[lxc-users] How to bind-mount host filesystem inside a container and change mount options

Leonid Isaev leonid.isaev at jila.colorado.edu
Mon Sep 14 17:49:54 UTC 2015


Hi,

On Mon, Sep 14, 2015 at 04:53:10PM +0000, Serge Hallyn wrote:
> Quoting Leonid Isaev (leonid.isaev at jila.colorado.edu):
> > Hi,
> > 
> > 	I am trying to mount a user home directory from the host to a container
> > and at the same time change its mount options. The lxc.mount= option is:
> > ----------
> > (host): grep fstab /tmp/config
> > lxc.mount=/var/lib/lxc/node1/fstab
> > (host): cat /tmp/fstab 
> > /export/home /var/lib/lxc/node1/rootfs/export/home/takahe none bind 0 0
> > /export/home /var/lib/lxc/node1/rootfs/export/home/takahe none remount,exec,bind 0 0
> 
> Note that if you just specify bind,ro, then lxc should automatically
> do the double-mount for you.  (see src/lxc/conf.c:mount_entry()).
> 
> However, the bad news for you is that the kernel will not allow you
> to remount it with MS_EXEC, for security reasons.

Are there any security implications of doing this if a container is privileged
and CONFIG_USER_NS is not set (because lxc-start runs as root)?

But anyway, the only way is to remount /dir from inside the container, right?

Thanks,
L.

-- 
Leonid Isaev
GPG fingerprints: DA92 034D B4A8 EC51 7EA6  20DF 9291 EE8A 043C B8C4
                  C0DF 20D0 C075 C3F1 E1BE  775A A7AE F6CB 164B 5A6D

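The bind-then-remount sequence Serge describes lxc doing for "bind,ro", as an added C example that is not the thread's or lxc's own code; the option table, the function names and the 256-byte option buffer are this example's assumptions.

```c
/* Added example (not lxc's code): the bind-then-remount that Serge describes
 * lxc doing for "bind,ro". Option table and names are this example's own. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>

struct mntopt { const char *name; unsigned long set, clear; };
static const struct mntopt opts[] = {
    { "bind", MS_BIND, 0 },      { "remount", MS_REMOUNT, 0 },
    { "ro", MS_RDONLY, 0 },      { "rw", 0, MS_RDONLY },
    { "noexec", MS_NOEXEC, 0 },  { "exec", 0, MS_NOEXEC },
    { "nosuid", MS_NOSUID, 0 },  { "nodev", MS_NODEV, 0 },
    { NULL, 0, 0 }
};

/* Translate "a,b,c" into mount(2) flags. Returns how many recognised options
 * other than bind/remount were given: a plain MS_BIND call ignores all other
 * flags, so any such option (even "exec", which only clears a bit) means a
 * second MS_REMOUNT|MS_BIND pass is required. */
int parse_mntopts(const char *optstr, unsigned long *flags)
{
    char buf[256]; int extra = 0; *flags = 0;
    snprintf(buf, sizeof buf, "%s", optstr);
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ","))
        for (const struct mntopt *o = opts; o->name; o++)
            if (strcmp(tok, o->name) == 0) {
                *flags = (*flags | o->set) & ~o->clear;
                if (o->set != MS_BIND && o->set != MS_REMOUNT) extra++;
            }
    return extra;
}
unsigned long mntflags(const char *s) { unsigned long f; parse_mntopts(s, &f); return f; }
int mntextra(const char *s) { unsigned long f; return parse_mntopts(s, &f); }

/* Bind, then remount with the remaining flags (needs CAP_SYS_ADMIN). Returns
 * 0 or -errno; EPERM from the second call is the kernel refusing the flag
 * change, which is the failure Serge warns about. */
int bind_mount_with_opts(const char *src, const char *dst, const char *optstr)
{
    unsigned long flags;
    int extra = parse_mntopts(optstr, &flags);
    if (mount(src, dst, NULL, MS_BIND, NULL) < 0)
        return -errno;
    if (extra && mount(NULL, dst, NULL, flags | MS_REMOUNT | MS_BIND, NULL) < 0)
        return -errno;
    return 0;
}
```

From a root process, `bind_mount_with_opts("/export/home", "/var/lib/lxc/node1/rootfs/export/home/takahe", "bind,ro")` performs the same two calls the single fstab line would trigger in lxc.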
