[Lxc-users] Container start unmounts shared bind mounts

Serge Hallyn serge.hallyn at canonical.com
Fri Feb 10 23:08:10 UTC 2012


Quoting Ivan Vilata i Balaguer (ivan at selidor.net):
> Serge Hallyn (2012-02-10 16:05:19 +0100) wrote:
> 
> > Quoting Ivan Vilata i Balaguer (ivan at selidor.net):
> >> Serge Hallyn (2012-02-09 19:30:29 +0100) wrote:
> >> 
> >> > Quoting Ivan Vilata i Balaguer (ivan at selidor.net):
> >> >> Hi all.  I'm running Debian's LXC 0.7.5 under Linux 3.2.0.  I've set up
> >> >> a shared mountpoint to dynamically export some host directories into one
> >> >> container, like this::
> >> >> 
> >> >>   # mkdir -p /lxc-shared
> >> >>   # mount --bind /lxc-shared /lxc-shared
> >> >>   # mount --make-unbindable /lxc-shared
> >> >>   # mount --make-shared /lxc-shared
> >> >
> >> > (I should think more before answering, but ...)
> >> >
> >> > What if you do 'mount --make-rslave /lxc-shared' here?  That should
> >> > prevent the container's mount actions from being forwarded to the
> >> > host.
> >> 
> >> Thanks for the suggestion!  That does prevent a starting container from
> >> unmounting bind mounts under /lxc-shared in the host, *however* it also
> >> renders (un)mounts performed after the --make-rslave invisible to any
> >> container which had access to the directory.  E.g. imagine myvm has a
> >
> > Right, this was a quick test.  What you actually want to do is leave the
> > mount shared on the host, and have the container startup turn it into a
> > slave mount.  I'm not sure offhand what would be the best time to do this,
> > but one thing you could do is use a wrapper around lxc-start like:
> >
> > mv /usr/bin/lxc-start /usr/bin/lxc-start.real
> >
> > cat > /usr/bin/lxc-start.mid << EOF
> > mount --make-unbindable /lxc-shared
> > mount --make-shared /lxc-shared

Oops, this isn't right.  I think I just meant

cat > /usr/bin/lxc-start.mid << 'EOF'
#!/bin/sh
# runs in the mount namespace made by lxc-unshare, so the host side stays shared
mount --make-rslave /lxc-shared
exec /usr/bin/lxc-start.real "$@"
EOF

> > exec /usr/bin/lxc-start.real $*
> > EOF
> >
> > cat > /usr/bin/lxc-start << 'EOF'
> > #!/bin/sh
> > exec lxc-unshare -s MOUNT -- /usr/bin/lxc-start.mid "$@"
> > EOF
> >
> > chmod ugo+x /usr/bin/lxc-start{,.mid}
> >
> > You can probably do this through /var/lib/lxc/<container>/fstab entries,
> > but it would take some tweaking.  We could also add support for this
> > in the lxc config files.  I think it's a common enough request that it'd
> > be worth doing.
> 
> Well, I'm actually trying on the host to mount and unmount file systems
> I don't know beforehand *while myvm is running* under subdirectories in
> /lxc-shared,

You've lost me here (I don't understand what you're saying), but

> but running myvm through the scripts you suggest creates a
> new namespace so that myvm no longer sees mounts done by the host.

Note that you're still supposed to do

	mount --bind /lxc-shared /lxc-shared
	mount --make-shared /lxc-shared

at host boot.  Then creating a new namespace shouldn't stop myvm from
seeing new mounts done by the host.  The reason I was creating that new
namespace was so that the mount --make-rslave wouldn't happen in the
host's namespace.

But in any case, like I say I think it'd be worth adding explicit
support through the config file for this.

thanks,
-serge
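The wrapper pair and the host-side setup discussed in this thread, as an added example that is not part of the original messages or of the LXC project: it writes the two scripts to a directory you choose (nothing under /usr/bin is touched unless you pass that path), with the heredoc delimiter and `"$@"` handled so the generated scripts receive their arguments, and adds a helper that reads the propagation flags of a mountpoint from /proc/self/mountinfo so you can confirm the host copy stays `shared` while the container-side copy becomes `slave`. The real lxc-start path and the shared directory are parameters; the sample mountinfo lines in the usage note are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Generates the lxc-start wrapper pair
# Serge describes and gives a way to check mount propagation afterwards.

# write_lxc_start_wrappers DIR REAL_LXC_START SHARED_DIR
#   DIR/lxc-start       enters a fresh mount namespace via lxc-unshare
#   DIR/lxc-start.mid   turns SHARED_DIR into a recursive slave there, then
#                       execs REAL_LXC_START with the original arguments.
#   The slave flag is set inside the new namespace only, so the host's copy
#   of SHARED_DIR stays shared and later host mounts still reach the container.
write_lxc_start_wrappers() {
    dir=$1; real=$2; shared=$3
    mkdir -p "$dir"
    # Unquoted heredoc: $real and $shared expand now; \$@ is written literally
    # as "$@" (an unquoted $* with an unquoted EOF, as in the original, would
    # have expanded to nothing while the file was being written).
    cat > "$dir/lxc-start.mid" <<EOF
#!/bin/sh
# Runs in the mount namespace made by lxc-unshare, so the host stays shared.
mount --make-rslave "$shared"
exec "$real" "\$@"
EOF
    cat > "$dir/lxc-start" <<EOF
#!/bin/sh
exec lxc-unshare -s MOUNT -- "$dir/lxc-start.mid" "\$@"
EOF
    chmod 755 "$dir/lxc-start" "$dir/lxc-start.mid"
}

# mount_propagation MOUNTPOINT [MOUNTINFO]
#   Prints shared, slave, shared-slave, unbindable, private or absent for
#   MOUNTPOINT. mountinfo field 5 is the mount point; the optional fields
#   (shared:N, master:N, unbindable) follow field 6 and end at "-".
#   The last matching line wins, which is the visible mount when overmounted.
mount_propagation() {
    mp=$1; info=${2:-/proc/self/mountinfo}
    awk -v mp="$mp" '
        $5 == mp {
            s = ""; p = ""
            for (i = 7; i <= NF && $i != "-"; i++) {
                if ($i ~ /^shared:/)    s = "shared"
                if ($i ~ /^master:/)    p = "slave"
                if ($i ~ /^unbindable/) s = "unbindable"
            }
            if (s != "" && p != "")   r = s "-" p
            else if (s != "")         r = s
            else if (p != "")         r = p
            else                      r = "private"
        }
        END { if (r == "") r = "absent"; print r }' "$info"
}

# host_demo SHARED_DIR
#   Root-only: the host-boot setup from the thread (bind mount on itself,
#   then make it shared) followed by the propagation check. The rslave step
#   is deliberately absent here; it belongs in the wrapper's own namespace.
host_demo() {
    [ "$(id -u)" = 0 ] || { echo "host_demo needs root" >&2; return 1; }
    mkdir -p "$1"
    mount --bind "$1" "$1"
    mount --make-shared "$1"
    echo "host propagation for $1: $(mount_propagation "$1")"
}

# Only acts when explicitly requested, e.g. LXC_SHARED_DEMO=/lxc-shared sh thisfile
if [ -n "${LXC_SHARED_DEMO:-}" ]; then
    host_demo "$LXC_SHARED_DEMO"
fi
```

Usage: `write_lxc_start_wrappers /usr/local/lib/lxc-wrap /usr/bin/lxc-start.real /lxc-shared` produces the two scripts; after the host-boot setup, `mount_propagation /lxc-shared` should print `shared` on the host, and running the same check from inside the wrapper's namespace (for instance from lxc-start.mid before the exec) prints `slave`. If it prints `private` on the host, the `--make-shared` step was skipped or undone and container unmounts will again propagate nowhere useful, while a host that reports `slave` means the rslave ran in the host namespace, which is the symptom described earlier in the thread.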
