Re: [vserver] vnamespace mount -o remount,ro does not make it read-only

From: Herbert Poetzl <herbert_at_13thfloor.at>
Date: Fri 02 Dec 2011 - 18:49:45 GMT
Message-ID: <20111202184945.GA28476@MAIL.13thfloor.at>

On Thu, Dec 01, 2011 at 10:17:18PM -0500, Christian Jaeger wrote:
> Hello,

> I want to bind mount a directory from the host (named 'tn')
> into a running vserver (named 't3'). I want the bind mount to
> be read-only. Yes I already know that mount --bind can't do
> them read-only immediately, so there will be a period during
> which the guest can write, but I can live with that right now.

you can actually make it read only first and then move
it into the guest ... see below

> The real problem is that I can't manage to make the bind mount
> read-only at all.

> When I do the mounts from /etc/vservers/t3/fstab like with:
> /root/GIT /root/GIT none noatime,ro,bind 0 0
> they are correctly read-only.

> But when I try to do it manually, no go:
> First, to show that the commands work in the host context:

> tn:~# mount --bind ~chris/GIT/ /var/lib/vservers/t3/home/chris/GIT
> tn:~# touch /var/lib/vservers/t3/home/chris/GIT/fe
> tn:~# mount -o remount,ro /var/lib/vservers/t3/home/chris/GIT
> tn:~# touch /var/lib/vservers/t3/home/chris/GIT/fe
> touch: cannot touch `/var/lib/vservers/t3/home/chris/GIT/fe':
> Read-only file system

> i.e. as expected. Now,

> tn:~# vnamespace -e t3 mount --bind ~chris/GIT/ /var/lib/vservers/t3/home/chris/GIT
> tn:~# vnamespace -e t3 mount -o remount,ro /var/lib/vservers/t3/home/chris/GIT
> tn:~# vnamespace -e t3 touch /var/lib/vservers/t3/home/chris/GIT/fe
> touch: cannot touch `/var/lib/vservers/t3/home/chris/GIT/fe':
> Read-only file system

> good, *but* this shows that the guest can still write there:

> chris@t3:~$ touch GIT/feh
> chris@t3:~$

> Why is this?

because there are actually two guest namespaces, one
which has everything copied from the host when the guest
is prepared, which is used to administrate the guest,
and one which the guest actually resides in; you can
reach them with different indexes to vnamespace (0/1)
and for whatever reason, the remount,ro is not propagated
through the rbind used to propagate mounts from namespace
index 0 to namespace index 1 ... probably a mainline
bug^Hfeature :)

here is a proper sequence which will work for your case:

vnamespace -e t3 mkdir -p /mnt/tmp
vnamespace -e t3 mount --bind ~chris/GIT/ /mnt/tmp
vnamespace -e t3 mount -o remount,ro /mnt/tmp
vnamespace -e t3 mount --move /mnt/tmp /var/lib/vservers/t3/home/chris/GIT

best,
Herbert

> Christian.
Received on Fri Dec 2 18:50:03 2011
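The four-step sequence from the reply above (bind on a staging directory in the guest's administrative namespace, make it read-only there, then move the finished mount into place), wrapped in a script with a guest-side check. This is an added example, not code from the original post or from util-vserver. It assumes util-vserver's `vnamespace` and `vserver <name> exec` are on PATH, that it runs as root on the host, that the destination directory already exists under the guest root, and it uses a hypothetical staging path of its own (`/mnt/ro-bind.<pid>`) instead of the post's `/mnt/tmp`. With `DRY_RUN=1` it only prints the commands it would run, which needs neither root nor a vserver kernel.

```shell
#!/bin/sh
# Added example (not from the original post or util-vserver).
# Assumptions: vnamespace and "vserver <name> exec" from util-vserver are
# on PATH, we run as root on the host, and DST already exists inside the
# guest root.  DRY_RUN=1 prints commands instead of executing them.

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ro_bind_into_guest GUEST SRC DST
#   GUEST: vserver name, e.g. t3
#   SRC:   host directory to export
#   DST:   host-side path inside the guest root,
#          e.g. /var/lib/vservers/t3/home/chris/GIT
# The bind mount is created and switched to read-only on a staging
# directory that lives in the guest's administrative namespace (index 0).
# The guest cannot see that directory, so it never observes the writable
# window between --bind and remount,ro: only the finished read-only mount
# is moved into the guest's tree.
ro_bind_into_guest() {
    guest=$1; src=$2; dst=$3
    staging="/mnt/ro-bind.$$"   # hypothetical staging path; any empty host dir works
    run vnamespace -e "$guest" mkdir -p "$staging"            || return 1
    run vnamespace -e "$guest" mount --bind "$src" "$staging"  || return 1
    run vnamespace -e "$guest" mount -o remount,ro "$staging"  || return 1
    run vnamespace -e "$guest" mount --move "$staging" "$dst"  || return 1
    run vnamespace -e "$guest" rmdir "$staging"
}

# verify_ro_in_guest GUEST GUEST_PATH
#   Probe the mount from inside the guest context, i.e. the namespace the
#   guest actually runs in.  Testing through "vnamespace -e" only reaches
#   the administrative copy, which is exactly what misled the original
#   poster.  Returns 0 if the write fails (read-only), 1 if it succeeds.
verify_ro_in_guest() {
    guest=$1; gpath=$2
    probe="$gpath/.ro-probe.$$"
    if run vserver "$guest" exec sh -c "touch '$probe' 2>/dev/null"; then
        [ -n "${DRY_RUN:-}" ] && return 0        # dry run: nothing was executed
        run vserver "$guest" exec rm -f "$probe" # writable: remove the probe file
        return 1
    fi
    return 0
}

# Usage, as root on the host:
#   ro_bind_into_guest t3 /home/chris/GIT /var/lib/vservers/t3/home/chris/GIT \
#     && verify_ro_in_guest t3 /home/chris/GIT && echo "read-only inside t3"
```

Two caveats from the mount(8)/kernel side. `mount --move` fails with EINVAL when the parent of the source mount is a shared mount (the default on hosts where `/` has been marked shared); `mount --make-private /mnt` before staging avoids that. Per-mount read-only bind mounts (MS_REMOUNT|MS_BIND|MS_RDONLY) exist since Linux 2.6.26; on older kernels a remount without the bind flag applies to the whole underlying filesystem, so check what kernel the host runs before relying on this.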

Generated on Fri 02 Dec 2011 - 18:50:05 GMT by hypermail 2.1.8