Quoting Christian Seiler (christ...@iwakd.de):
> Hi Serge,
>
> On 12.09.2013 16:43, Serge Hallyn wrote:
> >Quoting Christian Seiler (christ...@iwakd.de):
> >>Add function to mount cgroup filesystem hierarchy into the
> >>container, allowing only access to the parts that the container
> >>should have access to, but none else.
> >>
> >>Signed-off-by: Christian Seiler <christ...@iwakd.de>
> >
> >Hm, these last two patches aren't working for me. They don't break
> >anything in a normal setup, but when I try to use lxc.mount.auto it
> >hangs. It may not be a fault in the patches, as mountall starts and
> >hangs.
>
> It may be that the image you are using doesn't like what one
> of the auto-mounted filesystems is doing. It could be that if
Ah, no, mountall just gets upset about some forced read-only mounts.
lxc.mount.auto = proc always worked for me. If I do

ubuntu@c-saucy-1:~/lxc-0.9.0.0~staging~20130911-2324$ git diff src/lxc/conf.c
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 364e571..708bb48 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -762,7 +762,7 @@ static int lxc_mount_auto_mounts(struct lxc_conf *conf, int flags, struct cgroup
 			goto cleanup;
 		}
 
-		r = mount("sysfs", path, "sysfs", MS_RDONLY, NULL);
+		r = mount("sysfs", path, "sysfs", 0, NULL);
 		if (r < 0) {
 			SYSERROR("error mounting /sys");
 			goto cleanup;

and

ubuntu@c-saucy-1:~/lxc-0.9.0.0~staging~20130911-2324$ git diff src/lxc/cgroup.c
diff --git a/src/lxc/cgroup.c b/src/lxc/cgroup.c
index 876c60c..a2ed467 100644
--- a/src/lxc/cgroup.c
+++ b/src/lxc/cgroup.c
@@ -1310,7 +1310,7 @@ int lxc_setup_mount_cgroup(const char *root, struct cgroup_process_info *base_in
 	 * new cgroups outside the allowed area fails with an error instead
 	 * of simply causing this to create directories in the tmpfs itself)
 	 */
-	mount(NULL, path, NULL, MS_REMOUNT|MS_RDONLY, NULL);
+	//mount(NULL, path, NULL, MS_REMOUNT|MS_RDONLY, NULL);
 	free(path);

then sys and cgroup auto-mount also work. The problem with both is that
mountall has entries in /lib/init/fstab saying they should be mounted
read-write, so it hangs trying to force that to happen.

How would you feel about adding a flag to specify whether they should be
read-only? How would we specify the flag?

(Note it's OK for sys to be read-write in Ubuntu since AppArmor confines
it. cgroups by default are too, but we don't have a good way yet to
generate policy which will allow
/sys/fs/cgroup/$controller/$container-cgroup-path/ to be written to but
the /sys/fs/cgroup/$controller not.)

-serge

_______________________________________________
Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel
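Review bot: in the conf.c hunk (@@ -762,7 +762,7 @@), replacing MS_RDONLY with a literal 0 makes the sysfs mount read-write for every container unconditionally, which is wider than the stated goal of letting mountall's /lib/init/fstab entries succeed; the message itself says read-write /sys is only acceptable where AppArmor confines it. Keep MS_RDONLY as the default and pass a per-container value in its place, e.g. `r = mount("sysfs", path, "sysfs", sys_flags, NULL);` with sys_flags derived from the lxc.mount.auto option being proposed, so the hard-coded 0 never reaches a tree. The retained `if (r < 0)` / SYSERROR error path is right and should stay.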
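Review bot: in the cgroup.c hunk (@@ -1310,7 +1310,7 @@), commenting out the MS_REMOUNT|MS_RDONLY line removes exactly the guarantee the preceding comment describes (creating cgroups outside the allowed area fails with an error instead of creating directories in the tmpfs itself), so a container can again mkdir freely in the tmpfs behind /sys/fs/cgroup. If read-write is to be supported, gate the remount on the new option rather than leaving commented-out code in the tree. Also, neither the old nor the new line checks the return value of mount(): a failed remount would silently leave the tmpfs writable, so when the remount is kept it should be checked and logged like the sysfs mount in conf.c, e.g. `if (mount(NULL, path, NULL, MS_REMOUNT|MS_RDONLY, NULL) < 0)` followed by a SYSERROR and the cleanup path.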
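Serge asks how a read-only/read-write choice for the auto-mounted filesystems could be specified. The C block below is an added example for this thread, not code from LXC or from either poster. It assumes an optional ":ro" / ":rw" suffix on each lxc.mount.auto entry (e.g. "proc sys:rw cgroup:ro"); the names auto_mount_conf, parse_lxc_mount_auto and cgroup_tmpfs_remount_readonly are invented for the illustration, and the sample config value in main() is constructed. Entries without a suffix keep today's read-only behaviour, and a malformed entry rejects the whole line so a typo cannot quietly turn a mount read-write.

```c
/* Added example, not LXC code: parse an assumed ":ro"/":rw" suffix on
 * lxc.mount.auto entries into the mount flags the auto-mount code would use. */
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>

#ifndef MS_RDONLY   /* sys/mount.h is Linux-specific; keep the example compiling elsewhere */
#define MS_RDONLY 1
#endif

enum auto_mount_kind {
	AUTO_PROC   = 1 << 0,
	AUTO_SYS    = 1 << 1,
	AUTO_CGROUP = 1 << 2,
};

struct auto_mount_conf {          /* hypothetical: what the parsed option would carry */
	int mounts;                   /* bitmask of enum auto_mount_kind */
	unsigned long sys_flags;      /* MS_RDONLY or 0 for the sysfs mount */
	unsigned long cgroup_flags;   /* MS_RDONLY or 0 for the cgroup tmpfs remount */
};

/* Parse one token such as "sys", "sys:rw" or "cgroup:ro" (tok is not NUL-terminated).
 * No suffix means read-only, so existing configs keep their current meaning.
 * Returns 0 on success, -1 on an unknown mount name or mode. */
static int parse_auto_mount_token(struct auto_mount_conf *c, const char *tok, size_t len)
{
	char name[16], mode[8];
	const char *colon = memchr(tok, ':', len);
	size_t nlen = colon ? (size_t)(colon - tok) : len;
	size_t mlen = colon ? len - nlen - 1 : 0;
	unsigned long flags;

	if (nlen == 0 || nlen >= sizeof(name) || mlen >= sizeof(mode))
		return -1;
	memcpy(name, tok, nlen);
	name[nlen] = '\0';
	memcpy(mode, colon ? colon + 1 : "", mlen);
	mode[mlen] = '\0';

	if (!colon || strcmp(mode, "ro") == 0)
		flags = MS_RDONLY;
	else if (strcmp(mode, "rw") == 0)
		flags = 0;
	else
		return -1;

	if (strcmp(name, "proc") == 0) {
		/* proc is not part of the read-only question in the thread, so this
		 * example rejects a mode suffix on it rather than silently ignoring one. */
		if (colon)
			return -1;
		c->mounts |= AUTO_PROC;
	} else if (strcmp(name, "sys") == 0) {
		c->mounts |= AUTO_SYS;
		c->sys_flags = flags;
	} else if (strcmp(name, "cgroup") == 0) {
		c->mounts |= AUTO_CGROUP;
		c->cgroup_flags = flags;
	} else {
		return -1;
	}
	return 0;
}

/* Parse a whole "lxc.mount.auto = ..." value: whitespace-separated tokens.
 * Any bad token fails the whole line; defaults match the current read-only code. */
int parse_lxc_mount_auto(struct auto_mount_conf *c, const char *value)
{
	const char *p = value;

	memset(c, 0, sizeof(*c));
	c->sys_flags = MS_RDONLY;
	c->cgroup_flags = MS_RDONLY;

	while (*p) {
		size_t n;
		p += strspn(p, " \t");
		if (!*p)
			break;
		n = strcspn(p, " \t");
		if (parse_auto_mount_token(c, p, n) < 0)
			return -1;
		p += n;
	}
	return 0;
}

/* Whether the cgroup tmpfs should get the MS_REMOUNT|MS_RDONLY pass after the
 * allowed hierarchy has been bind-mounted into it (1 = yes, 0 = no). */
int cgroup_tmpfs_remount_readonly(const struct auto_mount_conf *c)
{
	return ((c->mounts & AUTO_CGROUP) && (c->cgroup_flags & MS_RDONLY)) ? 1 : 0;
}

int main(void)
{
	struct auto_mount_conf c;
	const char *value = "proc sys:rw cgroup";   /* constructed sample config value */

	if (parse_lxc_mount_auto(&c, value) < 0) {
		fprintf(stderr, "bad lxc.mount.auto value: %s\n", value);
		return 1;
	}
	printf("sysfs mount flags: %s\n", (c.sys_flags & MS_RDONLY) ? "MS_RDONLY" : "0");
	printf("cgroup tmpfs remount read-only: %s\n",
	       cgroup_tmpfs_remount_readonly(&c) ? "yes" : "no");
	return 0;
}
```

With this shape the two experimental diffs above become a lookup of c.sys_flags in the sysfs mount call and a check of cgroup_tmpfs_remount_readonly() around the tmpfs remount, instead of a hard-coded 0 and a commented-out line.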