[lxc-users] bind-mounting kernel directories

Fajar A. Nugraha list at fajar.net
Tue Apr 7 04:08:37 UTC 2015


On Tue, Apr 7, 2015 at 5:57 AM, Marco <foobar.angus at gmail.com> wrote:

>> >  From your 'think/hope' comment it sounded like you were expecting
>> > something besides CAP_SYS_ADMIN to be able to stop the remount, but I'm
>> > not sure what that mechanism would be.
>>
>> No...  The old OLD problem was that if you mounted it RO, a container
>> could remount it RW (or vice versa), which was one thing, but then,
>> under certain conditions and file systems, that change would be
>> propagated to the host and to other containers.

>
> On Debian at least, it still has some problems as I've reported here on the
> ML: Deb 8 && Lxc 1.0.6.
> A host fs, configured to be bind-mounted ro in the guest, is actually
> accessible as rw (in the guest).
> The guest can then remount it as ro, but then the host fs becomes ro!
> Clearly not a desirable event.

You can backport lxc-1.0.7 from experimental.

Or better yet, compile lxc-1.1.1 yourself as well as lxcfs-0.7, which
brings (among other things) better support for systemd-based containers.



On Wed, Apr 1, 2015 at 11:07 PM, Chris Burroughs
<chris.burroughs at gmail.com> wrote:
> Userland tools can be confused if the running kernel does not match anything
> in /lib/modules, and 'per-container' modules are a nonsensical notion anyway.
> Is there any reason not to read-only bind-mount /lib/modules &
> /usr/src/kernels from the host into the container?  I've seen a few
> references in blogs but this does not appear to be the default behavior of
> the templates.
>

When I think about it, this requirement doesn't make sense for newer setups:
- the default config (at least in ubuntu) includes
lxc.cap.drop = mac_admin mac_override sys_time sys_module, which prevents
module loading. A good thing, since allowing that could mean a root user in
the container loading malicious kernel modules which could bring down the
system.

- containers can run just fine even without a kernel package installed
inside them. At least that's the case with ubuntu and centos 7
containers (possibly others as well).

The only use case that I can think of for having /lib/modules and
/usr/src/kernels inside a container is if you're going to use it for
module development, in which case you'd have to install other packages
as well (e.g. build-essential), and you won't need the same kernel
version as the one currently running.

-- 
Fajar
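Two checks a container admin can run inside the guest to verify the points raised in this thread, as an added example that is not part of the list discussion or of LXC itself: whether a bind mount is read-only at the mount level (what `bind,ro` should give) or only at the superblock level, which is shared with the host and is the symptom Marco reports, and whether CAP_SYS_MODULE is really gone from the bounding set after `lxc.cap.drop = ... sys_module`. The functions read their input as text, so they accept /proc/self/mountinfo and the CapBnd line of /proc/self/status as well as the constructed samples below; the sample mountinfo lines and capability masks are made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread or from LXC. Input is passed as text so the
# functions can be fed /proc files on a live guest or the constructed samples below.

# Per-mount flag (field 6 of mountinfo): prints "ro" or "rw" for the mount at $1.
# This is the flag that a "bind,ro" entry sets and that only affects this mount.
mount_flag() {
    printf '%s\n' "$2" | awk -v mp="$1" '$5 == mp { split($6, o, ","); print o[1]; exit }'
}

# Superblock flag: first option after the " - fstype source" separator for the mount at $1.
# It is shared by every mount of the same filesystem, host included.
sb_flag() {
    printf '%s\n' "$2" | awk -v mp="$1" '$5 == mp {
        for (i = 7; i <= NF; i++) if ($i == "-") { split($(i+3), o, ","); print o[1]; exit } }'
}

# Classify a bind mount that was configured read-only:
#   mount-ro : ro flag sits on the mount itself (the intended result)
#   sb-ro    : only the superblock is ro, so the host sees it ro too (the leak in the thread)
#   rw       : writable in the guest despite the ro config
classify_ro_bind() {
    m=$(mount_flag "$1" "$2"); s=$(sb_flag "$1" "$2")
    if [ "$m" = ro ]; then echo mount-ro
    elif [ "$s" = ro ]; then echo sb-ro
    else echo rw; fi
}

# Is capability number $1 present in a CapBnd hex mask from /proc/self/status?
# CAP_SYS_MODULE is 16 and CAP_SYS_ADMIN is 21 (linux/capability.h).
# Returns 0 if present, 1 if dropped.
cap_in_bset() { [ $(( 0x$2 >> $1 & 1 )) -eq 1 ]; }

# Constructed sample data (not captured from a real system).
SAMPLE_MOUNTINFO='45 40 8:1 /lib/modules /lib/modules ro,relatime - ext4 /dev/sda1 rw,errors=remount-ro
46 40 8:1 /usr/src/kernels /usr/src/kernels rw,relatime - ext4 /dev/sda1 ro,errors=remount-ro
47 40 8:1 /srv/data /srv/data rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro'
CAPBND_DEFAULT=0000003fffffffff   # constructed: bits 0-37 set, nothing dropped
CAPBND_DROPPED=0000003cfdfeffff   # constructed: bits 16, 25, 32, 33 cleared, i.e.
                                  # sys_module, sys_time, mac_override, mac_admin dropped

# Live use inside a guest:
#   classify_ro_bind /lib/modules "$(cat /proc/self/mountinfo)"
#   cap_in_bset 16 "$(awk '/^CapBnd:/ {print $2}' /proc/self/status)" && echo "CAP_SYS_MODULE still present"
```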

