The LXC container propagates the ro remount to the host mount point

Bug #1008393 reported by Sebastien Douche
This bug affects 3 people
Affects           Status        Importance  Assigned to  Milestone
libvirt (Ubuntu)  Fix Released  Low         Unassigned

Bug Description

Hi,
Occasionally, after stopping an LXC container, libvirt remounts the partition read-only. Example:

    <filesystem type='mount' accessmode='passthrough'>
      <source dir='/srv/lxc/lib/vprobe20'/>
      <target dir='/'/>
    </filesystem>

In this case, /srv is remounted ro, and all containers are blocked. The workaround is to use an LVM partition for each container.

Serge Hallyn (serge-hallyn) wrote :

Thanks for bringing up this bug.

Note there are other workarounds. One is to use apparmor, but the LSM hooks for libvirt-lxc are still under development. Another is to use the root filesystem to host the libvirt container directories, instead of using a separate partition.

The one we used first in liblxc is to simply hold open a file next to the container's root file system for the duration of the container run. So long as any one file is held open on the filesystem, the 'mount -o remount,ro /' in the container will simply fail. That is the same reason why your /srv is only sometimes remounted - it is only remounted when no other containers are running.

The real solution to this bug will be to either implement an apparmor policy preventing this, or to do a fix as in liblxc holding open a file.

But as a workaround, you can simply run a program on your server, even started in upstart if you like, which holds open a file /srv/hold and runs forever (until killed at shutdown).
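The hold-open workaround described in the comment above, as an added example; it is not code from the bug report, libvirt or liblxc. It assumes the hold file /srv/hold and the function names shown. One detail matters for it to work: the kernel refuses a read-only remount (with EBUSY) only while some file on that mount is open for writing, so the file is opened O_RDWR rather than read-only. The small /proc/self/mounts parser lets the program (or an operator) check whether /srv has already flipped to ro; the sample mount table is constructed for illustration.

```python
#!/usr/bin/env python3
"""Hold a file open for writing on /srv so a container's 'mount -o remount,ro /'
cannot propagate a read-only remount to the host mount point.

Added example, not the bug report's or libvirt's code. Paths and names are
assumptions. Run it from an init job; SIGTERM at shutdown ends it and releases
the file.
"""
import os
import signal
import sys

HOLD_FILE = "/srv/hold"      # assumed hold file next to the container roots
MOUNTPOINT = "/srv"          # assumed mount that hosts the container roots

# Constructed /proc/self/mounts-style sample; /srv is already read-only here.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sdb1 /srv ext4 ro,relatime,data=ordered 0 0
"""


def hold_open(path):
    """Open `path` for writing (creating it if needed) and return the fd.

    The open-for-write reference is what makes the kernel reject a
    read-only remount of the containing mount with EBUSY; an O_RDONLY
    open would not count and would not protect the mount.
    """
    return os.open(path, os.O_RDWR | os.O_CREAT | os.O_CLOEXEC, 0o600)


def parse_mounts(text):
    """Parse mounts(5)-style lines into {mountpoint: set(options)}.

    /proc/self/mounts escapes spaces in paths as '\\040'; undo that.
    """
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or malformed lines
        mountpoint = fields[1].replace("\\040", " ")
        mounts[mountpoint] = set(fields[3].split(","))
    return mounts


def mount_is_readonly(mountpoint, mounts_text):
    """Return True if `mountpoint` is listed with the 'ro' option.

    Raises KeyError if `mountpoint` is not a mount point in the table.
    """
    mounts = parse_mounts(mounts_text)
    if mountpoint not in mounts:
        raise KeyError(mountpoint)
    return "ro" in mounts[mountpoint]


def main(path=HOLD_FILE, mountpoint=MOUNTPOINT):
    # Warn if the mount has already been flipped to ro; we cannot undo that here.
    try:
        with open("/proc/self/mounts") as f:
            if mount_is_readonly(mountpoint, f.read()):
                print(f"warning: {mountpoint} is already read-only", file=sys.stderr)
    except (OSError, KeyError):
        pass  # not a mount point, or /proc unavailable: nothing to report

    fd = hold_open(path)
    print(f"holding {path} open for write on fd {fd}", file=sys.stderr)
    # Block until a signal arrives; the default SIGTERM action exits and
    # closes the fd, dropping the write reference.
    while True:
        signal.pause()


if __name__ == "__main__":
    main()
```

Because it only blocks the remount while the process lives, the job must start before any container and must not be restarted lazily; checking `mount_is_readonly` at start gives an early signal that the hold was not in place when it was needed.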

Changed in libvirt (Ubuntu):
status: New → Triaged
importance: Undecided → Low
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libvirt - 1.2.8-0ubuntu1

---------------
libvirt (1.2.8-0ubuntu1) utopic; urgency=medium

  [ Chuck Short ]
  * New upstream release: (LP: #1367422)
    + Dropped:
      - debian/patches/ovs-delete-port-if-exists-while-adding-new-one
    + Refreshed:
      - debian/patches/add-cgmanager-support.patch
      - debian/patches/storage-default-permission-mode-to-0711

  [ Serge Hallyn ]
  * d/apparmor
    - install TEMPLATE.qemu and TEMPLATE.lxc
    - add libvirt-lxc abstraction, add permissions to it needed for
      a ubuntu container to start.
    - libvirt-qemu - add qemu-bridge-helper policy from upstream
    - libvirt-qemu - add qemu-microblaze allows from upstream
    - edit lxc.conf to enable apparmor by default (LP: #914716)
      (LP: #1008393) (LP: #1088295)
  * d/apparmor/libvirt-qemu: add /dev/shm as path to spice.* nodes
    for systemd case. (LP: #1365163)
  * d/p/9030-create-socket-dir - create session socket dir if
    needed (Should be replaced eventually by the upstream fix)
  * d/p/9032-lxc-allow-no-security-driver: don't fail if apparmor
    driver is not available (else the qa-regression-tests fail with
    skip_apparmor)
 -- Serge Hallyn <email address hidden> Mon, 15 Sep 2014 18:30:06 -0500

Changed in libvirt (Ubuntu):
status: Triaged → Fix Released