On Sat, Feb 22, 2014 at 11:42:11AM +0100, Ralf Jung wrote:
> this would indeed be a great feature. It would also be interesting to be
> able to make the chroot "root" mount (which is not controlled by the
> fstab file) read-only.
I recall that there's a reason why "ro,bind" doesn't work directly--you
have to do two bind mounts to get it properly read-only. Is that correct?
What's the recommended sequence to make this work properly? If we see "ro"
and "bind" in the mount options, we can probably special-case it; but if
it's doable directly in the fstab file, that would be even better. Can you
do it with two entries?

> Furthermore, there are additional interesting
> flags that can be set for bind mounts, but only with a remount - think
> of nosuid, noexec.

Definitely. If we can do this as for ro, that sounds like a good idea.

WRT the "root" mount, this will vary depending upon the chroot type. For
example, we have mount options for LVM-snapshot and block-device type
chroots already. We don't for btrfs, but we could potentially remount the
subvolume. Other non-mountable types might be unpacked directly on /var,
in which case we would have to do bind mount on top of the mount trickery?

Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   schroot and sbuild           http://alioth.debian.org/projects/buildd-tools
   `-    GPG Public Key               F33D 281D 470A B443 6756 147C 07B3 C8BC 4083 E800
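The two-step sequence Roger is asking about, as an added example that is not part of this thread and not schroot or sbuild code: a plain bind mount, then a remount of that same mountpoint with ro (and nosuid/noexec), followed by a check in /proc/self/mountinfo that the flags actually landed on the bind mountpoint rather than only being requested. The chroot path /srv/chroot/sid, the function names, DRYRUN and the sample mountinfo lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not schroot/sbuild code): read-only bind mounts need two
# mount(2) calls, because the bind operation copies the source's flags and
# ignores MS_RDONLY; the flags are then changed in place with a bind remount.

# Run a command, or only print it when DRYRUN=1 (review without root).
run() {
    if [ "${DRYRUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# ro_bind_mount SRC DST [EXTRA_OPTS]
# 1. "mount --bind SRC DST": creates the bind mount. An "ro" given on this
#    call is not applied to the new mountpoint.
# 2. "mount -o remount,bind,ro[,EXTRA] SRC DST": changes the flags of DST
#    only; the original mount of SRC stays read-write.
ro_bind_mount() {
    _src=$1
    _dst=$2
    _opts=ro
    [ -n "$3" ] && _opts="$_opts,$3"
    run mount --bind "$_src" "$_dst" || return 1
    run mount -o "remount,bind,$_opts" "$_src" "$_dst"
}

# mount_opts_of MOUNTPOINT [MOUNTINFO_FILE]
# Prints the per-mountpoint options (field 6 of /proc/self/mountinfo).
# A bind remount sets these; the superblock options after the " - "
# separator still read "rw", so checking those would wrongly say "writable".
mount_opts_of() {
    _mp=$1
    _file=${2:-/proc/self/mountinfo}
    awk -v mp="$_mp" '$5 == mp { print $6; found = 1 } END { exit !found }' "$_file"
}

# is_ro_mount MOUNTPOINT [MOUNTINFO_FILE]: succeeds if "ro" is among the
# per-mountpoint options of MOUNTPOINT.
is_ro_mount() {
    mount_opts_of "$1" "$2" | tr ',' '\n' | grep -qx ro
}

# Constructed sample mountinfo (not a real capture). Line 2 is /home bound
# into the chroot after the remount: "ro,nosuid,noexec" in field 6 while the
# superblock options at the end still say rw. Line 3 is a plain bind mount.
SAMPLE_MOUNTINFO=$(mktemp)
trap 'rm -f "$SAMPLE_MOUNTINFO"' EXIT
cat >"$SAMPLE_MOUNTINFO" <<'EOF'
21 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
45 21 8:1 /home /srv/chroot/sid/home ro,nosuid,noexec,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
46 21 8:1 /var/cache/apt /srv/chroot/sid/var/cache/apt rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
EOF

# Dry-run demonstration of the sequence for the hypothetical chroot path.
DRYRUN=1 ro_bind_mount /home /srv/chroot/sid/home nosuid,noexec
```

In an fstab that is processed line by line, in order (which is how schroot's mount setup applies the chroot fstab, rather than via mount -a), the same sequence is two entries for the same mountpoint: one with options "bind", the next with "remount,bind,ro,nosuid,noexec". Whatever mechanism performs the mounts, verify the result from the per-mountpoint field of /proc/self/mountinfo as above, because "ro" silently not taking effect on a bind mount is exactly the failure mode this thread is about; later util-linux releases perform the second step internally when given "bind,ro", but the check stays the same.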