Quoting GC ([email protected]):
> On 03/21/2014 07:15 AM, Serge Hallyn wrote:
> >Quoting GC ([email protected]):
> >>Hello,
> >>
> >>I want to selectively mount parts of sys and proc rw, but the rest
> >>ro. I thought I might be able to e.g., mount /sys ro (in the
> >>container), and mount /.sys rw (in the container), then bind mount
> >>bits from /.sys to /sys, and finally hide the rw /.sys by mounting
> >>another directory on top of it, like:
> >>
> >>lxc.mount.entry = sysfs sys sysfs ro 0 0
> >>lxc.mount.entry = sysfs .sys sysfs rw 0 0 # (dot)sys
> >>
> >>lxc.mount.entry = /var/lib/lxc/container/.sys/module/ipv6 sys/module/ipv6 none defaults,bind 0 0
> >># or alternatively (also doesn't work) this instead of line above
> >>#lxc.mount.entry = .sys/module/ipv6 sys/module/ipv6 none defaults,bind 0 0
> >>
> >>lxc.mount.entry = /var/lib/lxc/dummy_mount .sys none ro,bind 0 0
> >>
> >>
> >>The part where I try to perform the bind mount of the read/write
> >>.sys/module/ipv6 (in the container) on top of the read only
> >>sys/module/ipv6 (in the container) fails. Is there a way to get
> >>this to work?
> >Wouldn't it be simpler to simply bind mount /sys ro from the host,
> >then bind-mount /sys/module/ipv6 from the host rw into the container?
>
> I thought there would be issues with namespace support. I thought
> it would break network namespaces, which appears to be wrong from

Oh - yeah, right you are.

> your comment. But, I also don't see how this can work with user
> namespaces, since root in container will not be able to write to the
> host's /sys, if it is bind mounted. I'm still trying to get a
> container to work with user namespaces, so my assumption that writes
> will work to /sys, mounted rw via lxc.mount.entry, is untested.
>
> >I assume your container won't have cap_sys_admin to prevent remounting?
>
> Correct.
>
> Thnx,
>
> g
>
> _______________________________________________
> lxc-users mailing list
> [email protected]
> http://lists.linuxcontainers.org/listinfo/lxc-users
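The layout Serge suggests (host /sys bind-mounted read-only, one subtree bind-mounted read-write on top of it), written out as an lxc.mount.entry fragment. This is an added example, not configuration from either poster; it assumes the container is the one named "container" from the original post, that the mount destinations are relative to its rootfs as LXC 1.x resolves them, and that the ro flag on a bind entry is honoured by LXC performing the usual second remount with MS_BIND|MS_REMOUNT|MS_RDONLY.

```ini
# Added example (not from the thread): Serge's suggestion as LXC 1.x config.
# Destinations are relative to the container rootfs (assumed
# /var/lib/lxc/container/rootfs). Order matters: later entries are mounted
# on top of earlier ones.

# 1. The host's sysfs, bind-mounted read-only over the container's /sys.
#    "bind,ro" makes LXC do a second remount with MS_BIND|MS_REMOUNT|MS_RDONLY,
#    since a plain bind mount ignores the ro flag.
lxc.mount.entry = /sys sys none bind,ro 0 0

# 2. The one subtree that should stay writable, re-bound read-write on top.
#    It must come after the read-only entry above to land on top of it.
lxc.mount.entry = /sys/module/ipv6 sys/module/ipv6 none bind,rw 0 0

# 3. Without CAP_SYS_ADMIN the container cannot mount(MS_REMOUNT) /sys back
#    to read-write, which is what makes the ro bind mount stick.
lxc.cap.drop = sys_admin
```

Two caveats worth checking before relying on this. First, a bind mount of the host's /sys shows the host's sysfs instance, so directories such as sys/class/net reflect the host's network namespace rather than the container's, whereas a fresh `sysfs` mount inside the container (GC's first attempt) is namespaced. Second, sysfs files are owned by the host's root; in a user-namespaced container whose uid 0 is not mapped to host uid 0, the rw bind mount of /sys/module/ipv6 will still be unwritable, exactly the concern GC raises above.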
