Quoting Olivier BONHOMME ([email protected]):
> On Mon, Jun 20, 2016 at 09:51:11AM -0500, Serge E. Hallyn wrote:
> > Quoting Olivier BONHOMME ([email protected]):
> > > Hello,
> > >
> > > I'm trying to set up containers using LXC and I have a question about how
> > > the rootfs is mounted.
> > >
> > > I would love to start my container with some specific mount options in
> > > order to increase security a little bit by reducing what it is possible to do
> > > directly on the ROOTFS. That's why I would love to apply some restrictions on the
> > > / mountpoint like ro,nosuid,nodev,noexec.
> > >
> > > I tried using lxc.rootfs.options without success. So I wonder if it
> >
> > lxc.rootfs.options is meant to work, fwiw. If you give more details about
> > your setup (is the rootfs on a device or in a file, or just a directory; what
> > is the whole config file; what host system do you have) someone should be able to
> > reproduce and hopefully fix the bug.
>
> Hello Serge,
>
> Thanks for your quick answer. My entries are the following:
> - Host System: CentOS 7
> - LXC Version: 1.0.8 provided by EPEL
> - Template used: lxc-sshd
>
> In order to create the container I used the lxc-create command with the -t
> sshd parameter.
> So the rootfs created is stored in a directory in the default directory
> /var/lib/lxc/<mycontainer>/rootfs.
>
> The config file used is the one automatically created by the sshd template. I
> just override the lxc.rootfs.options setting ro,noexec,nodev,nosuid.
>
> But when I do an lxc-attach, / is mounted as rw in /proc/mounts.
Can you try actually writing to a file in the rootfs?

Since your rootfs is a bind mount, there is no separate filesystem to make ro. Rather, the bind mount should be made a ro mount without changing the fs options.

You create a separate rootfs (look at the -B option) if you want more separation.
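To see which of the requested flags actually took effect on a mount, here is an added example that is not part of this thread: a small POSIX shell script that reads /proc/self/mountinfo, where field 6 holds the per-mount options (the ones a read-only bind mount changes) and the options after the "-" separator belong to the underlying superblock (which a bind mount cannot change, so they stay rw). The mountinfo lines embedded below are constructed to resemble a container whose rootfs is a bind mount of a directory on the host's XFS volume; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the lxc-users thread. Distinguishes the per-mount
# flags of a mountpoint from the superblock options of the filesystem behind it,
# using the /proc/self/mountinfo format:
#   id parent major:minor root mountpoint per-mount-opts [optional...] - fstype source super-opts

# Constructed sample resembling a container view: / is a bind mount (note the
# "root" field pointing into the host's rootfs directory) whose per-mount
# options are ro,nosuid,nodev,noexec while the superblock is still rw.
SAMPLE_MOUNTINFO='18 1 0:19 /var/lib/lxc/mycontainer/rootfs / ro,nosuid,nodev,noexec,relatime shared:1 - xfs /dev/mapper/centos-root rw,attr2,inode64,noquota
19 18 0:4 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw'

# mount_flags MOUNTPOINT [MOUNTINFO_TEXT]
# Prints the per-mount options (field 6). Without a second argument the live
# table /proc/self/mountinfo is read.
mount_flags() {
    mi=${2:-$(cat /proc/self/mountinfo)}
    printf '%s\n' "$mi" | awk -v mp="$1" '$5 == mp { print $6; exit }'
}

# super_flags MOUNTPOINT [MOUNTINFO_TEXT]
# Prints the superblock options: the third field after the "-" separator,
# skipping any optional fields (shared:, master:, ...) that precede it.
super_flags() {
    mi=${2:-$(cat /proc/self/mountinfo)}
    printf '%s\n' "$mi" | awk -v mp="$1" '
        $5 == mp {
            for (i = 7; i <= NF; i++)
                if ($i == "-") { print $(i + 3); exit }
        }'
}

# has_flag FLAG COMMA_LIST -> exit status 0 if FLAG is one of the options
has_flag() {
    case ",$2," in
        *",$1,"*) return 0 ;;
    esac
    return 1
}

# check_rootfs MOUNTPOINT [MOUNTINFO_TEXT]
# Prints "ok" when ro, nosuid, nodev and noexec are all set on the mount
# itself, otherwise "missing:" followed by the flags that are absent.
check_rootfs() {
    flags=$(mount_flags "$1" "$2")
    missing=
    for want in ro nosuid nodev noexec; do
        has_flag "$want" "$flags" || missing="$missing $want"
    done
    if [ -z "$missing" ]; then
        echo "ok"
    else
        echo "missing:$missing"
    fi
}

# Stand-alone demonstration against the constructed table.
echo "per-mount flags of /:  $(mount_flags / "$SAMPLE_MOUNTINFO")"
echo "superblock flags of /: $(super_flags / "$SAMPLE_MOUNTINFO")"
echo "rootfs hardening:      $(check_rootfs / "$SAMPLE_MOUNTINFO")"
```

Run inside the container as `check_rootfs /` with no second argument to inspect the live table; "ok" means all four flags are present on the mount itself, which is the level a read-only bind mount operates on, while `super_flags /` will still report the host filesystem's own rw options.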
