On Wed, Jul 17, 2013 at 09:41:43AM -0500, Serge Hallyn wrote:
> The debugfs, fusectl, and securityfs may not be mounted inside a
> non-init userns. But mountall hangs waiting for them to be
> mounted. So just pre-mount them using $lxcpath/$name/fstab as
> bind mounts, which will prevent mountall from trying to mount
> them.
>
> If the kernel doesn't provide them, then the bind mount failure
> will be ignored, and mountall in the container will proceed
> without the mount since it is 'optional'. But without these
> bind mounts, starting a container inside a user namespace
> hangs.
>
> Signed-off-by: Serge Hallyn <serge.hal...@ubuntu.com>
I think that's reasonable, I'm assuming this won't somehow bypass our
existing apparmor policies (on non-userns) that prevent access to most
of those right?

An alternative would have been to bind-mount the directory on itself
which I believe is sufficient to trick mountall (it won't bother mount
anything that's already a mountpoint) but that's probably a bad idea at
least for fuse which we may actually need, at least on non-userns.

Anyway:

Acked-by: Stéphane Graber <stgra...@ubuntu.com>

> ---
> templates/lxc-ubuntu-cloud.in | 3 +++
> templates/lxc-ubuntu.in | 3 +++
> 2 files changed, 6 insertions(+)
>
> diff --git a/templates/lxc-ubuntu-cloud.in b/templates/lxc-ubuntu-cloud.in
> index 5ffb5ba..480ef14 100644
> --- a/templates/lxc-ubuntu-cloud.in
> +++ b/templates/lxc-ubuntu-cloud.in
> @@ -96,6 +96,9 @@ EOF
> cat <<EOF > $path/fstab
> proc proc proc nodev,noexec,nosuid 0 0
> sysfs sys sysfs defaults 0 0
> +/sys/fs/fuse/connections sys/fs/fuse/connections none bind 0 0
> +/sys/kernel/debug sys/kernel/debug none bind 0 0
> +/sys/kernel/security sys/kernel/security none bind 0 0
> EOF
>
> # rmdir /dev/shm for containers that have /run/shm
> diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in
> index 0b73529..af3c2b3 100644
> --- a/templates/lxc-ubuntu.in
> +++ b/templates/lxc-ubuntu.in
> @@ -427,6 +427,9 @@ EOF
> cat <<EOF > $path/fstab
> proc proc proc nodev,noexec,nosuid 0 0
> sysfs sys sysfs defaults 0 0
> +/sys/fs/fuse/connections sys/fs/fuse/connections none bind 0 0
> +/sys/kernel/debug sys/kernel/debug none bind 0 0
> +/sys/kernel/security sys/kernel/security none bind 0 0
> EOF
>
> if [ $? -ne 0 ]; then
> --
> 1.8.1.2
>
>
> ------------------------------------------------------------------------------
> See everything from the browser to the database with AppDynamics
> Get end-to-end visibility with application monitoring from AppDynamics
> Isolate bottlenecks and diagnose root cause in seconds.
> Start your free trial of AppDynamics Pro today!
> http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
> _______________________________________________
> Lxc-devel mailing list
> Lxc-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/lxc-devel

--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
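Review bot: in the lxc-ubuntu-cloud.in hunk, the commit message relies on the bind mount failing harmlessly when the host kernel lacks debugfs, fusectl or securityfs, but the three added fstab lines carry only `bind` in the options column, so nothing in the hunk itself marks them as non-fatal to LXC's own mount setup; the commit message (or a comment above the heredoc) should state what makes a missing /sys/kernel/debug, /sys/kernel/security or /sys/fs/fuse/connections on the host a tolerated error rather than a container start failure. Separately, a plain `bind` exposes the host's debugfs and securityfs trees inside the container with whatever access the host mount allows, which is more than mountall needs (it only has to see a mountpoint); since the reply already asks whether the apparmor policy still covers these paths, that answer belongs in the commit message, and adding `ro` to the bind options would limit what a container can reach if the policy does not.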
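Review bot: the lxc-ubuntu.in hunk adds the same three bind-mount lines, character for character, as the lxc-ubuntu-cloud.in hunk, so the two templates' fstab heredocs now carry duplicated mount policy that will drift the next time one of them is updated; consider emitting the common entries from one shared function or snippet, or at least add a comment in each heredoc pointing at the other copy. The `if [ $? -ne 0 ]; then` in the trailing context only checks the heredoc redirection, so it gives no signal about whether these bind mounts later succeed; the same question about how a missing host filesystem is tolerated applies to this copy.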