On Wed, Mar 9, 2016 at 2:10 PM, Marc MERLIN <[email protected]> wrote:
> On Mon, Mar 07, 2016 at 11:55:47PM +0100, Tobias Hunger wrote:
>> Hi,
>>
>> I have been running systemd-nspawn containers on top of a btrfs
>> filesystem for a while now.
>>
>> This works great: Snapshots are a huge help to manage containers!
>>
>> But today I ran btrfs subvol list . *inside* a container. To my
>> surprise I got a list of *all* subvolumes on that drive. That is
>> basically a complete list of containers running on the machine. I do
>> not want to have that kind of information exposed to my containers.
>
> I have a very stripped down docker image that actually mounts a portion
> of my root filesystem read only.
> While it's running out of a btrfs filesystem, you can't run btrfs
> commands against it:
> 05233e5c91f0:/# btrfs fi show
> 05233e5c91f0:/# btrfs subvol list /
> ERROR: can't perform the search - Operation not permitted
> 05233e5c91f0:/# btrfs subvol list .
> ERROR: can't perform the search - Operation not permitted
>
> I didn't do anything special, it's just working that way.

Yep, you're not using --privileged in which case you can't list things.
But I'm not sure what the equivalent is off hand with systemd-nspawn
containers, I think those may always be privileged?

-- 
Chris Murphy
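
The "Operation not permitted" in the quoted session comes from the btrfs tree-search ioctl, which the kernel only allows with CAP_SYS_ADMIN. The following check, run inside a container, reports whether that capability is present; it is an added example, not part of the original thread, the function names are hypothetical, and the two sample masks are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): decide from a process's effective
# capability mask whether `btrfs subvol list` could enumerate subvolumes.
# Function names are hypothetical; sample masks below are constructed.

CAP_SYS_ADMIN_BIT=21   # bit number of CAP_SYS_ADMIN in linux/capability.h

# cap_eff_of STATUS_FILE -> prints the hex CapEff mask from a /proc status file
cap_eff_of() {
    awk '/^CapEff:/ {print $2}' "$1"
}

# has_sys_admin HEXMASK -> exit status 0 if the CAP_SYS_ADMIN bit is set
has_sys_admin() {
    [ $(( (0x$1 >> CAP_SYS_ADMIN_BIT) & 1 )) -eq 1 ]
}

# subvol_list_verdict HEXMASK -> "exposed" if the tree search would be
# permitted by capabilities, "blocked" otherwise
subvol_list_verdict() {
    if has_sys_admin "$1"; then
        echo "exposed"
    else
        echo "blocked"
    fi
}

# Constructed sample masks: a reduced capability set without CAP_SYS_ADMIN,
# and a full set such as a privileged container would hold.
for sample in 00000000a80425fb 0000003fffffffff; do
    echo "sample CapEff=$sample -> $(subvol_list_verdict "$sample")"
done

# Check the current process when /proc is available.
if [ -r /proc/self/status ]; then
    mask=$(cap_eff_of /proc/self/status)
    if [ -n "$mask" ]; then
        echo "this process CapEff=$mask -> $(subvol_list_verdict "$mask")"
    fi
fi
```

A result of "exposed" in a container that uses a user namespace can still end in "Operation not permitted", because the kernel checks the capability against the initial user namespace rather than the container's own.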
