lxc fails to make read-only bind mounts as documented. Read-only bind mounts are important to many use cases.
A simple patch has been submitted to the lxc-devel mailing list (by Ciprian Dorin), but when I last checked, it was not clear if any action had been taken on it. It is clear, however, that the bug still exists in release 0.7.0. I have tested the patch, and it fixes the problem in both 0.6.5 and 0.7.0. I have been using it for a couple of months. This is where the patch was submitted to the lxc-devel list:

    http://sourceforge.net/mailarchive/forum.php?thread_name=4B9E0AE0.9000100%40free.fr&forum_name=lxc-devel

I think this patch should be implemented (when it is convenient to do so). This is a significant loss of functionality that affects the security of a security-oriented application. So I am posting so that others know the patch exists and also to see what should be done to get this included in the next release.

Details:
-------------------------------------------------------------

In short, a line like this in a container's configuration file should have the effect of bind-mounting the file (e.g. the /sbin directory below) within the container and making it *read-only*:

    lxc.mount.entry = /sbin /lxc/container07/sbin none ro,bind 0 0

Or in a fstab-formatted file referred to by a "lxc.mount" entry in the config file, it would simply be:

    /sbin /lxc/container07/sbin none ro,bind 0 0

Unfortunately, it doesn't work. It bind-mounts, but gives a little warning that it "appears to mounted read-write". This is easily confirmed by writing and deleting files in the filesystems that should have been mounted read-only. This is unfortunate, considering the whole point of these tools is secure compartmentalization.

Normally, a read-only bind mount requires two steps:

    mount -o bind /sbin /lxc/container07/sbin
    mount -o remount,ro /lxc/container07/sbin

So, one may work around this bug by executing a script (after starting the container) to carry out that second step, remounting the appropriate things in read-only mode.
But this shouldn't be necessary, since handling read-only bind mounts is an intended feature of the lxc tools. The patch is very simple and does seem to fix the problem nicely. Barring regressions I may not be aware of, I, for one, would like to see it implemented.

I am using it as a means to re-use the host operating system's files, in read-only bind mounts, with exceptions overlaid on top of them (rather than having to maintain an additional and separate "guest operating system" filesystem). With the patch, this seems to work quite well.

_______________________________________________
Lxc-users mailing list
https://lists.sourceforge.net/lists/listinfo/lxc-users
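An added example (mine, not from the post or the lxc project) of the verification step a practitioner would want: it parses the kernel's mount table for the ro flag instead of trusting lxc's warning, and applies the post's second mount step only to entries that are still read-write. The function names and the sample mount table are assumptions; the container paths are the post's own.

```shell
#!/bin/sh
# Added example: not from the original post or the lxc project.
# Checks the mount table for the "ro" flag on each mount point that the
# container config expects to be read-only, then applies the post's second
# step (mount -o remount,ro) to any that are still rw.
# Function names and the constructed sample table are assumptions.

# mount_is_ro TABLE MOUNTPOINT
# Returns 0 if the last mount-table entry for MOUNTPOINT carries "ro".
# TABLE is the text of /proc/self/mounts (fields: dev mp fstype opts dump pass).
mount_is_ro() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $2 == mp { found = 1; ro = 0
                   n = split($4, o, ",")
                   for (i = 1; i <= n; i++) if (o[i] == "ro") ro = 1 }
        END { exit (found && ro) ? 0 : 1 }'
}

# list_rw_mounts TABLE MOUNTPOINT...
# Prints each expected-read-only mount point that is not actually ro.
list_rw_mounts() {
    table=$1; shift
    for mp in "$@"; do
        mount_is_ro "$table" "$mp" || printf '%s\n' "$mp"
    done
}

# enforce_ro MOUNTPOINT...
# The post's manual workaround, applied only where the check fails.
# Needs root and a live Linux mount table; paths must not contain spaces.
enforce_ro() {
    for mp in $(list_rw_mounts "$(cat /proc/self/mounts)" "$@"); do
        echo "remounting $mp read-only" >&2
        mount -o remount,ro "$mp"
    done
}

# Constructed sample table: /sbin was bind-mounted but stayed rw (the bug),
# /lib was remounted correctly.
SAMPLE_TABLE='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda1 /lxc/container07/sbin ext4 rw,relatime 0 0
/dev/sda1 /lxc/container07/lib ext4 ro,relatime 0 0'

# Prints "/lxc/container07/sbin" for the sample table.
list_rw_mounts "$SAMPLE_TABLE" /lxc/container07/sbin /lxc/container07/lib
```

Run `enforce_ro /lxc/container07/sbin ...` as root after lxc-start to apply the remount only where the check fails.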
