[lxc/lxc] cb4889: conf: improve read-only /sys with read-write /sys/...

Stéphane Graber

Jun 30, 2021, 10:30:40 AM
to lxc-...@lists.linuxcontainers.org
Branch: refs/heads/master
Home: https://github.com/lxc/lxc
Commit: cb4889abc83057ed6568e543bdb0a89e3941ab54
https://github.com/lxc/lxc/commit/cb4889abc83057ed6568e543bdb0a89e3941ab54
Author: Christian Brauner <christia...@ubuntu.com>
Date: 2021-06-30 (Wed, 30 Jun 2021)

Changed paths:
M src/lxc/conf.c

Log Message:
-----------
conf: improve read-only /sys with read-write /sys/devices/virtual/net

Some tools require /sys/devices/virtual/net to be read-write. At the
same time we want all other parts of /sys to be read-only. To do this we
created a layout where we had a read-only instance of sysfs mounted on
top of a read-write instance of sysfs:

`-/sys sysfs sysfs rw,nosuid,nodev,noexec,relatime
`-/sys sysfs sysfs ro,nosuid,nodev,noexec,relatime
|-/sys/devices/virtual/net sysfs sysfs rw,relatime
| `-/sys/devices/virtual/net sysfs[/devices/virtual/net] sysfs rw,nosuid,nodev,noexec,relatime

This causes issues for systemd services that create a separate mount
namespace as they get confused as to what mount options need to be
respected.

Simplify our mounting logic so we end up with a single read-only mount
of sysfs on /sys and a read-write bind-mount of /sys/devices/virtual/net:

├─/sys sysfs sysfs ro,nosuid,nodev,noexec,relatime
│ ├─/sys/devices/virtual/net sysfs[/devices/virtual/net] sysfs rw,nosuid,nodev,noexec,relatime

Link: systemd/systemd#20032
Signed-off-by: Christian Brauner <christia...@ubuntu.com>


Commit: d777ffccffe4d9a2c4a268113fc422c729ef73a5
https://github.com/lxc/lxc/commit/d777ffccffe4d9a2c4a268113fc422c729ef73a5
Author: Christian Brauner <christia...@ubuntu.com>
Date: 2021-06-30 (Wed, 30 Jun 2021)

Changed paths:
M .gitignore
M src/tests/Makefile.am
A src/tests/sys_mixed.c

Log Message:
-----------
tests: add tests for read-only /sys with read-write /sys/devices/virtual/net

Signed-off-by: Christian Brauner <christia...@ubuntu.com>


Commit: e75137964017d7b998f60417913401af16d9cef8
https://github.com/lxc/lxc/commit/e75137964017d7b998f60417913401af16d9cef8
Author: Stéphane Graber <stgr...@ubuntu.com>
Date: 2021-06-30 (Wed, 30 Jun 2021)

Changed paths:
M .gitignore
M src/lxc/conf.c
M src/tests/Makefile.am
A src/tests/sys_mixed.c

Log Message:
-----------
Merge pull request #3888 from brauner/2021-06-30.fixes

Improve read-only /sys with read-write /sys/devices/virtual/net


Compare: https://github.com/lxc/lxc/compare/fda9bfb7215a...e75137964017
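As an added example that is not part of the lxc commit or of this mailing-list post, the check below parses mount tables in /proc/self/mountinfo format and verifies the layout the first commit message describes: a single read-only sysfs on /sys plus one read-write bind-mount of /sys/devices/virtual/net that keeps nosuid,nodev,noexec. The mount ids and sample tables are constructed; it flags the old stacked layout and accepts the simplified one.

```python
# Added example, not from the lxc commit: check a /proc/self/mountinfo table
# for one read-only sysfs on /sys plus one rw bind-mount of /sys/devices/virtual/net.
from collections import namedtuple
Mount = namedtuple("Mount", "root mountpoint options fstype")
HARDENING = {"nosuid", "nodev", "noexec"}

def parse_mountinfo(text):
    mounts = []
    for line in text.splitlines():
        if line.strip():
            head, _, tail = line.partition(" - ")  # optional fields end at " - "
            f = head.split()
            mounts.append(Mount(f[3], f[4], frozenset(f[5].split(",")), tail.split()[0]))
    return mounts

def check_sys_layout(text):
    """Return a list of problems; an empty list means the intended layout."""
    mounts = parse_mountinfo(text)
    problems = []
    sys_mounts = [m for m in mounts if m.mountpoint == "/sys"]
    if len(sys_mounts) != 1:  # stacked sysfs instances are what confused systemd
        problems.append(f"/sys has {len(sys_mounts)} mounts, expected 1")
    for m in sys_mounts:
        if "ro" not in m.options:
            problems.append("/sys is not read-only")
    net = [m for m in mounts if m.mountpoint == "/sys/devices/virtual/net"]
    if len(net) != 1:
        problems.append(f"/sys/devices/virtual/net has {len(net)} mounts, expected 1")
    for m in net:
        if m.root != "/devices/virtual/net":  # a fresh sysfs instance, not a bind-mount
            problems.append("/sys/devices/virtual/net is not a bind-mount of that subtree")
        if "ro" in m.options:
            problems.append("/sys/devices/virtual/net is not read-write")
        if HARDENING - m.options:
            problems.append(f"/sys/devices/virtual/net lacks {sorted(HARDENING - m.options)}")
    return problems

# Constructed sample tables: the old stacked layout and the simplified one.
OLD_LAYOUT = """\
100 99 0:22 / /sys rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw
101 100 0:22 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs rw
102 101 0:22 / /sys/devices/virtual/net rw,relatime - sysfs sysfs rw
103 102 0:22 /devices/virtual/net /sys/devices/virtual/net rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw
"""
NEW_LAYOUT = """\
100 99 0:22 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs rw
101 100 0:22 /devices/virtual/net /sys/devices/virtual/net rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw
"""
```

Running `check_sys_layout` over the live table (`open("/proc/self/mountinfo").read()`) inside a container gives the same checks against the real mount tree.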