[lxc-users] Establish a bind mount to a running container

Wolfgang Bumiller w.bumiller at proxmox.com
Fri Oct 7 12:39:44 UTC 2016


> On October 7, 2016 at 11:45 AM Stéphane Graber <stgraber at ubuntu.com> wrote:
> 
> 
> On Fri, Oct 07, 2016 at 07:03:21AM +0000, Jäkel, Guido wrote:
> > Dear experts,
> > 
> > I wonder if it's possible to establish a bind mount filesystem resource from the LXC host to an already running container in an manual way, but analogous as it is done at startup time. 
> > 
> > I already figured out that the releasing an existing link is no thing; just umount it from inside the container. But is there a way to establish one while shifting the destination of a bind mount into the right namespace?
> > 
> > I ask about, because in a couple of days I have to change a (NFS) filesystem source (because of an hardware migration) that is common to a large number of running containers but not frequently used and I want to avoid to restart all the containers with it services.
> > 
> > thank you for advice
> > 
> > Guido
> 
> It's very difficult due to a number of restrictions in place in the kernel.
> 
> The only way of doing this that I'm aware of is what we do in LXD. We
> create a path on the host before the container starts, put that on a
> rshared mountpoint, then bind-mount that directory into the container
> under some arbitrary path.

But the container can break this from the inside by turning the inner
slave mount point into a private mountpoint once (which cannot be undone).
Then again, the standard AppArmor profile still has the make-private
on ** rules commented out with the note that AppArmor treats it as
allowing all mounts, so I suppose in the default case it'll be hard to
break this functionality.

I've been wondering if there's a more reliable way for a while now...



More information about the lxc-users mailing list