[lxc-users] pre-mount hook namespace
Wolfgang Bumiller
w.bumiller at proxmox.com
Wed Nov 11 10:11:52 UTC 2015
The pre-mount hook documentation states that it is "a hook to be run
in the container's fs namespace", which seems a little confusing to me
as I'm not quite sure what the 'fs' namespace is supposed to
represent. clone(2)'s CLONE_FS just refers to the root dir, umask and
current working directory, but when running an unprivileged container
the user-namespace will also be set up.
This puts us in a bit of a pickle as we'd like to setup mountpoints
for an unprivileged container without giving it access to more than it
needs (in particular, the storage configuration and processes involved
in managing and activating them.)
For us this seems to be only possible in the pre-start hook now, but
this will be reflected on the host.
I've thought about running lxc-start in a mount namespace, but then I'd
have another namespace to clean up after (for the same reasons we added
the 'stop' hook.)
Since the CLONE_NEWUSER flag is used in the call to clone() I don't see
any convenient solution here, maybe someone has an idea?
Either way it would probably be a good idea to update the documentation
to reflect this. Maybe have yet another hook? (The user-namespace could
be entered later with unshare(CLONE_NEWUSER) and the sync barriers
already control when the parent can run lxc_map_ids().)
Or maybe I'm just missing something obvious?
More information about the lxc-users
mailing list