Re: [vserver] Problem with bind mount

From: John A. Sullivan III <jsullivan_at_opensourcedevel.com>
Date: Wed 19 Aug 2009 - 12:49:15 BST
Message-Id: <1250682555.6484.20.camel@jaspav.missionsit.net.missionsit.net>

Hi, Erdem. I'll try to address both issues.

Yes, I suppose there is the danger of data loss if the data is shared
between vservers. However, if it is only being used for one vserver
(which seems to be the case here), one would only delete the data for
that particular vserver. In effect, there really is only one file
system with different views into it.

To get it to work within a vserver guest, you may need to edit your
capabilities. I do not recall off hand which they are.

Might I also suggest that you bottom post rather than top post in future
threads; it makes it a little easier to follow. Thanks - John

On Wed, 2009-08-19 at 14:32 +0300, Erdem Bayer wrote:
> Hi
>
> I think it is more dangerous than the vserver fstab approach. If you forget to umount the bind before doing a "vserver delete" operation or issuing rm -rf on vserver rootdir, then data on your physical host is lost.
>
> But thanks for the tip. I will keep the idea as fallback.
>
> Can anyone help me on why secure-mount is writing the error message but mounts the fstab entries anyway?
>
> Kind Regards
> Erdem Bayer
>
> On Wed, 19 Aug 2009 07:13:11 -0400
> "John A. Sullivan III" <jsullivan@opensourcedevel.com> wrote:
>
> > If anything, I would think it would be safer. I don't recall but you
> > may need to add specific capabilities to the guests. We only do that as
> > a last resort to keep our guests as secure as possible.
> >
> > Doing your bind mounts from the host gives you a single point of
> > administration for the guest file systems. It means the filesystem is
> > in place before the guest starts. It seems to be easier to maintain. I
> > suppose in an emergency, it also gives you the ability to unbind or
> > rebind from the host.
> >
> > I'm certainly not an expert so, if you think you know better, you
> > probably do, but this is how we manage our systems which rely very
> > heavily on bind mounts - John
> >
> > On Wed, 2009-08-19 at 14:00 +0300, Erdem Bayer wrote:
> > > Hi
> > >
> > > Is it safe to do the bind mounts from the host? What are the pros and cons?
> > >
> > > Kind Regards
> > > Erdem Bayer
> > >
> > > On Wed, 19 Aug 2009 06:51:24 -0400
> > > "John A. Sullivan III" <jsullivan@opensourcedevel.com> wrote:
> > >
> > > > On Wed, 2009-08-19 at 13:23 +0300, Erdem Bayer wrote:
> > > > > Hi
> > > > >
> > > > > I have a Debian lenny i386 vserver running on a lenny amd64 host with the following fstab entries:
> > > > >
> > > > > none /proc proc defaults 0 0
> > > > > none /tmp tmpfs size=256m,mode=1777 0 0
> > > > > none /dev/pts devpts gid=5,mode=620 0 0
> > > > > /home /home bind bind 0 0
> > > > > /iscsi/www /var/www bind bind 0 0
> > > > > /iscsi/log/concero /var/log bind bind 0 0
> > > > >
> > > > > When I start a vserver, I see these errors in the output:
> > > > >
> > > > > secure-mount: mount(): Invalid argument
> > > > > /etc/vservers/concero/fstab:5:1: failed to mount fstab-entry
> > > > > secure-mount: mount(): Invalid argument
> > > > > /etc/vservers/concero/fstab:6:1: failed to mount fstab-entry
> > > > >
> > > > > But the vserver starts and the directories in fstab file are mounted anyway.
> > > > >
> > > > > I don't know if it makes a difference but /home fs is ext3, /iscsi is formatted with ocfs2 and mounted with iscsi. I can mount them manually with the following command:
> > > > >
> > > > > sudo mount --bind /iscsi/log/concero /etc/vservers/concero/vdir/var/log
> > > > >
> > > > > When I dug deeper, I found that secure-mount is called with the following parameters:
> > > > >
> > > > > ++ pushd /etc/vservers/concero/vdir
> > > > > ++ test -w etc -o -w etc/mtab
> > > > > ++ /usr/lib/util-vserver/secure-mount -a --chroot --fstab /etc/vservers/concero/fstab --rootfs no
> > > > >
> > > > > Here is the strace of the manual running of secure-mount (if it helps):
> > > > >
> > > > >
> > > > > chroot(".") = 0
> > > > > chdir("/") = 0
> > > > > fchdir(3) = 0
> > > > > chroot(".") = 0
> > > > > chdir("/var/www") = 0
> > > > > open(".", O_RDONLY|O_DIRECTORY) = 6
> > > > > fchdir(4) = 0
> > > > > chroot(".") = 0
> > > > > fchdir(6) = 0
> > > > > close(6) = 0
> > > > > mount("/iscsi/www", ".", 0x7fffdf03e67f, MS_NODEV|MS_BIND, 0x7f9ad703f070) = 0
> > > > > fchdir(3) = 0
> > > > > chroot(".") = 0
> > > > > chdir("/var/www") = 0
> > > > > open(".", O_RDONLY|O_DIRECTORY) = 6
> > > > > fchdir(4) = 0
> > > > > chroot(".") = 0
> > > > > fchdir(6) = 0
> > > > > close(6) = 0
> > > > > mount("/iscsi/www", ".", 0x7fffdf03e67f, MS_NODEV|MS_REMOUNT, NULL) = -1 EINVAL (Invalid argument)
> > > > > write(2, "secure-mount: mount()"..., 21secure-mount: mount()) = 21
> > > > > write(2, ": "..., 2: ) = 2
> > > > > write(2, "Invalid argument"..., 16Invalid argument) = 16
> > > > > write(2, "\n"..., 1
> > > > > ) = 1
> > > > > write(2, "/etc/vservers/concero/fstab"..., 27/etc/vservers/concero/fstab) = 27
> > > > > write(2, ":5:1"..., 4:5:1) = 4
> > > > > write(2, ": failed to mount fstab-entry\n"..., 30: failed to mount fstab-entry
> > > > > ) = 30
> > > > > chdir("/") = 0
> > > > > fchdir(3) = 0
> > > > >
> > > > >
> > > > > chroot(".") = 0
> > > > > chdir("/var/log") = 0
> > > > > open(".", O_RDONLY|O_DIRECTORY) = 6
> > > > > fchdir(4) = 0
> > > > > chroot(".") = 0
> > > > > fchdir(6) = 0
> > > > > close(6) = 0
> > > > > mount("/iscsi/log/concero", ".", 0x7fffdf03e6a9, MS_NODEV|MS_BIND, 0x7f9ad703f090) = 0
> > > > > fchdir(3) = 0
> > > > > chroot(".") = 0
> > > > > chdir("/var/log") = 0
> > > > > open(".", O_RDONLY|O_DIRECTORY) = 6
> > > > > fchdir(4) = 0
> > > > > chroot(".") = 0
> > > > > fchdir(6) = 0
> > > > > close(6) = 0
> > > > > mount("/iscsi/log/concero", ".", 0x7fffdf03e6a9, MS_NODEV|MS_REMOUNT, NULL) = -1 EINVAL (Invalid argument)
> > > > > write(2, "secure-mount: mount()"..., 21secure-mount: mount()) = 21
> > > > > write(2, ": "..., 2: ) = 2
> > > > > write(2, "Invalid argument"..., 16Invalid argument) = 16
> > > > > write(2, "\n"..., 1
> > > > > ) = 1
> > > > > write(2, "/etc/vservers/concero/fstab"..., 27/etc/vservers/concero/fstab) = 27
> > > > > write(2, ":6:1"..., 4:6:1) = 4
> > > > > write(2, ": failed to mount fstab-entry\n"..., 30: failed to mount fstab-entry
> > > > > ) = 30
> > > > > close(5) = 0
> > > > > _exit(0) = ?
> > > > >
> > > > > Kind Regards
> > > > > Erdem Bayer
> > > > Might it be faster and easier to do the bind mounts from the host,
> > > > e.g.,
> > > > /somesource/iscsi/log/concero /vservers/vserver1/var/log bind bind 0 0
> > > >
> > > > --
> > > > John A. Sullivan III
> > > > Open Source Development Corporation
> > > > +1 207-985-7880
> > > > jsullivan@opensourcedevel.com
> > > >
> > > > http://www.spiritualoutreach.com
> > > > Making Christianity intelligible to secular society
> > > >
> > --
> > John A. Sullivan III
> > Open Source Development Corporation
> > +1 207-985-7880
> > jsullivan@opensourcedevel.com
> >
> > http://www.spiritualoutreach.com
> > Making Christianity intelligible to secular society
> >

-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
Received on Wed Aug 19 12:49:40 2009
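
The data-loss risk raised in this thread (a recursive delete of a guest root while a bind mount is still attached) can be checked for before deleting. The script below is an added example, not part of the original messages or of util-vserver; the function names, the guest root /vservers/concero and the mount table are constructed for illustration, and the caller is assumed to pass the symlink-resolved guest root.

```shell
#!/bin/sh
# Added example: refuse to delete a guest root while anything is mounted
# at or below it, so "rm -rf" cannot descend into bind-mounted host data.

# mounts_under ROOT [MOUNTS_FILE]
# Prints each mount point equal to or below ROOT, one per line.
# MOUNTS_FILE defaults to /proc/self/mounts. Assumption: paths contain
# no whitespace or backslashes (the kernel escapes a space as \040).
mounts_under() {
    root=${1%/}                       # tolerate a trailing slash
    file=${2:-/proc/self/mounts}
    # Match on a path-component boundary so /vservers/concero does not
    # match /vservers/concero2.
    awk -v root="$root" '
        $2 == root || index($2, root "/") == 1 { print $2 }
    ' "$file"
}

# safe_to_delete ROOT [MOUNTS_FILE]
# Returns 0 only when nothing is mounted at or below ROOT.
safe_to_delete() {
    found=$(mounts_under "$@")
    if [ -n "$found" ]; then
        echo "refusing to delete $1; still mounted:" >&2
        echo "$found" | sed 's/^/  /' >&2
        return 1
    fi
    return 0
}

# Constructed mount table in /proc/mounts format, modelled on the fstab
# entries quoted in the thread (devices and guest roots are made up).
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext3 rw 0 0
/dev/sda3 /home ext3 rw 0 0
/dev/sdb1 /iscsi ocfs2 rw,_netdev 0 0
/dev/sda3 /vservers/concero/home ext3 rw 0 0
/dev/sdb1 /vservers/concero/var/www ocfs2 rw,nodev 0 0
/dev/sdb1 /vservers/concero/var/log ocfs2 rw,nodev 0 0
none /vservers/concero2/tmp tmpfs rw 0 0
EOF
}

# Demo against the constructed table.
demo=$(mktemp)
sample_mounts > "$demo"
safe_to_delete /vservers/concero "$demo" || echo "delete blocked"
rm -f "$demo"
```

Run against the live table (no second argument), the same check belongs in front of any script that removes a guest directory.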