to prohibit mounts inside the containers to prohibit the remount
> > problems.  It would probably be a good idea to test it and see if the
> > container can remount an ro mount point as rw and what the impact would
> > be.

> does this happen when the container rootfs is marked as a
> slave/private mount?  slaves et al should not propagate changes to the
> master/host.

That's exactly the thing that needs to be tested.  I don't know at this
point but I do know at one point it did not work properly and it did
propagate.

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 482 bytes
Desc: This is a digitally signed message part
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20110627/086abe92/attachment.pgp>

More information about the lxc-users mailing list