[pve-devel] [PATCH container 2/2] update_lxc_config: mount /sys read-only for CONTAINER_INTERFACE compat

Wolfgang Bumiller w.bumiller at proxmox.com
Tue Mar 17 10:50:36 CET 2020


On 3/17/20 10:27 AM, Wolfgang Bumiller wrote:
> On 3/17/20 7:35 AM, Thomas Lamprecht wrote:
>> CONTAINER_INTERFACE[0] is something systemd people call their API and
>> we need to adapt to it a bit, even if it means doing stupid
>> unnecessary things, as else systemd decides to regress and suddenly
>> break network stack in CT after an upgrade[1].
>>
>> This mounts the parent /sys as ro, child mounts can be whatever.
>> Fixes the system regression introduced by[2].
>>
>> [0]: https://systemd.io/CONTAINER_INTERFACE/
>> [1]: https://github.com/systemd/systemd/issues/15101#issuecomment-598607582
>> [2]: https://github.com/systemd/systemd/commit/bf331d87171b7750d1c72ab0b140a240c0cf32c3
>>
>>
>> Signed-off-by: Thomas Lamprecht <t.lamprecht at proxmox.com>
>> ---
>>
>> I hate it.
>>
>> Just a POC for commenting or picking up, probably belongs in an LXC
>> config or in a "per distro, per systemd version" specific thing
> 
> Could `sys:mixed` be enough?

sys:mixed is default for privileged btw:
common.conf:46:lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed

and becomes rw with user namespaces:
userns.conf:13:lxc.mount.auto = sys:rw
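As an added illustration (not part of the thread or of the pve-container code), the following Python check parses /proc/self/mountinfo and reports whether the parent /sys mount is read-only while mounts underneath it (cgroup2, debugfs, ...) are still read-write, which is the distinction the patch description draws: CONTAINER_INTERFACE wants the parent ro, child mounts can be whatever. The mountinfo lines embedded below are constructed samples, one for the ro parent case and one for the userns.conf `sys:rw` case; the function and key names are my own.

```python
import os

# Constructed sample in /proc/self/mountinfo format (not captured from a real
# container): the parent /sys is mounted ro, two children under it are rw.
SAMPLE_RO_PARENT = """\
100 99 0:21 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs rw
101 100 0:22 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime - cgroup2 cgroup2 rw
102 100 0:23 / /sys/kernel/debug rw,relatime - debugfs debugfs rw
103 99 0:24 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
"""

# Constructed sample for the userns.conf case (lxc.mount.auto = sys:rw):
# the parent /sys itself is rw.
SAMPLE_RW_PARENT = """\
100 99 0:21 / /sys rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw
101 100 0:22 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime - cgroup2 cgroup2 rw
"""


def parse_mountinfo(text):
    """Parse mountinfo lines into dicts.

    Field layout (proc(5)): id parent major:minor root mountpoint
    per-mount-options [optional fields ...] - fstype source super-options.
    The optional fields are variable length, so split at the ' - ' separator
    rather than by fixed position.
    """
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pre, sep, post = line.partition(" - ")
        if not sep:
            raise ValueError("malformed mountinfo line: %r" % line)
        f = pre.split()
        mounts.append({
            "id": int(f[0]),
            "parent": int(f[1]),
            "point": f[4],
            "opts": f[5].split(","),   # per-mount options, e.g. ['ro', 'nosuid', ...]
            "fstype": post.split()[0],
        })
    return mounts


def check_sysfs(text, point="/sys"):
    """Report whether the mount at `point` is read-only and which mounts
    underneath it are read-write.

    Returns {'found': bool, 'sysfs_ro': bool, 'rw_children': [mountpoints]}.
    Only the parent mount's own 'ro' flag matters for the CONTAINER_INTERFACE
    requirement; rw children are listed separately, not treated as failures.
    """
    mounts = parse_mountinfo(text)
    parents = [m for m in mounts if m["point"] == point]
    if not parents:
        return {"found": False, "sysfs_ro": False, "rw_children": []}
    sysfs = parents[-1]  # the last entry is the one currently visible at /sys
    rw_children = sorted(
        m["point"] for m in mounts
        if m["point"].startswith(point + "/") and "rw" in m["opts"]
    )
    return {
        "found": True,
        "sysfs_ro": "ro" in sysfs["opts"],
        "rw_children": rw_children,
    }


if __name__ == "__main__":
    # Inspect the live mount table when run inside a container; otherwise
    # fall back to the constructed sample so the script still runs offline.
    path = "/proc/self/mountinfo"
    text = open(path).read() if os.path.exists(path) else SAMPLE_RO_PARENT
    print(check_sysfs(text))
```

Run inside the CT after the patched config is applied, `sysfs_ro` should come back True while `rw_children` still lists the cgroup mount; on an unprivileged container with the stock `sys:rw` from userns.conf it comes back False, which is the state that triggers the systemd regression referenced above.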