On Mon, Mar 07, 2016 at 11:55:47PM +0100, Tobias Hunger wrote:
> Hi,
>
> I have been running systemd-nspawn containers on top of a btrfs
> filesystem for a while now.
>
> This works great: Snapshots are a huge help to manage containers!
>
> But today I ran btrfs subvol list . *inside* a container. To my
> surprise I got a list of *all* subvolumes on that drive. That is
> basically a complete list of containers running on the machine. I do
> not want to have that kind of information exposed to my containers.
I have a very stripped down docker image that actually mounts a portion of my root filesystem read only. While it's running out of a btrfs filesystem, you can't run btrfs commands against it:

05233e5c91f0:/# btrfs fi show
05233e5c91f0:/# btrfs subvol list /
ERROR: can't perform the search - Operation not permitted
05233e5c91f0:/# btrfs subvol list .
ERROR: can't perform the search - Operation not permitted

I didn't do anything special, it's just working that way.

Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems .... .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | PGP 1024R/763BE901
--
To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
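The difference between the two replies above comes down to capabilities: the search behind `btrfs subvolume list` is the BTRFS_IOC_TREE_SEARCH ioctl, which the kernel only allows to a process holding CAP_SYS_ADMIN. Docker drops CAP_SYS_ADMIN from its default capability set, so the search fails with EPERM ("Operation not permitted"); systemd-nspawn's default set keeps it, so the listing succeeds. The script below is an added example, not code from either poster: it reads the effective capability mask in the format `/proc/<pid>/status` uses and reports whether a process with that mask could run the search. The two sample CapEff masks and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Decide whether a process holds
# CAP_SYS_ADMIN, which the kernel requires for BTRFS_IOC_TREE_SEARCH, the ioctl
# behind `btrfs subvolume list`. Without it the tool reports
# "can't perform the search - Operation not permitted", as in the Docker
# container above.
CAP_SYS_ADMIN=21

# has_cap MASK BIT: exit 0 if BIT is set in MASK, a hex capability mask in the
# format /proc/<pid>/status uses (e.g. "000001ffffffffff"). Only the low 32 bits
# are examined, which covers CAP_SYS_ADMIN (bit 21) and keeps the arithmetic
# portable to shells whose $(( )) is only 32 bits wide.
has_cap() {
    mask=$1
    bit=$2
    low=$mask
    while [ ${#low} -gt 8 ]; do low=${low#?}; done
    [ $(( (0x$low >> $bit) & 1 )) -eq 1 ]
}

# cap_eff: read a /proc/<pid>/status-style document on stdin and print the
# CapEff mask (the capabilities the process can actually exercise).
cap_eff() {
    sed -n 's/^CapEff:[[:space:]]*//p'
}

# tree_search_allowed MASK: print "yes" if a process with effective mask MASK
# could issue the btrfs tree search, "no" otherwise.
tree_search_allowed() {
    if has_cap "$1" "$CAP_SYS_ADMIN"; then echo yes; else echo no; fi
}

# Constructed sample status fragments: a mask with CAP_SYS_ADMIN set (what an
# nspawn container keeps by default) and Docker's default set (a80425fb), which
# lacks bit 21.
NSPAWN_LIKE_MASK=000001ffffffffff
DOCKER_DEFAULT_MASK=00000000a80425fb

# Report for the current process when run on Linux; harmless elsewhere.
if [ -r /proc/self/status ]; then
    self_mask=$(cap_eff < /proc/self/status)
    printf 'this process: CapEff=%s  btrfs tree search: %s\n' \
        "$self_mask" "$(tree_search_allowed "$self_mask")"
fi
printf 'nspawn-like mask %s: %s\n' "$NSPAWN_LIKE_MASK" "$(tree_search_allowed "$NSPAWN_LIKE_MASK")"
printf 'docker default   %s: %s\n' "$DOCKER_DEFAULT_MASK" "$(tree_search_allowed "$DOCKER_DEFAULT_MASK")"
```

Run it inside the container whose behaviour you are checking (`sh caps.sh`); a "no" for the current process is the condition under which `btrfs subvol list` fails as in Marc's Docker image. For nspawn, the corresponding knob is the `--drop-capability=CAP_SYS_ADMIN` option (or the matching `Capability=`/`DropCapability=` settings in an .nspawn file), though many things nspawn containers do, such as mounting inside the container, also need CAP_SYS_ADMIN, so test the workload after dropping it.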