[lxc-users] lxc.mount.entry bind mounts not respected on tmpfs filesystems

Stéphane Graber stgraber at ubuntu.com
Sat Feb 7 21:38:47 UTC 2015


On Sat, Feb 07, 2015 at 06:44:31PM +0100, Christian Brauner wrote:
> When an init such as systemd mounts a folder as a tmpfs during startup and the
> lxc defines a bind-mount on the same folder in the container's config it will be
> overmounted on container startup. Here is an example. Create an archlinux (or
> fedora) container with:
> 
>     sudo lxc-create -t archlinux -n arch
> 
> define a bind-mount on /tmp in the container's config in:
> 
>     /var/lib/lxc/arch/config
> 
> with
> 
>     lxc.mount.entry=/tmp/.X11-unix tmp/.X11-unix none ro,bind,create=dir 0 0
> 
> to mount the X0 socket of the X-server for e.g. graphical output. Now boot the
> container. Although lxc creates the bind-mount as can be seen e.g. from the
> logs, the X0 socket will not show up under /tmp/.X11-unix as systemd's
> tmp.mount unit mounts /tmp as a tmpfs over lxc's bind mount. This can be
> verified in two steps. By doing
> 
>     findmnt --target /tmp
> 
> in the container. This will show:
> 
>     [root at arch ~]# findmnt --target /tmp/
>     TARGET SOURCE FSTYPE OPTIONS
>     /tmp   tmpfs  tmpfs  rw
> 
> And then by unmounting /tmp with:
> 
>     umount /tmp
> 
> After this, the X0 socket will show up under /tmp/.X11-unix. I think Ubuntu has
> a downstream patch because tmp is somehow treated differently on Debian-based
> distros. (It must either be
> Bring-tmpfiles.d-tmp.conf-in-line-with-Debian-defaul.patch or
> Don-t-mount-tmp-as-tmpfs-by-default.patch as seen in the source code of
> systemd_218-7ubuntu1.debian.tar.xz.) But for any other distro not using this
> downstream patch this is a problem. When you want to have the default behavior
> of having /tmp cleaned out on shutdown or reboot it is neither a good option to
> disable nor to mask the service. Maybe, there is a workaround such that lxc's
> bind-mounts are respected/reflected even when on a mountpoint that gets mounted
> as tmpfs during boot?
> 
> I also filed this as a github issue but a) I'm unsure whether it's lxc's job or
> upstream systemd-related and b) is there an easy workaround apart from
> disabling/masking tmp.mount or doing umount /tmp every time after the container
> has been started.
> 
> Christian

There isn't really anything LXC can do to prevent over-mounting. You
could drop the capability and thus prevent systemd from mounting
anything, but I'm pretty sure that'd just fail your container boot
entirely.

One thing that may however work, depending on how clever systemd is, is to add:
lxc.mount.entry = tmpfs /tmp tmpfs defaults

Before the bind-mount line. This will cause lxc to mount your /tmp
before starting init. If systemd is clever, it'll detect it was already
mounted and will leave it alone.


If that trick doesn't work, then you've got two solutions:
 - Patch systemd
 - Bind-mount to some other path which doesn't get over-mounted, then
   have a systemd job mount --move it back to place during boot.


-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
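The first workaround above amounts to an ordering rule for lxc.mount.entry lines: a non-bind mount of a parent path must come before any bind mount beneath it. As an added example (not from the thread, and not LXC's own code), here is a POSIX shell lint that reads a container config such as /var/lib/lxc/arch/config and reports bind mounts that would be hidden, either by a later non-bind entry over their target or a parent of it, or, for targets under tmp, by an init that mounts /tmp as tmpfs when no tmpfs entry for tmp precedes them; the configs it is tested against are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from LXC): lint the order of
# lxc.mount.entry lines. A bind mount is hidden when a later non-bind
# entry mounts over its target or a parent of it, and a bind mount under
# tmp with no earlier tmpfs entry is hidden by an init that mounts /tmp
# as tmpfs (systemd's tmp.mount), as described above.

# Strip leading/trailing slashes so "/tmp/" and "tmp" compare equal.
norm_target() { printf '%s' "$1" | sed 's#^/*##; s#/*$##'; }

# Print each lxc.mount.entry as: lineno source target fstype options
mount_entries() {
    awk '/^[[:space:]]*lxc\.mount\.entry[[:space:]]*=/ {
        sub(/^[^=]*=[[:space:]]*/, "")
        split($0, f, /[[:space:]]+/)
        print NR, f[1], f[2], f[3], f[4]
    }' "$1"
}

# Usage: check_lxc_mount_order /var/lib/lxc/arch/config
# Returns 0 when every bind mount stays visible, 1 when one is hidden.
check_lxc_mount_order() {
    entries=$(mount_entries "$1"); rc=0
    while read -r bno bsrc btgt bfs bopts; do
        case ",$bopts," in *,bind,*|*,rbind,*) ;; *) continue ;; esac
        bt=$(norm_target "$btgt"); earlier=0; later=0
        while read -r mno msrc mtgt mfs mopts; do
            case ",$mopts," in *,bind,*|*,rbind,*|",,") continue ;; esac
            mt=$(norm_target "$mtgt")
            case "$bt/" in "$mt/"*) ;; *) continue ;; esac
            if [ "$mno" -gt "$bno" ]; then
                echo "line $mno: $mfs on $mtgt is mounted after the bind mount on line $bno ($btgt) and hides it"
                later=1; rc=1
            else
                earlier=1
            fi
        done <<EOF
$entries
EOF
        case "$bt/" in tmp/*) ;; *) continue ;; esac
        if [ "$earlier" -eq 0 ] && [ "$later" -eq 0 ]; then
            echo "line $bno: bind mount on $btgt has no tmpfs entry for tmp before it; systemd's tmp.mount will over-mount it"
            rc=1
        fi
    done <<EOF
$entries
EOF
    return "$rc"
}
```

A clean config (tmpfs line first, bind line second) produces no output and exit status 0; any finding is printed with the config line number it refers to.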