Hi,

Thanks all of you, I managed to make it work!
I understand there are some security concerns, and Matto, you're pointing to
a very interesting detail, dropping capability is really what I want!
Thanks

--
Samuel

On Mon, Jul 4, 2011 at 10:16 PM, Matto Fransen <ma...@matto.nl> wrote:

> Hi,
>
> On Mon, Jun 27, 2011 at 06:05:13PM +0200, Samuel Maftoul wrote:
>
> > I'm searching for a solution to have a read only rootfs inside an LXC
> > container.
>
> I have a webserver running this way :)
>
> > I created a container with the busybox template, this container works.
> > As soon as I try to mount it read only I have this message in the logs:
>
> Create a rootfs outside the container.
> In the config of your container you add lines like:
> lxc.mount.entry=/path/to/rootfs/lib /var/lib/lxc/<container>/rootfs/lib none ro,bind 0 0
> and so on for all the dirs you want to mount readonly
>
> Also create some system directories:
> # system mounts
> lxc.mount.entry=proc /var/lib/lxc/<container>/rootfs/proc proc none defaults 0 0
> lxc.mount.entry=shmfs /var/lib/lxc/<container>/rootfs/dev/shm tmpfs mode=0644 0 0
> lxc.mount.entry=sysfs /var/lib/lxc/<container>/rootfs/sys sysfs defaults 0 0
>
> And add the following line to the config of your container:
> lxc.cap.drop=sys_admin
>
> This last line prevents that one can jump out of the readonly bind mounts from
> inside the container :)
>
> Cheers,
>
> Matto
>
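The two settings in Matto's reply only work together: a read-only bind mount keeps the files immutable, and dropping CAP_SYS_ADMIN is what stops root inside the container from remounting them writable. As an added example (not from the list post), here is a small POSIX shell linter that reads a container config and flags bind-mount entries without the `ro` option and a missing `lxc.cap.drop=sys_admin`; the sample configs it checks are constructed, with placeholder rootfs and container paths.

```shell
#!/bin/sh
# Added example, not code from the list post: lint an LXC container config for the
# two settings that together keep the rootfs read-only from inside the container.

# check_lxc_config FILE: print findings; return 0 if clean, 1 otherwise
check_lxc_config() {
    rc=0
    while IFS= read -r line; do
        case "$line" in
            lxc.mount.entry*)
                # value is fstab-like: <src> <dst> <fstype> <options> <dump> <pass>
                value=$(printf '%s\n' "$line" | sed 's/^lxc\.mount\.entry[[:space:]]*=[[:space:]]*//')
                opts=$(printf '%s\n' "$value" | awk '{print $4}')
                case ",$opts," in
                    *,bind,*|*,rbind,*)
                        case ",$opts," in
                            *,ro,*) ;;
                            *) printf 'writable bind mount: %s\n' "$line"; rc=1 ;;
                        esac ;;
                esac ;;
        esac
    done < "$1"
    # Without dropping CAP_SYS_ADMIN, root in the container can remount the bind rw
    caps=$(sed -n 's/^lxc\.cap\.drop[[:space:]]*=[[:space:]]*//p' "$1" | tr '\n' ' ')
    case " $caps " in
        *" sys_admin "*) ;;
        *) printf 'missing lxc.cap.drop=sys_admin\n'; rc=1 ;;
    esac
    return $rc
}

# Constructed sample configs (placeholder paths, not a real deployment)
GOOD_CFG=$(mktemp); BAD_CFG=$(mktemp)
cat > "$GOOD_CFG" <<'EOF'
lxc.mount.entry=/path/to/rootfs/lib /var/lib/lxc/web/rootfs/lib none ro,bind 0 0
lxc.mount.entry=/path/to/rootfs/bin /var/lib/lxc/web/rootfs/bin none ro,bind 0 0
lxc.mount.entry=proc /var/lib/lxc/web/rootfs/proc proc defaults 0 0
lxc.cap.drop=sys_admin
EOF
cat > "$BAD_CFG" <<'EOF'
lxc.mount.entry=/path/to/rootfs/lib /var/lib/lxc/web/rootfs/lib none ro,bind 0 0
lxc.mount.entry=/path/to/rootfs/bin /var/lib/lxc/web/rootfs/bin none bind 0 0
EOF

check_lxc_config "$GOOD_CFG" && echo "good config: clean"
check_lxc_config "$BAD_CFG" || echo "bad config: see findings above"
```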
_______________________________________________
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users