[lxc-users] debian jessie && ro bind mounts...
Marco
foobar.angus at gmail.com
Thu Mar 12 09:49:30 UTC 2015
On Wed, Mar 11, 2015 at 12:20 PM, Marco <foobar.angus at gmail.com> wrote:
> Ok, I've an Ubuntu trusty 14.04 and I've done some testing with it.
> With an old lxc 1.0.6:
> lxc_1.0.6-0ubuntu0.1_amd64.deb
> the problem is there: read-only bind mounts are not respected.
> Upgrading to lxc 1.0.7:
> lxc_1.0.7-0ubuntu0.1_amd64.deb
> solves the problem.
>
> Debian Jessie is running lxc 1.0.6 so they need to be informed of the bug
> I suppose...
> Is there someone from Debian here on the mailing list?
>
It seems the problem on Debian is worse than expected...
Again:
Host: Debian 8 Jessie
Linux deb 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt4-3 (2015-02-03) x86_64 GNU/Linux
LXC: stock, 1.0.6-6
Guest: Debian 8 (no systemd)
Filesystem on host: ext4
If you have:
- '/system' mounted RW on the host
- bind mounted RO on the guest (e.g. via lxc.mount.entry in the container config)
you should expect that:
a) the guest has RO access: this is not the case for Debian Jessie & lxc 1.0.6, as I've reported
b) the guest cannot change the HOST mount (from RW to RO!): unfortunately the guest seems to be able to make the HOST filesystem RO
IMHO (b) is a very _bad_ thing if others can reproduce the behaviour I'm experiencing.
Here are exactly the steps I've followed:
1) in the container config: lxc.mount.entry=/system system none ro,bind,create=dir 0 0
2) in the guest (user: root): the fs /system is available as rw (and this is a bug per se)
3) in the guest: mount -o remount,ro /system
now the guest /system is read only: good
but now the HOST /system is read only too: bad
Containers should never be able to alter the host filesystem access rights.
Are there other Debian users that can confirm that?
Regards,
PS:
BTW, in the guest container if I:
- mount -o remount,rw /system
then in the host filesystem I've:
- /system mounted back as rw
-- Marco
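An added example, not from Marco's mail or from the LXC project: a POSIX shell check, run on the host, that reads /proc/self/mountinfo and separates per-mount read-only (field 6, what a ro bind mount sets) from superblock read-only (the options after the "-" separator, what a plain remount,ro changes for every mount of that filesystem, host included), so an admin can verify expectations (a) and (b) above from the host side. The container rootfs path, device numbers and both sample tables are constructed assumptions.

```shell
#!/bin/sh
# Print "mount=<ro|rw> super=<ro|rw>" for mount point $1, reading the
# mountinfo table in $2 (defaults to the live kernel table).
# Returns 1 if the mount point is not present in the table.
mount_ro_state() {
    awk -v mp="$1" '
        $5 == mp {
            for (i = 7; i <= NF; i++) if ($i == "-") break   # skip optional fields
            split($6, m, ",")            # per-mount options: ro/rw first
            split($(i + 3), s, ",")      # super options: fstype, source, then opts
            mro = (m[1] == "ro") ? "ro" : "rw"
            sro = (s[1] == "ro") ? "ro" : "rw"
            print "mount=" mro " super=" sro
            found = 1; exit
        }
        END { exit !found }' "${2:-/proc/self/mountinfo}"
}

# Host-side check of a ro bind mount: the host mount point ($1) must keep a
# writable superblock (expectation b) and the container-side mount point ($2)
# must be read-only at the per-mount level (expectation a). $3 = table file.
ro_bind_ok() {
    [ "$(mount_ro_state "$1" "$3")" = "mount=rw super=rw" ] &&
    case "$(mount_ro_state "$2" "$3")" in mount=ro*) return 0 ;; esac
    return 1
}

# Constructed sample tables (not captured from a real host); the container
# rootfs path /var/lib/lxc/c1/rootfs is an assumption.
GOOD=$(mktemp); BAD=$(mktemp)
trap 'rm -f "$GOOD" "$BAD"' EXIT
# Correct behaviour: host /system writable, container view ro per-mount.
cat > "$GOOD" <<'EOF'
21 19 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro,data=ordered
45 21 8:17 / /system rw,relatime shared:2 - ext4 /dev/sdb1 rw,data=ordered
46 21 8:17 / /var/lib/lxc/c1/rootfs/system ro,relatime shared:2 - ext4 /dev/sdb1 rw,data=ordered
EOF
# What the mail describes after step 3: the bind mount was rw, and the guest's
# "remount,ro" flipped the shared superblock, so the host's /system is ro too.
cat > "$BAD" <<'EOF'
21 19 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro,data=ordered
45 21 8:17 / /system rw,relatime shared:2 - ext4 /dev/sdb1 ro,data=ordered
46 21 8:17 / /var/lib/lxc/c1/rootfs/system rw,relatime shared:2 - ext4 /dev/sdb1 ro,data=ordered
EOF

ro_bind_ok /system /var/lib/lxc/c1/rootfs/system "$GOOD" && echo "good table: ok"
ro_bind_ok /system /var/lib/lxc/c1/rootfs/system "$BAD" || echo "bad table: host superblock is read-only"
```

Run it without the sample files (`mount_ro_state /system`) to inspect the live table on a host.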