lxc fails to make read-only bind mounts as documented. Read-only bind mounts are important to many use cases. A simple patch has been submitted upstream, but it's not yet clear to me what will be done with it. I have tested the patch and it works. Here it is, for your consideration (implement now vs. wait for upstream fix). Although lxc is only in portage for experimentation, it may be worth considering this patch. This is a major loss of functionality that affects the security of a security-oriented application.

Reproducible: Always

Steps to Reproduce:
In short, a line like this in a container's configuration file should have the effect of bind-mounting the file (e.g. /sbin directory below) within the container and making it read-only:

    lxc.mount.entry = /sbin /lxc/container07/sbin none ro,bind 0 0

Or in a fstab-formatted file referred to by a "lxc.mount" entry in the config file, it would simply be:

    /sbin /lxc/container07/sbin none ro,bind 0 0

IBM's documentation and templates are full of these "ro,bind" mount entries.

Actual Results:
Unfortunately, it doesn't work. It bind-mounts, but gives a little warning that it "appears to mounted read-write". :( Sad face, considering the whole point of this is secure compartmentalization.

Expected Results:
Obviously, it ought to bind-mount it and place it in read-only mode. It isn't exactly surprising that this doesn't work, since 'mount' doesn't support combining options such as "ro" with "bind" (one must remount read-only). Normally, a read-only bind mount requires two steps:

    mount -o bind /sbin /lxc/container07/sbin
    mount -o remount,ro /lxc/container07/sbin

One may work around this by executing a script (after starting the container) to remount the appropriate things in read-only mode. However, the simple patch mentioned above (and attached) does seem to fix this. Refer to the URL for the discussion presenting the patch.
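The workaround script mentioned above, as an added example that is not part of the bug report or of lxc: it reads an lxc config (lxc.mount.entry lines) or an fstab-style file and prints the second step for every ro,bind entry. It emits the remount in the per-mountpoint form (remount,bind,ro, i.e. MS_REMOUNT|MS_BIND) so that only the container's mountpoint becomes read-only and the host's source directory is left untouched; it assumes whitespace-separated fields and paths without spaces, and the sample config is constructed.

```shell
#!/bin/sh
# Added example, not part of the bug report or of lxc itself.
# Print "mount -o remount,bind,ro <target>" for every ro,bind (or ro,rbind)
# entry so the read-only step the kernel ignored on the first mount can be
# applied after the container has started. Assumes whitespace-separated
# fields and paths without spaces.

ro_bind_remounts() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }                # comments and blank lines
        /^[ \t]*lxc\.mount\.entry[ \t]*=/ {           # strip the config key
            sub(/^[ \t]*lxc\.mount\.entry[ \t]*=[ \t]*/, "")
        }
        /^[ \t]*lxc\./ { next }                       # other lxc.* keys
        NF >= 4 && $3 == "none" {                     # src target fstype opts
            n = split($4, opt, ",")
            ro = 0; bind = 0
            for (i = 1; i <= n; i++) {
                if (opt[i] == "ro") ro = 1
                if (opt[i] == "bind" || opt[i] == "rbind") bind = 1
            }
            if (ro && bind) printf "mount -o remount,bind,ro %s\n", $2
        }
    ' "$1"
}

# Stand-alone demo: "sh ro_bind_remounts.sh [config]"; with no argument it
# runs on a constructed sample config (not a real container's file).
if [ $# -ge 1 ]; then
    ro_bind_remounts "$1"
else
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
lxc.utsname = container07
lxc.mount.entry = /sbin /lxc/container07/sbin none ro,bind 0 0
lxc.mount.entry = /dev/pts /lxc/container07/dev/pts devpts defaults 0 0
/lib /lxc/container07/lib none rbind,ro 0 0
EOF
    ro_bind_remounts "$sample"
    rm -f "$sample"
fi
```

Pipe the output into sh as root once the container's mounts exist, or keep it as a review list; entries that name an fstab through "lxc.mount" must be run through the same function separately.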
Created attachment 228469: proposed lxc-0.6.5-bind-remount.patch. This is the patch, created by Ciprian Dorin. I regenerated a clean patch by editing the code according to the changes documented in the diff at the URL referenced above. For me, it makes lxc worth using. You gentlemen can decide whether to include it in the ebuild.
Thank you, this does sound like an important fix. Assigning to maintainers.
I would also love to see this fix integrated. Thanks a lot for taking the time to submit this, John. (From a fellow early Gentoo lxc adopter.)
The bug still exists in lxc-0.7.0. The patch still works on 0.7.0.
I have communicated with the developers. This was inadvertently left out of this release and will be included in an 0.7.1 release. http://sourceforge.net/mailarchive/message.php?msg_name=4C20B169.1010004%40free.fr Resolve to "Upstream".