Package:lxc Version:0.9.0~alpha3-2+deb8u1
Hello,
I have had my host's filesystem mounted read-only after the last
container stopped. This is very annoying as you can't do much
with it anymore (e.g. not starting a new container etc.).
After some searching I found:
- It is the guest (in the container) who does a remount on the guest's
root:
    mount -o remount,ro /
(in /etc/init.d/umountroot)
- This remount propagates "back" to the host. If there are files open
for writing on the host filesystem the remount fails. So this is the
reason why it only happens after the last container closes. And many
users may not even take notice of the problem when running lxc somewhere
on the host's root filesystem, which is always busy.
- Thinking in terms of guest isolation this is a nightmare, of course.
- For some time the kernel has provided slave mounts and there has been an
interesting discussion whether this can be used to isolate the guest.
Obviously it can't. (And the question arose whether this is a kernel
issue. It seems a remount does not count as a mount operation.)
See:
https://lists.linuxcontainers.org/pipermail/lxc-users/2011-July/002309.html
- There is a trick to solve the problem: lxc-start creates and holds a file
open for writing in order to prevent the remount ("pinning").
Unfortunately it releases it too early, so the intention is missed.
- I have found a patch for Ubuntu which addresses this issue.
https://lists.linuxcontainers.org/pipermail/lxc-devel/2013-September/005165.html
It does not apply to Debian's lxc 0.9.0~alpha3-2+deb8u1 but contains
only four small changes in src/lxc/start.c. Here is my patch for Debian's lxc.
Markus
close_pinfd_on_stop
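The "pinning" trick described in the report, as an added example that is not the bug reporter's patch nor lxc's own start.c: a file inside the guest rootfs is opened for writing and unlinked, and the descriptor is held until the container has fully stopped, so the guest's `mount -o remount,ro /` cannot reach the host. The function names, the `.pin-example` file name and the scratch directory are assumptions of this example; the self-check runs without root and verifies the descriptor handling only, since the remount refusal itself needs a real mount.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open, then immediately unlink, a file for writing inside the guest rootfs.
 * While the descriptor stays open the kernel refuses "mount -o remount,ro" of
 * that filesystem (EBUSY). Returns the descriptor, or -1 with errno set. */
int pin_rootfs(const char *rootfs)
{
    char absrootfs[PATH_MAX], pinpath[PATH_MAX];
    struct stat st;
    int fd;
    if (rootfs == NULL || realpath(rootfs, absrootfs) == NULL)
        return -1;
    if (stat(absrootfs, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;
    /* ".pin-example" is a hypothetical name; only the open descriptor matters */
    if (snprintf(pinpath, sizeof pinpath, "%s/.pin-example", absrootfs) >= (int)sizeof pinpath)
        return -1;
    /* O_CLOEXEC: the child that execs the guest's init must not inherit the pin */
    fd = open(pinpath, O_CREAT | O_RDWR | O_CLOEXEC, S_IRUSR | S_IWUSR);
    if (fd >= 0)
        (void)unlink(pinpath); /* nothing left in the rootfs; the inode stays open */
    return fd;
}

/* Release the pin only once the container has fully stopped; closing it
 * earlier (the reported bug) lets the guest's final remount reach the host. */
void unpin_rootfs(int *pinfd) { if (*pinfd >= 0) close(*pinfd); *pinfd = -1; }

/* Self-check on a constructed scratch directory (no root needed): pin succeeds,
 * the pin file is gone, the descriptor is writable, unpin resets it. 1 = ok. */
int pin_selftest(void)
{
    char dir[] = "/tmp/pin-example-XXXXXX", leftover[PATH_MAX];
    int fd, ok;
    if (mkdtemp(dir) == NULL)
        return 0;
    fd = pin_rootfs(dir);
    snprintf(leftover, sizeof leftover, "%s/.pin-example", dir);
    ok = fd >= 0 && access(leftover, F_OK) != 0 && (fcntl(fd, F_GETFL) & O_ACCMODE) == O_RDWR;
    unpin_rootfs(&fd);
    ok = ok && fd == -1;
    rmdir(dir);
    return ok;
}
```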