Discussion:
[lxc-users] Why can proc not be remounted read-only inside a container?
Aaron Staley
2014-01-17 01:33:06 UTC
I'm trying to run an application that works fine on my host inside a
container.

The application executes:
mount -t proc -o ro proc /mnt/remount_point
But this command errors:
mount: cannot mount block device proc read-only

Mounting read-write (mount -t proc proc /mnt/remount_point) does work,
however.

I'd rather not modify the application. Is there some LXC option/other
issue blocking a RO mount of proc?

Thanks,
Aaron
Cal Leeming [Simplicity Media Ltd]
2014-01-17 01:36:15 UTC
This was discussed a while back:
https://lists.linuxcontainers.org/pipermail/lxc-users/2013-September/005646.html

Let us know how you get on.

Cal
Post by Aaron Staley
I'm trying to run an application that works fine on my host inside a
container.
mount -t proc -o ro proc /mnt/remount_point
mount: cannot mount block device proc read-only
Mounting read-write (mount -t proc proc /mnt/remount_point) does work,
however.
I'd rather not modify the application. Is there some LXC option/other
issue blocking a RO mount of proc?
Thanks,
Aaron
_______________________________________________
lxc-users mailing list
lxc-users at lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
Stéphane Graber
2014-01-17 01:38:21 UTC
Post by Aaron Staley
I'm trying to run an application that works fine on my host inside a
container.
mount -t proc -o ro proc /mnt/remount_point
mount: cannot mount block device proc read-only
Mounting read-write (mount -t proc proc /mnt/remount_point) does work,
however.
I'd rather not modify the application. Is there some LXC option/other
issue blocking a RO mount of proc?
Thanks,
Aaron
This is likely blocked by apparmor. You can disable apparmor for this
container with lxc.aa_profile = unconfined or write your own profile in
/etc/apparmor.d/lxc/, then reload the profiles (/etc/init.d/apparmor
reload) and set lxc.aa_profile to the new profile's name.

However, note that blocking proc mounts was done for a very good reason
and that by allowing this, you should consider this container as unsafe
and not trust it to anyone you wouldn't trust to give root access to the
host.
--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Qiang Huang
2014-01-17 01:55:59 UTC
Hi Aaron,
I'm trying to run an application that works fine on my host inside a container.
mount -t proc -o ro proc /mnt/remount_point
mount: cannot mount block device proc read-only
Mounting read-write (mount -t proc proc /mnt/remount_point) does work, however.
I'd rather not modify the application. Is there some LXC option/other issue blocking a RO mount of proc?
RO mount of proc should have worked; there must be something else
wrong, maybe like Stéphane said.

If you are looking for some LXC options,
lxc.mount.auto = sys proc
may be what you want.
Thanks,
Aaron
Aaron Staley
2014-03-25 05:05:44 UTC
Resurrecting this thread.

I've tried again on a new machine running Ubuntu 13.10 with lxc
1.0.0~alpha1 and I am still getting the same problem.

I can remount /proc rw, but not ro. I've disabled apparmor (via
https://gist.github.com/gionn/7585324) and get no errors.

In lxc.conf:
lxc.mount.auto = proc

I have the same issue if I use:
lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0


Are you guys actually able to mount-bind proc ro inside your containers?
Post by Qiang Huang
Hi Aaron,
Post by Aaron Staley
I'm trying to run an application that works fine on my host inside a
container.
Post by Aaron Staley
mount -t proc -o ro proc /mnt/remount_point
mount: cannot mount block device proc read-only
Mounting read-write (mount -t proc proc /mnt/remount_point) does work,
however.
Post by Aaron Staley
I'd rather not modify the application. Is there some LXC option/other
issue blocking a RO mount of proc?
RO mount of proc should have worked; there must be something else
wrong, maybe like Stéphane said.
If you are looking for some LXC options,
lxc.mount.auto = sys proc
may be what you want.
Post by Aaron Staley
Thanks,
Aaron
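Two settings in this thread are worth auditing for on a host: Stéphane's point that lxc.aa_profile = unconfined makes a container equivalent to root on the host, and the lxc.mount.entry line Aaron uses, which mounts proc with nodev,noexec,nosuid. The script below is an added example, not code from the thread, from LXC or from any of the posters. It is a POSIX sh audit that reads an LXC container config (path given as an argument; LXC 1.0-era option syntax as quoted above is assumed) and reports any unconfined AppArmor profile and any proc mount entry missing one of those three options. The sample config it audits when run with no arguments is constructed here for illustration.

```shell
#!/bin/sh
# Audit an LXC container config for two settings discussed on lxc-users:
#   1. lxc.aa_profile = unconfined   (AppArmor confinement disabled; the
#      container must then be treated as host-root equivalent)
#   2. lxc.mount.entry lines mounting proc without nodev,noexec,nosuid
# Assumptions: one config file per container, LXC 1.0-style "key = value"
# syntax, mount entries in fstab form "src dst fstype opts dump pass".

# Print the hardening options missing from one mount entry whose fstype is
# proc (comma separated); prints nothing for a hardened or non-proc entry.
proc_entry_missing_opts() {
    set -- $1                      # word-split the entry into its fields
    fstype="$3"
    opts="$4"
    missing=""
    if [ "$fstype" != "proc" ]; then
        echo ""
        return 0
    fi
    for want in nodev noexec nosuid; do
        case ",$opts," in
            *,"$want",*) ;;        # option present
            *) missing="${missing:+$missing,}$want" ;;
        esac
    done
    echo "$missing"
}

# Audit one config file: print one finding per line, return 0 when the
# config is clean and 1 when at least one finding was reported.
audit_lxc_config() {
    cfg="$1"
    findings=0
    if grep -Eq '^[[:space:]]*lxc\.aa_profile[[:space:]]*=[[:space:]]*unconfined[[:space:]]*$' "$cfg"; then
        echo "$cfg: lxc.aa_profile = unconfined (AppArmor confinement disabled; treat as host root)"
        findings=$((findings + 1))
    fi
    # Keep only the value side of each lxc.mount.entry line.
    entries=$(grep -E '^[[:space:]]*lxc\.mount\.entry[[:space:]]*=' "$cfg" \
              | sed -e 's/^[^=]*=[[:space:]]*//')
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        missing=$(proc_entry_missing_opts "$entry")
        if [ -n "$missing" ]; then
            echo "$cfg: proc mount entry missing $missing: $entry"
            findings=$((findings + 1))
        fi
    done <<EOF
$entries
EOF
    [ "$findings" -eq 0 ]
}

if [ "$#" -gt 0 ]; then
    # Audit every config path given on the command line.
    rc=0
    for f in "$@"; do
        audit_lxc_config "$f" || rc=1
    done
    exit "$rc"
else
    # No arguments: audit a constructed sample config (not a real container).
    sample=$(mktemp)
    printf '%s\n' \
        'lxc.aa_profile = unconfined' \
        'lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0' \
        'lxc.mount.entry = proc /mnt/remount_point proc ro 0 0' > "$sample"
    audit_lxc_config "$sample" || true
    rm -f "$sample"
fi
```

Run it as `sh audit-lxc.sh /var/lib/lxc/*/config` (the path pattern is an assumption about where the configs live on a given host). The exit status is 1 whenever a finding is printed, so it can be dropped into a cron job or CI step that fails when a container has been switched to an unconfined profile.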
Serge Hallyn
2014-03-25 05:25:00 UTC
Post by Aaron Staley
Resurrecting this thread.
I've tried again on a new machine running Ubuntu 13.10 with lxc
1.0.0~alpha1 and I am still getting the same problem.
I can remount /proc rw, but not ro. I've disabled apparmor (via
https://gist.github.com/gionn/7585324) and get no errors.
lxc.mount.auto = proc
lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
Are you guys actually able to mount-bind proc ro inside your containers?
Works fine for me.
Post by Aaron Staley
Post by Qiang Huang
Hi Aaron,
Post by Aaron Staley
I'm trying to run an application that works fine on my host inside a
container.
Post by Aaron Staley
mount -t proc -o ro proc /mnt/remount_point
mount: cannot mount block device proc read-only
Mounting read-write (mount -t proc proc /mnt/remount_point) does work,
however.
Post by Aaron Staley
I'd rather not modify the application. Is there some LXC option/other
issue blocking a RO mount of proc?
RO mount of proc should have worked; there must be something else
wrong, maybe like Stéphane said.
If you are looking for some LXC options,
lxc.mount.auto = sys proc
may be what you want.
Post by Aaron Staley
Thanks,
Aaron