[lxc-users] bind-mounting kernel directories

Michael H. Warfield mhw at WittsEnd.com
Thu Apr 2 21:03:01 UTC 2015


On Wed, 2015-04-01 at 13:53 -0300, Andre Nathan wrote:
> I've been running containers in production where pretty much everything
> is bind-mounted from the host, including /lib and /usr, with no problems
> at all.

To quote the stock brokers "past experience is not a guarantee of future
performance".

In this case, I would only consider an overlayfs where the
container-specific mods are restricted to the container-specific overlays
and they have no chance of modifying the underlying host's operating files.
That would help ensure (improve) container <-> host isolation and container
<-> container isolation.  Both a very good thing.  This is actually
something I used to do a long time ago with FreeVPS prior to Linux
Vservers, prior to OpenVZ.  The technique is THAT old.  It's just now we
have the kernel support mainline in 3.18 and up.

Mike

> Cheers,
> Andre
> 
> On 04/01/2015 01:07 PM, Chris Burroughs wrote:
> > Userland tools can be confused if the running kernel does not match
> > anything in /lib/modules, and 'per-container' modules are a nonsensical
> > notion anyway.  Is there any reason not to read-only bind-mount
> > /lib/modules & /usr/src/kernels from the host into the container?  I've
> > seen a few references in blogs but this does not appear to be the
> > default behavior of the templates.
> > 
> > _______________________________________________
> > lxc-users mailing list
> > lxc-users at lists.linuxcontainers.org
> > http://lists.linuxcontainers.org/listinfo/lxc-users

-- 
Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
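
An added example, not part of the original message and not LXC project code: a Python check that scans a container config for `lxc.mount.entry` bind mounts of host system directories that lack `ro`, the writable case the thread contrasts with read-only mounts of /lib/modules and /usr/src/kernels. The sample config, the function names and the list of sensitive prefixes are constructed assumptions.

```python
# Audit LXC mount entries for writable bind mounts of host system directories.
# SENSITIVE is an assumed policy list; adjust it to the host's layout.
SENSITIVE = ("/lib", "/usr", "/bin", "/sbin", "/etc", "/boot")


def parse_mount_entries(config_text):
    """Return [(source, target, options_set)] for each lxc.mount.entry line."""
    entries = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or key.strip() != "lxc.mount.entry":
            continue
        fields = value.split()  # fstab-style: src dst fstype opts dump pass
        if len(fields) < 4:
            continue  # malformed entry, nothing to evaluate
        source, target, _fstype, opts = fields[:4]
        entries.append((source, target, set(opts.split(","))))
    return entries


def writable_host_binds(config_text, sensitive=SENSITIVE):
    """Return [(source, target)] for bind mounts of sensitive paths without ro."""
    findings = []
    for source, target, opts in parse_mount_entries(config_text):
        is_bind = bool(opts & {"bind", "rbind"})
        under = any(source == p or source.startswith(p + "/") for p in sensitive)
        if is_bind and under and "ro" not in opts:
            findings.append((source, target))
    return findings


# Constructed sample config, not taken from the thread.
SAMPLE_CONFIG = """\
lxc.utsname = web01
lxc.mount.entry = /lib/modules lib/modules none ro,bind 0 0
lxc.mount.entry = /usr/src/kernels usr/src/kernels none bind,ro 0 0
lxc.mount.entry = /usr usr none bind 0 0
lxc.mount.entry = /lib lib none rbind,rw 0 0
lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
"""

if __name__ == "__main__":
    for source, target in writable_host_binds(SAMPLE_CONFIG):
        print(f"writable bind mount of host {source} -> {target}")
```
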
