[Pkg-systemd-maintainers] Bug#734813: Bug#734813: systemd as pid1 allows lxc-containers to unmount host filesystems

[Paul Tagliamonte]

forcemerge 734813 731574
thanks

On Fri, Jan 10, 2014 at 08:08:18AM +0100, Michael Stapelberg wrote:
> Hi Paul,

Hey Michael :)

> Paul Tagliamonte <paultag at debian.org> writes:
> > A workaround was sent to me in a gist[2], but I've not tried it  yet.
> > Seems like it'd work. Another workaround given was to do:
> >
> > for MNT in $(awk '{print $2}' /proc/mounts | sort -u) ; do
> >     mount --make-rprivate $MNT;
> > done
>
> This needs to have #731574 resolved first, because of a bug in mount(8).

Ah. That would explain why the unit file wasn't preventing this.

> > Both are pretty ugly, and I really don't want to have to run this. Can
> > Debian systemd please revert this behavior?
>
> No. This would need to happen upstream, and then we can cherry-pick the
> fix. But in general we don’t want to divert from upstream. FWIW, docker
> on CoreOS has ExecStartPre=/bin/mount --make-rprivate / in its unit
> file to fix this — but as I said, that requires a newer mount(8).

Mm.

> I’m inclined to just mark this as a duplicate of #731574, or let you
> reassign it to lxc, which seems to have support for dealing with shared
> mountpoints as you wrote on IRC. Let me know which one you prefer.

Sounds right. I'll merge this with 731574. I think that solves the
short-term problem faster.

Thanks for all your help!
  Paul

> 
> -- 
> Best regards,
> Michael

-- 
 .''`.  Paul Tagliamonte <paultag at debian.org>  |   Proud Debian Developer
: :'  : 4096R / 8F04 9AD8 2C92 066C 7352  D28A 7B58 5B30 807C 2A87
`. `'`  http://people.debian.org/~paultag
 `-     http://people.debian.org/~paultag/conduct-statement.txt
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://alioth-lists.debian.net/pipermail/pkg-systemd-maintainers/attachments/20140110/fe689377/attachment-0002.sig>