Quoting GC ([email protected]):
> On 03/21/2014 09:11 PM, Serge Hallyn wrote:
> >Quoting GC ([email protected]):
> >>On 03/21/2014 07:15 AM, Serge Hallyn wrote:
> >>>Quoting GC ([email protected]):
> >>>>Hello,
> >>>>
> >>>>I want to selectively mount parts of sys and proc rw, but the rest
> >>>>ro. I thought I might be able to e.g., mount /sys ro (in the
> >>>>container), and mount /.sys rw (in the container), then bind mount
> >>>>bits from /.sys to /sys, and finally hide the rw /.sys by mounting
> >>>>another directory on top of it, like:
> >>>>
> >>>>lxc.mount.entry = sysfs sys sysfs ro 0 0
> >>>>lxc.mount.entry = sysfs .sys sysfs rw 0 0 # (dot)sys
> >>>>
> >>>>lxc.mount.entry = /var/lib/lxc/container/.sys/module/ipv6 sys/module/ipv6 none defaults,bind 0 0
> >>>># or alternatively (also doesn't work) this instead of line above
> >>>>#lxc.mount.entry = .sys/module/ipv6 sys/module/ipv6 none defaults,bind 0 0
> >>>>
> >>>>lxc.mount.entry = /var/lib/lxc/dummy_mount .sys none ro,bind 0 0
> >>>>
> >>>>
> >>>>The part where I try to perform the bind mount of the read/write
> >>>>.sys/module/ipv6 (in the container) on top of the read only
> >>>>sys/module/ipv6 (in the container) fails. Is there a way to get
> >>>>this to work?
> >>>Wouldn't it be simpler to simply bind mount /sys ro from the host,
> >>>then bind-mount /sys/module/ipv6 from the host rw into the container?
> >>I thought there would be issues with namespace support. I thought
> >>it would break network namespaces, which appears to be wrong from
> >Oh - yeah, right you are.
> >
>
> Still looking at docs, but I think it should be possible, but not as
> clean as if lxc.mount.entry did it. From docs it looks like I can
> get a descriptor from /proc/containerPID/ns/mnt, and use setns to
> join the container's mount namespace, and then do the bind mounts.

You'd want to also setns to the container netns so as to get the right
/sys/class/net, of course.

> Seems there must be an easier/better way though.
>
> Ideas?

(Without looking back at previous messages,) Have you tried using a
mount hook?

> Or, feature request?

You might be able to convince someone to implement 'lxc.mount.auto =
sys:mixed', however this is well served by apparmor/selinux...

_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users
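The procedure GC sketches and Serge amends (take a descriptor from /proc/PID/ns/mnt, setns into the container's mount namespace, join its net namespace too so /sys/class/net is the container's, then do the bind mounts) as an added C example; this is not code from the thread or from LXC, and the function names `ns_path`, `join_ns`, `bind_mount` and `expose_sys_mixed` are mine. It assumes a running container whose init PID you pass on the command line, CAP_SYS_ADMIN in the caller, and a single-threaded caller (setns on a mount namespace refuses multithreaded processes). One caveat the thread's `ro,bind` entries hide: the kernel ignores MS_RDONLY on the first bind call, so a read-only bind only becomes read-only through a second MS_REMOUNT|MS_BIND|MS_RDONLY call, which is what `bind_mount` does. Keeping all of /sys read-only and re-exposing only one named subtree is the least-privilege shape GC is after: the container can write the one tree it needs and nothing else under /sys.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/types.h>
#include <unistd.h>

/* Fallbacks in case the toolchain hides these behind feature macros. */
#ifndef CLONE_NEWNS
#define CLONE_NEWNS 0x00020000
#endif
#ifndef CLONE_NEWNET
#define CLONE_NEWNET 0x40000000
#endif
extern int setns(int fd, int nstype);

/* Build "/proc/<pid>/ns/<kind>". Returns 0, or -1 if buf is too small. */
int ns_path(char *buf, size_t len, pid_t pid, const char *kind)
{
    int n = snprintf(buf, len, "/proc/%ld/ns/%s", (long)pid, kind);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Open pid's namespace file and setns() into it. Needs CAP_SYS_ADMIN;
 * CLONE_NEWNS also requires a single-threaded caller. Returns 0 or -1. */
int join_ns(pid_t pid, const char *kind, int nstype)
{
    char path[64];
    int fd, rc;

    if (ns_path(path, sizeof path, pid, kind) < 0)
        return -1;
    fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    rc = setns(fd, nstype);
    close(fd);
    return rc;
}

/* Bind src onto dst, then set or clear the per-mount read-only bit with a
 * second MS_REMOUNT|MS_BIND call: MS_RDONLY is ignored on the initial bind. */
int bind_mount(const char *src, const char *dst, int rdonly)
{
    unsigned long flags = MS_REMOUNT | MS_BIND | (rdonly ? MS_RDONLY : 0);

    if (mount(src, dst, NULL, MS_BIND, NULL) < 0)
        return -1;
    return mount(src, dst, NULL, flags, NULL);
}

/* Inside the container whose init is pid: mount a fresh read-only sysfs on
 * /sys, then re-expose one subtree (e.g. "module/ipv6") read-write by binding
 * it over itself and remounting without MS_RDONLY. Returns 0 or -1 (errno set). */
int expose_sys_mixed(pid_t pid, const char *rw_subtree)
{
    char sub[256];

    if (snprintf(sub, sizeof sub, "/sys/%s", rw_subtree) >= (int)sizeof sub) {
        errno = ENAMETOOLONG;
        return -1;
    }
    /* Net namespace first: the sysfs instance mounted below is tagged with
     * the mounting task's netns, which is what makes /sys/class/net right. */
    if (join_ns(pid, "net", CLONE_NEWNET) < 0)
        return -1;
    /* After this, "/" and "/sys" resolve inside the container's mount tree. */
    if (join_ns(pid, "mnt", CLONE_NEWNS) < 0)
        return -1;
    if (mount("sysfs", "/sys", "sysfs", MS_RDONLY, NULL) < 0)
        return -1;
    /* The self-bind inherits the read-only bit; the remount in bind_mount
     * clears it for this subtree only. */
    return bind_mount(sub, sub, 0);
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s <container-init-pid> <subtree-under-/sys>\n", argv[0]);
        return 2;
    }
    if (expose_sys_mixed((pid_t)strtol(argv[1], NULL, 10), argv[2]) < 0) {
        perror("expose_sys_mixed");
        return 1;
    }
    return 0;
}
```

Run it from the host as root, e.g. with the container's init PID and `module/ipv6` as the subtree; everything else under /sys stays read-only in that container. The same sequence fits naturally into the mount hook Serge suggests, since a hook already runs with the container's mount namespace in view.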
