The pre-mount hook documentation states that it is "a hook to be run in the container's fs namespace", which seems a little confusing to me as I'm not quite sure what the 'fs' namespace is supposed to represent. clone(2)'s CLONE_FS just refers to the root dir, umask and current working directory, but when running an unprivileged container the user-namespace will also be set up. This puts us in a bit of a pickle as we'd like to set up mountpoints for an unprivileged container without giving it access to more than it needs (in particular, the storage configuration and processes involved in managing and activating them).
For us this seems to be only possible in the pre-start hook now, but this will be reflected on the host. I've thought about running lxc-start in a mount namespace, but then I'd have another namespace to clean up after (for the same reasons we added the 'stop' hook).

Since the CLONE_NEWUSER flag is used in the call to clone() I don't see any convenient solution here; maybe someone has an idea? Either way it would probably be a good idea to update the documentation to reflect this. Maybe have yet another hook? (The user-namespace could be entered later with unshare(CLONE_NEWUSER) and the sync barriers already control when the parent can run lxc_map_ids().) Or maybe I'm just missing something obvious?

_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users
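One way to check which namespaces a hook process actually runs in, relevant to the "fs namespace" question above, is to compare its /proc/self/ns entries with those of another process. This is an added example, not part of the original post and not LXC code; the function names are hypothetical, and reading another process's entries requires sufficient privilege over that process.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Parse a /proc/<pid>/ns/<type> link target such as "mnt:[4026531840]".
 * Returns the namespace inode number, or 0 if the text is not of that form. */
unsigned long parse_ns_link(const char *target, const char *type)
{
    size_t n = strlen(type);
    char *end;
    unsigned long ino;

    if (strncmp(target, type, n) != 0 || strncmp(target + n, ":[", 2) != 0)
        return 0;
    ino = strtoul(target + n + 2, &end, 10);
    return (end != target + n + 2 && strcmp(end, "]") == 0) ? ino : 0;
}

/* Namespace inode of `pid` ("self" or a decimal pid) for `type`; 0 on error. */
unsigned long ns_id(const char *pid, const char *type)
{
    char path[64], target[64];
    ssize_t len;

    snprintf(path, sizeof(path), "/proc/%s/ns/%s", pid, type);
    len = readlink(path, target, sizeof(target) - 1);
    if (len < 0)
        return 0;
    target[len] = '\0';
    return parse_ns_link(target, type);
}

/* 1 = same namespace, 0 = different, -1 = could not read one of them. */
int ns_same(const char *pid_a, const char *pid_b, const char *type)
{
    unsigned long a = ns_id(pid_a, type), b = ns_id(pid_b, type);
    return (a == 0 || b == 0) ? -1 : a == b;
}

int main(int argc, char **argv)
{
    const char *other = argc > 1 ? argv[1] : "1";  /* pid to compare against */
    const char *types[] = { "mnt", "user", "pid", "net" };

    for (size_t i = 0; i < sizeof(types) / sizeof(types[0]); i++)
        printf("%-4s self=%lu same_as_%s=%d\n", types[i],
               ns_id("self", types[i]), other, ns_same("self", other, types[i]));
    return 0;
}
```

Run from a hook, a `mnt` result of 0 against a host process means mounts made there are in a separate mount namespace, and a `user` result of 0 means the user namespace has already been entered.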
