Hey all, Been running into an ugly situation with LXC-Tools that seems to be pointing up a real serious leakage from containers. If you have a mount inside a container (presumably a bind mount in this case), if the container does a mount -o remount (say rw->ro or ro->rw) this propagates to the host mount points (all the way to the primary mount point for that partition in some cases) and is reflected in other containers. This first show up with containers running full VM's running on a mounted fs (aot the host / fs) were causing the real mounted fs to become ro when they were shut down (the VM was remounting its rootfs as ro and it was leaking out of the container). I've since confirmed that and encountered it trying to have a shared ro mounted fs in a container using bind mounts (bind mounts since 2.6.26 have allowed setting the ro flag on individual mount points) and discovering that one container could make it rw and then all the other containers would see it as rw as well! If a container made a mount point ro, all the other containers would see it as ro and the mount point for the entire real fs in the host would become ro! This is very not good. That's a pretty serious leakage from the containers out to the host. Is this a problem with the container isolation or some problem in creating the container? I'm running and testing on a Fedora 12 system with a 2.6.32 kernel. Not related (I don't think) but I have also noted that linux-utils-ng on F16 seems to also have a bug irt something similar here. If I mount a directory from a mounted partition onto another location and then make that other location ro, the entire partition becomes ro. BUT! If I then make the partition rw, that does not propagate back up and the bind mount remains ro. What should work is this: Partition /export Directory /export/readonly mount --bind /export/readonly /srv/readonly At this point, /export and /srv/readonly are both rw mount -o remount,ro /srv/readonly Now. both /export and /srv/readonly are ro! This is wrong. Only /srv/readonly is suppose to be ro! Now, running... mount -o remount,rw /export now, /export is rw and /srv/readonly is readonly. Back to containers... If I have /srv/readonly mounted in several containers (same mount point) it's ro in the host and in the containers... Running this in one container: mount -o remount,rw /srv/readonly (I seriously wish this would NOT WORK AT ALL, but it does. I don't want the container to be able to write to that partition at all, like the media was RO. Anybody have any ideas on that one?) Now /srv/readonly is rw in the host and all the containers! (EVEN WORSE!) Running this in one container: mount -o remount,ro /srv/readonly NOW /srv/readonly is ro in all the containers and /export is ro in the host. NOT GOOD. Thoughts? Regards, Mike -- Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw@xxxxxxxxxxxx /\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
Attachment:
signature.asc
Description: This is a digitally signed message part
_______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linux-foundation.org/mailman/listinfo/containers
