[Lxc-users] read only rootfs

C Anthony Risinger anthony at xtfx.me
Mon Jun 27 17:33:04 UTC 2011


On Mon, Jun 27, 2011 at 12:06 PM, Michael H. Warfield <mhw at wittsend.com> wrote:
> On Mon, 2011-06-27 at 17:20 +0100, Justin Cormack wrote:
>> On Mon, 2011-06-27 at 18:05 +0200, Samuel Maftoul wrote:
>>
>> >
>> > I tried several ways to have the rootfs mounted RO.
>> > First I removed the lxc.rootfs from my config file and then tried:
>> >
>> >
>> > - lxc-start -n vm0 -o /tmp/lxc-vm0.log -l DEBUG -s
>> > "lxc.mount.entry=/ /var/lib/lxc/vm0/rootfs none ro,bind 0 0"
>> >
>> >
>> > Then I tried:
>> >
>> >
>> > - echo "/ /var/lib/lxc/vm0/rootfs none ro,bind 0 0"
>> > > /var/lib/lxc/vm0/fstab ;
>> >   lxc-start -n vm0 -o /tmp/lxc-vm0.log -l DEBUG -s "lxc.mount
>> > = /var/lib/lxc/vm0/fstab"
>> >
>> > Finally I tried to boot with lxc.rootfs pointing to the same content,
>> > but on its block device, mounted read-only.
>> > The system starts, I have a console, but in the logs I get:
>> >       lxc_conf - ignoring mount point '/var/lib/lxc/vm0/rootfs/lib'
>> >       lxc_conf - ignoring mount point
>> > '/var/lib/lxc/vm0/rootfs/usr/lib'
>> >
>> >
>> > and of course, if I ls these directories, I have nothing inside.
>
>> Bind mounting the root fs is fine, but it will not bind mount file
>> systems under this, so you will need to add these to your fstab too. It
>> looks like you have /lib and /usr/lib mounted on separate file systems
>> and need to bind mount these too?
>
> Bind mounts work but, iirc, there was (in the past) a problem that if
> the container did a remount, the remount would propagate to the parent
> device.  That caused all sorts of headaches (and I know, I was supposed
> to retest that scenario ages ago and I haven't) like when a container
> remounted its rootfs ro during a shutdown it made partitions ro to the
> host.  Very bad.  This was also at the heart of the problem with
> shutdowns causing ptty failures for any subsequent connections a
> container starts (it made that fs ro).  If you try to do this, you may
> have to prohibit mounts inside the containers to prohibit the remount
> problems.  It would probably be a good idea to test it and see if the
> container can remount an ro mount point as rw and what the impact would
> be.

Does this happen when the container rootfs is marked as a
slave/private mount?  Slaves et al. should not propagate changes to the
master/host.

-- 

C Anthony
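As an added example (not code from the thread or from LXC itself): a small Python helper that parses /proc/self/mountinfo, lists the host filesystems beneath / that the single "ro,bind" entry in Samuel's first attempt would not carry into the container (Justin's /lib and /usr/lib point), emits the extra fstab lines that bind them read-only, and reports whether a given mount is shared, slave or private, the property the question above turns on. The mountinfo excerpt and the paths are constructed for illustration.

```python
def _unescape(field):
    # mountinfo encodes space, tab, newline and backslash as octal escapes
    for esc, ch in (("\\040", " "), ("\\011", "\t"), ("\\012", "\n"), ("\\134", "\\")):
        field = field.replace(esc, ch)
    return field

def _propagation(tags):
    # optional fields: shared:N, master:N, unbindable; none of them means private
    for key, name in (("shared:", "shared"), ("master:", "slave"), ("unbindable", "unbindable")):
        if any(t.startswith(key) for t in tags):
            return name
    return "private"

def parse_mountinfo(text):
    """One dict per /proc/self/mountinfo line: mount point, options, propagation, fstype."""
    mounts = []
    for f in (line.split() for line in text.splitlines() if line.strip()):
        sep = f.index("-")  # optional fields run from index 6 up to the lone "-"
        mounts.append({"point": _unescape(f[4]), "opts": f[5].split(","),
                       "propagation": _propagation(f[6:sep]), "fstype": f[sep + 1]})
    return mounts

def _under(path, base):
    return path != base and path.startswith(base.rstrip("/") + "/")

def submounts(mounts, source, rootfs):
    """Mount points strictly below `source` (a bind of `source` alone leaves them
    out, as with /lib and /usr/lib here); the container tree itself is skipped."""
    return sorted(m["point"] for m in mounts if _under(m["point"], source)
                  and m["point"] != rootfs and not _under(m["point"], rootfs))

def fstab_lines(mounts, source, rootfs):
    """Extra fstab entries that bind each submount read-only into the container."""
    base = source.rstrip("/")
    return ["%s %s%s none ro,bind 0 0" % (p, rootfs, p[len(base):])
            for p in submounts(mounts, source, rootfs)]

def rootfs_propagation(mounts, rootfs):
    """Propagation type of the mount at `rootfs`, or None if nothing is mounted there."""
    return next((m["propagation"] for m in mounts if m["point"] == rootfs), None)

# Constructed mountinfo excerpt: host root on sda1, /lib and /usr/lib on their own
# devices, and a read-only bind of / already placed at the container rootfs.
MOUNTINFO = """\
21 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
35 21 8:2 / /lib rw,relatime shared:2 - ext4 /dev/sda2 rw
36 21 8:3 / /usr/lib rw,relatime master:2 - ext4 /dev/sda3 rw
40 21 8:1 / /var/lib/lxc/vm0/rootfs ro,relatime - ext4 /dev/sda1 rw
"""
```

On a live host, pass `open("/proc/self/mountinfo").read()` instead of the constructed excerpt; `fstab_lines(mounts, "/", "/var/lib/lxc/vm0/rootfs")` then yields the lines to append to the container's fstab, and `rootfs_propagation` tells you whether the rootfs mount is still shared with the host.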
