[lxc-users] lxc.mount.entry selectively mount parts of sys and proc read write
GC
catchall at gc9.org
Sat Mar 22 04:41:22 UTC 2014
On 03/21/2014 09:11 PM, Serge Hallyn wrote:
> Quoting GC (catchall at gc9.org):
>> On 03/21/2014 07:15 AM, Serge Hallyn wrote:
>>> Quoting GC (catchall at gc9.org):
>>>> Hello,
>>>>
>>>> I want to selectively mount parts of sys and proc rw, but the rest
>>>> ro. I thought I might be able to e.g., mount /sys ro (in the
>>>> container), and mount /.sys rw (in the container), then bind mount
>>>> bits from /.sys to /sys, and finally hide the rw /.sys by mounting
>>>> another directory on top of it, like:
>>>>
>>>> lxc.mount.entry = sysfs sys sysfs ro 0 0
>>>> lxc.mount.entry = sysfs .sys sysfs rw 0 0 # (dot)sys
>>>>
>>>> lxc.mount.entry = /var/lib/lxc/container/.sys/module/ipv6
>>>> sys/module/ipv6 none defaults,bind 0 0
>>>> # or alternatively (also doesn't work) this instead of line above
>>>> #lxc.mount.entry = .sys/module/ipv6 sys/module/ipv6 none defaults,bind 0 0
>>>>
>>>> lxc.mount.entry = /var/lib/lxc/dummy_mount .sys none ro,bind 0 0
>>>>
>>>>
>>>> The part where I try to perform the bind mount of the read/write
>>>> .sys/module/ipv6 (in the container) on top of the read only
>>>> sys/module/ipv6 (in the container) fails. Is there a way to get
>>>> this to work?
>>> Wouldn't it be simpler to simply bind mount /sys ro from the host,
>>> then bind-mount /sys/module/ipv6 from the host rw into the container?
>> I thought there would be issues with namespace support. I thought
>> it would break network namespaces, which appears to be wrong from
> Oh - yeah, right you are.
>
Still looking at docs, but I think it should be possible, but not as
clean as if lxc.mount.entry did it. From docs it looks like I can get a
descriptor from /proc/containerPID/ns/mnt, and use setns to join the
container's mount namespace, and then do the bind mounts. Seems there
must be an easier/better way though.
Ideas?
Or, feature request?
g
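The alternative Serge suggests (bind the host's /sys read-only, then bind one subtree read-write on top of it) written out as lxc.mount.entry lines. This is an added example, not configuration from the thread: the ipv6 module name is the thread's, the host paths and the claim that lxc performs the extra remount for a read-only bind are assumptions to check against the lxc version in use.

```ini
# Added example (not from the thread). Assumes a host where sysfs is at
# /sys and lxc handles "ro" on bind entries by doing the second
# MS_REMOUNT|MS_BIND|MS_RDONLY mount itself; verify from inside the
# container with: grep ' /sys' /proc/self/mounts

# 1. The whole host sysfs into the container, read-only. Writable sysfs
#    lets a container change host-wide kernel state, so ro is the default.
lxc.mount.entry = /sys sys none ro,bind 0 0

# 2. One subtree mounted read-write on top of the read-only tree. Order
#    matters: this entry must follow the ro entry so it lands on top.
#    Writes under sys/module/ipv6/parameters change a host-wide module
#    parameter, so expose only the subtree that is actually required.
lxc.mount.entry = /sys/module/ipv6 sys/module/ipv6 none rw,bind 0 0
```

After the container starts, /proc/self/mounts inside it should list two sysfs entries: one for /sys with the ro option and one for /sys/module/ipv6 with rw. If the first shows rw, the read-only remount was not applied and the whole tree is writable, which is the condition to treat as a misconfiguration.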