On Mon, 2015-04-06 at 16:17 -0400, Chris Burroughs wrote:
> On 04/01/2015 12:54 PM, Michael H. Warfield wrote:
> > Doing a read-only bind mount is marginal at best. We've had issues with
> > remounts in containers propagating out (that I think/hope are finally
> > fixed) and some containers need mount privs in order to mount images or
> > do nfs/afs/cifs mounts, so prohibiting the cap_sysadmin is not a viable
> > option in general there.
>
> With the centos default templates (ie with CAP_SYS_ADMIN) + privileged
> container the remount is allowed: mount -o remount,rw /dev/foo /lib/modules/
>
> From your 'think/hope' comment it sounded like you were expecting
> something besides CAP_SYS_ADMIN to be able to stop the remount, but I'm
> not sure what that mechanism would be.

No... The old OLD problem was that if you mounted it RO, a container
could remount it RW (or vice versa), which was one thing, but then,
under certain conditions and file systems, that change would be
propagated to the host and to other containers. I THINK we got that
problem solved a while back with a careful selection of bind mounts and
mount options but I haven't retested it in years.

It's not the prevention of the remount, it's the prevention of the
propagation of the changes from the container making the changes to the
host and containers which did not.

Regards,
Mike
--
Michael H. Warfield (AI4NB) | (770) 978-7061 | m...@wittsend.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 | http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds. A pessimist is sure of it!
_______________________________________________
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
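The property Mike is describing (a remount inside one container showing up on the host or in other containers) is a mount-propagation question, and the check a practitioner wants is whether the bind mount is read-only at the mount level and whether it sits in a shared peer group. The following is an added example, not code from this thread or from the LXC project: a small POSIX shell audit that reads the /proc/<pid>/mountinfo format (fields as documented in proc(5)), plus the root-only command sequence that creates a read-only, private bind mount. The mountinfo sample and the container paths under /var/lib/lxc are constructed for the example; `mount_propagation`, `mount_is_readonly`, `audit_bind_mount` and `bind_ro_private` are names chosen here.

```shell
#!/bin/sh
# Added example, not code from the lxc-users thread or from LXC. Audits a
# bind mount for the two things the thread worries about: is it read-only
# at the mount level, and is it in shared propagation (so mount events under
# it reach the host and other containers)? Input is the mountinfo format;
# the sample below is constructed and its container paths are hypothetical.

# mount_propagation <mountpoint> [<mountinfo file>]
# Prints shared, slave, shared+slave or private, read from the optional
# fields "shared:N" / "master:N"; prints absent and returns 1 if the mount
# point is not listed.
mount_propagation() {
    awk -v mp="$1" '
        $5 == mp {
            shared = 0; slave = 0
            for (i = 7; i <= NF && $i != "-"; i++) {
                if ($i ~ /^shared:/) shared = 1
                if ($i ~ /^master:/) slave = 1
            }
            if (shared && slave) print "shared+slave"
            else if (shared)      print "shared"
            else if (slave)       print "slave"
            else                  print "private"
            found = 1
            exit
        }
        END { if (!found) { print "absent"; exit 1 } }
    ' "${2:-/proc/self/mountinfo}"
}

# mount_is_readonly <mountpoint> [<mountinfo file>]
# Returns 0 when field 6 (per-mount options) carries "ro". That is the
# read-only flag of this one mount; the superblock's own options are the
# last field and can still say rw for the same filesystem.
mount_is_readonly() {
    awk -v mp="$1" '
        $5 == mp {
            n = split($6, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "ro") ro = 1
            seen = 1
            exit
        }
        END { if (seen && ro) exit 0; exit 1 }
    ' "${2:-/proc/self/mountinfo}"
}

# audit_bind_mount <mountpoint> [<mountinfo file>]
# Returns 0 when the mount is read-only and not shared; otherwise reports
# each problem on stdout and returns 1.
audit_bind_mount() {
    mp=$1; info=${2:-/proc/self/mountinfo}; rc=0
    prop=$(mount_propagation "$mp" "$info") || { echo "$mp: not mounted"; return 1; }
    case $prop in
        shared*) echo "$mp: propagation is $prop (mount events under it reach peers)"; rc=1 ;;
    esac
    if ! mount_is_readonly "$mp" "$info"; then
        echo "$mp: not read-only at the mount level"; rc=1
    fi
    return $rc
}

# bind_ro_private <host dir> <container rootfs dir>
# Needs root and is not exercised below. Bind, make that one mount
# read-only, then make it private so mounts/unmounts under it do not
# propagate back into the host's mount tree.
bind_ro_private() {
    mount --bind "$1" "$2" &&
    mount -o remount,bind,ro "$2" &&
    mount --make-private "$2"
}

# Constructed mountinfo sample: the c1 bind mount is ro but in the host
# root's peer group (shared:1); the c2 one is ro and private; /mnt/slave
# receives events from peer group 1 but sends none back (master:1).
SAMPLE_MOUNTINFO=${TMPDIR:-/tmp}/mountinfo.sample.$$
cat > "$SAMPLE_MOUNTINFO" <<'EOF'
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
64 22 8:1 /lib/modules /var/lib/lxc/c1/rootfs/lib/modules ro,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
65 22 8:1 /lib/modules /var/lib/lxc/c2/rootfs/lib/modules ro,relatime - ext4 /dev/sda1 rw,errors=remount-ro
66 22 8:17 / /mnt/slave rw,relatime master:1 - ext4 /dev/sdb1 rw
EOF

# Run the audit over the sample: c1 is flagged as shared, c2 passes.
for mp in /var/lib/lxc/c1/rootfs/lib/modules /var/lib/lxc/c2/rootfs/lib/modules; do
    audit_bind_mount "$mp" "$SAMPLE_MOUNTINFO" && echo "$mp: ok"
done
```

On a live host the same information is one `findmnt -o TARGET,PROPAGATION,OPTIONS` away; the audit above is only useful because it can be run from a saved mountinfo. Two caveats match the distinction Mike draws: making the mount private stops new mounts and unmounts under it from propagating, and a per-mount `mount -o remount,bind,rw` inside the container only changes the container's own copy, but a superblock remount (`mount -o remount,rw` without `bind`, which a privileged container with CAP_SYS_ADMIN can issue) changes the flags of that filesystem for every mount of it, host included, regardless of propagation settings.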