[lxc-users] lxc.mount.entry selectively mount parts of sys and proc read write
GC
catchall at gc9.org
Sat Mar 22 02:08:08 UTC 2014
On 03/21/2014 07:15 AM, Serge Hallyn wrote:
> Quoting GC (catchall at gc9.org):
>> Hello,
>>
>> I want to selectively mount parts of sys and proc rw, but the rest
>> ro. I thought I might be able to e.g., mount /sys ro (in the
>> container), and mount /.sys rw (in the container), then bind mount
>> bits from /.sys to /sys, and finally hide the rw /.sys by mounting
>> another directory on top of it, like:
>>
>> lxc.mount.entry = sysfs sys sysfs ro 0 0
>> lxc.mount.entry = sysfs .sys sysfs rw 0 0 # (dot)sys
>>
>> lxc.mount.entry = /var/lib/lxc/container/.sys/module/ipv6 sys/module/ipv6 none defaults,bind 0 0
>> # or alternatively (also doesn't work) this instead of line above
>> #lxc.mount.entry = .sys/module/ipv6 sys/module/ipv6 none defaults,bind 0 0
>>
>> lxc.mount.entry = /var/lib/lxc/dummy_mount .sys none ro,bind 0 0
>>
>>
>> The part where I try to perform the bind mount of the read/write
>> .sys/module/ipv6 (in the container) on top of the read only
>> sys/module/ipv6 (in the container) fails. Is there a way to get
>> this to work?
> Wouldn't it be simpler to simply bind mount /sys ro from the host,
> then bind-mount /sys/module/ipv6 from the host rw into the container?
I thought there would be issues with namespace support. I thought it
would break network namespaces, which appears to be wrong from your
comment. But, I also don't see how this can work with user namespaces,
since root in container will not be able to write to the host's /sys, if
it is bind mounted. I'm still trying to get a container to work with
user namespaces, so my assumption that writes will work to /sys, mounted
rw via lxc.mount.entry, is untested.
>
> I assume your container won't have cap_sys_admin to prevent remounting?
Correct.
Thnx,
g
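As an added example that is not part of the thread, the layering Serge suggests written out in the lxc.mount.entry syntax the original post uses: one read-only bind of the host's /sys, then a read-write bind of a single subtree on top of it, plus the capability drop Serge asks about so the container cannot simply remount /sys. The container name and the exact subtree are assumptions carried over from the post.

```ini
# Added example, not config from the thread. Targets are relative to the
# container rootfs, as in the original post.

# 1. Bind the host's /sys into the container read-only. LXC honours "ro"
#    on a bind mount by remounting the bind read-only after creating it.
lxc.mount.entry = /sys sys none ro,bind 0 0

# 2. Layer a read-write bind of one subtree on top. Order matters: this
#    entry must come after the ro bind so it is mounted inside it. Writes
#    here go straight to the host kernel's sysfs for that subtree, so keep
#    the list of rw subtrees as short as possible.
lxc.mount.entry = /sys/module/ipv6 sys/module/ipv6 none defaults,bind 0 0

# 3. Without CAP_SYS_ADMIN the container cannot remount /sys read-write
#    or mount a fresh sysfs over it, which is what keeps step 1 effective.
lxc.cap.drop = sys_admin
```

With user namespaces (lxc.id_map) in play, container root is an unprivileged uid on the host, so whether the kernel accepts writes under the rw subtree depends on sysfs permission checks rather than on the mount flags; the thread leaves that case untested.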