On Mon, Mar 07, 2016 at 11:55:47PM +0100, Tobias Hunger wrote:
> Hi,
>
> I have been running systemd-nspawn containers on top of a btrfs
> filesystem for a while now.
>
> This works great: Snapshots are a huge help to manage containers!
>
> But today I ran btrfs subvol list . *inside* a container. To my
> surprise I got a list of *all* subvolumes on that drive. That is
> basically a complete list of containers running on the machine. I do
> not want to have that kind of information exposed to my containers.
I have a very stripped down docker image that actually mounts a portion
of my root filesystem read only.

While it's running out of a btrfs filesystem, you can't run btrfs
commands against it:

05233e5c91f0:/# btrfs fi show
05233e5c91f0:/# btrfs subvol list /
ERROR: can't perform the search - Operation not permitted
05233e5c91f0:/# btrfs subvol list .
ERROR: can't perform the search - Operation not permitted

I didn't do anything special, it's just working that way.
Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems ....
.... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | PGP 1024R/763BE901
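The two messages above describe the same check done by hand: run `btrfs subvol list` inside a container and see whether the kernel answers with the subvolume list (information exposure, as in Tobias' containers) or with "Operation not permitted" (as in Marc's docker image). The script below is an added example, not code from either poster; it turns that manual check into a function a container operator can run from inside any container under test, and a classifier that maps the command's exit status and output to a verdict. The verdict names (exposed, denied, unavailable, unknown) and the sample outputs are constructed for this example; the error text is the one quoted in Marc's session.

```shell
#!/bin/sh
# Added example (not from the thread): does this container see the host's
# btrfs subvolume list? classify_subvol_list maps the exit status and the
# combined stdout+stderr of `btrfs subvolume list /` to one word:
#   exposed     - the tree search succeeded; the listing is visible here
#   denied      - the kernel refused the search (Operation not permitted)
#   unavailable - btrfs-progs is not installed in the container (status 127)
#   unknown     - anything else (e.g. not a btrfs filesystem)
classify_subvol_list() {
    status=$1
    output=$2
    if [ "$status" -eq 127 ]; then
        echo unavailable
        return 0
    fi
    case "$output" in
        *"Operation not permitted"*)
            echo denied ;;
        *)
            if [ "$status" -eq 0 ]; then
                echo exposed
            else
                echo unknown
            fi ;;
    esac
}

# Counts the subvolumes visible in a successful listing (lines look like
# "ID 257 gen 10 top level 5 path ..."); 0 when nothing is visible.
count_visible_subvols() {
    printf '%s\n' "$1" | grep -c '^ID [0-9]'
}

# Runs the real command inside the current container and prints the verdict,
# plus the number of subvolumes that leaked when the listing is exposed.
check_container() {
    out=$(btrfs subvolume list / 2>&1)
    st=$?
    verdict=$(classify_subvol_list "$st" "$out")
    if [ "$verdict" = exposed ]; then
        echo "exposed: $(count_visible_subvols "$out") subvolume(s) visible"
    else
        echo "$verdict"
    fi
}
```

Run `check_container` from a shell inside the container; a result of "denied" matches the behaviour Marc reports, while "exposed" with a non-zero count reproduces the information leak Tobias describes.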