[lxc/lxc] 81d94a: conf: create separate peer group for container's root


Stéphane Graber

Nov 29, 2022, 5:11:45 PM
to lxc-...@lists.linuxcontainers.org
Branch: refs/heads/master
Home: https://github.com/lxc/lxc
Commit: 81d94a4eec65fecc244e2d2def457e1b510d8777
https://github.com/lxc/lxc/commit/81d94a4eec65fecc244e2d2def457e1b510d8777
Author: Christian Brauner <bra...@kernel.org>
Date: 2022-11-24 (Thu, 24 Nov 2022)

Changed paths:
M src/lxc/conf.c

Log Message:
-----------
conf: create separate peer group for container's root

Finally, we turn the rootfs into a shared mount. Note that this
doesn't reestablish mount propagation with the host's mount
namespace. Instead we'll create a new peer group.

We're doing this because most workloads do rely on the rootfs being
a shared mount. For example, systemd daemons like systemd-udevd run in
their own mount namespace. Their mount namespace has been made a
dependent mount (MS_SLAVE) with the host rootfs as its dominating
mount. This means new mounts on the host propagate into the
respective services.

This is broken if we leave the container's rootfs a dependent mount,
in which case both the container's rootfs and the service's rootfs
will be dependent mounts with the host's rootfs as their dominating
mount. So if you were to mount over the rootfs from the host, it
would not just propagate into the container's mount namespace, it
would also propagate into the service. That's nonsense semantics for
nearly all relevant use cases. Instead, establish the container's
rootfs as a separate peer group, mirroring the behavior on the host.

Signed-off-by: Christian Brauner (Microsoft) <christia...@ubuntu.com>


Commit: 01ae6d4713f1dc0659999adcfa6aa75a243d18fd
https://github.com/lxc/lxc/commit/01ae6d4713f1dc0659999adcfa6aa75a243d18fd
Author: Christian Brauner <bra...@kernel.org>
Date: 2022-11-29 (Tue, 29 Nov 2022)

Changed paths:
M config/apparmor/abstractions/start-container.in

Log Message:
-----------
apparmor: allow shared mounts in start-container.in

Signed-off-by: Christian Brauner (Microsoft) <christia...@ubuntu.com>


Commit: 7e73934130c2be62192773327f3271b45bc5c47f
https://github.com/lxc/lxc/commit/7e73934130c2be62192773327f3271b45bc5c47f
Author: Christian Brauner <bra...@kernel.org>
Date: 2022-11-29 (Tue, 29 Nov 2022)

Changed paths:
M src/lxc/conf.c

Log Message:
-----------
conf: ensure mount tunnel is a dependent mount

Signed-off-by: Christian Brauner (Microsoft) <christia...@ubuntu.com>


Commit: b16e4ea85b80b2d6daf9e86a8f5c6180eec59f4f
https://github.com/lxc/lxc/commit/b16e4ea85b80b2d6daf9e86a8f5c6180eec59f4f
Author: Stéphane Graber <stgr...@ubuntu.com>
Date: 2022-11-29 (Tue, 29 Nov 2022)

Changed paths:
M config/apparmor/abstractions/start-container.in
M src/lxc/conf.c

Log Message:
-----------
Merge pull request #4229 from brauner/rootfs.propagate.shared

conf: create separate peer group for container's root


Compare: https://github.com/lxc/lxc/compare/d493695e3010...b16e4ea85b80
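Added example (not code from the LXC commits above): a parser for the propagation tags in /proc/<pid>/mountinfo and the check an operator could use to confirm that a container's rootfs is a shared mount in a peer group of its own rather than only a dependent mount dominated by the host's rootfs peer group. The sample mountinfo lines are constructed.

```python
# Added example, not part of the LXC commits above: read the optional fields
# of /proc/<pid>/mountinfo and check that a container's rootfs is a shared
# mount with a peer group of its own, not just a dependent mount dominated by
# the host's rootfs peer group. All sample lines are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass
class MountInfo:
    mount_point: str
    shared: Optional[int]  # own peer group, from "shared:N"
    master: Optional[int]  # dominating peer group, from "master:N"
    unbindable: bool

    @property
    def propagation(self) -> str:
        # Same wording as findmnt's PROPAGATION column
        if self.unbindable:
            return "unbindable"
        kinds = ["shared"] * (self.shared is not None) + ["slave"] * (self.master is not None)
        return ",".join(kinds) or "private"


def parse_mountinfo_line(line: str) -> MountInfo:
    # Layout: id parent maj:min root mountpoint opts [optional...] - fstype source superopts
    fields = line.split()
    sep = fields.index("-")  # optional fields occupy indices 6..sep-1
    shared = master = None
    unbindable = False
    for tag in fields[6:sep]:
        key, _, value = tag.partition(":")
        if key == "shared":
            shared = int(value)
        elif key == "master":
            master = int(value)
        elif key == "unbindable":
            unbindable = True
    # mountinfo escapes spaces in paths as \040
    return MountInfo(fields[4].replace("\\040", " "), shared, master, unbindable)


def rootfs_in_separate_peer_group(container_root: MountInfo, host_root: MountInfo) -> bool:
    # True when the container's "/" owns a peer group distinct from the host's,
    # i.e. it is not merely a dependent copy of the host rootfs's group.
    return container_root.shared is not None and container_root.shared != host_root.shared


# Constructed samples: host "/", a container rootfs left dependent, and one given a fresh peer group
HOST_ROOT = parse_mountinfo_line("22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw")
DEPENDENT_ROOT = parse_mountinfo_line("310 22 0:51 / / rw,relatime master:1 - ext4 /dev/sda1 rw")
SEPARATE_ROOT = parse_mountinfo_line("310 22 0:51 / / rw,relatime shared:57 master:1 - ext4 /dev/sda1 rw")
```

On a live system, `findmnt -o TARGET,PROPAGATION` reports the same classification without parsing mountinfo by hand.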