[lxc-users] lxc.mount.entry selectively mount parts of sys and proc read write

Serge Hallyn serge.hallyn at ubuntu.com
Tue Mar 25 00:10:51 UTC 2014


Quoting GC (catchall at gc9.org):
> On 03/21/2014 09:11 PM, Serge Hallyn wrote:
> >Quoting GC (catchall at gc9.org):
> >>On 03/21/2014 07:15 AM, Serge Hallyn wrote:
> >>>Quoting GC (catchall at gc9.org):
> >>>>Hello,
> >>>>
> >>>>I want to selectively mount parts of sys and proc rw, but the rest
> >>>>ro.  I thought I might be able to e.g., mount /sys ro (in the
> >>>>container), and mount /.sys rw (in the container), then bind mount
> >>>>bits from /.sys to /sys, and finally hide the rw /.sys by mounting
> >>>>another directory on top of it, like:
> >>>>
> >>>>lxc.mount.entry = sysfs sys sysfs ro 0 0
> >>>>lxc.mount.entry = sysfs .sys sysfs rw 0 0        # (dot)sys
> >>>>
> >>>>lxc.mount.entry = /var/lib/lxc/container/.sys/module/ipv6
> >>>>sys/module/ipv6 none defaults,bind 0 0
> >>>># or alternatively (also doesn't work) this instead of line above
> >>>>#lxc.mount.entry = .sys/module/ipv6 sys/module/ipv6 none defaults,bind 0 0
> >>>>
> >>>>lxc.mount.entry = /var/lib/lxc/dummy_mount .sys none ro,bind 0 0
> >>>>
> >>>>
> >>>>The part where I try to perform the bind mount of the read/write
> >>>>.sys/module/ipv6 (in the container) on top of the read only
> >>>>sys/module/ipv6  (in the container) fails.  Is there  a way to get
> >>>>this to work?
> >>>Wouldn't it be simpler to simply bind mount /sys ro from the host,
> >>>then bind-mount /sys/module/ipv6 from the host rw into the container?
> >>I thought there would be issues with namespace support.  I thought
> >>it would break network namespaces, which appears to be wrong from
> >Oh - yeah, right you are.
> >
> 
> Still looking at docs, but I think it should be possible, but not as
> clean as if lxc.mount.entry did it.  From docs it looks like I can
> get a descriptor from /proc/containerPID/ns/mnt, and use setns to
> join the container's mount namespace, and then do the bind mounts.

You'd want to also setns to the container netns so as to get the
right /sys/class/net, of course.

> Seems there must be an easier/better way though.
> 
> Ideas?

(Without looking back at previous messages,) Have you tried using a
mount hook?

> Or, feature request?

You might be able to convince someone to implement 'lxc.mount.auto =
sys:mixed', however this is well served by apparmor/selinux...

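The mount hook Serge suggests, written out as an added example (not code from the thread or from LXC itself). It assumes lxc.hook.mount runs inside the container's mount and network namespaces with LXC_ROOTFS_MOUNT set, and that sys is left out of lxc.mount.auto / lxc.mount.entry; the MOUNT variable is a hypothetical dry-run switch.

```shell
#!/bin/sh
# Constructed example of an LXC mount hook (lxc.hook.mount = /path/to/hook).
# Assumed: LXC runs it inside the container's mount and network namespaces
# and exports LXC_ROOTFS_MOUNT, the path the rootfs is mounted at.
# Result: /sys is read-only except the listed subtrees, which stay rw.
set -eu

MOUNT="${MOUNT:-mount}"   # set MOUNT=echo or MOUNT=: for a dry run

# A subtree is only acceptable as a plain relative path: no leading slash,
# no empty or '.' component and no '..' that could escape /sys.
valid_subpath() {
    case "$1" in
        ''|/*|*/|*//*|..|../*|*/..|*/../*|.|./*|*/.|*/./*) return 1 ;;
    esac
    return 0
}

# setup_sysfs ROOTFS SUBPATH...
setup_sysfs() {
    rootfs="$1"; shift
    for p in "$@"; do
        valid_subpath "$p" || { echo "hook: rejecting sysfs path '$p'" >&2; return 1; }
    done
    # A fresh sysfs mounted from inside the container's netns shows the
    # container's own /sys/class/net, unlike a bind of the host's /sys.
    $MOUNT -t sysfs -o nosuid,nodev,noexec sysfs "$rootfs/sys"
    # Bind each writable subtree onto itself while the parent is still rw;
    # the bind keeps its own (rw) per-mount flags afterwards.
    for p in "$@"; do
        $MOUNT --bind "$rootfs/sys/$p" "$rootfs/sys/$p"
    done
    # Flip only the top-level sysfs mount to read-only; a bind remount of
    # the parent does not touch the submounts created above.
    $MOUNT -o remount,bind,ro,nosuid,nodev,noexec "$rootfs/sys"
}

# Only act when invoked by LXC; sourcing the file elsewhere leaves it inert.
if [ -n "${LXC_ROOTFS_MOUNT:-}" ]; then
    setup_sysfs "$LXC_ROOTFS_MOUNT" module/ipv6
fi
```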