[pve-devel] [RFC pve-container 4/6] unshare lxc-start into a slave mount namespace
Wolfgang Bumiller
w.bumiller at proxmox.com
Thu Nov 12 14:00:27 CET 2015
The rationale here is simply that if the host can see all
the mounts, then any program on the host entering a new
mount namespace can keep the mountpoints active.
This can potentially lead to hard-to-track problems with
multiple mount protection or NFS storages not syncing to the
end when stop-migrating a container to another node.
---
src/PVE/API2/LXC/Status.pm | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/PVE/API2/LXC/Status.pm b/src/PVE/API2/LXC/Status.pm
index 5e5e116..dc05445 100644
--- a/src/PVE/API2/LXC/Status.pm
+++ b/src/PVE/API2/LXC/Status.pm
@@ -163,7 +163,8 @@ __PACKAGE__->register_method({
PVE::LXC::update_lxc_config($storage_cfg, $vmid, $conf);
- my $cmd = ['lxc-start', '-n', $vmid];
+ my $cmd = ['unshare', '-m', '--',
+ 'sh', '-c', "mount --make-rslave / && exec lxc-start -n $vmid"];
run_command($cmd);
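Review bot: the new `$cmd` builds the inner command by interpolating `$vmid` into the string handed to `sh -c`, so the argument is parsed by the shell rather than passed through as an argv element like it was in the removed `['lxc-start', '-n', $vmid]` form. Even if the API schema already constrains `$vmid` to an integer, keeping the value out of the shell string is the more robust pattern, e.g. `'sh', '-c', 'mount --make-rslave / && exec lxc-start -n "$1"', 'sh', $vmid`, which preserves the same unshare/make-rslave/exec sequence without string interpolation.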
--
2.1.4