[lxc-users] bind-mounting kernel directories

Marco foobar.angus at gmail.com
Mon Apr 6 22:57:33 UTC 2015


On 06/apr/2015 22:54, "Michael H. Warfield" <mhw at wittsend.com> wrote:
>
> On Mon, 2015-04-06 at 16:17 -0400, Chris Burroughs wrote:
> > On 04/01/2015 12:54 PM, Michael H. Warfield wrote:
> > > Doing a read-only bind mount is marginal at best.  We've had issues with
> > > remounts in containers propagating out (that I think/hope are finally
> > > fixed) and some containers need mount privs in order to mount images or
> > > do nfs/afs/cifs mounts, so prohibiting the cap_sysadmin is not a viable
> > > option in general there.
>
> > With the centos default templates (ie with CAP_SYS_ADMIN) + privileged
> > container the remount is allowed: mount -o remount,rw /dev/foo /lib/modules/
>
> >  From your 'think/hope' comment it sounded like you were expecting
> > something besides CAP_SYS_ADMIN to be able to stop the remount, but I'm
> > not sure what that mechanism would be.
>
> No...  The old OLD problem was that if you mounted it RO, a container
> could remount it RW (or vice versa), which was one thing, but then,
> under certain conditions and file systems, that change would be
> propagated to the host and to other containers.  I THINK we got that
> problem solved a while back with a careful selection of bind mounts and
> mount options but I haven't retested it in years.  It's not the
> prevention of the remount, it's the prevention of the propagation of the
> changes from the container making them to the host and to the
> containers which did not.

On Debian at least, it still has some problems, as I've reported here on the
ML: Deb 8 && Lxc 1.0.6.
A host fs, configured to be bind-mounted ro in the guest, is actually
accessible as rw (in the guest).
The guest can then remount it as ro, but then the host fs becomes ro!
Clearly not a desirable event.

More info in my previous thread.

-- Marco
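As an added defender's check (not from Marco's or Michael's mail, and not LXC code), the script below parses constructed /proc/self/mountinfo lines as seen from inside a guest and flags mounts that are writable at the per-mount level or sit in a shared peer group. Those are the two conditions the thread describes: a bind mount meant to be ro showing up rw, and a remount from the guest propagating back to the host. The sample lines, device names and mount points are invented for the example.

```shell
#!/bin/sh
# Constructed sample of /proc/self/mountinfo lines from a guest (not real output).
# Field layout: id parent maj:min root mountpoint mnt_opts [optional fields] - fstype source sb_opts
# mnt_opts holds the per-mount ro/rw flag; sb_opts holds the superblock flag shared with the host.
SAMPLE='36 35 8:1 /lib/modules /lib/modules rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
37 35 8:1 /usr/src /usr/src ro,relatime - ext4 /dev/sda1 rw,errors=remount-ro
38 35 8:2 / /data rw,relatime shared:5 - ext4 /dev/sdb1 rw'

# audit_mounts MOUNTINFO_TEXT
# Prints "<mountpoint> <rw|ro> <shared|slave|private>" for every mount that is
# writable at the mount level or lives in a shared peer group.  A mount that is
# "ro private" is the only state where a guest remount can neither write nor
# propagate, so anything printed deserves a look.
audit_mounts() {
    printf '%s\n' "$1" | awk '{
        mnt = $5; opts = $6; prop = "private"
        # optional fields run from $7 up to the "-" separator
        for (i = 7; i <= NF && $i != "-"; i++) {
            if ($i ~ /^shared:/) prop = "shared"
            else if ($i ~ /^master:/) prop = "slave"
        }
        # per-mount options always start with rw or ro
        split(opts, f, ",")
        rw = (f[1] == "rw") ? "rw" : "ro"
        if (rw == "rw" || prop == "shared") print mnt, rw, prop
    }'
}

# Stand-alone demo on the constructed sample
audit_mounts "$SAMPLE"
```

Run it against the live table with `audit_mounts "$(cat /proc/self/mountinfo)"`. From the host side, a flagged mount is fixed with `mount -o remount,bind,ro <mountpoint>` for the per-mount flag and `mount --make-private <mountpoint>` so remounts in the guest stop propagating.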