git.ipfire.org Git - thirdparty/lxc.git/commit

author	Christian Seiler <christian@iwakd.de>
	Wed, 11 Sep 2013 23:44:44 +0000 (01:44 +0200)
committer	Serge Hallyn <serge.hallyn@ubuntu.com>
	Thu, 12 Sep 2013 20:33:57 +0000 (15:33 -0500)
commit	368bbc02ba132cd978141f392e610adf3b9dcec8
tree	97d0ba7fd764f433e1bed5bb70d7a75d16c00c4d	tree
parent	aae1f3c47b09dfcecd17ec56a5fccfc60e52a220	commit \| diff

Support for automatic mounting of filesystems

This patch adds the lxc.mount.auto configuration option that allows the
user to specify that certain standard filesystems should be
automatically pre-mounted when the container is started.

Currently, four things are implemented:

- /proc (mounted read-write)
- /sys (mounted read-only)
- /sys/fs/cgroup (special logic, see mailing list discussions)
- /proc/sysrq-trigger (see below)

/proc/sysrq-trigger may be used from within a container to trigger a
forced host reboot (echo b > /proc/sysrq-trigger) or do other things
that a container shouldn't be able to do. The logic here is to
bind-mount /dev/null over /proc/sysrq-trigger, so that that cannot
happen. This obviously only protects fully if CAP_SYS_ADMIN is not
available inside the container (otherwise that bind-mount could be
removed).

Signed-off-by: Christian Seiler <christian@iwakd.de>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

src/lxc/conf.c		diff \| blob \| blame \| history
src/lxc/conf.h		diff \| blob \| blame \| history
src/lxc/confile.c		diff \| blob \| blame \| history
src/lxc/start.c		diff \| blob \| blame \| history