[lxc-users] lxc.mount.entry bind mounts not respected on tmpfs filesystems
Christian Brauner
christianvanbrauner at gmail.com
Sat Feb 7 22:22:56 UTC 2015
> On Sat, Feb 07, 2015 at 06:44:31PM +0100, Christian Brauner wrote:
> > When an init such as systemd mounts a folder as a tmpfs during startup and the
> > lxc defines a bind-mount on the same folder in the container's config it will be
> > overmounted on container startup. Here is an example. Create an archlinux (or
> > fedora) container with:
> >
> > sudo lxc-create -t archlinux -n arch
> >
> > define a bind-mount on /tmp in the container's config in:
> >
> > /var/lib/lxc/arch/config
> >
> > with
> >
> > lxc.mount.entry=/tmp/.X11-unix tmp/.X11-unix none ro,bind,create=dir 0 0
> >
> > to mount the X0 socket of the X-server for e.g. graphical output. Now boot the
> > container. Although lxc creates the bind-mount as can be seen e.g. from the
> > logs, the X0 socket will not show up under /tmp/.X11-unix as systemd's
> > tmp.mount unit mounts /tmp as a tmpfs over lxc's bind mount. This can be
> > verified in two steps: first, by doing
> >
> > findmnt --target /tmp
> >
> > in the container. This will show:
> >
> > [root@arch ~]# findmnt --target /tmp/
> > TARGET SOURCE FSTYPE OPTIONS
> > /tmp tmpfs tmpfs rw
> >
> > And then by unmounting /tmp with:
> >
> > umount /tmp
> >
> > After this, the X0 socket will show up under /tmp/.X11-unix. I think Ubuntu has
> > a downstream patch because tmp is somehow treated differently on Debian-based
> > distros. (It must either be
> > Bring-tmpfiles.d-tmp.conf-in-line-with-Debian-defaul.patch or
> > Don-t-mount-tmp-as-tmpfs-by-default.patch as seen in the source code of
> > systemd_218-7ubuntu1.debian.tar.xz.) But for any other distro not using this
> > downstream patch this is a problem. When you want to have the default behavior
> > of having /tmp cleaned out on shutdown or reboot it is neither a good option to
> > disable nor to mask the service. Maybe, there is a workaround such that lxc's
> > bind-mounts are respected/reflected even when on a mountpoint that gets mounted
> > as tmpfs during boot?
> >
> > I also filed this as a github issue but a) I'm unsure whether it's lxc's job or
> > upstream systemd-related and b) is there an easy workaround apart from
> > disabling/masking tmp.mount or doing umount /tmp every time after the container
> > has been started.
> >
> > Christian
>
> There isn't really anything LXC can do to prevent over-mounting. You
> could drop the capability and thus prevent systemd from mounting
> anything, but I'm pretty sure that'd just fail your container boot
> entirely.
>
> One thing that may however work, depending on how clever systemd is, is to add:
> lxc.mount.entry = tmpfs /tmp tmpfs defaults
>
That actually does work with a slight modification:
lxc.mount.entry = tmpfs tmp tmpfs defaults
systemd seems smart enough :)
Thank you very much!
> Before the bind-mount line. This will cause lxc to mount your /tmp
> before starting init. If systemd is clever, it'll detect it was already
> mounted and will leave it alone.
>
>
> If that trick doesn't work, then you've got two solutions:
> - Patch systemd
> - Bind-mount to some other path which doesn't get over-mounted, then
> have a systemd job mount --move it back to place during boot.
>
>
> --
> Stéphane Graber
> Ubuntu developer
> http://www.ubuntu.com
>
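Added example, written for this archive page and not taken from the thread or from the LXC project: a small POSIX shell checker for the ordering Stéphane suggests and Christian confirms works, namely that a tmpfs entry for tmp must come before any lxc.mount.entry bind mount whose target is tmp or lives under tmp/. It assumes entries are in fstab order (source target fstype options), that lxc applies them in file order, and that "tmp" and "/tmp" name the same target. The three sample configs are constructed here from the lines quoted in the thread; the lxc.utsname line is only filler to show non-mount keys are ignored.

```shell
#!/bin/sh
# Added example, not from the thread or from the LXC project.
# check_tmp_mount_order: read an LXC config (file argument or stdin) and
# verify that every lxc.mount.entry bind mount whose target is tmp or lives
# under tmp/ comes AFTER an "lxc.mount.entry = tmpfs tmp tmpfs ..." line.
# Assumptions: entries use fstab order (<source> <target> <fstype> <options>),
# lxc applies them in file order, and "tmp" / "/tmp" name the same target.
# Exit status: 0 when every such bind mount is covered, 1 otherwise.
check_tmp_mount_order() {
    awk '
        /^[[:space:]]*lxc\.mount\.entry[[:space:]]*=/ {
            line = $0
            sub(/^[[:space:]]*lxc\.mount\.entry[[:space:]]*=[[:space:]]*/, "", line)
            n = split(line, f, /[[:space:]]+/)
            if (n < 3) next                    # malformed entry, ignore
            src = f[1]; tgt = f[2]; fstype = f[3]
            opts = (n >= 4) ? f[4] : ""
            sub(/^\//, "", tgt)                # treat "/tmp" like "tmp"
            if (fstype == "tmpfs" && tgt == "tmp") {
                tmpfs_line = NR                # remember where tmp got its tmpfs
                next
            }
            if (opts ~ /(^|,)bind(,|$)/ && (tgt == "tmp" || tgt ~ /^tmp\//)) {
                if (tmpfs_line) {
                    printf "OK: line %d bind %s -> %s (tmpfs on tmp mounted at line %d)\n", NR, src, tgt, tmpfs_line
                } else {
                    printf "PROBLEM: line %d bind %s -> %s is not preceded by a tmpfs on tmp; an init-time tmp.mount will hide it\n", NR, src, tgt
                    bad = 1
                }
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$@"
}

# Constructed sample configs built from the lines quoted in the thread.
sample_bad_config() {          # the original report: bind mount only
    cat <<'EOF'
lxc.utsname = arch
lxc.mount.entry=/tmp/.X11-unix tmp/.X11-unix none ro,bind,create=dir 0 0
EOF
}
sample_good_config() {         # the confirmed fix: tmpfs on tmp first
    cat <<'EOF'
lxc.utsname = arch
lxc.mount.entry = tmpfs tmp tmpfs defaults
lxc.mount.entry=/tmp/.X11-unix tmp/.X11-unix none ro,bind,create=dir 0 0
EOF
}
sample_wrong_order_config() {  # tmpfs line placed after the bind mount
    cat <<'EOF'
lxc.mount.entry=/tmp/.X11-unix tmp/.X11-unix none ro,bind,create=dir 0 0
lxc.mount.entry = tmpfs tmp tmpfs defaults
EOF
}

# Run against the samples. For a real container:
#   check_tmp_mount_order /var/lib/lxc/arch/config
for cfg in sample_bad_config sample_good_config sample_wrong_order_config; do
    echo "== $cfg"
    "$cfg" | check_tmp_mount_order || true
done
```

The checker only reasons about ordering within the config file, which is the part lxc controls; whether the init inside the container then leaves an already-mounted tmpfs alone is, as the thread says, up to systemd.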