Re: [vserver] Problem with bind mount

From: Herbert Poetzl <herbert_at_13thfloor.at>
Date: Wed 19 Aug 2009 - 13:09:18 BST
Message-ID: <20090819120918.GB22603@MAIL.13thfloor.at>

On Wed, Aug 19, 2009 at 07:13:11AM -0400, John A. Sullivan III wrote:
> If anything, I would think it would be safer. I don't recall but you
> may need to add specific capabilities to the guests. We only do that as
> a last resort to keep our guests as secure as possible.

I think we have a misunderstanding here, and I'd like to
clarify this, before misinformation starts spreading :)

there are at least 3 ways to do a bind mount which is
visible inside a guest, and I'll try to list them here

 1) you can allow the guest to do bind mounts (capabilities)
    and do the bind mount in some runlevel/startup script

    advantages: you can do it as guest root anytime
    disadvantages: requires additional capabilities

 2) you can do the mount on the host _before_ the guest is
    started up (the guest will 'inherit' the mount)

    advantages: single point of administration, guest
      filesystem is the same as seen on the host
    disadvantages: mounts have to be administrated and
      startup sequence has to be known

 3) you can put the bind mount entry in the guest config's
    fstab (util-vserver will create the mount on startup)

    advantages: mounts only visible in the guest space,
      no capabilities required, cleanup automatic
    disadvantages: different views (host, guest)

note: John seems to be doing 2), while Erdem is doing 3)

> Doing your bind mounts from the host gives you a single point of
> administration for the guest file systems. It means the filesystem is
> in place before the guest starts. It seems to be easier to maintain.

that, I think, completely depends on the administrator

> I suppose in an emergency, it also gives you the ability to unbind or
> rebind from the host.

yes, but it won't affect the already started guests.
on startup, the guest namespace is cloned from the host
space and unless you configured the mount point to
propagate through the namespaces, the guest will keep
its view into the filesystem, regardless of what you do
with the mount on the host

HTH,
Herbert

> I'm certainly not an expert so, if you think you know better, you
> probably do, but this is how we manage our systems which rely very
> heavily on bind mounts - John

> On Wed, 2009-08-19 at 14:00 +0300, Erdem Bayer wrote:
> > Hi
> >
> > Is it safe to do the bind mounts from the host? What are the pros and cons?
> >
> > Kind Regards
> > Erdem Bayer
> >
> > On Wed, 19 Aug 2009 06:51:24 -0400
> > "John A. Sullivan III" <jsullivan@opensourcedevel.com> wrote:
> >
> > > On Wed, 2009-08-19 at 13:23 +0300, Erdem Bayer wrote:
> > > > Hi
> > > >
> > > > I have a debian lenny i386 vserver running on lenny amd64 host with the following fstab entry:
> > > >
> > > > none /proc proc defaults 0 0
> > > > none /tmp tmpfs size=256m,mode=1777 0 0
> > > > none /dev/pts devpts gid=5,mode=620 0 0
> > > > /home /home bind bind 0 0
> > > > /iscsi/www /var/www bind bind 0 0
> > > > /iscsi/log/concero /var/log bind bind 0 0
> > > >
> > > > When I start a vserver, I see these errors in the output:
> > > >
> > > > secure-mount: mount(): Invalid argument
> > > > /etc/vservers/concero/fstab:5:1: failed to mount fstab-entry
> > > > secure-mount: mount(): Invalid argument
> > > > /etc/vservers/concero/fstab:6:1: failed to mount fstab-entry
> > > >
> > > > But the vserver starts and the directories in fstab file are mounted anyway.
> > > >
> > > > I don't know if it makes a difference but /home fs is ext3, /iscsi is formatted with ocfs2 and mounted with iscsi. I can mount them manually with the following command:
> > > >
> > > > sudo mount --bind /iscsi/log/concero /etc/vservers/concero/vdir/var/log
> > > >
> > > > When I dug deeper, I found that secure-mount is called with the following parameters:
> > > >
> > > > ++ pushd /etc/vservers/concero/vdir
> > > > ++ test -w etc -o -w etc/mtab
> > > > ++ /usr/lib/util-vserver/secure-mount -a --chroot --fstab /etc/vservers/concero/fstab --rootfs no
> > > >
> > > > Here is the strace of the manual run of secure-mount (if it helps):
> > > >
> > > >
> > > > chroot(".") = 0
> > > > chdir("/") = 0
> > > > fchdir(3) = 0
> > > > chroot(".") = 0
> > > > chdir("/var/www") = 0
> > > > open(".", O_RDONLY|O_DIRECTORY) = 6
> > > > fchdir(4) = 0
> > > > chroot(".") = 0
> > > > fchdir(6) = 0
> > > > close(6) = 0
> > > > mount("/iscsi/www", ".", 0x7fffdf03e67f, MS_NODEV|MS_BIND, 0x7f9ad703f070) = 0
> > > > fchdir(3) = 0
> > > > chroot(".") = 0
> > > > chdir("/var/www") = 0
> > > > open(".", O_RDONLY|O_DIRECTORY) = 6
> > > > fchdir(4) = 0
> > > > chroot(".") = 0
> > > > fchdir(6) = 0
> > > > close(6) = 0
> > > > mount("/iscsi/www", ".", 0x7fffdf03e67f, MS_NODEV|MS_REMOUNT, NULL) = -1 EINVAL (Invalid argument)
> > > > write(2, "secure-mount: mount()"..., 21secure-mount: mount()) = 21
> > > > write(2, ": "..., 2: ) = 2
> > > > write(2, "Invalid argument"..., 16Invalid argument) = 16
> > > > write(2, "\n"..., 1
> > > > ) = 1
> > > > write(2, "/etc/vservers/concero/fstab"..., 27/etc/vservers/concero/fstab) = 27
> > > > write(2, ":5:1"..., 4:5:1) = 4
> > > > write(2, ": failed to mount fstab-entry\n"..., 30: failed to mount fstab-entry
> > > > ) = 30
> > > > chdir("/") = 0
> > > > fchdir(3) = 0
> > > >
> > > >
> > > > chroot(".") = 0
> > > > chdir("/var/log") = 0
> > > > open(".", O_RDONLY|O_DIRECTORY) = 6
> > > > fchdir(4) = 0
> > > > chroot(".") = 0
> > > > fchdir(6) = 0
> > > > close(6) = 0
> > > > mount("/iscsi/log/concero", ".", 0x7fffdf03e6a9, MS_NODEV|MS_BIND, 0x7f9ad703f090) = 0
> > > > fchdir(3) = 0
> > > > chroot(".") = 0
> > > > chdir("/var/log") = 0
> > > > open(".", O_RDONLY|O_DIRECTORY) = 6
> > > > fchdir(4) = 0
> > > > chroot(".") = 0
> > > > fchdir(6) = 0
> > > > close(6) = 0
> > > > mount("/iscsi/log/concero", ".", 0x7fffdf03e6a9, MS_NODEV|MS_REMOUNT, NULL) = -1 EINVAL (Invalid argument)
> > > > write(2, "secure-mount: mount()"..., 21secure-mount: mount()) = 21
> > > > write(2, ": "..., 2: ) = 2
> > > > write(2, "Invalid argument"..., 16Invalid argument) = 16
> > > > write(2, "\n"..., 1
> > > > ) = 1
> > > > write(2, "/etc/vservers/concero/fstab"..., 27/etc/vservers/concero/fstab) = 27
> > > > write(2, ":6:1"..., 4:6:1) = 4
> > > > write(2, ": failed to mount fstab-entry\n"..., 30: failed to mount fstab-entry
> > > > ) = 30
> > > > close(5) = 0
> > > > _exit(0) = ?
> > > >
> > > > Kind Regards
> > > > Erdem Bayer
> > > Might it be faster and easier to do the bind mounts from the host,
> > > e.g.,
> > > /somesource/iscsi/log/concero /vservers/vserver1/var/log bind bind 0 0
> > >
> > > --
> > > John A. Sullivan III
> > > Open Source Development Corporation
> > > +1 207-985-7880
> > > jsullivan@opensourcedevel.com
> > >
> > > http://www.spiritualoutreach.com
> > > Making Christianity intelligible to secular society
> > >
> --
> John A. Sullivan III
> Open Source Development Corporation
> +1 207-985-7880
> jsullivan@opensourcedevel.com
>
> http://www.spiritualoutreach.com
> Making Christianity intelligible to secular society
Received on Wed Aug 19 13:09:32 2009
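An added check, not code from this thread or from util-vserver: it parses /proc/self/mountinfo (a constructed sample is embedded, using the mount points from Erdem's config with invented device ids) and reports guest-visible mounts that are shared or slave, so a host-side umount or remount would propagate into the guest as Herbert describes, or that lack the nodev flag which secure-mount's failed MS_NODEV|MS_REMOUNT call was trying to set.

```python
from collections import namedtuple

# root: subtree of the source fs that was bound; propagation: shared/slave/private/unbindable
Mount = namedtuple("Mount", "root mount_point options propagation fstype source")

def parse_mountinfo(text):
    """Parse /proc/self/mountinfo lines (format documented in proc(5))."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pre, _, post = line.partition(" - ")
        f = pre.split()  # id parent maj:min root mountpoint opts [shared:N master:N unbindable]
        tags = {t.split(":")[0] for t in f[6:]}
        if "unbindable" in tags:
            prop = "unbindable"
        elif "master" in tags:  # a slave receives mount events from its master peer group
            prop = "slave"
        elif "shared" in tags:
            prop = "shared"
        else:
            prop = "private"  # the default Herbert describes: the guest keeps its own view
        fstype, source = post.split()[:2]
        mounts.append(Mount(f[3], f[4], set(f[5].split(",")), prop, fstype, source))
    return mounts

def audit(mounts, guest_root):
    """Return (mount_point, problem) pairs for mounts below guest_root."""
    prefix = guest_root.rstrip("/") + "/"
    findings = []
    for m in mounts:
        if not m.mount_point.startswith(prefix):
            continue
        if m.propagation in ("shared", "slave"):
            findings.append((m.mount_point, f"propagation={m.propagation}: host mount events reach the guest"))
        if "nodev" not in m.options:  # the flag in secure-mount's failed MS_NODEV|MS_REMOUNT call
            findings.append((m.mount_point, "nodev not set on bind mount"))
    return findings

# Constructed sample: paths follow the fstab in the thread, device names and ids are invented.
SAMPLE_MOUNTINFO = """\
21 1 8:1 / / rw,relatime - ext3 /dev/sda1 rw,errors=remount-ro
40 21 8:17 / /home rw,relatime - ext3 /dev/sdb1 rw
41 21 8:32 / /iscsi rw,relatime - ocfs2 /dev/sdc1 rw,_netdev
55 21 8:17 / /etc/vservers/concero/vdir/home rw,nodev,relatime shared:5 - ext3 /dev/sdb1 rw
56 21 8:32 /www /etc/vservers/concero/vdir/var/www rw,relatime - ocfs2 /dev/sdc1 rw,_netdev
57 21 8:32 /log/concero /etc/vservers/concero/vdir/var/log rw,nodev,relatime master:7 - ocfs2 /dev/sdc1 rw,_netdev
"""
```

Run it against the real /proc/self/mountinfo on the host and, separately, from inside the guest; only the guest's own view tells you what the guest can actually see.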
