[lxc-users] How to bind-mount host filesystem inside a container and change mount options

Serge Hallyn serge.hallyn at ubuntu.com
Tue Sep 15 22:36:02 UTC 2015


Quoting Leonid Isaev (leonid.isaev at jila.colorado.edu):
> Hi,
> 
> On Mon, Sep 14, 2015 at 04:53:10PM +0000, Serge Hallyn wrote:
> > Quoting Leonid Isaev (leonid.isaev at jila.colorado.edu):
> > > Hi,
> > > 
> > > 	I am trying to mount a user home directory from the host to a container
> > > and at the same time change its mount options. The lxc.mount= option is:
> > > ----------
> > > (host): grep fstab /tmp/config
> > > lxc.mount=/var/lib/lxc/node1/fstab
> > > (host): cat /tmp/fstab 
> > > /export/home /var/lib/lxc/node1/rootfs/export/home/takahe none bind 0 0
> > > /export/home /var/lib/lxc/node1/rootfs/export/home/takahe none remount,exec,bind 0 0
> > 
> > Note that if you just specify bind,ro, then lxc should automatically
> > do the double-mount for you.  (see src/lxc/conf.c:mount_entry()).
> > 
> > However, the bad news for you is that the kernel will not allow you
> > to remount it with MS_EXEC, for security reasons.
> 
> Are there any security implications of doing this if a container is privileged
> and CONFIG_USER_NS is not set (because lxc-start runs as root)?

Running a container not in a user-namespace does have huge security
implications.  But you can, as root, still start a container that is
in a user namespace.  Just make sure that root has the needed subuid
allocations in /etc/subuid and /etc/subgid.

So you could start the container as root from a script like

	#!/bin/bash
	# runcontainer.sh: run under lxc-unshare -s MOUNT so the remount
	# below only affects this mount namespace, not the host.
	set -e
	mount -o remount,exec,bind /export/home
	lxc-start -n "$1"

where you start that by doing

	sudo lxc-unshare -s MOUNT -- ./runcontainer.sh mycontainer

That way root on the host remounts /export/home executable only for
the container, and the container gets an executable /export/home,
so you can keep the container in a user namespace.

-serge
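The pattern in Serge's reply, as an added example that is not code from the thread: the remount is done by host root inside a fresh mount namespace (util-linux unshare -m here; lxc-unshare -s MOUNT works the same way), and a small check on /proc/self/mountinfo shows how to confirm that /export/home is exec inside that namespace while the host's own mount table still says noexec. The container name, the /export/home path, and the mountinfo lines are constructed placeholders, not captured from a real system.

```bash
#!/bin/bash
# Added example (not code from the thread): check, from /proc/self/mountinfo,
# whether a mount point carries the per-mount noexec flag, and show the
# remount-inside-a-private-mount-namespace pattern from the reply above.
# Assumptions: util-linux unshare(1) and awk are available; the container
# name and /export/home are placeholders.
set -eu

# Per-mount option string (field 6 of mountinfo) for the entry whose mount
# point is exactly $1, read from the mountinfo file $2. With stacked mounts
# the last (topmost) entry wins; prints nothing if $1 is not a mount point.
mount_flags() {
    local mp="$1" info="$2"
    awk -v mp="$mp" '$5 == mp { flags = $6 } END { print flags }' "$info"
}

# Succeeds when $1 is mounted noexec according to mountinfo file $2.
is_noexec() {
    case ",$(mount_flags "$1" "$2")," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Prints "noexec" or "exec" for mount point $1 in mountinfo file $2.
exec_state() {
    if is_noexec "$1" "$2"; then echo noexec; else echo exec; fi
}

# Remount $1 executable inside a fresh, private mount namespace and start
# container $2 there. The flag change is confined to that namespace; the
# host (and any other container) keeps its own, unchanged view of $1.
# Needs root; lxc-unshare -s MOUNT can be used in place of unshare -m.
run_with_exec_home() {
    local path="$1" name="$2"
    unshare -m sh -c 'mount -o remount,bind,exec "$1" && exec lxc-start -n "$2"' \
        sh "$path" "$name"
}

# Constructed sample mountinfo (not captured from a real host):
# /export/home is mounted noexec on the host ...
HOST_MOUNTINFO='21 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
58 21 8:17 / /export/home rw,nosuid,nodev,noexec,relatime shared:30 - ext4 /dev/sdb1 rw'
# ... and the same mount as seen after "mount -o remount,bind,exec /export/home"
# inside the private mount namespace.
NS_MOUNTINFO='21 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro
58 21 8:17 / /export/home rw,nosuid,nodev,relatime - ext4 /dev/sdb1 rw'

# Compare the two views. On a real system read /proc/self/mountinfo from a
# host shell and from inside the container (lxc-attach) instead.
demo() {
    local h n
    h=$(mktemp); n=$(mktemp)
    printf '%s\n' "$HOST_MOUNTINFO" > "$h"
    printf '%s\n' "$NS_MOUNTINFO" > "$n"
    echo "host view of /export/home:      $(exec_state /export/home "$h")"
    echo "namespace view of /export/home: $(exec_state /export/home "$n")"
    rm -f "$h" "$n"
}

demo
# To actually start the container (as root):
#   run_with_exec_home /export/home mycontainer
```

Because MS_REMOUNT|MS_BIND only changes the flags of the mount in the namespace where it is issued, the host's /export/home stays noexec; the container later bind-mounts from the remounted copy and inherits exec. Run the exec_state check from both sides before trusting that the container, and only the container, got the relaxed mount.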

