[lxc-users] lxc.mount.entry bind mounts not respected on tmpfs filesystems

Christian Brauner christianvanbrauner at gmail.com
Sat Feb 7 17:44:31 UTC 2015


When an init such as systemd mounts a folder as a tmpfs during startup and lxc
defines a bind-mount on the same folder in the container's config, it will be
overmounted on container startup. Here is an example. Create an archlinux (or
fedora) container with:

    sudo lxc-create -t archlinux -n arch

define a bind-mount on /tmp in the container's config in:

    /var/lib/lxc/arch/config

with

    lxc.mount.entry=/tmp/.X11-unix tmp/.X11-unix none ro,bind,create=dir 0 0

to mount the X0 socket of the X-server for e.g. graphical output. Now boot the
container. Although lxc creates the bind-mount, as can be seen e.g. from the
logs, the X0 socket will not show up under /tmp/.X11-unix as systemd's
tmp.mount unit mounts /tmp as a tmpfs over lxc's bind mount. This can be
verified in two steps. By doing

    findmnt --target /tmp

in the container. This will show:

    [root@arch ~]# findmnt --target /tmp/
    TARGET SOURCE FSTYPE OPTIONS
    /tmp   tmpfs  tmpfs  rw

And then by unmounting /tmp with:

    umount /tmp

After this, the X0 socket will show up under /tmp/.X11-unix. I think Ubuntu has
a downstream patch because tmp is somehow treated differently on Debian-based
distros. (It must either be
Bring-tmpfiles.d-tmp.conf-in-line-with-Debian-defaul.patch or
Don-t-mount-tmp-as-tmpfs-by-default.patch as seen in the source code of
systemd_218-7ubuntu1.debian.tar.xz.) But for any other distro not using this
downstream patch this is a problem. When you want to have the default behavior
of having /tmp cleaned out on shutdown or reboot it is neither a good option to
disable nor to mask the service. Maybe there is a workaround such that lxc's
bind-mounts are respected/reflected even when on a mountpoint that gets mounted
as tmpfs during boot?

I also filed this as a github issue but a) I'm unsure whether it's lxc's job or
upstream systemd-related and b) is there an easy workaround apart from
disabling/masking tmp.mount or doing umount /tmp every time after the container
has been started.

Christian
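The two verification steps in the message (findmnt --target, then umount /tmp) boil down to a question about mount ordering: /proc/self/mountinfo lists mounts in the order they were made, and the newest mount covering a path is the one a lookup sees. The script below is an added example, not code from the post or from the lxc project: it reads mountinfo-format lines and reports whether a mount on a given path is still visible, hidden by a later mount on the path or on one of its parents, or absent. The mountinfo excerpts are constructed to resemble the situation described (an lxc bind mount on /tmp/.X11-unix, then systemd's tmp.mount putting a tmpfs on /tmp); the function and variable names are mine, and escaped characters in mount-point names (mountinfo writes a space as \040) are not decoded.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): decide whether a mount on
# TARGET is reachable by walking /proc/self/mountinfo in listing order.
# Assumption: mountinfo lists mounts oldest first, so the last entry whose
# mount point equals TARGET or is an ancestor of TARGET is the one a path
# lookup lands on. Field 5 of each line is the mount point.

# Constructed mountinfo excerpt: container root, lxc's read-only bind mount
# of /tmp/.X11-unix and /run, before systemd has mounted anything on /tmp.
BEFORE_TMP_MOUNT='18 1 0:40 / / rw,relatime - ext4 /dev/loop0 rw
25 18 0:41 /.X11-unix /tmp/.X11-unix ro,relatime - tmpfs tmpfs rw
26 18 0:42 / /run rw,nosuid,nodev - tmpfs tmpfs rw,mode=755'

# Constructed excerpt after tmp.mount ran: the same lines plus a tmpfs on
# /tmp that was mounted later than the bind mount underneath it.
AFTER_TMP_MOUNT="$BEFORE_TMP_MOUNT
40 18 0:55 / /tmp rw,nosuid,nodev - tmpfs tmpfs rw"

# mount_state TARGET < mountinfo
# Prints "visible" if the newest mount covering TARGET is on TARGET itself,
# "shadowed-by:<mountpoint>" if a later mount on TARGET's parent hides it,
# and "none" if nothing is mounted on TARGET at all.
mount_state() {
  awk -v t="$1" '
    {
      mp = $5
      # An entry covers t if it is t itself, the root, or a proper ancestor.
      covers = (mp == t) || (mp == "/") || (index(t, mp "/") == 1)
      if (covers) last = mp
      if (mp == t) seen = 1
    }
    END {
      if (!seen)          print "none"
      else if (last == t) print "visible"
      else                print "shadowed-by:" last
    }'
}

# top_mount TARGET < mountinfo
# Prints "<mountpoint> <source> <fstype>" for the mount a lookup of TARGET
# resolves to, mirroring the TARGET/SOURCE/FSTYPE columns of findmnt --target.
top_mount() {
  awk -v t="$1" '
    {
      mp = $5
      # The optional fields end at a lone "-"; fstype and source follow it.
      for (i = 7; i <= NF; i++) if ($i == "-") break
      fs = $(i + 1); src = $(i + 2)
      if (mp == t || mp == "/" || index(t, mp "/") == 1) top = mp " " src " " fs
    }
    END { print top }'
}

# Stand-alone demonstration on the constructed data.
printf 'before tmp.mount: %s\n' "$(printf '%s\n' "$BEFORE_TMP_MOUNT" | mount_state /tmp/.X11-unix)"
printf 'after tmp.mount:  %s\n' "$(printf '%s\n' "$AFTER_TMP_MOUNT"  | mount_state /tmp/.X11-unix)"
printf 'lookup resolves to: %s\n' "$(printf '%s\n' "$AFTER_TMP_MOUNT" | top_mount /tmp/.X11-unix)"
```

Inside a running container the same functions can be pointed at the live table with `mount_state /tmp/.X11-unix < /proc/self/mountinfo`; a "shadowed-by:/tmp" result is the condition the message describes, and it flips to "visible" after `umount /tmp` because the tmpfs entry disappears while the earlier bind-mount entry remains.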
