[lxc-users] Why can proc not be remounted read-only inside a container?

Stéphane Graber stgraber at ubuntu.com
Fri Jan 17 01:38:21 UTC 2014


On Thu, Jan 16, 2014 at 05:33:06PM -0800, Aaron Staley wrote:
> I'm trying to run an application that works fine on my host inside a
> container.
> 
> The application executes:
> mount -t proc -o ro proc /mnt/remount_point
> But this command errors:
> mount: cannot mount block device proc read-only
> 
> mounting read-write (mount -t proc proc /mnt/remount_point) does work
> however.
> 
> I'd rather not modify the application.  Is there some LXC option/other
> issue blocking a RO mount of proc?
> 
> Thanks,
> Aaron

This is likely blocked by apparmor. You can disable apparmor for this
container with lxc.aa_profile = unconfined or write your own profile in
/etc/apparmor.d/lxc/, then reload the profiles (/etc/init.d/apparmor
reload) and set lxc.aa_profile to the new profile's name.

However note that blocking proc mounts was done for a very good reason
and that by allowing this, you should consider this container as unsafe
and not trust it to anyone you wouldn't trust to give root access to the
host.

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
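As an added example, not part of this thread and not LXC's own tooling: a POSIX shell script that does what the reply recommends (write a profile under /etc/apparmor.d/lxc/, reload, set lxc.aa_profile) and, more usefully for an operator, audits which containers on a host have been weakened that way. It assumes the LXC 1.x config key lxc.aa_profile, the stock profile name lxc-container-default, the abstractions/lxc/container-base abstraction that LXC ships on Ubuntu, container configs under /var/lib/lxc/NAME/config, and that an AppArmor mount rule of the form "mount options=(ro) fstype=proc -> /path/," is the narrowest rule that would let the quoted mount through. The profile name lxc-proc-ro and the sample configs in the test are made up.

```shell
#!/bin/sh
# Added example for the lxc-users thread above; not LXC's own code.
# Assumptions: LXC 1.x key lxc.aa_profile, default profile
# lxc-container-default, profiles in /etc/apparmor.d/lxc/, configs in
# /var/lib/lxc/<name>/config. The profile name lxc-proc-ro is made up.

DEFAULT_PROFILE="lxc-container-default"
PROFILE_DIR="/etc/apparmor.d/lxc"

# Print the profile a container config selects. The last lxc.aa_profile
# line wins; no such line means the default profile applies.
aa_profile_of() {
    prof=$(sed -n 's/^[[:space:]]*lxc\.aa_profile[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1)
    if [ -n "$prof" ]; then
        echo "$prof"
    else
        echo "$DEFAULT_PROFILE"
    fi
}

# Classify a config as default (stock confinement), unconfined (AppArmor
# off, the first option in the reply) or custom (a profile from
# /etc/apparmor.d/lxc/, the second option). Per the reply, the last two
# classes are containers whose users must be trusted with host root.
aa_trust_class() {
    case "$(aa_profile_of "$1")" in
        "$DEFAULT_PROFILE") echo default ;;
        unconfined)         echo unconfined ;;
        *)                  echo custom ;;
    esac
}

# List every container under a directory whose confinement is not stock:
# name, class and profile name, tab separated.
audit_lxc_dir() {
    for cfg in "$1"/*/config; do
        [ -f "$cfg" ] || continue
        cls=$(aa_trust_class "$cfg")
        [ "$cls" = default ] && continue
        printf '%s\t%s\t%s\n' "$(basename "$(dirname "$cfg")")" "$cls" "$(aa_profile_of "$cfg")"
    done
}

# Emit a profile that keeps the stock abstraction and adds only a read-only
# proc mount at one mountpoint. Rule syntax per apparmor.d(5); that this one
# rule is sufficient on a given kernel/AppArmor version is an assumption to
# confirm in dmesg (DENIED lines) after reloading.
gen_proc_ro_profile() {
    cat <<EOF
# Loaded through /etc/apparmor.d/lxc-containers, which sources this directory.
profile $1 flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>

  # Same devpts denial as the stock lxc-container-default profile.
  deny mount fstype=devpts,

  # Allow proc, read-only, at exactly this mountpoint and nowhere else.
  mount options=(ro) fstype=proc -> $2,
}
EOF
}

# Install the profile and point one container at it. Needs root; the reload
# command is the one given in the reply. Not exercised by the test.
install_proc_ro_profile() {
    name="$1"; target="$2"; config="$3"
    gen_proc_ro_profile "$name" "$target" > "$PROFILE_DIR/$name"
    /etc/init.d/apparmor reload
    printf 'lxc.aa_profile = %s\n' "$name" >> "$config"
}

# Command-line use on a host: ./lxc-aa-audit.sh audit [/var/lib/lxc]
if [ "${1:-}" = audit ]; then
    audit_lxc_dir "${2:-/var/lib/lxc}"
fi
```

Run the audit before and after handing a container to anyone: every line it prints is a container the reply says to treat as host-root equivalent. The custom profile is still preferable to unconfined because it keeps the rest of the container-base abstraction in force, but it does not change that judgement. Later LXC releases renamed the key to lxc.apparmor.profile; the sed pattern would need that spelling as well on such hosts.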