Hi,

On Mon, Jun 27, 2011 at 06:05:13PM +0200, Samuel Maftoul wrote:
> I'm searching for a solution to have a read only rootfs inside an LXC
> container. I have a webserver running this way :)
> I created a container with the busybox template, this container works.
> As soon as I try to mount it read only I have this message in the logs:

Create a rootfs outside the container. In the config of your container you
add lines like:

lxc.mount.entry=/path/to/rootfs/lib /var/lib/lxc/<container>/rootfs/lib none ro,bind 0 0

and so on for all the dirs you want to mount readonly.

Also create some system directories:

# system mounts
lxc.mount.entry=proc /var/lib/lxc/<container>/rootfs/proc proc none defaults 0 0
lxc.mount.entry=shmfs /var/lib/lxc/<container>/rootfs/dev/shm tmpfs mode=0644 0 0
lxc.mount.entry=sysfs /var/lib/lxc/<container>/rootfs/sys sysfs defaults 0 0

And add the following line to the config of your container:

lxc.cap.drop=sys_admin

This last line prevents one from jumping out of the readonly bind mounts
from inside the container :)

Cheers,
Matto
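As an added example (not code from the thread), the shell functions below emit the config lines described above for a given container and host rootfs, and then check an existing config for the two properties the reply depends on: every bind mount carries the `ro` option, and `lxc.cap.drop` includes `sys_admin`. The container name, host paths and absolute-destination line format are assumptions taken from the thread.

```shell
#!/bin/sh
# Added example, not from the original thread: emit the config lines
# Matto describes for a container, and check an existing config for the
# two properties his reply relies on: every bind mount carries "ro" and
# sys_admin is dropped. Container name and host paths are assumptions.

# gen_ro_config NAME SRC DIR... : print a read-only bind mount for each
# DIR under SRC, the system mounts, and the capability drop, in the
# absolute-destination form used in the thread.
gen_ro_config() {
    name="$1"; src="$2"; shift 2
    dst="/var/lib/lxc/$name/rootfs"
    for d in "$@"; do
        printf 'lxc.mount.entry=%s/%s %s/%s none ro,bind 0 0\n' \
            "$src" "$d" "$dst" "$d"
    done
    printf '# system mounts\n'
    printf 'lxc.mount.entry=proc %s/proc proc none defaults 0 0\n' "$dst"
    printf 'lxc.mount.entry=shmfs %s/dev/shm tmpfs mode=0644 0 0\n' "$dst"
    printf 'lxc.mount.entry=sysfs %s/sys sysfs defaults 0 0\n' "$dst"
    printf 'lxc.cap.drop=sys_admin\n'
}

# check_ro_config FILE : return 0 only if no bind mount lacks "ro" in its
# option field and lxc.cap.drop lists sys_admin; report problems on stderr.
check_ro_config() {
    rc=0
    # each mount entry is an fstab line: src dst fstype options dump pass
    rw=$(sed -n 's/^lxc\.mount\.entry *= *//p' "$1" |
        awk '$4 ~ /bind/ && $4 !~ /(^|,)ro(,|$)/')
    if [ -n "$rw" ]; then
        printf 'writable bind mount(s):\n%s\n' "$rw" >&2
        rc=1
    fi
    # the cap.drop value is a space-separated list, so match the whole word
    if ! grep -E '^lxc\.cap\.drop *=( *|.* )sys_admin( |$)' "$1" >/dev/null; then
        echo 'lxc.cap.drop does not include sys_admin' >&2
        rc=1
    fi
    return $rc
}
```

Run `gen_ro_config web /srv/ro-rootfs lib usr bin > /var/lib/lxc/web/config.ro` and include or append the result in the container config; `check_ro_config` on that file should then exit 0.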