[Lxc-users] Container start unmounts shared bind mounts

Ivan Vilata i Balaguer ivan at selidor.net
Fri Feb 10 22:01:28 UTC 2012


Serge Hallyn (2012-02-10 16:05:19 +0100) wrote:

> Quoting Ivan Vilata i Balaguer (ivan at selidor.net):
>> Serge Hallyn (2012-02-09 19:30:29 +0100) wrote:
>> 
>> > Quoting Ivan Vilata i Balaguer (ivan at selidor.net):
>> >> Hi all.  I'm running Debian's LXC 0.7.5 under Linux 3.2.0.  I've set up
>> >> a shared mountpoint to dynamically export some host directories into one
>> >> container, like this::
>> >> 
>> >>   # mkdir -p /lxc-shared
>> >>   # mount --bind /lxc-shared /lxc-shared
>> >>   # mount --make-unbindable /lxc-shared
>> >>   # mount --make-shared /lxc-shared
>> >
>> > (I should think more before answering, but ...)
>> >
>> > What if you do 'mount --make-rslave /lxc-shared' here?  That should
>> > prevent the container's mount actions from being forwarded to the
>> > host.
>> 
>> Thanks for the suggestion!  That does prevent a starting container from
>> unmounting bind mounts under /lxc-shared in the host, *however* it also
>> renders (un)mounts performed after the --make-rslave invisible to any
>> container which had access to the directory.  E.g. imagine myvm has a
>
> Right, this was a quick test.  What you actually want to do is leave the
> mount shared on the host, and have the container startup turn it into a
> slave mount.  I'm not sure offhand what would be the best time to do this,
> but one thing you could do is use a wrapper around lxc-start like:
>
> mv /usr/bin/lxc-start /usr/bin/lxc-start.real
>
> cat > /usr/bin/lxc-start.mid << EOF
> mount --make-unbindable /lxc-shared
> mount --make-shared /lxc-shared
> exec /usr/bin/lxc-start.real $*
> EOF
>
> cat > /usr/bin/lxc-start << EOF
> lxc-unshare -s MOUNT -- /usr/bin/lxc-start.mid $*
> EOF
>
> chmod ugo+x /usr/bin/lxc-start{,.mid}
>
> You can probably do this through /var/lib/lxc/<container>/fstab entries,
> but it would take some tweaking.  We could also add support for this
> in the lxc config files.  I think it's a common enough request that it'd
> be worth doing.

Well, I'm actually trying on the host to mount and unmount file systems
I don't know beforehand *while myvm is running* under subdirectories in
/lxc-shared, but running myvm through the scripts you suggest creates a
new namespace so that myvm no longer sees mounts done by the host.
However, I can use a slight modification of your suggestion, namely
running myvm through normal lxc-start (so it uses the same namespace as
the host), and the other containers through those scripts (actually I
don't need --make-shared there).

The ideal solution for me would be making /lxc-shared shared, running
myvm and then doing something which allows mounts under /lxc-shared to
be seen only in the host and myvm but not in other containers started
normally.  But the previous solution comes quite close to it. :)

>> However, the question still remains: *Why on Earth does starting a
>> container unmount all bind mounts under a shared mount???*
>> 
>> Doesn't it look like a bug to you?
>
> No, when a container starts up, it mounts its new root under, say,
> /usr/lib/lxc/, and mounts other directories under there.  Then it
> does pivot_root (see man 8 pivot_root), so now /usr/lib/lxc is its
> '/', and the old '/' and all its submounts are now mounted on '/old'.
> Then the container startup recursively unmounts /old, including
> /old/lxc-shared.
>
> That umount of /old/lxc-shared is what is getting propagated to
> the host mount.

Ummm, now I see clearly what's going on there.  Thanks a lot for your
help and for the explanation! :)
-- 
Ivan Vilata i Balaguer -- https://elvil.net/
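Added example, not part of the thread and not LXC's own tooling: a small POSIX sh/awk check that reads the propagation state of a mount point from /proc/self/mountinfo, so an admin can confirm on the host that /lxc-shared is shared and, inside a container, that it has become a slave (master:N) rather than a full peer of the host's group. The interpretation of the optional fields (shared:N, master:N, unbindable) follows the mountinfo format documented in proc(5); the three mountinfo excerpts below are constructed samples, and the peer-group numbers in them are made up for illustration.

```shell
#!/bin/sh
# Constructed sample of /proc/self/mountinfo as the HOST might see it:
# /lxc-shared is a shared mount (peer group 5) with a bind mount of another
# filesystem underneath it (peer group 7).
HOST_MOUNTINFO='20 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
41 20 8:1 /lxc-shared /lxc-shared rw,relatime shared:5 - ext4 /dev/sda1 rw
57 41 8:17 / /lxc-shared/data rw,relatime shared:7 - ext4 /dev/sdb1 rw
70 20 8:1 /private /private rw,relatime - ext4 /dev/sda1 rw
71 20 8:1 /nobind /nobind rw,relatime unbindable - ext4 /dev/sda1 rw'

# Constructed sample as a container in its own mount namespace would see it
# after `mount --make-rslave /lxc-shared`: master:N means it receives events
# from peer group N but does not send any back to the host.
SLAVE_CONTAINER_MOUNTINFO='80 79 8:1 / / rw,relatime - ext4 /dev/sda1 rw
83 80 8:1 /lxc-shared /lxc-shared rw,relatime master:5 - ext4 /dev/sda1 rw
84 83 8:17 / /lxc-shared/data rw,relatime master:7 - ext4 /dev/sdb1 rw'

# Constructed sample for a container started with no slave/unshare step at
# all: it is still a full peer of group 5, so its recursive umount of the
# old root's lxc-shared is forwarded to the host (the thread's problem).
PEER_CONTAINER_MOUNTINFO='90 89 8:1 / / rw,relatime - ext4 /dev/sda1 rw
93 90 8:1 /lxc-shared /lxc-shared rw,relatime shared:5 - ext4 /dev/sda1 rw
94 93 8:17 / /lxc-shared/data rw,relatime shared:7 - ext4 /dev/sdb1 rw'

# propagation_of MOUNTPOINT MOUNTINFO_TEXT
# Classifies the first mountinfo line whose mount point (field 5) matches:
# shared, slave, shared+slave, unbindable or private.
propagation_of() {
    printf '%s\n' "$2" | awk -v mp="$1" '
        $5 == mp {
            shared = 0; slave = 0; unbind = 0
            # optional fields start at field 7 and end at the "-" separator
            for (i = 7; i <= NF && $i != "-"; i++) {
                if ($i ~ /^shared:/) shared = 1
                else if ($i ~ /^master:/) slave = 1
                else if ($i == "unbindable") unbind = 1
            }
            if (unbind) print "unbindable"
            else if (shared && slave) print "shared+slave"
            else if (shared) print "shared"
            else if (slave) print "slave"
            else print "private"
            exit
        }'
}

# peer_group_of MOUNTPOINT MOUNTINFO_TEXT
# Prints the peer-group id N from the first shared:N or master:N field
# (empty output if the mount is private or unbindable).
peer_group_of() {
    printf '%s\n' "$2" | awk -v mp="$1" '
        $5 == mp {
            for (i = 7; i <= NF && $i != "-"; i++)
                if ($i ~ /^(shared|master):/) { split($i, a, ":"); print a[2]; exit }
            exit
        }'
}

# propagates_to_host MOUNTPOINT CONTAINER_MOUNTINFO HOST_MOUNTINFO
# Succeeds (status 0) when a mount/umount of MOUNTPOINT done in the container
# would be forwarded to the host: the container's mount is a plain shared
# mount in the same peer group as the host's mount.  A slave (master:N) only
# receives events, and a slave with its own shared group (shared+slave)
# propagates only to that new group, never back to the host.
propagates_to_host() {
    cprop=$(propagation_of "$1" "$2")
    cgrp=$(peer_group_of "$1" "$2")
    hgrp=$(peer_group_of "$1" "$3")
    [ "$cprop" = shared ] && [ -n "$cgrp" ] && [ "$cgrp" = "$hgrp" ]
}

# Usage on a live system (reading mountinfo needs no special privilege):
#   propagation_of /lxc-shared "$(cat /proc/self/mountinfo)"
#   peer_group_of  /lxc-shared "$(cat /proc/self/mountinfo)"
```

Run the first two functions on the host and then inside each container (for example via lxc-attach or a shell started in the container) and compare the peer-group ids: the host's /lxc-shared should report shared:N, a correctly configured container should report master:N with the same N, and any container that reports shared:N with that same N is one whose startup umount of the old root will reach the host.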