Matto Fransen <ma...@matto.nl> writes:

>> In the container, I can use the mount command with the -oremount,rw
>> options and then edit the file from the container.
>
> So the bind read-only mounts are no protection against changing the
> filesystem of the container, but even make it possible to corrupt the
> _host_ filesystem ...
>
>> Is there a way to disable that behavior and forbid the mount options
>
> Perhaps there should be a drop.caps possibility to prevent remounting
> from within the container.

lxc.cap.drop=sys_admin should prevent all mount(2) calls within the
container. It seems to work for me. In fact... I thought LXC *always*
removed that capability, even if you never mentioned it?

    $ grep /srv/mirror /proc/mounts
    /dev/mapper/omega-mirror /srv/mirror ext4 ro,relatime,barrier=1,data=ordered 0 0
    $ sudo mount -o remount,rw /srv/mirror
    $ grep /srv/mirror /proc/mounts
    /dev/mapper/omega-mirror /srv/mirror ext4 ro,relatime,barrier=1,data=ordered 0 0

Note that, obviously, this means all mounts must be done by
lxc.mount.entry or prior to starting LXC.

_______________________________________________
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users
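
The check discussed in this thread, as an added example that is not part of the original messages: a shell audit that reads a process's capability masks (the /proc/PID/status format) and a mounts table, and reports whether CAP_SYS_ADMIN is still available to remount read-only mounts. The function names and the --live switch are hypothetical; bit 21 is the value of CAP_SYS_ADMIN in linux/capability.h.

```shell
#!/bin/sh
# Added example: can this process still remount its read-only mounts?
# mount(2) requires CAP_SYS_ADMIN, which lxc.cap.drop=sys_admin removes.
CAP_SYS_ADMIN_BIT=21   # value of CAP_SYS_ADMIN in <linux/capability.h>

# cap_sys_admin_in FIELD STATUS_FILE
# Exit 0 if the CAP_SYS_ADMIN bit is set in FIELD (CapEff, CapBnd, ...),
# 1 if it is clear, 2 if the field is missing from the file.
cap_sys_admin_in() {
    mask=$(awk -v f="$1:" '$1 == f { print $2 }' "$2")
    [ -n "$mask" ] || return 2
    [ $(( (0x$mask >> $CAP_SYS_ADMIN_BIT) & 1 )) -eq 1 ]
}

# ro_mounts MOUNTS_FILE: print mount points whose options include "ro".
ro_mounts() {
    awk '$4 ~ /(^|,)ro(,|$)/ { print $2 }' "$1"
}

# audit STATUS_FILE MOUNTS_FILE
# Exit 0 = capability dropped, 1 = still available, 2 = cannot tell.
# The effective set decides whether mount(2) works now; the bounding set
# decides whether a later exec could regain the capability.
audit() {
    for field in CapEff CapBnd; do
        cap_sys_admin_in "$field" "$1" && rc=0 || rc=$?
        case $rc in
            0) echo "EXPOSED: CAP_SYS_ADMIN in $field; ro mounts at risk:" \
                    $(ro_mounts "$2")
               return 1 ;;
            2) echo "UNKNOWN: $field not found in $1"
               return 2 ;;
        esac
    done
    echo "PROTECTED: CAP_SYS_ADMIN absent from effective and bounding sets"
}

# Run against the current process only when asked to, e.g. inside a container.
[ "${1:-}" != "--live" ] || audit /proc/self/status /proc/mounts
```

Run with --live inside the container; a PROTECTED verdict corresponds to the behaviour shown above, where the remount leaves /srv/mirror read-only.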