Quoting Stéphane Graber (stgra...@ubuntu.com):
> On Wed, Jul 17, 2013 at 09:41:43AM -0500, Serge Hallyn wrote:
> > The debugfs, fusectl, and securityfs may not be mounted inside a
> > non-init userns.  But mountall hangs waiting for them to be
> > mounted.  So just pre-mount them using $lxcpath/$name/fstab as
> > bind mounts, which will prevent mountall from trying to mount
> > them.
> > 
> > If the kernel doesn't provide them, then the bind mount failure
> > will be ignored, and mountall in the container will proceed
> > without the mount since it is 'optional'.  But without these
> > bind mounts, starting a container inside a user namespace
> > hangs.
> > 
> > Signed-off-by: Serge Hallyn <serge.hal...@ubuntu.com>
> 
> I think that's reasonable, I'm assuming this won't somehow bypass our
> existing apparmor policies (on non-userns) that prevent access to most
> of those right?

Right, those will be done by the pathname.  For instance, you can
actually mount a tmpfs (inside the container) under /sys/kernel/debug,
but you still can't create things in that tmpfs.

> An alternative would have been to bind-mount the directory on itself,
> which I believe is sufficient to trick mountall (it won't bother to mount
> anything that's already a mountpoint), but that's probably a bad idea at
> least for fuse, which we may actually need, at least on non-userns.

Right, this also should allow userspace that wants to read data under
/sys/kernel/security to work.

Really the saddest part of this imo is that we have these in kernel
filesystems that are so untrusted that most kernel devs refuse
to compile them in.

> Anyway:
> Acked-by: Stéphane Graber <stgra...@ubuntu.com>

thanks,
-serge

> 
> > ---
> >  templates/lxc-ubuntu-cloud.in | 3 +++
> >  templates/lxc-ubuntu.in       | 3 +++
> >  2 files changed, 6 insertions(+)
> > 
> > diff --git a/templates/lxc-ubuntu-cloud.in b/templates/lxc-ubuntu-cloud.in
> > index 5ffb5ba..480ef14 100644
> > --- a/templates/lxc-ubuntu-cloud.in
> > +++ b/templates/lxc-ubuntu-cloud.in
> > @@ -96,6 +96,9 @@ EOF
> >      cat <<EOF > $path/fstab
> >  proc            proc         proc    nodev,noexec,nosuid 0 0
> >  sysfs           sys          sysfs defaults  0 0
> > +/sys/fs/fuse/connections sys/fs/fuse/connections none bind 0 0
> > +/sys/kernel/debug sys/kernel/debug none bind 0 0
> > +/sys/kernel/security sys/kernel/security none bind 0 0
> >  EOF
> >  
> >      # rmdir /dev/shm for containers that have /run/shm
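Review bot: the commit message says a failed bind mount is simply ignored when the kernel does not provide the filesystem, but the three added entries carry only `bind` in the options column and nothing in this hunk shows lxc treating them as tolerable failures; the 'optional' in the message describes mountall's view of its own fstab inside the container, not lxc's handling of `$path/fstab`. Please confirm that lxc's mounting of this file proceeds when, for example, `/sys/kernel/debug` is not a mountpoint on a kernel built without debugfs, or mark the entries accordingly; otherwise the container will fail to start rather than start without the mount. A short comment above the three lines stating that they exist to keep mountall from hanging in a user namespace, and that for non-userns containers the protection against abuse of the host's debugfs and securityfs rests on the AppArmor pathname rules discussed in this thread, would help the next person editing the template.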
> > diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in
> > index 0b73529..af3c2b3 100644
> > --- a/templates/lxc-ubuntu.in
> > +++ b/templates/lxc-ubuntu.in
> > @@ -427,6 +427,9 @@ EOF
> >      cat <<EOF > $path/fstab
> >  proc            proc         proc    nodev,noexec,nosuid 0 0
> >  sysfs           sys          sysfs defaults  0 0
> > +/sys/fs/fuse/connections sys/fs/fuse/connections none bind 0 0
> > +/sys/kernel/debug sys/kernel/debug none bind 0 0
> > +/sys/kernel/security sys/kernel/security none bind 0 0
> >  EOF
> >  
> >      if [ $? -ne 0 ]; then
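Review bot: the three bind targets (`sys/fs/fuse/connections`, `sys/kernel/debug`, `sys/kernel/security`) live inside the sysfs mounted by the preceding `sysfs sys sysfs defaults 0 0` line, so the entries are order dependent and must stay below it; a one-line comment inside the heredoc would protect that ordering from a later reshuffle. This hunk is also byte-for-byte identical to the one in lxc-ubuntu-cloud.in; moving the shared fstab heredoc into a helper sourced by both templates would keep the two copies from drifting apart, and it would give the `$? -ne 0` check that follows the heredoc a single place to live.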
> > -- 
> > 1.8.1.2
> > 
> > 

> > _______________________________________________
> > Lxc-devel mailing list
> > Lxc-devel@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/lxc-devel
> 
> -- 
> Stéphane Graber
> Ubuntu developer
> http://www.ubuntu.com
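The patch above relies on the host actually having debugfs, fusectl and securityfs mounted under /sys for the three bind mounts to succeed. The following POSIX shell snippet is an added example, not code from this thread or from the LXC templates: it parses mountinfo-format text and reports which of the three bind sources the host does not expose, which tells an administrator in advance which entries will fail (and, per the commit message, be skipped) and which will hand the container a view of an in-kernel filesystem. The function names `mountinfo_fstype`, `missing_bind_sources` and `bind_fstab_lines` are mine, and the mountinfo sample is constructed rather than captured from a real host.

```shell
#!/bin/sh
# Constructed sample of /proc/self/mountinfo lines (not captured from a real
# host): debugfs and securityfs are mounted, fusectl is deliberately absent.
SAMPLE_MOUNTINFO='38 25 0:12 / /sys rw,nosuid,nodev,noexec,relatime shared:1 - sysfs sysfs rw
36 38 0:30 / /sys/kernel/debug rw,relatime shared:2 - debugfs debugfs rw
37 38 0:31 / /sys/kernel/security rw,relatime shared:3 - securityfs securityfs rw'

# Print the filesystem type mounted at mountpoint $2 according to the
# mountinfo text in $1; print nothing if no mount sits there.
# Field 5 is the mountpoint; the fs type is the field after the "-" separator,
# which may be preceded by a variable number of optional fields.
mountinfo_fstype() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $5 == mp {
            for (i = 7; i <= NF; i++) if ($i == "-") { print $(i + 1); exit }
        }'
}

# List, space separated, which of the three bind sources from the patch are
# not mounted with the expected filesystem type.  Arg 1 is mountinfo text,
# so the check can be run against a saved copy as well as the live host.
missing_bind_sources() {
    missing=""
    for spec in /sys/fs/fuse/connections:fusectl \
                /sys/kernel/debug:debugfs \
                /sys/kernel/security:securityfs; do
        mp=${spec%%:*}
        want=${spec##*:}
        got=$(mountinfo_fstype "$1" "$mp")
        [ "$got" = "$want" ] || missing="$missing $mp"
    done
    printf '%s' "${missing# }"
}

# Emit the three fstab lines the patch adds, in the same relative-target form
# the templates use (targets are relative to the container rootfs and sit
# inside the sysfs mounted by the preceding "sysfs sys sysfs" entry).
bind_fstab_lines() {
    printf '%s\n' \
        '/sys/fs/fuse/connections sys/fs/fuse/connections none bind 0 0' \
        '/sys/kernel/debug sys/kernel/debug none bind 0 0' \
        '/sys/kernel/security sys/kernel/security none bind 0 0'
}

# Against the constructed sample:
#   missing_bind_sources "$SAMPLE_MOUNTINFO"   -> /sys/fs/fuse/connections
# On a real host:
#   missing_bind_sources "$(cat /proc/self/mountinfo)"
```

Running the check before `lxc-start` on a user-namespace container separates the two outcomes the commit message describes: a source that is missing on the host means that bind mount fails and mountall inside the container goes on without it, while a source that is present means the container sees the host's debugfs, fusectl or securityfs and the AppArmor pathname rules discussed above are what limit what it can do there.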


