Quoting Papp Tamas (tom...@martos.bme.hu):
> On 02/28/2012 04:13 PM, Serge Hallyn wrote:
> >Quoting Papp Tamas (tom...@martos.bme.hu):
> >>On 02/28/2012 01:20 AM, Serge Hallyn wrote:
> >>>Quoting Daniel Lezcano (daniel.lezc...@free.fr):
> >>>>Hi all,
> >>>>
> >>>>I will release a 0.8.0-rc1. I am looking for volunteer to test it :)
> >>>Worked fine for me. Tested create and clone of ubuntu, ubuntu and
> >>>ubuntu-cloud images, with dir and lvm backing stores. (And a run
> >>>of lp:~serge-hallyn/+junk/lxc-test)
> >>>
> >>>Note, because upstream kernel didn't much care about the
> >>>'mount -o remount,ro /' problem, I'm going to patch lxc to
> >>>pin open a '${rootfs}.hold' file, as long as the container
> >>>is running. That will prevent the underlying fs from being
> >>>remounted ro. (see
> >>>https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/942325 for
> >>>details). That'll buy us some time to find a better solution
> >>>in the kernel.
> >>>
> >>>
> >>Why can a container change mount options outside of its rootfs?
> >>Sorry for the stupid question:)
> >It's not a stupid question at all.
> >
> >The container isn't changing mount options outside of its rootfs. THere
> >are two places an fs can be marked readonly - in the mount itself, and in
> >the superblock. When you make a bind mount, you are creating more mounts
> >(vfsmounts) using the same superblcok.
> >
> >If you do
> >
> > mount --bind / / # not needed in container bc it's already been done
> > mount --bind -o remount,ro /
> >
> >then you are setting the reasonly flag on the mount itself. If you just do
> >
> > mount -o remount,ro /
> >
> >then you are setting the reasonly flag on the superblock, which will
> >force all other mounts of that superblcok to also be readonly.
> >
> >Right now there is no way to prevent a container from doing that. I sent
> >a patch to make the devices cgroup be consulted on that, so that it could
> >reteurn -EPERM. That was refused. The two other options I'm considering
> >(and it wouldn't hurt ot have both) are 1. to pass the remoutn flags to the
> >LSM (selinux or apparmor or smack) so that it can deny permission. Right
> >now it can't do that (except for all-or-nothing check on remount). And 2.
> >to make it so that after doing
> >
> > mount --bind / /
> > mount --bind -o remount,ro /
> > mount --bind -o remount,rw /
> >
> >any subsequent
> >
> > mount -o remount,rw /
> >
> >would be refused (or automatically done only at the mount level). I don't
> >think that should be hard to do at fs/namespace.c:do_remount().
>
>
> This may be to much for my brain:)
>
> Anyway, could you make deb package from it?
I've got it working for an ubuntu package, though we're in freeze right
now. I intend to push the patch to my github tree tomorrow, and I've
pushed the package to ppa:serge-hallyn/virt (version 0.7.5-3ubuntu31,
should build in a few hours). Meanwhile here is the actual patch for
now.
Tests fine for me.
Subject: lxc-start: if rootfs is a dir, pin the fs
Otherwise the container can remount the shared underlying fs readonly.
Index: lxc-dnsmasq/src/lxc/conf.c
===================================================================
--- lxc-dnsmasq.orig/src/lxc/conf.c 2012-02-28 19:13:01.400960000 +0000
+++ lxc-dnsmasq/src/lxc/conf.c 2012-02-28 20:05:45.538144907 +0000
@@ -445,6 +445,51 @@
return mount_unknow_fs(rootfs, target, 0);
}
+/*
+ * pin_rootfs
+ * if rootfs is a directory, then open ${rootfs}.hold for writing for the
+ * duration of the container run, to prevent the container from marking the
+ * underlying fs readonly on shutdown.
+ * return -1 on error.
+ * return -2 if nothing needed to be pinned.
+ * return an open fd (>=0) if we pinned it.
+ */
+int pin_rootfs(const char *rootfs)
+{
+ char absrootfs[MAXPATHLEN];
+ char absrootfspin[MAXPATHLEN];
+ struct stat s;
+ int ret, fd;
+
+ if (!realpath(rootfs, absrootfs)) {
+ SYSERROR("failed to get real path for '%s'", rootfs);
+ return -1;
+ }
+
+ if (access(absrootfs, F_OK)) {
+ SYSERROR("'%s' is not accessible", absrootfs);
+ return -1;
+ }
+
+ if (stat(absrootfs, &s)) {
+ SYSERROR("failed to stat '%s'", absrootfs);
+ return -1;
+ }
+
+ if (!__S_ISTYPE(s.st_mode, S_IFDIR))
+ return -2;
+
+ ret = snprintf(absrootfspin, MAXPATHLEN, "%s%s", absrootfs, ".hold");
+ if (ret >= MAXPATHLEN) {
+ SYSERROR("pathname too long for rootfs hold file");
+ return -1;
+ }
+
+ fd = open(absrootfspin, O_CREAT | O_RDWR, S_IWUSR|S_IRUSR);
+ INFO("opened %s as fd %d\n", absrootfspin, fd);
+ return fd;
+}
+
static int mount_rootfs(const char *rootfs, const char *target)
{
char absrootfs[MAXPATHLEN];
Index: lxc-dnsmasq/src/lxc/conf.h
===================================================================
--- lxc-dnsmasq.orig/src/lxc/conf.h 2012-02-28 19:13:01.400960000 +0000
+++ lxc-dnsmasq/src/lxc/conf.h 2012-02-28 19:13:01.400960000 +0000
@@ -218,6 +218,8 @@
*/
extern struct lxc_conf *lxc_conf_init(void);
+extern int pin_rootfs(const char *rootfs);
+
extern int lxc_create_network(struct lxc_handler *handler);
extern void lxc_delete_network(struct lxc_list *networks);
extern int lxc_assign_network(struct lxc_list *networks, pid_t pid);
Index: lxc-dnsmasq/src/lxc/start.c
===================================================================
--- lxc-dnsmasq.orig/src/lxc/start.c 2012-02-28 19:13:01.400960000 +0000
+++ lxc-dnsmasq/src/lxc/start.c 2012-02-28 20:07:41.174882442 +0000
@@ -565,6 +565,7 @@
int clone_flags;
int failed_before_rename = 0;
const char *name = handler->name;
+ int pinfd;
if (lxc_sync_init(handler))
return -1;
@@ -585,6 +586,17 @@
}
+ /*
+ * if the rootfs is not a blockdev, prevent the container from
+ * marking it readonly.
+ */
+
+ pinfd = pin_rootfs(handler->conf->rootfs.path);
+ if (pinfd == -1) {
+ ERROR("failed to pin the container's rootfs");
+ goto out_abort;
+ }
+
/* Create a process in a new set of namespaces */
handler->pid = lxc_clone(do_start, handler, clone_flags);
if (handler->pid < 0) {
@@ -627,6 +639,10 @@
}
lxc_sync_fini(handler);
+
+ if (pinfd >= 0)
+ close(pinfd);
+
return 0;
out_delete_net:
------------------------------------------------------------------------------
Keep Your Developer Skills Current with LearnDevNow!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-d2d
_______________________________________________
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users
