> -----Original Message-----
> From: Purcareata Bogdan-B43198
> Sent: Monday, December 09, 2013 12:55 PM
> To: 'Stéphane Graber'
> Cc: [email protected]
> Subject: RE: [lxc-devel] [PATCH] lxc-busybox: remove unnecessary bind-mount
>
> > -----Original Message-----
> > From: Stéphane Graber [mailto:[email protected]]
> > Sent: Friday, December 06, 2013 4:42 PM
> > To: Purcareata Bogdan-B43198
> > Cc: [email protected]
> > Subject: Re: [lxc-devel] [PATCH] lxc-busybox: remove unnecessary bind-mount
> >
> > On Fri, Dec 06, 2013 at 12:11:29PM +0200, Bogdan Purcareata wrote:
> > > Since the line immediately following will mount the entire
> > > /sys read-only, hence /sys/kernel/security too.
> > >
> > > Also, when installing the container template on systems with
> > > no securityfs support, starting the container will fail.
> > >
> >
> > Did you confirm that the lxc.mount.auto entry actually mounts securityfs
> > on /sys/kernel/security?
>
> Sorry, my bad - I only checked to see whether I have the /sys/kernel/security
> folder in the container. However, securityfs is not automatically mounted
> there, hence the bind-mount is still necessary.
>
> >
> > /sys/kernel/security isn't part of sysfs and needs to be mounted on top of it.
> > If it's not mounted, your proposed change will lead to failure to set up
> > apparmor and an unconfined container on systems supporting it.
> >
> > Instead, I think it'd be better to change that line to simply
> > "ro,bind,optional" so that failure to mount doesn't cause a failure to
> > start the container.
>
> I think this would be a way better approach, I will send a patch.
>
> > >
> > > Signed-off-by: Bogdan Purcareata <[email protected]>
> > > ---
> > >  templates/lxc-busybox.in | 1 -
> > >  1 file changed, 1 deletion(-)
> > >
> > > diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
> > > index 23d654e..906dc5d 100644
> > > --- a/templates/lxc-busybox.in
> > > +++ b/templates/lxc-busybox.in
> > > @@ -296,7 +296,6 @@ EOF
> > > echo "lxc.mount.entry = /$dir $dir none ro,bind 0 0" >>
> > $path/config
> > > fi
> > > done
> > > - echo "lxc.mount.entry = /sys/kernel/security sys/kernel/security none
> > ro,bind 0 0" >>$path/config
> > > echo "lxc.mount.auto = proc:mixed sys" >>$path/config
> > > }
> > >
> > > --
> > > 1.7.11.7
> > >
> > > _______________________________________________
> > > lxc-devel mailing list
> > > [email protected]
> > > https://lists.sourceforge.net/lists/listinfo/lxc-devel
> >
> > --
> > Stéphane Graber
> > Ubuntu developer
> > http://www.ubuntu.com
_______________________________________________
lxc-devel mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-devel
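Review bot: The deleted line `- echo "lxc.mount.entry = /sys/kernel/security sys/kernel/security none ro,bind 0 0" >>$path/config` is still needed, because the following `lxc.mount.auto = proc:mixed sys` entry mounts sysfs but not securityfs, which is a separate filesystem mounted on top of /sys/kernel/security; with the bind-mount gone, that directory is empty inside the container, AppArmor setup fails, and the container runs unconfined on hosts that support it. Keep the line and add the `optional` flag instead, `... none ro,bind,optional 0 0" >>$path/config`, so a host without securityfs still starts the container while hosts that have it keep the mount and the confinement.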
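The fix agreed in the thread is a one-word change to the generated config, but a template that has already been used leaves existing container configs with the fragile entry. The script below is an added example, not code from the lxc project or from either poster: it finds the /sys/kernel/security bind-mount entries in a container config that lack the `optional` flag and rewrites that one entry, leaving every other mount line untouched. It assumes the entry format the lxc-busybox template writes (`lxc.mount.entry = /sys/kernel/security sys/kernel/security none ro,bind 0 0`); the sample config it writes is constructed for the demo and is not any real container's file.

```sh
#!/bin/sh
# Added example, not lxc project code. Audits an LXC container config for
# the securityfs bind-mount discussed in the thread and rewrites that entry
# with the "optional" flag, so a host without securityfs still starts the
# container while hosts that have it keep the mount (and AppArmor setup).
# Assumption: entries use the lxc-busybox template format
#   lxc.mount.entry = /sys/kernel/security sys/kernel/security none ro,bind 0 0

# Print securityfs bind-mount entries whose option list lacks "optional".
# Reads the file named in $1, or stdin when called with no argument.
find_nonoptional_securityfs() {
    grep -E '^lxc\.mount\.entry[[:space:]]*=[[:space:]]*/sys/kernel/security[[:space:]]' "$@" \
        | grep -vE '[[:space:]]none[[:space:]]+[^[:space:]]*optional'
}

# Emit the config with "optional" appended to the securityfs entry's options.
# Idempotent: an entry that already carries the flag is left unchanged, and
# entries for other paths are never touched.
fix_securityfs_entry() {
    sed -E '\|^lxc\.mount\.entry[[:space:]]*=[[:space:]]*/sys/kernel/security[[:space:]]|{
        /optional/!s/ none ([^ ]+) ([0-9]+ [0-9]+)$/ none \1,optional \2/
    }' "$@"
}

# Constructed sample config (not a real container's file) for trying this out.
write_sample_config() {
    cat >"$1" <<'EOF'
lxc.mount.entry = /dev/pts dev/pts none ro,bind 0 0
lxc.mount.entry = /sys/kernel/security sys/kernel/security none ro,bind 0 0
lxc.mount.auto = proc:mixed sys
EOF
}

# Usage: sh this_script.sh demo
if [ "${1:-}" = demo ]; then
    cfg=$(mktemp)
    write_sample_config "$cfg"
    echo "entries that would fail container start on a host without securityfs:"
    find_nonoptional_securityfs "$cfg"
    echo "rewritten config:"
    fix_securityfs_entry "$cfg"
    rm -f "$cfg"
fi
```

Running it with `demo` prints the single fragile entry from the sample config and then the config with `ro,bind,optional` on that line only; piping a real config through `fix_securityfs_entry` produces the corrected file on stdout without modifying the original.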
