[lxc-users] Set specific mount options for the ROOTFS

Serge E. Hallyn serge at hallyn.com
Mon Jun 20 15:49:50 UTC 2016


Quoting Olivier BONHOMME (obonhomme+lxc at nerim.net):
> On Mon, Jun 20, 2016 at 09:51:11AM -0500, Serge E. Hallyn wrote:
> > Quoting Olivier BONHOMME (obonhomme+lxc at nerim.net):
> > > Hello,
> > > 
> > > I'm trying to set up containers using LXC and I have a question about how the rootfs is mounted.
> > > 
> > > I would love to start my container with some specific mount options in order to
> > > increase the security a little bit by reducing what it is possible to do directly
> > > on the ROOTFS. That's why I would love to apply some restrictions on the /
> > > mountpoint like ro,nosuid,nodev,noexec.
> > > 
> > > I tried using the lxc.rootfs.options without success. So I would like to know if it
> > 
> > lxc.rootfs.options is meant to work, fwiw.  If you give more details about your
> > setup (is the rootfs on a device or in a file, or just a directory;  what is the
> > whole config file;  what host system do you have) someone should be able to
> > reproduce and hopefully fix the bug.
> 
> Hello Serge,
> 
> Thanks for your quick answer. My entries are the following :
>  - Host System CentOS 7
>  - LXC Version : 1.0.8 provided by EPEL
>  - Template used : lxc-sshd
>  
> In order to create the container I used the lxc-create command with the -t sshd parameter.
> So the rootfs created is stored in a directory in the default location /var/lib/lxc/<mycontainer>/rootfs.
> 
> The config file used is the one automatically created by the sshd template. I just override the lxc.rootfs.options setting with ro,noexec,nodev,nosuid.
> 
> But when I do an lxc-attach, / is mounted as rw in /proc/mounts.

Can you try actually writing to a file in the rootfs?  Since your
rootfs is a bind mount, there is no separate filesystem to make
ro.  Rather, the bind mount should be made a ro mount without
changing the fs options.  You can create a separate rootfs (look at
the -B option) if you want more separation.
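
The following is an added example, not code from this thread, from LXC or from either poster. It shows, outside LXC, what "make the bind mount ro" means for a directory-backed rootfs: bind-mount the directory, then remount that bind mount with ro,nosuid,nodev,noexec, which sets per-mount flags without touching the filesystem that holds the directory. It also reads the option field back from a /proc/mounts-style table, so the result can be checked the way a process inside the container would see it. The rootfs path, the DEMO_ROOTFS variable and the mount table lines are assumptions constructed for the demo; the live mount step needs CAP_SYS_ADMIN.

```shell
#!/bin/sh
# Added example, not code from this thread or from LXC itself. It shows what
# "make the bind mount ro" means in practice for a directory-backed rootfs:
# bind-mount the directory, then remount that bind mount with the restrictive
# per-mount flags, and read the result back from a /proc/mounts-style table.
# All paths and the sample table used for testing are constructed for the demo.

# Bind-mount SRC at DST, then remount the bind mount itself with
# ro,nosuid,nodev,noexec. "remount,bind" changes only this mount's flags;
# the filesystem holding SRC stays rw for the host. Needs CAP_SYS_ADMIN
# (root, or a user+mount namespace from `unshare -Urm`).
harden_bind_mount() {
    src=$1; dst=$2
    mount --bind "$src" "$dst" || return 1
    mount -o remount,bind,ro,nosuid,nodev,noexec "$dst"
}

# Print the option field for mount point MNT from a /proc/mounts-style
# table (default: the caller's own /proc/self/mounts). Field 2 is the mount
# point, field 4 the options; that file escapes spaces in paths as \040, so
# whitespace splitting is safe. If MNT is mounted over several times, the
# last line is the one a process actually sees, so it wins.
mount_opts() {
    table=${2:-/proc/self/mounts}
    awk -v m="$1" '$2 == m { o = $4 } END { print o }' "$table"
}

# Succeed only if every flag in FLAGS (comma-separated) is set on MNT.
# Whole-option matching keeps "ro" from matching "errors=remount-ro".
has_flags() {
    opts=$(mount_opts "$1" "$3")
    for f in $(printf '%s' "$2" | tr ',' ' '); do
        case ",$opts," in
            *",$f,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Live demo, run only when DEMO_ROOTFS (assumed name) points at a directory
# and we are allowed to mount. This is the check Serge asks for: not what
# /proc/mounts says, but whether a write to the rootfs actually fails.
if [ -n "${DEMO_ROOTFS:-}" ]; then
    mnt=$(mktemp -d)
    harden_bind_mount "$DEMO_ROOTFS" "$mnt"
    echo "options on $mnt: $(mount_opts "$mnt")"
    if has_flags "$mnt" ro,nosuid,nodev,noexec; then
        echo "all four flags present on the bind mount"
    fi
    if touch "$mnt/.write-test" 2>/dev/null; then
        echo "WRITE SUCCEEDED: mount is not read-only"
        rm -f "$mnt/.write-test"
    else
        echo "write refused: read-only bind mount is effective"
    fi
    umount "$mnt" && rmdir "$mnt"
fi
```

Run as root with `DEMO_ROOTFS=/var/lib/lxc/<mycontainer>/rootfs sh harden.sh` to see the bind mount's option field and the result of the write test. One caveat worth knowing before copying the full flag set from the question: noexec on a mount makes exec() fail for every file on it, so a rootfs mounted noexec cannot run its own init or sshd. ro, nosuid and nodev on / are common hardening; noexec is normally reserved for mounts such as /tmp, /var/tmp and /dev/shm.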
