[lxc-users] bind-mounting kernel directories
Chris Burroughs
chris.burroughs at gmail.com
Mon Apr 6 20:17:27 UTC 2015
On 04/01/2015 12:54 PM, Michael H. Warfield wrote:
> Doing a read-only bind mount is marginal at best. We've had issues with
> remounts in containers propagating out (that I think/hope are finally
> fixed) and some containers need mount privs in order to mount images or
> do nfs/afs/cifs mounts, so prohibiting the cap_sysadmin is not a viable
> option in general there.
With the CentOS default templates (i.e. with CAP_SYS_ADMIN) + privileged
container the remount is allowed: mount -o remount,rw /dev/foo /lib/modules/
From your 'think/hope' comment it sounded like you were expecting
something besides CAP_SYS_ADMIN to be able to stop the remount, but I'm
not sure what that mechanism would be.
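As an added illustration of the point under discussion (this is not code from the thread or from the lxc project), the script below reads the kernel's mountinfo format and tells, for each mount, whether its read-only state is a per-mount flag (what a read-only bind mount is: MNT_READONLY on that one mount, with the underlying superblock still rw) or a superblock flag shared by every mount of that filesystem, and what its propagation type is. A holder of CAP_SYS_ADMIN in the mount namespace can clear either with a remount; a remount that omits `bind` is applied to the superblock, which is the case where the change is visible to the host as well. The mountinfo lines embedded in the script are constructed sample data; pass `--live` to read `/proc/self/mountinfo` on a real Linux host.

```python
"""Classify mounts from /proc/self/mountinfo: read-only at the mount level,
at the superblock level, or not at all, plus propagation type.
Added example, not code from the lxc project or the thread."""
import re
from dataclasses import dataclass
from typing import Dict, List

_OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")


def unescape(field: str) -> str:
    """mountinfo encodes space, tab, newline and backslash as \\ooo octal."""
    return _OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), field)


@dataclass
class MountEntry:
    mount_point: str
    root: str              # path inside the filesystem that is mounted here
    mount_opts: List[str]  # per-mount flags; "ro" here means MNT_READONLY
    propagation: str       # "shared:N", "master:N", ... or "private"
    fstype: str
    source: str
    super_opts: List[str]  # superblock flags, shared by every mount of this fs


def parse_mountinfo(text: str) -> List[MountEntry]:
    """Parse the mountinfo format: 6 fixed fields, optional tag fields,
    a lone '-' separator, then fstype, source and superblock options."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        head, sep, tail = line.partition(" - ")
        h, t = head.split(), tail.split()
        if not sep or len(h) < 6 or len(t) < 3:
            raise ValueError("malformed mountinfo line: %r" % line)
        optional = h[6:]  # zero or more tag[:value] fields before '-'
        entries.append(MountEntry(
            mount_point=unescape(h[4]),
            root=unescape(h[3]),
            mount_opts=h[5].split(","),
            propagation=" ".join(optional) if optional else "private",
            fstype=t[0],
            source=unescape(t[1]),
            super_opts=t[2].split(","),
        ))
    return entries


def classify(e: MountEntry) -> str:
    """'ro-superblock': the filesystem itself is ro; a remount,rw flips it
    for every mount of that superblock, the host's included.
    'ro-mount-only': only this mount carries ro (a read-only bind mount);
    the superblock is rw, so remount,rw on this mount simply drops the flag.
    'rw': not read-only at either level."""
    mnt_ro = "ro" in e.mount_opts
    sb_ro = "ro" in e.super_opts
    if sb_ro:
        return "ro-superblock"
    if mnt_ro:
        return "ro-mount-only"
    return "rw"


def audit(text: str) -> Dict[str, Dict[str, str]]:
    """Map mount point -> verdict and propagation for every entry."""
    return {
        e.mount_point: {"verdict": classify(e), "propagation": e.propagation,
                        "subtree": "yes" if e.root != "/" else "no"}
        for e in parse_mountinfo(text)
    }


# Constructed sample: a host rootfs, a read-only bind of /lib/modules into a
# container rootfs, a tmpfs mounted ro at the superblock, and a slave bind.
SAMPLE_MOUNTINFO = """\
20 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
41 20 8:1 /lib/modules /var/lib/lxc/c1/rootfs/lib/modules ro,relatime - ext4 /dev/sda1 rw,errors=remount-ro
42 20 0:35 / /var/lib/lxc/c1/rootfs/ro-tmp ro,relatime - tmpfs tmpfs ro
43 20 8:1 /usr/share /var/lib/lxc/c1/rootfs/usr/share ro,relatime master:1 - ext4 /dev/sda1 rw,errors=remount-ro
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1 and sys.argv[1] == "--live":
        with open("/proc/self/mountinfo") as fh:
            data = fh.read()
    else:
        data = SAMPLE_MOUNTINFO
    for mp, info in audit(data).items():
        print("%-48s %-14s subtree=%-3s %s" % (mp, info["verdict"],
                                             info["subtree"], info["propagation"]))
```

In the sample, the /lib/modules bind is "ro-mount-only": the ro is a flag on that mount alone, and in a privileged container (CAP_SYS_ADMIN, same user namespace) nothing in the kernel prevents a remount from clearing it. The mechanism that does prevent it is a user-namespace boundary: since Linux 3.16 the kernel locks mount flags such as read-only (MNT_LOCK_READONLY) on mounts inherited from a more privileged namespace, so a remount,rw from an unprivileged container fails with EPERM even though the container holds CAP_SYS_ADMIN in its own namespace.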