Re: [Lxc-users] Container start unmounts shared bind mounts
Serge Hallyn (2012-02-09 19:30:29 +0100) wrote:

> Quoting Ivan Vilata i Balaguer (i...@selidor.net):
>
> > Hi all. I'm running Debian's LXC 0.7.5 under Linux 3.2.0. I've set up
> > a shared mountpoint to dynamically export some host directories into
> > one container, like this::
> >
> >     # mkdir -p /lxc-shared
> >     # mount --bind /lxc-shared /lxc-shared
> >     # mount --make-unbindable /lxc-shared
> >     # mount --make-shared /lxc-shared
>
> (I should think more before answering, but ...)
>
> What if you do 'mount --make-rslave /lxc-shared' here? That should
> prevent the container's mount actions from being forwarded to the host.

Thanks for the suggestion! That does prevent a starting container from
unmounting bind mounts under /lxc-shared in the host, *however* it also
renders (un)mounts performed after the --make-rslave invisible to any
container which had access to the directory. E.g. imagine myvm has a
/shared directory and this config line::

    lxc.mount.entry = /lxc-shared/myvm/ /var/lib/lxc/debtest/rootfs/shared/ none defaults,bind 0 0

Then::

    host# mkdir -p /lxc-shared
    host# mount --bind /lxc-shared /lxc-shared
    host# mount --make-shared /lxc-shared
    host# lxc-start -n myvm -d
    # myvm sees /lxc-shared/myvm at /shared
    host# mkdir -p /lxc-shared/myvm/foo
    host# mount --bind /tmp /lxc-shared/myvm/foo
    # myvm sees mounted /shared/foo
    host# mount --make-rslave /lxc-shared
    # myvm still sees mounted /shared/foo
    host# lxc-start -n myothervm -d
    # myvm still sees mounted /shared/foo
    host# mkdir -p /lxc-shared/myvm/bar
    host# mount --bind /tmp /lxc-shared/myvm/bar
    # myvm sees /shared/bar but nothing mounted on it!

A workaround I found is bind mounting the desired directory *in the
container* (which requires not dropping the sys_admin capability)::

    host# mkdir -p /lxc-shared
    host# mount --bind /lxc-shared /lxc-shared
    host# mount --make-shared /lxc-shared
    host# lxc-start -n myvm -d
    # myvm sees /lxc-shared/myvm at /shared
    host# mkdir -p /lxc-shared/myvm/foo
    host# mount --bind /tmp /lxc-shared/myvm/foo
    # myvm sees mounted /shared/foo
    myvm# mount --bind /shared/foo /mnt/foo
    host# lxc-start -n myothervm -d
    # host's /lxc-shared/myvm/foo gets unmounted
    # myvm sees /shared/foo but nothing mounted on it
    # myvm still sees mounted /mnt/foo
    host# mkdir -p /lxc-shared/myvm/bar
    host# mount --bind /tmp /lxc-shared/myvm/bar
    # myvm sees mounted /shared/bar
    myvm# mount --bind /shared/bar /mnt/bar
    # and so on...

However, the question still remains: *Why on Earth does starting a
container unmount all bind mounts under a shared mount???* Doesn't it
look like a bug to you?

Thanks, cheers!

> > Now I bind mount the host directory under the shared directory::
> >
> >     # mkdir -p /lxc-shared/myvm/foo
> >     # mount --bind /tmp /lxc-shared/myvm/foo
> >
> > The problem is that whenever I start any container,
> > /lxc-shared/myvm/foo gets unmounted (even if it has processes working
> > under it!). This affects bind mounts only if they are under shared
> > mountpoints, e.g. if I also do this mount on the host::
> >
> >     # mount --bind /tmp /mnt
> >
> > It survives after starting the container.
> >
> > Does anyone know why this happens? Should I file a bug report?
> >
> > Thanks a lot!

-- 
Ivan Vilata i Balaguer -- https://elvil.net/

------------------------------------------------------------------------------
Virtualization Cloud Management Using Capacity Planning
Cloud computing makes use of virtualization - but cloud computing also
focuses on allowing computing to be delivered as a service.
http://www.accelacomm.com/jaw/sfnl/114/51521223/
_______________________________________________
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users
Re: [Lxc-users] Container start unmounts shared bind mounts
Quoting Ivan Vilata i Balaguer (i...@selidor.net):

> Serge Hallyn (2012-02-09 19:30:29 +0100) wrote:
>
> > Quoting Ivan Vilata i Balaguer (i...@selidor.net):
> >
> > > Hi all. I'm running Debian's LXC 0.7.5 under Linux 3.2.0. I've set
> > > up a shared mountpoint to dynamically export some host directories
> > > into one container, like this::
> > >
> > >     # mkdir -p /lxc-shared
> > >     # mount --bind /lxc-shared /lxc-shared
> > >     # mount --make-unbindable /lxc-shared
> > >     # mount --make-shared /lxc-shared
> >
> > (I should think more before answering, but ...)
> >
> > What if you do 'mount --make-rslave /lxc-shared' here? That should
> > prevent the container's mount actions from being forwarded to the
> > host.
>
> Thanks for the suggestion! That does prevent a starting container from
> unmounting bind mounts under /lxc-shared in the host, *however* it also
> renders (un)mounts performed after the --make-rslave invisible to any
> container which had access to the directory.

Right, this was a quick test. What you actually want to do is leave the
mount shared on the host, and have the container startup turn it into a
slave mount. I'm not sure offhand what would be the best time to do
this, but one thing you could do is use a wrapper around lxc-start like:

    mv /usr/bin/lxc-start /usr/bin/lxc-start.real
    cat > /usr/bin/lxc-start.mid << 'EOF'
    #!/bin/sh
    mount --make-unbindable /lxc-shared
    mount --make-shared /lxc-shared
    exec /usr/bin/lxc-start.real "$@"
    EOF
    cat > /usr/bin/lxc-start << 'EOF'
    #!/bin/sh
    lxc-unshare -s MOUNT -- /usr/bin/lxc-start.mid "$@"
    EOF
    chmod ugo+x /usr/bin/lxc-start{,.mid}

You can probably do this through /var/lib/lxc/container/fstab entries,
but it would take some tweaking. We could also add support for this in
the lxc config files. I think it's a common enough request that it'd be
worth doing.

> E.g. imagine myvm has a /shared directory and this config line::
>
>     lxc.mount.entry = /lxc-shared/myvm/ /var/lib/lxc/debtest/rootfs/shared/ none defaults,bind 0 0
>
> Then::
>
>     host# mkdir -p /lxc-shared
>     host# mount --bind /lxc-shared /lxc-shared
>     host# mount --make-shared /lxc-shared
>     host# lxc-start -n myvm -d
>     # myvm sees /lxc-shared/myvm at /shared
>     host# mkdir -p /lxc-shared/myvm/foo
>     host# mount --bind /tmp /lxc-shared/myvm/foo
>     # myvm sees mounted /shared/foo
>     host# mount --make-rslave /lxc-shared
>     # myvm still sees mounted /shared/foo
>     host# lxc-start -n myothervm -d
>     # myvm still sees mounted /shared/foo
>     host# mkdir -p /lxc-shared/myvm/bar
>     host# mount --bind /tmp /lxc-shared/myvm/bar
>     # myvm sees /shared/bar but nothing mounted on it!
>
> A workaround I found is bind mounting the desired directory *in the
> container* (which requires not dropping the sys_admin capability)::
>
>     host# mkdir -p /lxc-shared
>     host# mount --bind /lxc-shared /lxc-shared
>     host# mount --make-shared /lxc-shared
>     host# lxc-start -n myvm -d
>     # myvm sees /lxc-shared/myvm at /shared
>     host# mkdir -p /lxc-shared/myvm/foo
>     host# mount --bind /tmp /lxc-shared/myvm/foo
>     # myvm sees mounted /shared/foo
>     myvm# mount --bind /shared/foo /mnt/foo
>     host# lxc-start -n myothervm -d
>     # host's /lxc-shared/myvm/foo gets unmounted
>     # myvm sees /shared/foo but nothing mounted on it
>     # myvm still sees mounted /mnt/foo
>     host# mkdir -p /lxc-shared/myvm/bar
>     host# mount --bind /tmp /lxc-shared/myvm/bar
>     # myvm sees mounted /shared/bar
>     myvm# mount --bind /shared/bar /mnt/bar
>     # and so on...
>
> However, the question still remains: *Why on Earth does starting a
> container unmount all bind mounts under a shared mount???* Doesn't it
> look like a bug to you?

No, when a container starts up, it mounts its new root under, say,
/usr/lib/lxc/, and mounts other directories under there. Then it does
pivot_root (see man 8 pivot_root), so now /usr/lib/lxc is its '/', and
the old '/' and all its submounts are now mounted on '/old'.

Then the container startup recursively unmounts /old, including
/old/lxc-shared. That umount of /old/lxc-shared is what is getting
propagated to the host mount.

-serge

> Thanks, cheers!
>
> > > Now I bind mount the host directory under the shared directory::
> > >
> > >     # mkdir -p /lxc-shared/myvm/foo
> > >     # mount --bind /tmp /lxc-shared/myvm/foo
> > >
> > > The problem is that whenever I start any container,
> > > /lxc-shared/myvm/foo gets unmounted (even if it has processes
> > > working under it!). This affects bind mounts only if they are under
> > > shared mountpoints, e.g. if I also do this mount on the host::
> > >
> > >     # mount --bind /tmp /mnt
> > >
> > > It survives after starting the container.
> > >
> > > Does anyone know why this happens? Should I file a bug report?
> > >
> > > Thanks a lot!
>
> -- 
> Ivan Vilata i Balaguer -- https://elvil.net/
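Serge's explanation above only bites mounts that are in a shared peer group: the recursive umount of /old inside the container is replayed on every peer, including the host's copy. As an added example (not from the thread; the function names are mine and the mountinfo lines are constructed samples, not captured from a real host), this POSIX shell check reads lines in /proc/self/mountinfo format, reports each mount's propagation type, and lists the mounts at or below a directory that are shared and would therefore receive such a propagated umount:

```shell
#!/bin/sh
# Added example: derive mount propagation from /proc/self/mountinfo lines.
# proc(5) format: id parent maj:min root mountpoint opts [optional...] - fstype source superopts
# The optional fields carry propagation state: shared:N, master:N, propagate_from:N, unbindable.

# Constructed sample (assumption, not real data): /lxc-shared is shared (peer
# group 1), a bind of /tmp below it is shared in its own group, /mnt is
# private, and /lxc-shared/slave is a slave of group 1.
MOUNTINFO_SAMPLE='36 25 8:1 / /lxc-shared rw,relatime shared:1 - ext4 /dev/sda1 rw
37 36 8:1 /tmp /lxc-shared/myvm/foo rw,relatime shared:2 - ext4 /dev/sda1 rw
38 25 8:1 /tmp /mnt rw,relatime - ext4 /dev/sda1 rw
39 36 8:1 / /lxc-shared/slave rw,relatime master:1 - ext4 /dev/sda1 rw'

# Read mountinfo lines on stdin; print "<mountpoint> <propagation>", where
# propagation is shared, slave, unbindable (comma-joined if several) or private.
mount_propagation() {
    awk '{
        p = ""
        for (i = 7; i <= NF && $i != "-"; i++) {
            f = ""
            if ($i ~ /^shared:/) f = "shared"
            else if ($i ~ /^master:/) f = "slave"
            else if ($i == "unbindable") f = "unbindable"
            if (f != "") p = (p == "" ? f : p "," f)
        }
        if (p == "") p = "private"
        print $5, p
    }'
}

# Mounts at or below $1 that are shared: an umount of one of their peers
# elsewhere (e.g. a container tearing down /old) is propagated to them too.
shared_under() {
    mount_propagation | awk -v d="$1" \
        '($1 == d || index($1, d "/") == 1) && ("," $2 ",") ~ /,shared,/ { print $1 }'
}

# Demo on the constructed sample; on a real host run:
#   shared_under /lxc-shared < /proc/self/mountinfo
printf '%s\n' "$MOUNTINFO_SAMPLE" | shared_under /lxc-shared
```

On the sample this lists /lxc-shared and /lxc-shared/myvm/foo but not /mnt or the slave mount, which matches the thread's observation that only bind mounts under the shared mountpoint disappear.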
Re: [Lxc-users] Container start unmounts shared bind mounts
Serge Hallyn (2012-02-10 16:05:19 +0100) wrote:

> Quoting Ivan Vilata i Balaguer (i...@selidor.net):
>
> > Serge Hallyn (2012-02-09 19:30:29 +0100) wrote:
> >
> > > Quoting Ivan Vilata i Balaguer (i...@selidor.net):
> > >
> > > > Hi all. I'm running Debian's LXC 0.7.5 under Linux 3.2.0. I've
> > > > set up a shared mountpoint to dynamically export some host
> > > > directories into one container, like this::
> > > >
> > > >     # mkdir -p /lxc-shared
> > > >     # mount --bind /lxc-shared /lxc-shared
> > > >     # mount --make-unbindable /lxc-shared
> > > >     # mount --make-shared /lxc-shared
> > >
> > > (I should think more before answering, but ...)
> > >
> > > What if you do 'mount --make-rslave /lxc-shared' here? That should
> > > prevent the container's mount actions from being forwarded to the
> > > host.
> >
> > Thanks for the suggestion! That does prevent a starting container
> > from unmounting bind mounts under /lxc-shared in the host, *however*
> > it also renders (un)mounts performed after the --make-rslave
> > invisible to any container which had access to the directory.
>
> Right, this was a quick test. What you actually want to do is leave
> the mount shared on the host, and have the container startup turn it
> into a slave mount. I'm not sure offhand what would be the best time
> to do this, but one thing you could do is use a wrapper around
> lxc-start like:
>
>     mv /usr/bin/lxc-start /usr/bin/lxc-start.real
>     cat > /usr/bin/lxc-start.mid << 'EOF'
>     #!/bin/sh
>     mount --make-unbindable /lxc-shared
>     mount --make-shared /lxc-shared
>     exec /usr/bin/lxc-start.real "$@"
>     EOF
>     cat > /usr/bin/lxc-start << 'EOF'
>     #!/bin/sh
>     lxc-unshare -s MOUNT -- /usr/bin/lxc-start.mid "$@"
>     EOF
>     chmod ugo+x /usr/bin/lxc-start{,.mid}
>
> You can probably do this through /var/lib/lxc/container/fstab entries,
> but it would take some tweaking. We could also add support for this in
> the lxc config files. I think it's a common enough request that it'd
> be worth doing.

Well, I'm actually trying on the host to mount and unmount file systems
I don't know beforehand *while myvm is running* under subdirectories in
/lxc-shared, but running myvm through the scripts you suggest creates a
new namespace so that myvm no longer sees mounts done by the host.

However, I can use a slight modification of your suggestion, namely
running myvm through normal lxc-start (so it uses the same namespace as
the host), and the other containers through those scripts (actually I
don't need --make-shared there).

The ideal solution for me would be making /lxc-shared shared, running
myvm and then doing something which allows mounts under /lxc-shared to
be seen only in the host and myvm but not in other containers started
normally. But the previous solution comes quite close to it. :)

> > However, the question still remains: *Why on Earth does starting a
> > container unmount all bind mounts under a shared mount???* Doesn't
> > it look like a bug to you?
>
> No, when a container starts up, it mounts its new root under, say,
> /usr/lib/lxc/, and mounts other directories under there. Then it does
> pivot_root (see man 8 pivot_root), so now /usr/lib/lxc is its '/', and
> the old '/' and all its submounts are now mounted on '/old'.
>
> Then the container startup recursively unmounts /old, including
> /old/lxc-shared. That umount of /old/lxc-shared is what is getting
> propagated to the host mount.

Ummm, now I see clearly what's going on there. Thanks a lot for your
help and for the explanation! :)

-- 
Ivan Vilata i Balaguer -- https://elvil.net/
Re: [Lxc-users] Container start unmounts shared bind mounts
Quoting Ivan Vilata i Balaguer (i...@selidor.net):

> Serge Hallyn (2012-02-10 16:05:19 +0100) wrote:
>
> > Quoting Ivan Vilata i Balaguer (i...@selidor.net):
> >
> > > Serge Hallyn (2012-02-09 19:30:29 +0100) wrote:
> > >
> > > > Quoting Ivan Vilata i Balaguer (i...@selidor.net):
> > > >
> > > > > Hi all. I'm running Debian's LXC 0.7.5 under Linux 3.2.0. I've
> > > > > set up a shared mountpoint to dynamically export some host
> > > > > directories into one container, like this::
> > > > >
> > > > >     # mkdir -p /lxc-shared
> > > > >     # mount --bind /lxc-shared /lxc-shared
> > > > >     # mount --make-unbindable /lxc-shared
> > > > >     # mount --make-shared /lxc-shared
> > > >
> > > > (I should think more before answering, but ...)
> > > >
> > > > What if you do 'mount --make-rslave /lxc-shared' here? That
> > > > should prevent the container's mount actions from being forwarded
> > > > to the host.
> > >
> > > Thanks for the suggestion! That does prevent a starting container
> > > from unmounting bind mounts under /lxc-shared in the host,
> > > *however* it also renders (un)mounts performed after the
> > > --make-rslave invisible to any container which had access to the
> > > directory.
> >
> > Right, this was a quick test. What you actually want to do is leave
> > the mount shared on the host, and have the container startup turn it
> > into a slave mount. I'm not sure offhand what would be the best time
> > to do this, but one thing you could do is use a wrapper around
> > lxc-start like:
> >
> >     mv /usr/bin/lxc-start /usr/bin/lxc-start.real
> >     cat > /usr/bin/lxc-start.mid << 'EOF'
> >     #!/bin/sh
> >     mount --make-unbindable /lxc-shared
> >     mount --make-shared /lxc-shared

Oops, this isn't right. I think I just meant

    cat > /usr/bin/lxc-start.mid << 'EOF'
    #!/bin/sh
    mount --make-rslave /lxc-shared
    exec /usr/bin/lxc-start.real "$@"
    EOF

> >     exec /usr/bin/lxc-start.real "$@"
> >     EOF
> >     cat > /usr/bin/lxc-start << 'EOF'
> >     #!/bin/sh
> >     lxc-unshare -s MOUNT -- /usr/bin/lxc-start.mid "$@"
> >     EOF
> >     chmod ugo+x /usr/bin/lxc-start{,.mid}
> >
> > You can probably do this through /var/lib/lxc/container/fstab
> > entries, but it would take some tweaking. We could also add support
> > for this in the lxc config files. I think it's a common enough
> > request that it'd be worth doing.
>
> Well, I'm actually trying on the host to mount and unmount file
> systems I don't know beforehand *while myvm is running* under
> subdirectories in /lxc-shared,

You've lost me here (I don't understand what you're saying), but

> but running myvm through the scripts you suggest creates a new
> namespace so that myvm no longer sees mounts done by the host.

Note that you're still supposed to do

    mount --bind /lxc-shared /lxc-shared
    mount --make-shared /lxc-shared

at host boot. Then creating a new namespace shouldn't stop myvm from
seeing new mounts done by the host. The reason I was creating that new
namespace was so that the mount --make-rslave wouldn't happen in the
host's namespace.

But in any case, like I say I think it'd be worth adding explicit
support through the config file for this.

thanks,
-serge