[Lxc-users] mount point isolation
Serge Hallyn
serge.hallyn at canonical.com
Thu Aug 16 21:36:43 UTC 2012
Quoting Stuart Yoder (b08248 at gmail.com):
> In the lxc.conf man page it says:
>
> The linux containers (lxc) are always created before being used. This
> creation defines a set of system resources to be virtualized / isolated
> when a process is using the container. By default, the pids, sysv ipc
> and mount points are virtualized and isolated.
>
> What does the mount point isolation really mean?
>
> If I do:
> lxc-execute -n foo /bin/bash
>
> In the container, which I assume has default isolation, I don't see any
> mount point isolation. I can still see all normal mount points from
> the host rootfs. So, trying to understand specifically what is meant
> by the statement about default isolation of mount points.
You get a copy of the original mount namespace. However, the host won't
see mount activity done in the container (unless you play games with
mount propagation).
If after
lxc-execute -n foo /bin/bash
you do
mount --bind /proc /mnt
then from a terminal on the host you won't see /proc under /mnt.
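The experiment described in the reply above, as an added example that is not part of the original thread or of LXC itself: a POSIX shell script that makes the isolation observable from the host side by reading /proc/PID/mountinfo and /proc/PID/ns/mnt. It uses util-linux unshare -m in place of lxc-execute (an assumption: any tool that creates a new mount namespace behaves the same way for this purpose), and the helper names mnt_ns_id, is_mounted_in, propagation_of_line and root_propagation_in are this example's own.

```shell
#!/bin/sh
# Added example for this thread (not LXC code): observe mount namespace
# isolation from the parent side. Assumes Linux and util-linux unshare(1)
# for the demo; the parsing helpers work on any mountinfo file.

# Mount namespace identity of a process, e.g. "mnt:[4026531840]".
# Two processes that report the same id share one mount table.
mnt_ns_id() {
    readlink "/proc/${1:-self}/ns/mnt"
}

# Exit 0 if $2 is a mount point listed in the mountinfo file $1
# (field 5 of a mountinfo line is the mount point).
is_mounted_in() {
    awk -v t="$2" '$5 == t { found = 1 } END { exit (found ? 0 : 1) }' "$1"
}

# Propagation type of one mountinfo line. The optional fields sit between
# field 7 and the "-" separator, for example:
#   36 35 98:0 /mnt1 /mnt2 rw,noatime master:1 - ext3 /dev/root rw
# No optional field means private; "shared:N" puts the mount in peer group N
# (mounts made below it propagate to the peers), "master:N" makes it a slave
# of group N (receives but never sends), "unbindable" is as named.
propagation_of_line() {
    opts=$(printf '%s\n' "$1" | awk '{
        for (i = 7; i <= NF && $i != "-"; i++) printf "%s ", $i
    }')
    shared=0; slave=0; unbindable=0
    for f in $opts; do
        case $f in
            shared:*)   shared=1 ;;
            master:*)   slave=1 ;;
            unbindable) unbindable=1 ;;
        esac
    done
    if   [ "$unbindable" = 1 ]; then echo unbindable
    elif [ "$shared" = 1 ] && [ "$slave" = 1 ]; then echo shared-slave
    elif [ "$shared" = 1 ]; then echo shared
    elif [ "$slave" = 1 ]; then echo slave
    else echo private
    fi
}

# Propagation type of the root mount ("/") in the mountinfo file $1.
root_propagation_in() {
    line=$(awk '$5 == "/" { print; exit }' "$1")
    propagation_of_line "$line"
}

# Serge's experiment with unshare -m standing in for lxc-execute: bind /proc
# over /mnt inside a fresh mount namespace, then check whether the parent
# namespace sees it. Needs root (CAP_SYS_ADMIN) and an existing /mnt.
demo() {
    if [ "$(id -u)" != 0 ] || ! command -v unshare >/dev/null 2>&1 || [ ! -d /mnt ]; then
        echo "demo skipped: needs root, util-linux unshare and a /mnt directory"
        return 0
    fi
    echo "parent mount namespace: $(mnt_ns_id self)"
    echo "child mount namespace:  $(unshare -m readlink /proc/self/ns/mnt)"
    echo "root propagation in parent: $(root_propagation_in /proc/self/mountinfo)"
    child_table=$(mktemp) || return 1
    # --make-rprivate cuts the peer-group link to the parent. A copied
    # namespace whose root is still "shared" (the systemd default) would let
    # the bind mount propagate back to the host: the "games with mount
    # propagation" caveat. util-linux unshare -m already defaults to private;
    # the explicit call keeps the demo honest on older versions.
    if ! unshare -m sh -c 'mount --make-rprivate / && mount --bind /proc /mnt &&
                           cat /proc/self/mountinfo' > "$child_table"; then
        echo "demo skipped: unshare/mount failed (sandboxed?)"
        rm -f "$child_table"
        return 0
    fi
    if is_mounted_in "$child_table" /mnt; then
        echo "child namespace:  /mnt is a mount point (bind of /proc)"
    fi
    if is_mounted_in /proc/self/mountinfo /mnt; then
        echo "parent namespace: /mnt is a mount point too (propagation leaked)"
    else
        echo "parent namespace: /mnt is not a mount point"
    fi
    rm -f "$child_table"
}

if [ "${1-}" = demo ]; then demo; fi
```

Run it as `sh mntns.sh` to load the helpers only, or `sudo sh mntns.sh demo` to perform the bind mount in a child namespace and confirm that the parent's own /proc/self/mountinfo does not list /mnt. The caveat Serge alludes to is visible in the mountinfo optional fields: a raw unshare(CLONE_NEWNS) (or `unshare -m --propagation unchanged`) copies the parent's mounts as members of the same peer groups, so if root_propagation_in reports `shared` for the parent and the child skips make-rprivate, the bind mount does appear on the host.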