Re: [lxc-devel] mount ro in guest change host filesystem to ro
Hi,

in my opinion it's never a bad idea to drop the sys_admin cap, unless you really need it. I've searched for some help because I'm using Ubuntu only for some study (normally Gentoo).
I found a little help here: http://qemu-buch.de/de/index.php/QEMU-KVM-Buch/_Anhang/_Weitere_Virtualisierer_und_Emulatoren/_LXC#Die_LXC-Konfigurationsdatei .

My guest is using these settings:
lxc.cap.drop = sys_module mknod sys_admin

My fstab for a Ubuntu host looks like this:
# cat /var/lib/lxc/guest.temp01/fstab

proc   /var/lib/lxc/guest.temp01/rootfs/proc                    proc        nodev,noexec,nosuid  0 0
sysfs  /var/lib/lxc/guest.temp01/rootfs/sys                     sysfs       defaults             0 0
none   /var/lib/lxc/guest.temp01/rootfs/dev/shm                 tmpfs       mode=0644            0 0
none   /var/lib/lxc/guest.temp01/rootfs/dev/pts                 devpts      defaults             0 0
none   /var/lib/lxc/guest.temp01/rootfs/var/run                 tmpfs       defaults             0 0
none   /var/lib/lxc/guest.temp01/rootfs/sys/fs/fuse/connections fusectl     optional             0 0
none   /var/lib/lxc/guest.temp01/rootfs/sys/kernel/debug        debugfs     optional             0 0
none   /var/lib/lxc/guest.temp01/rootfs/sys/kernel/security     securityfs  optional             0 0

Inside the container the lib/init/fstab has to be modified like this:
# /lib/init/fstab: static file system information.
#
# These are the filesystems that are always mounted on boot, you can
# override any of these by copying the appropriate line from this file into
# /etc/fstab and tweaking it as you see fit.  See fstab(5).
#
#
/dev/root  /                         rootfs          defaults                          0 1
#none      /proc                     proc            nodev,noexec,nosuid               0 0
none       /proc/sys/fs/binfmt_misc  binfmt_misc     nodev,noexec,nosuid,optional      0 0
none       /sys                      sysfs           nodev,noexec,nosuid               0 0
#none      /sys/fs/fuse/connections  fusectl         optional                          0 0
#none      /sys/kernel/debug         debugfs         optional                          0 0
#none      /sys/kernel/security      securityfs      optional                          0 0
none       /spu                      spufs           gid=spu,optional                  0 0
#none      /dev                      devtmpfs,tmpfs  mode=0755                         0 0
#none      /dev/pts                  devpts          noexec,nosuid,gid=tty,mode=0620   0 0
none       /dev/shm                  tmpfs           nosuid,nodev                      0 0
none       /tmp                      none            defaults                          0 0
none       /var/run                  tmpfs           mode=0755,nosuid,showthrough      0 0
#none      /var/lock                 tmpfs           nodev,noexec,nosuid,showthrough   0 0
none       /lib/init/rw              tmpfs           mode=0755,nosuid,optional         0 0

Regards,
Axel Schöner

On Friday, 2. September 2011 11:51:55 Michael H. Warfield wrote:
> On Fri, 2011-09-02 at 08:35 +0400, Michael Tokarev wrote:
> > On 02.09.2011 00:46, Daniel Lezcano wrote:
> > > On 09/01/2011 09:30 PM, Nico wrote:
> > >> Hi,
> > >>
> > >> I just wanted to give it a try again with lxc after one year,
> > >> this is so bad same bugs are always here :
> > >>
> > >> * you can do a "mount -o remount,ro /" inside container (reported
> > >> since first times ... :( ),
> > >> and host filesystem is remounted ro !!
> > >
> > > Argh ! I still don't understand how that can happen with a
> > > CLONE_NEWNS
> > > and a pivot_root.
> > > Do you have particular mount options on your host's rootfs ?
> >
> > In order for guest remount to NOT influence host mount, you have to
> > give -o bind option to mount inside guest. If you don't specify
> > MS_BIND with MS_REMOUNT, the remount applies to _host_ mountpoint,
> > not guest.
>
> Last time I recall playing with this was a couple of months ago and was
> not the rootfs that was causing me headaches with random acts of
> terrorism but the devpts file system mounted on /dev/pts. When a
> container would do a remount ro (the evil deed in the "halt" script that
> was causing the problems) it would make ALL of the devpts mounts in the
> host and in all of the other containers ro, and you were screwed till
> you remounted it rw once again. At the time, we played with things like
> SLAVE, SHARED, and PRIVATE mounting with bind mounts and I had it
> (mostly?) working for real file systems, like additional mounts, but
> never did get it working for t
Re: [lxc-devel] mount ro in guest change host filesystem to ro
On Sun, 2011-09-04 at 21:53 +0200, axel.schoe...@gmx.de wrote:
> Hi,
>
> in my opinion it's never a bad idea to drop the sys_admin cap, unless you
> really need it.

It's been my personal experience that it's ALWAYS a bad experience to drop
sys_admin cap when you are doing a full system container. You can NOT even
set your own host name for crying out loud! You also can not mount file
images or set crypto keys. If I was one of those container owners, I would
be asking "what the shit is this crap..." Seriously... Not an option.

> I've searched for some help because I'm using Ubuntu only for
> some study (normally Gentoo).
> I found a little help here: http://qemu-buch.de/de/index.php/QEMU-KVM-Buch/_Anhang/_Weitere_Virtualisierer_und_Emulatoren/_LXC#Die_LXC-Konfigurationsdatei .
>
> My guest is using these settings:
> lxc.cap.drop = sys_module mknod sys_admin
>
>
> My fstab for a Ubuntu host looks like this:
> # cat /var/lib/lxc/guest.temp01/fstab
>
> proc   /var/lib/lxc/guest.temp01/rootfs/proc                    proc        nodev,noexec,nosuid  0 0
> sysfs  /var/lib/lxc/guest.temp01/rootfs/sys                     sysfs       defaults             0 0
> none   /var/lib/lxc/guest.temp01/rootfs/dev/shm                 tmpfs       mode=0644            0 0
> none   /var/lib/lxc/guest.temp01/rootfs/dev/pts                 devpts      defaults             0 0
> none   /var/lib/lxc/guest.temp01/rootfs/var/run                 tmpfs       defaults             0 0
> none   /var/lib/lxc/guest.temp01/rootfs/sys/fs/fuse/connections fusectl     optional             0 0
> none   /var/lib/lxc/guest.temp01/rootfs/sys/kernel/debug        debugfs     optional             0 0
> none   /var/lib/lxc/guest.temp01/rootfs/sys/kernel/security     securityfs  optional             0 0
>
>
> Inside the container the lib/init/fstab has to be modified like this:
> # /lib/init/fstab: static file system information.
> #
> # These are the filesystems that are always mounted on boot, you can
> # override any of these by copying the appropriate line from this file into
> # /etc/fstab and tweaking it as you see fit.  See fstab(5).
> #
> #
> /dev/root  /                         rootfs          defaults                          0 1
> #none      /proc                     proc            nodev,noexec,nosuid               0 0
> none       /proc/sys/fs/binfmt_misc  binfmt_misc     nodev,noexec,nosuid,optional      0 0
> none       /sys                      sysfs           nodev,noexec,nosuid               0 0
> #none      /sys/fs/fuse/connections  fusectl         optional                          0 0
> #none      /sys/kernel/debug         debugfs         optional                          0 0
> #none      /sys/kernel/security      securityfs      optional                          0 0
> none       /spu                      spufs           gid=spu,optional                  0 0
> #none      /dev                      devtmpfs,tmpfs  mode=0755                         0 0
> #none      /dev/pts                  devpts          noexec,nosuid,gid=tty,mode=0620   0 0
> none       /dev/shm                  tmpfs           nosuid,nodev                      0 0
> none       /tmp                      none            defaults                          0 0
> none       /var/run                  tmpfs           mode=0755,nosuid,showthrough      0 0
> #none      /var/lock                 tmpfs           nodev,noexec,nosuid,showthrough   0 0
> none       /lib/init/rw              tmpfs           mode=0755,nosuid,optional         0 0
>
>
> Regards,
> Axel Schöner
>
>
>
> On Friday, 2. September 2011 11:51:55 Michael H. Warfield wrote:
> > On Fri, 2011-09-02 at 08:35 +0400, Michael Tokarev wrote:
> > > On 02.09.2011 00:46, Daniel Lezcano wrote:
> > > > On 09/01/2011 09:30 PM, Nico wrote:
> > > >> Hi,
> > > >>
> > > >> I just wanted to give it a try again with lxc after one year,
> > > >> this is so bad same bugs are always here :
> > > >>
> > > >> * you can do a "mount -o remount,ro /" inside container (reported
> > > >> since first times ... :( ),
> > > >> and host filesystem is remounted ro !!
> > > >
> > > > Argh ! I still don't understand how that can happen with a
> > > > CLONE_NEWNS
> > > > and a pivot_root.
> > > > Do you have particular mount options on your host's rootfs ?
> > >
> > > In order for guest remount to NOT influence host mount, you have to
> > > give -o bind option to mount inside guest. If you don't specify
> > > MS_BIND with MS_REMOUNT, the remount applies to _host_ mountpoint,
> > > not guest.
> > >
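The two messages above turn on one kernel detail: `mount -o remount,ro /` (MS_REMOUNT alone) changes the superblock, so every mount of that filesystem goes read-only, on the host and in every container, which is what Michael Tokarev's quoted reply describes, while `mount -o remount,bind,ro /` (MS_REMOUNT|MS_BIND) sets a read-only flag on that one mount only. The same superblock sharing explains Michael Warfield's devpts case, where one container's `halt` script turned every /dev/pts read-only. The script below is an added example, not code from this thread or from LXC: it parses /proc/self/mountinfo, where field 6 holds the per-mount options and the last field the superblock options, and reports which mounts share a superblock (same major:minor), whether a `ro` flag sits on the superblock or on the individual mount, and which mounts have `shared:` propagation. The sample mountinfo is constructed to match the host layout in Axel's fstab and is not a real capture; the `--live` flag and the device numbers are assumptions of the example.

```python
"""Audit /proc/self/mountinfo for superblock sharing and ro-flag placement.

Added example, not from the lxc-devel thread.  Run with no arguments to
use the constructed sample below, or with --live to read the real host.
"""
import sys
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class MountEntry:
    mount_id: int
    parent_id: int
    dev: str               # major:minor of the superblock's device
    root: str              # root of the mount inside the filesystem
    mount_point: str
    mount_opts: List[str]  # per-mount (vfsmount) options, field 6
    optional: List[str]    # zero or more of shared:N, master:N, ...
    fs_type: str
    source: str
    super_opts: List[str]  # superblock options, last field

    @property
    def per_mount_ro(self) -> bool:   # what MS_REMOUNT|MS_BIND sets
        return "ro" in self.mount_opts

    @property
    def super_ro(self) -> bool:       # what a plain MS_REMOUNT sets
        return "ro" in self.super_opts

    @property
    def shared(self) -> bool:
        return any(o.startswith("shared:") for o in self.optional)


def _unescape(s: str) -> str:
    """mountinfo escapes space, tab, newline and backslash as octal \\0NN."""
    for code, ch in (("\\040", " "), ("\\011", "\t"), ("\\012", "\n")):
        s = s.replace(code, ch)
    return s.replace("\\134", "\\")


def parse_mountinfo(text: str) -> List[MountEntry]:
    entries = []
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        sep = f.index("-")  # the lone "-" terminates the optional fields
        entries.append(MountEntry(
            mount_id=int(f[0]), parent_id=int(f[1]), dev=f[2],
            root=_unescape(f[3]), mount_point=_unescape(f[4]),
            mount_opts=f[5].split(","), optional=f[6:sep],
            fs_type=f[sep + 1], source=_unescape(f[sep + 2]),
            super_opts=f[sep + 3].split(",")))
    return entries


def superblock_sharers(entries: List[MountEntry]) -> Dict[str, List[str]]:
    """major:minor -> mount points, for superblocks mounted more than once."""
    by_dev: Dict[str, List[str]] = {}
    for e in entries:
        by_dev.setdefault(e.dev, []).append(e.mount_point)
    return {dev: mps for dev, mps in by_dev.items() if len(mps) > 1}


def audit(entries: List[MountEntry]) -> List[str]:
    findings = []
    for dev, mps in superblock_sharers(entries).items():
        findings.append(f"superblock {dev} is visible at {mps}: a plain "
                        f"'remount,ro' on any of them makes all of them read-only")
    for e in entries:
        if e.super_ro:
            findings.append(f"{e.mount_point}: read-only at superblock level "
                            f"(MS_REMOUNT, affects every mount of {e.dev})")
        elif e.per_mount_ro:
            findings.append(f"{e.mount_point}: read-only per mount only "
                            f"(MS_REMOUNT|MS_BIND, superblock {e.dev} still rw)")
        peers = [o for o in e.optional if o.startswith("shared:")]
        if peers:
            findings.append(f"{e.mount_point}: shared propagation ({peers[0]})")
    return findings


# Constructed sample modelled on the thread's host layout; not a real capture.
# 8:1 is mounted at / and bind-mounted at the container rootfs; 0:11 is a
# single-instance devpts seen both by the host and by the container.
SAMPLE_MOUNTINFO = """\
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
40 22 8:1 /var/lib/lxc/guest.temp01/rootfs /var/lib/lxc/guest.temp01/rootfs rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
41 22 0:11 / /dev/pts rw,relatime - devpts devpts rw,gid=5,mode=620
42 40 0:11 / /var/lib/lxc/guest.temp01/rootfs/dev/pts rw,relatime - devpts devpts rw,gid=5,mode=620
43 22 8:2 / /home ro,relatime - ext4 /dev/sda2 rw
44 22 8:3 / /mnt/old\\040disk rw,relatime - ext4 /dev/sdb1 ro
"""

if __name__ == "__main__":
    if "--live" in sys.argv[1:]:
        with open("/proc/self/mountinfo") as fh:
            text = fh.read()
    else:
        text = SAMPLE_MOUNTINFO
    for finding in audit(parse_mountinfo(text)):
        print(finding)
```

On a host, a finding such as "superblock 8:1 is visible at ['/', '/var/lib/lxc/guest.temp01/rootfs']" is exactly the condition under which a container's `remount,ro /` drags the host root down with it; the container must use the bind form, or its rootfs must live on its own filesystem. For /dev/pts, mounting devpts with the `newinstance` option gives each container its own superblock (a distinct 0:N minor), so the second finding for 0:11 disappears.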