[Lxc-users] mount point isolation
Stuart Yoder
b08248 at gmail.com
Thu Aug 16 22:04:25 UTC 2012
On Thu, Aug 16, 2012 at 4:36 PM, Serge Hallyn
<serge.hallyn at canonical.com> wrote:
> Quoting Stuart Yoder (b08248 at gmail.com):
>> In the lxc.conf man page it says:
>>
>> The linux containers (lxc) are always created before being used. This
>> creation defines a set of system resources to be virtualized / isolated
>> when a process is using the container. By default, the pids, sysv ipc
>> and mount points are virtualized and isolated.
>>
>> What does the mount point isolation really mean?
>>
>> If I do:
>> lxc-execute -n foo /bin/bash
>>
>> In the container, which I assume has default isolation, I don't see any
>> mount point isolation. I can still see all normal mount points from
>> the host rootfs. So, trying to understand specifically what is meant
>> by the statement about default isolation of mount points.
>
> You get a copy of the original mount namespace. However, the host won't
> see mount activity done in the container (unless you play games with
> mount propagation).
>
> If after
>
> lxc-execute -n foo /bin/bash
>
> you do
>
> mount --bind /proc /mnt
>
> then from a terminal on the host you won't see /proc under /mnt.
Ok, I see now. Thanks!
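One way to confirm from the host what Serge describes (this is an added example, not code from the thread or from lxc): compare the mount namespace of the container's shell with your own, and list the mount points that only it can see. It assumes Linux with /proc mounted and that you pass the PID of the process started by lxc-execute; reading another user's /proc/PID/mountinfo may need root.

```shell
#!/bin/sh
# Added example (not from the lxc-users thread): check whether a PID has its
# own mount namespace and which mount points are visible only inside it.

# Mount namespace identity of a PID, e.g. "mnt:[4026531840]".
mnt_ns_of() {
    readlink "/proc/$1/ns/mnt"
}

# Succeed (exit 0) only if both PIDs live in the same mount namespace.
same_mnt_ns() {
    [ "$(mnt_ns_of "$1")" = "$(mnt_ns_of "$2")" ]
}

# Mount points (field 5 of /proc/PID/mountinfo) seen by PID $1 but not by
# PID $2. Fields 1-5 of mountinfo are fixed, so field 5 is always the
# mount point even when optional fields follow.
mounts_only_in() {
    awk 'NR == FNR { seen[$5] = 1; next } !($5 in seen) { print $5 }' \
        "/proc/$2/mountinfo" "/proc/$1/mountinfo"
}

# Report on one PID relative to the calling shell (assumed to be on the host).
# Returns 1 when the PID shares our mount namespace, i.e. no isolation.
report() {
    pid=$1
    if same_mnt_ns "$pid" "$$"; then
        echo "PID $pid shares our mount namespace: no mount isolation"
        return 1
    fi
    echo "PID $pid is in $(mnt_ns_of "$pid"); we are in $(mnt_ns_of "$$")"
    echo "Mount points visible only inside PID $pid:"
    mounts_only_in "$pid" "$$" | sed 's/^/  /'
    return 0
}

# Usage: ./mntcheck.sh <pid>   (e.g. the bash from `lxc-execute -n foo /bin/bash`
# after running `mount --bind /proc /mnt` inside it: /mnt shows up here only)
if [ "$#" -ge 1 ]; then
    report "$1"
fi
```

Run it against the PID of the container's shell after the `mount --bind /proc /mnt` step from the thread; the `/mnt` entry appears in the "visible only inside" list while `ls /mnt` on the host stays empty.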