Bug#734813: systemd as pid1 allows lxc-containers to unmount host filesystems

I've added code to docker to handle / being shared, since fedora works like that. It works by detecting a shared / and the starting lxc-start in its own namespace where we've mounted / as rslave. See the code here: https://github.com/dotcloud/docker/blob/master/container.go#L673 This works out

Bug#734813: systemd as pid1 allows lxc-containers to unmount host filesystems

❦ 10 janvier 2014 09:05 CET, Alexander Larsson alexander.lars...@gmail.com : I've added code to docker to handle / being shared, since fedora works like that. It works by detecting a shared / and the starting lxc-start in its own namespace where we've mounted / as rslave. See the code here:

Bug#734813: [Pkg-systemd-maintainers] Bug#734813: systemd as pid1 allows lxc-containers to unmount host filesystems

forcemerge 734813 731574 thanks On Fri, Jan 10, 2014 at 08:08:18AM +0100, Michael Stapelberg wrote: Hi Paul, Hey Michael :) Paul Tagliamonte paul...@debian.org writes: A workaround was sent to me in a gist[2], but I've not tried it yet. Seems like it'd work. Another workaround given was

Bug#734813: systemd as pid1 allows lxc-containers to unmount host filesystems

On Thu, Jan 09, 2014 at 11:17:25PM -0800, Josh Triplett wrote: I also believe that preemptively CCing the tech-ctte on bugs like this is a mistake I already talked with Mithrandir. He convinced me so already. Your comments are noted. Thanks, Paul -- .''`. Paul Tagliamonte

Bug#734813: systemd as pid1 allows lxc-containers to unmount host filesystems

Once I was able to get a browser open, I found out olasd had researched and found a commit[1] that seems to mark this as systemd's decision that the kernel is wrong(?) A workaround was sent to me in a gist[2], but I've not tried it yet. Seems like it'd work. Another workaround given was to do:

Bug#734813: systemd as pid1 allows lxc-containers to unmount host filesystems

To clarify — the above-mentioned gist is not a workaround against the issue, but a sample snippet to repair my machine after it becomes unusable because of this bug. It's just remounting everything which was unmounted to make the machine usable again. It's (obviously) specific to my system, but it

Bug#734813: [Pkg-systemd-maintainers] Bug#734813: systemd as pid1 allows lxc-containers to unmount host filesystems

Hi Paul, Paul Tagliamonte paul...@debian.org writes: A workaround was sent to me in a gist[2], but I've not tried it yet. Seems like it'd work. Another workaround given was to do: for MNT in $(awk '{print $2}' /proc/mounts | sort -u) ; do mount --make-rprivate $MNT; done This needs to

Bug#734813: systemd as pid1 allows lxc-containers to unmount host filesystems

Paul Tagliamonte wrote: Once I was able to get a browser open, I found out olasd had researched and found a commit[1] that seems to mark this as systemd's decision that the kernel is wrong(?) [1]: