[lxc-users] Establish a bind mount to a running container

Jäkel, Guido G.Jaekel at dnb.de
Tue Oct 25 09:46:08 UTC 2016 

Dear Stéphane,

I got time to play around with injecting mounts into a running container

You suggest:
>>>> Setup steps, before you first start the container:
>>>>
>>>> 1) mkdir /tmp/shared-c1
>>>> 2) mount --bind /tmp/shared-c1 /tmp/shared-c1
>>>> 3) mount --make-rshared /tmp/shared-c1
>>>> 4) Add to /var/lib/lxc/c1/config => lxc.mount.entry=/tmp/shared-c1 /.shared none bind,create=dir 0 0
>>>> 5) lxc-start -n c1
>>>>
>>>> At which point, you could inject a new mount with:
>>>>
>>>> 1) mkdir /tmp/share-c1/some_directory
>>>> 2) mount -- bind /mnt/some_host_mountpoint/some_directory /tmp/share-c1/some_directory
>>>> 3) lxc-attach -n c1 -- mkdir -p /import/some_container_mountpoint
>>>> 4) lxc-attach -n c1 -- mount --move /.shared/some_directory /import/some_container_mountpoint
>>>>

I take a slightly different approach:

1) Before starting the Container,  I rshared-bind-over the "injecting directory" right at the containers source image tree. With this, there's no need to configure an additional lxc-mount. Using the names from you example, I use

    mount --bind --make-rshared  $PATH_TO_C1_ROOTFS/.shared $PATH_TO_C1_ROOTFS/.shared

2) Start the Container, e.g.

    lxc-start -n c1

3) After start, this might be made slave for security, but must not for functionality. (BTW: I can't use lxc-attach because of a bug in my very old LXC 0.8.4, I did it via a ssh channel)

    lxc-attach -n c1 -- mount --make-slave .shared


Now, I was able to inject a filesystem:

1)  mkdir $PATH_TO_C1_ROOTFS/.shared/some_container_mountpoint
2) mount --bind /mnt/some_host_mountpoint/some_directory  $PATH_TO_C1_ROOTFS/.shared/some_container_mountpoint

However, it's not allowed to move a shared subtree. But I found that I can rebind it to move it to the final destination (in the example: at /import/)

3) lxc-attach -n c1 -- mkdir -p /import/some_container_mountpoint
4) lxc-attach -n c1 -- mount --bind .shared/some_container_mountpoint /import/some_container_mountpoint

After re-binding in the container, one may release the bind-mount to the filesystem at the host

5) umount $PATH_TO_C1_ROOTFS/.shared/some_container_mountpoint

At this point, along with the host, in the container the shared mount at .shared will disappear, but the one at /import will kept (and lost the shared stae, of corse). And it may be dropped inside the container by umount if needed as usual.



In your first answer, you wrote:
>The only way of doing this that I'm aware of is what we do in LXD.

Does this mean, that with LXD filesystem injection at runtime is supported? Is this done by  using 'lxc config device add <container> <name> disk ...' ?


Greetings

Guido

More information about the lxc-users mailing list