On Mon, Jun 27, 2011 at 12:06 PM, Michael H. Warfield <m...@wittsend.com> wrote:
> On Mon, 2011-06-27 at 17:20 +0100, Justin Cormack wrote:
>> On Mon, 2011-06-27 at 18:05 +0200, Samuel Maftoul wrote:
>>
>> > I tried several ways to have the rootfs mounted RO.
>> > First I removed the lxc.rootfs from my config file and then tried:
>> >
>> > - lxc-start -n vm0 -o /tmp/lxc-vm0.log -l DEBUG -s "lxc.mount.entry=/ /var/lib/lxc/vm0/rootfs none ro,bind 0 0"
>> >
>> > Then I tried:
>> >
>> > - echo "/ /var/lib/lxc/vm0/rootfs none ro,bind 0 0" > /var/lib/lxc/vm0/fstab ;
>> >   lxc-start -n vm0 -o /tmp/lxc-vm0.log -l DEBUG -s "lxc.mount = /var/lib/lxc/vm0/fstab"
>> >
>> > Finally I tried to boot with lxc.rootfs pointing to the same content,
>> > but on its block device, mounted read-only.
>> > The system starts, I have a console, but in the logs I get:
>> > lxc_conf - ignoring mount point '/var/lib/lxc/vm0/rootfs/lib'
>> > lxc_conf - ignoring mount point '/var/lib/lxc/vm0/rootfs/usr/lib'
>> >
>> > and of course, if I ls these directories, I have nothing inside.
>
>> Bind mounting the root fs is fine, but it will not bind mount file
>> systems under this, so you will need to add these to your fstab too. It
>> looks like you have /lib and /usr/lib mounted on separate file systems
>> and need to bind mount these too?
>
> Bind mounts work but, iirc, there was (in the past) a problem that if
> the container did a remount, the remount would propagate to the parent
> device. That caused all sorts of headaches (and I know, I was supposed
> to retest that scenario ages ago and I haven't) like when a container
> remounted its rootfs ro during a shutdown it made partitions ro to the
> host. Very bad. This was also at the heart of the problem with
> shutdowns causing ptty failures for any subsequent connections an
> container starts (it made that fs ro). If you try to do this, you may
> have to prohibit mounts inside the containers to prohibit the remount
> problems. It would probably be a good idea to test it and see if the
> container can remount an ro mount point as rw and what the impact would
> be.

Does this happen when the container rootfs is marked as a slave/private mount? Slaves et al. should not propagate changes to the master/host.

--
C Anthony

_______________________________________________
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users
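
Added example (not part of the thread and not LXC code): a Python check that reads text in `/proc/self/mountinfo` format and reports, for a bind-mounted container rootfs, its propagation type, whether read-only is a per-mount flag or set on the whole filesystem, and which submounts of the source a plain `bind` leaves out. The sample data and the function names are constructed for illustration.

```python
import posixpath

# Constructed sample in /proc/self/mountinfo format (not taken from the thread):
# "/" is bind-mounted read-only on the rootfs; /lib and /usr/lib are separate.
SAMPLE = """\
20 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
21 20 8:2 / /lib rw,relatime shared:2 - ext4 /dev/sda2 rw
22 20 8:3 / /usr/lib rw,relatime shared:3 - ext4 /dev/sda3 rw
40 20 8:1 / /var/lib/lxc/vm0/rootfs ro,relatime master:1 - ext4 /dev/sda1 rw
"""

def parse_mountinfo(text):
    """Return one dict per mount: mount point, device, ro flags, propagation."""
    mounts = []
    for line in text.splitlines():
        left, sep, right = line.partition(" - ")
        if not sep:
            continue  # blank or malformed line
        f, r = left.split(), right.split()
        tags = f[6:]  # optional fields such as shared:N and master:N
        kinds = [name for prefix, name in (("shared:", "shared"), ("master:", "slave"))
                 if any(t.startswith(prefix) for t in tags)]
        mounts.append({
            "point": f[4], "dev": f[2],
            "mount_ro": "ro" in f[5].split(","),  # per-mount flag (e.g. ro,bind)
            "super_ro": "ro" in r[2].split(","),  # flag on the filesystem itself
            "propagation": "+".join(kinds) or "private",
        })
    return mounts

def under(path, parent):
    """True if path lies strictly below parent."""
    return path != parent and posixpath.commonpath([path, parent]) == parent

def audit_bind(text, source, target):
    """Describe the bind mount at target and list submounts of source it lacks."""
    mounts = parse_mountinfo(text)
    bind = next(m for m in mounts if m["point"] == target)
    points = {m["point"] for m in mounts}
    omitted = sorted(
        p for p in points
        if under(p, source) and p != target and not under(p, target)
        and posixpath.join(target, posixpath.relpath(p, source)) not in points)
    return {**bind, "omitted": omitted}

if __name__ == "__main__":
    print(audit_bind(SAMPLE, "/", "/var/lib/lxc/vm0/rootfs"))
```

On a live host, pass the contents of `/proc/self/mountinfo` in place of `SAMPLE`.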