[lxc-users] lxc.mount.entry selectively mount parts of sys and proc read write

catchall catchall at gc9.org
Wed Mar 26 17:32:59 UTC 2014



On 03/24/2014 05:10 PM, Serge Hallyn wrote:
> Quoting GC (catchall at gc9.org):
>> On 03/21/2014 09:11 PM, Serge Hallyn wrote:
>>> Quoting GC (catchall at gc9.org):
>>>> On 03/21/2014 07:15 AM, Serge Hallyn wrote:
>>>>> Quoting GC (catchall at gc9.org):
>>>>>> Hello,
>>>>>>
>>>>>> I want to selectively mount parts of sys and proc rw, but the rest
>>>>>> ro.  I thought I might be able to e.g., mount /sys ro (in the
>>>>>> container), and mount /.sys rw (in the container), then bind mount
>>>>>> bits from /.sys to /sys, and finally hide the rw /.sys by mounting
>>>>>> another directory on top of it, like:
>>>>>>
>>>>>> lxc.mount.entry = sysfs sys sysfs ro 0 0
>>>>>> lxc.mount.entry = sysfs .sys sysfs rw 0 0        # (dot)sys
>>>>>>
>>>>>> lxc.mount.entry = /var/lib/lxc/container/.sys/module/ipv6
>>>>>> sys/module/ipv6 none defaults,bind 0 0
>>>>>> # or alternatively (also doesn't work) this instead of line above
>>>>>> #lxc.mount.entry = .sys/module/ipv6 sys/module/ipv6 none defaults,bind 0 0
>>>>>>
>>>>>> lxc.mount.entry = /var/lib/lxc/dummy_mount .sys none ro,bind 0 0
>>>>>>
>>>>>>
>>>>>> The part where I try to perform the bind mount of the read/write
>>>>>> .sys/module/ipv6 (in the container) on top of the read only
>>>>>> sys/module/ipv6 (in the container) fails.  Is there a way to get
>>>>>> this to work?
>>>>> Wouldn't it be simpler to simply bind mount /sys ro from the host,
>>>>> then bind-mount /sys/module/ipv6 from the host rw into the container?
>>>> I thought there would be issues with namespace support.  I thought
>>>> it would break network namespaces, which appears to be wrong from
>>> Oh - yeah, right you are.
>>>
>>
>> Still looking at docs, but I think it should be possible, but not as
>> clean as if lxc.mount.entry did it.  From docs it looks like I can
>> get a descriptor from /proc/containerPID/ns/mnt, and use setns to
>> join the container's mount namespace, and then do the bind mounts.
>
> You'd want to also setns to the container netns so as to get the
> right /sys/class/net, of course.
>
>> Seems there must be an easier/better way though.
>>
>> Ideas?
>
> (Without looking back at previous messages,) Have you tried using a
> mount hook?
>

Whenever I try to use any of the mount hooks, I get this error and the 
container doesn't start:

lxc-start: command get_cgroup failed to receive response


I even tried a hook script that didn't do anything, just ran a single 
"echo", so it isn't the content of the script.

I am running lxc version: 1.0.0.alpha2.

g
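A mount hook along the lines Serge suggests, as an added example that is not from the thread or from the LXC project: it keeps the `lxc.mount.entry = sysfs sys sysfs ro 0 0` line from the quoted config and bind-mounts only the chosen subtrees of the host's /sys read-write on top of the read-only tree. It assumes the LXC 1.0 hook environment (LXC_ROOTFS_MOUNT, documented in lxc.container.conf); the SYSRW_* variables and the dry-run switch are names made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread: an lxc.hook.mount script that leaves the
# container's /sys read-only (mounted by lxc.mount.entry as in the config
# above) and bind-mounts only selected subtrees of the host's /sys read-write.
# Assumes LXC 1.0's hook environment: LXC_ROOTFS_MOUNT is where the container
# rootfs is mounted while the hook runs, before pivot_root.
# Config:  lxc.hook.mount = /var/lib/lxc/container/sys-rw-hook.sh
# The SYSRW_* variables are this example's own names, not LXC options.
set -eu

# Space-separated list of /sys subtrees the container may write.
SYSRW_SUBTREES="${SYSRW_SUBTREES:-module/ipv6}"

# With SYSRW_DRY_RUN=1 the mount commands are printed instead of executed.
run() {
    if [ "${SYSRW_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# bind_sys_rw ROOTFS SUBTREE...
# Each SUBTREE is bind-mounted from the host's /sys on top of the read-only
# tree at ROOTFS/sys, then remounted rw so the result does not depend on the
# flags of the host mount it was bound from.
bind_sys_rw() {
    rootfs=$1; shift
    for sub in "$@"; do
        # Reject anything that could escape /sys (absolute paths, "..").
        case $sub in
            /*|..|*/..|../*|*/../*)
                echo "bind_sys_rw: refusing subtree '$sub'" >&2
                return 1 ;;
        esac
        run mount --bind "/sys/$sub" "$rootfs/sys/$sub"
        run mount -o remount,bind,rw "$rootfs/sys/$sub"
    done
}

# Run only when invoked by LXC as a hook (the variable is unset elsewhere).
if [ -n "${LXC_ROOTFS_MOUNT:-}" ]; then
    # shellcheck disable=SC2086  # word splitting of the list is intended
    bind_sys_rw "$LXC_ROOTFS_MOUNT" $SYSRW_SUBTREES
fi
```

Subtrees that depend on the network namespace, such as sys/class/net, are a different matter: as noted above, the hook would have to be in the container's netns for them to show the right contents.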


