[lxc-users] bind-mounting kernel directories

Michael H. Warfield mhw at WittsEnd.com
Mon Apr 6 20:52:50 UTC 2015


On Mon, 2015-04-06 at 16:17 -0400, Chris Burroughs wrote:
> On 04/01/2015 12:54 PM, Michael H. Warfield wrote:
> > Doing a read-only bind mount is marginal at best.  We've had issues with
> > remounts in containers propagating out (that I think/hope are finally
> > fixed) and some containers need mount privs in order to mount images or
> > do nfs/afs/cifs mounts, so prohibiting the cap_sysadmin is not a viable
> > option in general there.

> With the centos default templates (i.e. with CAP_SYS_ADMIN) + privileged
> container the remount is allowed: mount -o remount,rw /dev/foo /lib/modules/

> From your 'think/hope' comment it sounded like you were expecting
> something besides CAP_SYS_ADMIN to be able to stop the remount, but I'm
> not sure what that mechanism would be.

No...  The old OLD problem was that if you mounted it RO, a container
could remount it RW (or vice versa), which was one thing, but then,
under certain conditions and file systems, that change would be
propagated to the host and to other containers.  I THINK we got that
problem solved a while back with a careful selection of bind mounts and
mount options but I haven't retested it in years.  It's not the
prevention of the remount, it's the prevention of the propagation of the
changes from the container making the changes to the host and the
containers which did not.

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
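
The two things Mike's reply turns on, whether the read-only flag sits on the
mount point or on the superblock and whether the bind mount is in a shared
peer group, can both be read off /proc/self/mountinfo. The script below is an
added example written for this page, not code from the thread or from the
LXC project. It parses mountinfo lines (the three sample lines are
constructed, not captured from a real host), classifies a mount's propagation
type and read-only level, and audits the mounts under a path such as a
container's rootfs. The root-only demo_ro_bind function does the host-side
setup in the two-step form (bind, then remount,bind,ro, which older
util-linux required because a one-shot "-o bind,ro" silently dropped the ro)
and then marks the mount private so it has no peers to propagate into; its
target path is a placeholder. The matching container-side line would be the
usual lxc.mount.entry with "bind,ro" in its options.

```shell
#!/bin/sh
# Added example, not code from the lxc-users thread or the LXC project.
# Paths and the mountinfo sample lines below are constructed for the demo.
#
# /proc/self/mountinfo, one mount per line:
#   id parent maj:min root target mnt-opts [optional...] - fstype source sb-opts
# "mnt-opts" carries the per-mount flags (ro set by "remount,bind,ro");
# "sb-opts" carries the superblock flags, which every mount of that
# filesystem in every namespace shares.  The optional fields hold the
# propagation type: shared:N, master:N (slave), unbindable, or nothing (private).

# Print "<mnt-opts> <optional,fields|none> <fstype> <sb-opts>" for one line.
mi_fields() {
    printf '%s\n' "$1" | awk '{
        optional = ""
        for (i = 7; i <= NF && $i != "-"; i++)
            optional = optional (optional == "" ? "" : ",") $i
        print $6, (optional == "" ? "none" : optional), $(i + 1), $(i + 3)
    }'
}

# Propagation type: private | shared | slave | shared-slave | unbindable
mi_propagation() {
    set -- $(mi_fields "$1")
    local shared=0 slave=0
    case ",$2," in *,unbindable,*) echo unbindable; return ;; esac
    case ",$2," in *,shared:*) shared=1 ;; esac
    case ",$2," in *,master:*) slave=1 ;; esac
    if [ $shared = 1 ] && [ $slave = 1 ]; then echo shared-slave
    elif [ $shared = 1 ]; then echo shared
    elif [ $slave = 1 ]; then echo slave
    else echo private
    fi
}

# Where the read-only flag lives: mount | superblock | both | rw
mi_ro_level() {
    set -- $(mi_fields "$1")
    local m=0 s=0
    case ",$1," in *,ro,*) m=1 ;; esac
    case ",$4," in *,ro,*) s=1 ;; esac
    if [ $m = 1 ] && [ $s = 1 ]; then echo both
    elif [ $m = 1 ]; then echo mount
    elif [ $s = 1 ]; then echo superblock
    else echo rw
    fi
}

# A directory handed to a container read-only passes only if the ro flag is
# on the mount point itself (a superblock-only ro can be flipped by a
# superblock remount) and the mount is not in a shared peer group (mounts
# and umounts under a shared mount propagate to the host's copy).
bind_mount_ok() {
    local ro prop
    ro=$(mi_ro_level "$1"); prop=$(mi_propagation "$1")
    case "$ro"   in mount|both) ;; *) return 1 ;; esac
    case "$prop" in private|slave) return 0 ;; *) return 1 ;; esac
}

# Audit every mount whose target starts with $1 on the running system.
audit_mounts() {
    local prefix=$1 line verdict
    while read -r line; do
        set -- $line
        case "$5" in "$prefix"*)
            if bind_mount_ok "$line"; then verdict=ok; else verdict=WARN; fi
            printf '%-5s %s ro=%s propagation=%s\n' "$verdict" "$5" \
                "$(mi_ro_level "$line")" "$(mi_propagation "$line")" ;;
        esac
    done < /proc/self/mountinfo
}

# Root-only: bind a host directory read-only onto a placeholder mount point
# the two-step way and make it private, then show what findmnt reports.
demo_ro_bind() {
    local src=${1:-/lib/modules} tgt=${2:-/tmp/ro-bind-demo}
    [ "$(id -u)" -eq 0 ] || { echo "demo_ro_bind: needs root" >&2; return 2; }
    mkdir -p "$tgt"
    mount --bind "$src" "$tgt"          # step 1: bind
    mount -o remount,bind,ro "$tgt"     # step 2: ro on this mount point only
    mount --make-private "$tgt"         # step 3: no peer group to propagate into
    findmnt -o TARGET,VFS-OPTIONS,FS-OPTIONS,PROPAGATION "$tgt"
    audit_mounts "$tgt"
    umount "$tgt"
}

# Constructed mountinfo lines (not captured from a real host):
SAMPLE_PRIVATE_RO='201 180 8:1 /lib/modules /var/lib/lxc/c1/rootfs/lib/modules ro,relatime - ext4 /dev/sda1 rw,errors=remount-ro'
SAMPLE_SHARED_RO='202 180 8:1 /lib/modules /var/lib/lxc/c2/rootfs/lib/modules ro,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro'
SAMPLE_SB_RO='203 180 7:0 / /var/lib/lxc/c3/rootfs/mnt/image rw,relatime master:1 shared:2 - ext4 /dev/loop0 ro'

case "${1:-}" in
    audit) audit_mounts "${2:-/var/lib/lxc}" ;;   # no root needed
    demo)  demo_ro_bind ;;                         # root
esac
```

Run it as "sh script.sh audit /var/lib/lxc" on a host to get one verdict line
per mount under the containers' rootfs directories; the WARN cases are the
shared or superblock-only-ro mounts where a remount or a new mount made from
inside a privileged container is visible outside it. For slave mounts the
host's copy is the master, so nothing done inside the container reaches it,
which is why slave is accepted alongside private.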
