Quoting Christian Seiler (christ...@iwakd.de):
> Hi there,
>
> >> Yep, we discussed this at Plumbers and I think it's really the way
> >> to go, basically remove all of that fs pinning code and just do a
> >> bind-mount of the rootfs on itself in the container's mountns before
> >> starting it.
> >>
> >> That way if the container decides to remount / ro at any point,
> >> it'll succeed and will give the user a read-only / but without
> >> affecting the outside world.
> >
> > Ideally, I think that's the way to go and I used to do that manually
> > when setting up my containers, but I was thinking there was some
> > breakage between that and the way we were working around the
> > pivot_root problem introduced by systemd (Fedora, Suse, Arch, et al).
> > If we can verify that works with all the init flavors without
> > breaking, that could be part of the general cleanup of the mount
> > tables in the containers as well, maybe...
>
> Just a short comment about what I found out when looking at the
> auto-mount stuff I just sent to the list when it comes to bind-mounts
> and remounting ro:
>
> Take the following example:
>
>     mount --bind /foo /bar
>     mount -o remount,ro /bar
>
> In kernels up to at least 3.2 (but not much later) this would make the
> mount /bar read-only, but keep /foo read-write.
>
> But: in kernels from at most 3.8 (possibly earlier), this would
> actually remount the entire filesystem read-only or give a busy
> message. There was apparently some kind of change here.
>
> In order to properly remount bind-mounts read-only in newer kernels,
> you have to do the following:
>
>     mount -o remount,bind,ro /bar
>
> This will also work in older kernels (I could only test 2.6.32, not
> earlier), so in that sense it's portable.
>
> BUT: the typical bind-mount trick one could use to keep the container
> from remounting / ro at shutdown will apparently, as far as I can
> tell, not work anymore in 3.8, possibly earlier, since typical
> shutdown will do the equivalent of remount,ro and not add the bind
> option there.
>
> So unfortunately, I think we'll have to stick with pinning... :(
The following works for me both in 3.2 and 3.8:

sudo mkdir -p /tmp/a /tmp/b /tmp/c
sudo mount -t tmpfs tmpfs /tmp/a
sudo mount --bind /tmp/a /tmp/b
sudo mount --bind /tmp/a /tmp/c   # assumed: the bind of /tmp/c is missing from the message as transcribed
sudo mount -o remount,bind,rw /tmp/c /tmp/c
sudo mount -o remount,ro /tmp/c
sudo touch /tmp/b/a # succeeds
sudo touch /tmp/c/a # fails

-serge

_______________________________________________
Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel
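One check worth running after either remount form, as an added example of my own (not code from this thread or from LXC): it parses /proc/self/mountinfo (here a constructed sample) and reports whether a mount point is read-only only at the mount level, as `remount,bind,ro` leaves it, or at the superblock, which a plain `remount,ro` on the newer kernels discussed above would set for every bind mount of that filesystem. The names `readonly_scope` and `sibling_mounts` are mine.

```python
"""Added check: tell a per-mount read-only flag from a read-only superblock.
/proc/self/mountinfo line: id parent maj:min root mountpoint mount_opts [tags] - fstype source super_opts
`mount -o remount,bind,ro` flips only mount_opts; a plain `remount,ro` on newer
kernels flips super_opts, which every bind mount of that filesystem shares."""
import re
from typing import List, NamedTuple, Optional

class MountEntry(NamedTuple):
    mount_point: str
    device: str      # maj:min, identifies the shared superblock
    fstype: str
    mount_ro: bool   # per-mount flag (what remount,bind,ro sets)
    super_ro: bool   # superblock flag (what a plain remount,ro may set)

def _unescape(path: str) -> str:
    # mountinfo encodes space, tab, newline and backslash as \040, \011, \012, \134
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), path)

def parse_mountinfo(text: str) -> List[MountEntry]:
    entries = []
    for line in text.splitlines():
        pre, sep, post = line.partition(" - ")
        if not sep:
            continue  # blank or malformed line
        f = pre.split()
        fstype, _source, super_opts = post.split()[:3]
        entries.append(MountEntry(_unescape(f[4]), f[2], fstype,
                                  "ro" in f[5].split(","), "ro" in super_opts.split(",")))
    return entries

def readonly_scope(entries: List[MountEntry], mount_point: str) -> Optional[str]:
    """'superblock' if the filesystem itself is ro (hits every bind of it),
    'mount' if only this mount point is ro, None if writable."""
    e = next(x for x in entries if x.mount_point == mount_point)
    return "superblock" if e.super_ro else ("mount" if e.mount_ro else None)

def sibling_mounts(entries: List[MountEntry], mount_point: str) -> List[str]:
    """Other mount points on the same superblock: the ones a plain
    remount,ro of mount_point would also turn read-only on newer kernels."""
    dev = next(x.device for x in entries if x.mount_point == mount_point)
    return [x.mount_point for x in entries if x.device == dev and x.mount_point != mount_point]

# Constructed sample (not captured from a real host), mirroring the tmpfs test above:
# /tmp/c is ro at the mount only; "/mnt/old disk" is ro at the superblock.
SAMPLE = """\
25 1 0:21 / /tmp/a rw,relatime shared:12 - tmpfs tmpfs rw
26 25 0:21 / /tmp/b rw,relatime shared:12 - tmpfs tmpfs rw
27 25 0:21 / /tmp/c ro,relatime shared:12 - tmpfs tmpfs rw
28 1 7:0 / /mnt/old\\040disk ro,relatime - ext4 /dev/loop0 ro,data=ordered
"""
```

Feed it the real file with `parse_mountinfo(open("/proc/self/mountinfo").read())` inside the container's mount namespace to confirm / is "mount"-scoped read-only rather than "superblock".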