Quoting Craig Ruff (cr...@ucar.edu):
> On Thu, Mar 06, 2014 at 12:03:53PM -0600, Serge Hallyn wrote:
> > That should now be fixed in git, as all of / gets mounted MS_SLAVE
> > if / is found to be shared. Now if only /media is shared and not
> > /, I suppose that's a different case.
>
> I am seeing a similar issue, where the host's / itself is not shared
> (i.e. the container has a private root file system), and a directory
> below root with sharing set has anything mounted below it.
>
> Example:
>
> Host setup (/d is used on the host itself, / is not shared):
> mount --bind /d /d
> mount --make-shared /d
> mount --bind /d /containers/d
> mount --make-slave /containers/d
> mount --make-shared /containers/d
> mount x /d/a
>
> Container configuration file contains:
> lxc.rootfs = /containers/s/rootfs
> lxc.mount = /containers/s/lxc.fstab
> lxc.hook.pre-mount = /usr/local/containers/hooks/premount
>
> Container lxc.fstab contains:
> /containers/d /containers/s/rootfs/d none rbind,create=dir 0 0
>
> Using this setup, anything mounted under /d will then appear in the
> container regardless of the ordering of the mount and container start.
> Mounts and unmounts done on the host will propagate into the containers.
> Unless the premount hook runs a "mount --make-rshared /" (or in this
> case "mount --make-rshared /d" would suffice), the lxc-start will
> cause /d/a to be unmounted from the host's /d/a.

Now this is interesting, because what you say suggests that doing
mount --make-rshared actually moves the directory into a new peer
group, which I didn't realize was the case.

> That was certainly unexpected behavior! Since I have not used
> LXC containers extensively, I don't know if this is the desired
> behavior, but it certainly needs better documentation if that
> is the case.

Yeah. Mount propagation has been around since 2005, but we're not
dealing with it very well.

So the reason I don't just have a mount("", "/", NULL, MS_SLAVE|MS_REC, 0)
unconditionally at container start is twofold: first, some people have a
perfectly fine non-shared non-slave / and don't want it turned *into* a
slave. Second, on some systems that fails for reasons as yet unknown to me
(could be as mundane as apparmor).

So I guess a new function which walks all mounts and pulls them into a new
peer group if they are shared would be good. Volunteers?

-serge
_______________________________________________
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
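The walk Serge asks for at the end, written out as an added example (it is not LXC code and not from anyone in this thread). It reads /proc/self/mountinfo, classifies each mount from the optional fields the kernel prints there (shared:N, master:N, unbindable), and makes every mount that sits in a shared peer group a slave of that group, one mount at a time, so a private / is never touched, which answers his first objection. The embedded sample listing is constructed to mirror Craig's host setup; its mount IDs, peer-group numbers and device numbers are made up, and the --fix flag and the program's name are this example's own.

```c
/* mountprop.c (added example, not LXC code): classify every mount in a
 * mountinfo listing by propagation type and, as root with --fix, make the
 * shared ones slaves.  Build: cc -Wall -O2 -o mountprop mountprop.c */
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>

typedef enum { PROP_PRIVATE, PROP_SHARED, PROP_SLAVE, PROP_SLAVE_SHARED, PROP_UNBINDABLE } prop_t;

/* Constructed listing (IDs and peer-group numbers made up) mirroring the host
 * setup in the thread after "mount x /d/a": / is private, /d is shared,
 * /containers/d is a slave of /d's group and shared in its own, and the mount
 * on /d/a has propagated to /containers/d/a as a slave of /d/a's group. */
const char SAMPLE_MOUNTINFO[] =
    "16 0 8:1 / / rw,relatime - ext4 /dev/sda1 rw\n"
    "25 16 8:1 /d /d rw,relatime shared:1 - ext4 /dev/sda1 rw\n"
    "26 16 8:1 /d /containers/d rw,relatime shared:2 master:1 - ext4 /dev/sda1 rw\n"
    "27 25 8:16 / /d/a rw,relatime shared:3 - ext4 /dev/sdb rw\n"
    "29 26 8:16 / /containers/d/a rw,relatime shared:4 master:3 - ext4 /dev/sdb rw\n"
    "28 16 0:20 / /proc rw,nosuid - proc proc rw\n";

static int oct(char c) { return c >= '0' && c <= '7'; }
/* mountinfo writes space, tab, newline and backslash in paths as \ooo. */
static void unescape(char *s)
{
    char *w = s;
    for (; *s; s++, w++)
        if (*s == '\\' && oct(s[1]) && oct(s[2]) && oct(s[3])) {
            *w = (char)((s[1] - '0') * 64 + (s[2] - '0') * 8 + (s[3] - '0')); s += 3;
        } else *w = *s;
    *w = '\0';
}

/* Parse one mountinfo line: mount point -> mnt, propagation type -> *prop.
 * Returns 0, or -1 if the line is not a well-formed mountinfo line. */
int parse_mountinfo_line(const char *line, char *mnt, size_t mntsz, prop_t *prop)
{
    char buf[4096], *tok; int shared = 0, master = 0, unbindable = 0;
    if (strlen(line) >= sizeof buf) return -1;
    strcpy(buf, line);
    /* Fields 1-6: id, parent, major:minor, root, mount point, options. */
    tok = strtok(buf, " \t\n");
    for (int i = 0; i < 4 && tok; i++) tok = strtok(NULL, " \t\n");
    if (!tok || strlen(tok) >= mntsz) return -1;
    strcpy(mnt, tok); unescape(mnt);
    if (!strtok(NULL, " \t\n")) return -1;                     /* options */
    /* Zero or more optional fields, then the lone "-" separator;
     * propagate_from:N is informational and does not change the type. */
    while ((tok = strtok(NULL, " \t\n")) && strcmp(tok, "-") != 0) {
        if (!strncmp(tok, "shared:", 7)) shared = 1;
        else if (!strncmp(tok, "master:", 7)) master = 1;
        else if (!strcmp(tok, "unbindable")) unbindable = 1;
    }
    if (!tok) return -1;
    *prop = unbindable ? PROP_UNBINDABLE : shared && master ? PROP_SLAVE_SHARED
          : shared ? PROP_SHARED : master ? PROP_SLAVE : PROP_PRIVATE;
    return 0;
}

/* True if the line parses to exactly this mount point and type. */
int line_is(const char *line, const char *mnt_want, prop_t prop_want)
{
    char mnt[4096]; prop_t prop;
    return !parse_mountinfo_line(line, mnt, sizeof mnt, &prop)
           && !strcmp(mnt, mnt_want) && prop == prop_want;
}

/* Every mount in a shared peer group (shared, or slave and shared) becomes a
 * slave of that group; a private / is left as it was. A slave still receives
 * the host's mounts and umounts but no longer propagates its own back out.
 * Returns the number of shared mounts found, or -1 at the first line it cannot
 * parse (mounts before it may already be changed). dry_run only reports. */
int shared_mounts_to_slave(const char *listing, int dry_run)
{
    char line[4096], mnt[4096]; prop_t prop; int found = 0;
    for (const char *p = listing; *p && found >= 0; ) {
        size_t len = strcspn(p, "\n");
        if (len >= sizeof line) return -1;
        memcpy(line, p, len); line[len] = '\0';
        p += len + (p[len] == '\n');
        if (!len) continue;
        if (parse_mountinfo_line(line, mnt, sizeof mnt, &prop) < 0) found = -1;
        else if (prop == PROP_SHARED || prop == PROP_SLAVE_SHARED) {
            found++;
            if (dry_run) printf("would make slave: %s\n", mnt);
            else if (mount(NULL, mnt, NULL, MS_SLAVE, NULL) < 0) perror(mnt);
        }
    }
    return found;
}

int main(int argc, char **argv)
{
    static char table[1 << 20];    /* far larger than any real mount table */
    int fix = argc > 1 && !strcmp(argv[1], "--fix"), found;
    FILE *f = fopen("/proc/self/mountinfo", "r");
    if (!f) { perror("/proc/self/mountinfo"); return 1; }
    table[fread(table, 1, sizeof table - 1, f)] = '\0'; fclose(f);
    found = shared_mounts_to_slave(table, !fix);
    printf("%d shared mount(s) %s\n", found, fix ? "made slave" : "found; run as root with --fix to change them");
    return found < 0;
}
```

Without --fix it only lists the mounts it would change and needs no privilege, so it doubles as a check for the situation Craig describes: on his host it would report /d and /containers/d (and whatever is mounted under them) while saying nothing about /. With --fix it has to run inside the container's new mount namespace, before the container's own mounts are made, to be of any use. It does nothing about Serge's second objection: a mount() that fails for an unexplained reason simply shows up as a perror line here.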