[pve-devel] [RFC PATCH container] prestart: cleanup monitor mount namespace

Wolfgang Bumiller w.bumiller at proxmox.com
Mon Mar 7 11:53:04 CET 2016


Basically any mount points the monitor doesn't need access
to can be removed to avoid "leaking" mounts into monitors.
---
 src/lxc-pve-prestart-hook | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

diff --git a/src/lxc-pve-prestart-hook b/src/lxc-pve-prestart-hook
index 9835b1c..b631787 100755
--- a/src/lxc-pve-prestart-hook
+++ b/src/lxc-pve-prestart-hook
@@ -21,6 +21,8 @@ use PVE::CLIHandler;
 use PVE::Storage;
 use PVE::LXC;
 use PVE::LXC::Setup;
+use PVE::ProcFSTools;
+use Cwd qw();
 use Data::Dumper;
 
 use base qw(PVE::CLIHandler);
@@ -57,6 +59,7 @@ __PACKAGE__->register_method ({
 	return undef if $param->{name} !~ m/^\d+$/;
 
 	my $vmid = $param->{name};
+	my $config_path = $param->{path};
 
 	PVE::Cluster::check_cfs_quorum(); # only start if we have quorum
 
@@ -104,6 +107,42 @@ __PACKAGE__->register_method ({
 	    }
 	    PVE::Tools::file_set_contents($devlist_file, $devlist);
 	}
+
+	# If the monitor is running in its own mount namespace we should clean it up a bit...
+	my $config = PVE::Tools::file_get_contents($config_path);
+	my $unshared = 0;
+	while ($config =~ /^\h*lxc\.monitor\.unshare\h*=\h*(\S+)\h*$/gm) {
+	    $unshared = $1 eq '1';
+	}
+	if ($unshared) {
+	    my $mounts = PVE::ProcFSTools::parse_proc_mounts();
+	    my @sorted = sort { $b cmp $a } map { $_->[1] } @$mounts;
+	    foreach my $mp (@sorted) {
+		# keep the rootfs, /sys, /proc, /dev and /tmp
+		next if $mp eq '/';
+		next if $mp =~ m@^/(?:dev|sys|proc|tmp)@;
+		# Don't unmount anything...
+		#   1) ... up to or inside the $rootdir
+		my $check = Cwd::realpath($rootdir) . '/';
+		next if $mp eq substr($check, 0, length $mp) ||
+			$check eq substr($mp, 0, length $check);
+		#   2) ... up to or inside /var/lib/lxcfs
+		$check = Cwd::realpath('/var/lib/lxcfs') . '/';
+		next if $mp eq substr($check, 0, length $mp) ||
+			$check eq substr($mp, 0, length $check);
+		#   3) ... up to or inside /run/lxcfs
+		$check = Cwd::realpath('/run/lxcfs') . '/';
+		next if $mp eq substr($check, 0, length $mp) ||
+			$check eq substr($mp, 0, length $check);
+		#   4) ... up to /dev/log (it's symlinked to /run/systemd/journal/dev/log)
+		$check = Cwd::realpath('/dev/log') . '/';
+		next if $mp eq substr($check, 0, length $mp);
+
+		# lazy unmounting (-l) without helpers (-i)
+		PVE::Tools::run_command(['umount', '-i', '-l', $mp]);
+	    }
+	}
+
 	return undef;
     }});
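Review bot: The "up to" comparisons on lines 55, 59, 63 and 67 match a raw string prefix with no path-component boundary, so a mount point such as `/var/lib/lx` is kept because it is a prefix of `/var/lib/lxc/…/rootfs/`, and the keep-list regex on line 51 likewise spares `/tmpfoo` or `/devices`. Appending a slash to the mount point makes the checks component-safe: `next if index($check, "$mp/") == 0 || index("$mp/", $check) == 0;` for the three rootdir/lxcfs checks, `next if index($check, "$mp/") == 0;` for the `/dev/log` one, and `next if $mp =~ m@^/(?:dev|sys|proc|tmp)(?:/|$)@;` for the regex. A second concern: if `/var/lib/lxcfs`, `/run/lxcfs` or `/dev/log` does not exist, `Cwd::realpath` presumably returns undef, `$check` collapses to `/`, and the inside-check on lines 56 and 60 then matches every mount point, so the whole cleanup is silently skipped with only an uninitialized-value warning; a `defined` guard that skips that particular check would keep the behaviour predictable. The realpath calls are loop-invariant and could be computed once before the `foreach`; the `register_method` body this hunk belongs to starts outside the hunk.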
 
-- 
2.1.4




