[lxc-users] shared mount and umount propagation.

Serge Hallyn serge.hallyn at ubuntu.com
Fri Mar 7 23:39:07 UTC 2014


Quoting Craig Ruff (cruff at ucar.edu):
> On Thu, Mar 06, 2014 at 12:03:53PM -0600, Serge Hallyn wrote:
> > That should now be fixed in git, as all of / gets mounted MS_SLAVE
> > if / is found to be shared.  Now if only /media is shared and not
> > /, I suppose that's a different case.
> 
> I am seeing a similar issue, where the host's / itself is not shared
> (i.e. the container has a private root file system), and a directory
> below root with sharing set has anything mounted below it.
> 
> Example:
> 
> Host setup (/d is used on the host itself, / is not shared):
>     mount --bind /d /d
>     mount --make-shared /d
>     mount --bind /d /containers/d
>     mount --make-slave /containers/d
>     mount --make-shared /containers/d
>     mount x /d/a
> 
> Container configuration file contains:
>     lxc.rootfs = /containers/s/rootfs
>     lxc.mount = /containers/s/lxc.fstab
>     lxc.hook.pre-mount = /usr/local/containers/hooks/premount
> 
> Container lxc.fstab contains:
>     /containers/d /containers/s/rootfs/d none rbind,create=dir 0 0
> 
> Using this setup, anything mounted under /d will then appear in the
> container regardless of the ordering of the mount and container start.
> Mounts and unmounts done on the host will propagate into the containers.
> Unless the premount hook runs a "mount --make-rshared /" (or in this
> case "mount --make-rshared /d" would suffice), the lxc-start will

Now this is interesting, because what you say suggests that doing

mount --make-rshared

actually moves the directory into a new peer group, which I didn't
realize was the case.

> cause /d/a to be unmounted from the host's /d/a.
> 
> That was certainly unexpected behavior!  Since I have not used
> LXC containers extensively, I don't know if this is the desired
> behavior, but it certainly needs better documentation if that
> is the case.

Yeah.  Mount propagation has been around since 2005, but we're not
dealing with it very well.

So the reason I don't just have a
mount("", "/", NULL, MS_SLAVE|MS_REC, 0) unconditionally at container
start is twofold - first, some people have perfectly fine non-shared
non-slave / and don't want it turned *into* a slave.  Second, on
some systems that fails for reasons as yet unknown to me (could be
as mundane as apparmor).

So I guess a new function which walks all mounts and pulls them into
a new peer group if they are shared, would be good.

Volunteers?

-serge
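
A sketch of the walk-all-mounts function proposed above, added here as an example (it is not LXC's code): it reads /proc/self/mountinfo in the format documented in proc(5), picks out the entries carrying a "shared:N" optional field, and makes only those MS_SLAVE, so a / that is already private or slave is left untouched. The mountinfo lines below are constructed sample input, and the mount(2) call assumes CAP_SYS_ADMIN in the calling mount namespace.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>

/* Constructed sample: / private, /d shared (peer group 5),
 * /containers/d shared in its own group and a slave of /d. */
static const char SAMPLE_MOUNTINFO[] =
    "20 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw\n"
    "35 20 8:1 /d /d rw,relatime shared:5 - ext4 /dev/sda1 rw\n"
    "40 20 8:1 /d /containers/d rw shared:6 master:5 - ext4 /dev/sda1 rw\n";

/* Parse one mountinfo line: field 5 is the mount point; optional fields
 * (7.. up to the lone "-") carry "shared:N" for a shared mount. Returns 1 if
 * shared (mount point copied into mp), 0 if not, -1 if malformed. */
int mountinfo_shared(const char *line, char *mp, size_t mplen)
{
    char *copy = strdup(line), *save = NULL, *tok;
    int field = 0, shared = 0;
    if (!copy) return -1;
    for (tok = strtok_r(copy, " \n", &save); tok; tok = strtok_r(NULL, " \n", &save)) {
        field++;
        if (field == 5)
            snprintf(mp, mplen, "%s", tok);      /* "\040" escapes left as-is */
        else if (field > 6 && strcmp(tok, "-") == 0)
            break;                               /* end of the optional fields */
        else if (field > 6 && strncmp(tok, "shared:", 7) == 0)
            shared = 1;
    }
    free(copy);
    return field < 6 ? -1 : shared;
}

/* Walk the mounts listed in f and make each shared one MS_SLAVE: a slave still
 * receives events from its master but sends none back, so an umount inside the
 * container stops reaching the host. With dry_run set nothing is changed; the
 * number of shared mounts seen is returned either way. */
int slave_shared_mounts(FILE *f, int dry_run)
{
    char line[4096], mp[4096];
    int count = 0;
    while (fgets(line, sizeof line, f)) {
        if (mountinfo_shared(line, mp, sizeof mp) != 1) continue;
        count++;
        if (!dry_run && mount(NULL, mp, NULL, MS_SLAVE, NULL) < 0)
            perror(mp);                          /* needs CAP_SYS_ADMIN */
    }
    return count;
}
```

For a real walk, pass `fopen("/proc/self/mountinfo", "r")` and `dry_run = 0`; a dry run over the constructed sample reports 2 shared mounts (/d and /containers/d) and leaves / alone.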
