Hi there,

>> Yep, we discussed this at Plumbers and I think it's really the way to
>> go, basically remove all of that fs pinning code and just do a
>> bind-mount of the rootfs on itself in the container's mountns before
>> starting it.
>
>> That way if the container decides to remount / ro at any point, it'll
>> succeed and will give the user a read-only / but without affecting the
>> outside world.
>
> Ideally, I think that's the way to go and I used to do that manually when
> setting up my containers but I was thinking there was some breakage
> between that and the way we were working around the pivot_root problem
> introduced by systemd (Fedora, Suse, Arch, et al).  If we can verify
> that works with all the init flavors without breaking, that could be
> part of the general cleanup of the mount tables in the containers as
> well, maybe...

Just a short comment about what I found out when looking at the
auto-mount stuff I just sent to the list when it comes to
bind-mounts and remounting ro:

Take the following example:

mount --bind /foo /bar
mount -o remount,ro /bar

In kernels up to at least 3.2 (but not much later) this would make the
mount /bar read-only, but keep /foo read-write.

But: in kernels from at most 3.8 (possibly earlier), this would actually
remount the entire filesystem read-only or give a busy message. There
was apparently some kind of change here.

In order to properly remount bind-mounts read-only in newer kernels,
you have to do the following:

mount -o remount,bind,ro /bar

This will also work in older kernels (I could only test 2.6.32, not
earlier), so in that sense it's portable.

BUT: the typical bind-mount trick one could use to keep the container
from remounting / ro at shutdown will apparently, as far as I can
tell, not work anymore in 3.8, possibly earlier, since typical
shutdown will do the equivalent of remount,ro and not add the bind
option there.

So unfortunately, I think we'll have to stick with pinning... :(

-- Christian
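Added example (not from the list post or the LXC code): the two outcomes Christian describes can be told apart from /proc/self/mountinfo, because a `remount,bind,ro` only sets the per-mount "ro" flag (field 6) while a plain `remount,ro` on the newer kernels flips the shared superblock (the options after the mount source), which makes every other mount of that filesystem, /foo included, effectively read-only even though its own per-mount flags still say "rw". The mountinfo lines below are constructed for /foo as a separate ext4 mount bound onto /bar.

```python
"""Audit whether a mount is read-only per-mount or via its superblock."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed mountinfo snapshots (not captured from a real host).
BIND_RO = """\
31 1 8:17 / /foo rw,relatime - ext4 /dev/sdb1 rw
32 1 8:17 / /bar ro,relatime - ext4 /dev/sdb1 rw
"""   # after: mount -o remount,bind,ro /bar   (per-mount flag only)
PLAIN_RO = """\
31 1 8:17 / /foo rw,relatime - ext4 /dev/sdb1 ro
32 1 8:17 / /bar ro,relatime - ext4 /dev/sdb1 ro
"""   # after: mount -o remount,ro /bar on a >= 3.8 kernel (superblock)


@dataclass
class MountState:
    mountpoint: str
    mount_ro: bool   # "ro" among the per-mount (vfsmount) options, field 6
    sb_ro: bool      # "ro" among the superblock options after the source
    source: str

    @property
    def effective_ro(self) -> bool:
        # Writes fail if either the mount or the superblock is read-only.
        return self.mount_ro or self.sb_ro


def parse_mountinfo(text: str) -> dict[str, MountState]:
    """Map mountpoint -> MountState for mountinfo(5)-format lines."""
    states: dict[str, MountState] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        pre, _, post = line.partition(" - ")      # " - " ends optional fields
        fields = pre.split()
        mountpoint = fields[4].replace("\\040", " ")
        mnt_opts = fields[5].split(",")
        _fstype, source, sb_opts = post.split(maxsplit=2)
        states[mountpoint] = MountState(
            mountpoint, "ro" in mnt_opts, "ro" in sb_opts.split(","), source)
    return states


def describe(state: MountState) -> str:
    """Explain where a read-only state comes from."""
    if state.sb_ro:
        return "read-only: superblock is ro (affects every mount of this fs)"
    if state.mount_ro:
        return "read-only at the mount level only (remount,bind,ro)"
    return "read-write"
```

On a live system, feed `open("/proc/self/mountinfo").read()` to `parse_mountinfo` and check that /foo keeps `effective_ro == False` after the container's shutdown remount.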

