1 |
On Sat, May 18, 2019 at 12:44 PM Grant Taylor |
2 |
<gtaylor@×××××××××××××××××××××.net> wrote: |
3 |
> |
4 |
> On 5/18/19 9:26 AM, Peter Humphrey wrote: |
5 |
> > Hello list, |
6 |
> |
7 |
> Hi, |
8 |
> |
9 |
> > Can anyone answer this? |
10 |
> |
11 |
> I would think that containers could be made to do this. But I'm not a |
12 |
> fan of the containerization systems that I've seen. They seem to be too |
13 |
> large and try to control too many things and impose too many |
14 |
> limitations. |
15 |
|
16 |
I'd be interested if there are other scripts people have put out |
17 |
there, but I agree that most of the container solutions on Linux are |
18 |
overly-complex. |
19 |
|
20 |
I personally use nspawn, which is actually pretty minimal, but it |
21 |
depends on systemd, which I'm sure many would argue is overly complex. |
22 |
:) However, if you are running systemd you can basically do a |
23 |
one-liner that requires zero setup to turn a chroot into a container. |
24 |
|
25 |
On to the original questions about mounts: |
26 |
|
27 |
In general you can mount stuff in containers without issue. There are |
28 |
two ways to go about it. One is to mount something on the host and |
29 |
bind-mount it into the container, typically at launch time. The other |
30 |
is to give the container the necessary capabilities so that it can do |
31 |
its own mounting (typically containers are not given the necessary |
32 |
capabilities, so mounting will fail even as root inside the |
33 |
container). |
34 |
|
35 |
I believe the reason the wiki says to be careful with mounts has more |
36 |
to do with UID/GID mapping. As you are using nfs this is already an |
37 |
issue you're probably dealing with. You're probably aware that |
38 |
running nfs with multiple hosts with unsynchronized passwd/group files |
39 |
can be tricky, because linux (and unix in general) works with |
40 |
UIDs/GIDs, and not really directly with names, so if you're doing |
41 |
something with one UID on one host and with a different UID on another |
42 |
host you might get unexpected permissions behavior. |
43 |
|
44 |
In a nutshell the same thing can happen with containers, or for that |
45 |
matter with chroots. If you have identical passwd/group files it |
46 |
should be a non-issue. However, if you want to do mapping with |
47 |
unprivileged containers you have to be careful with mounts as they |
48 |
might not get translated properly. Using completely different UIDs in |
49 |
a container is their suggested solution, which is fine as long as the |
50 |
actual container filesystem isn't shared with anything else. That |
51 |
tends to be the case anyway when you're using container |
52 |
implementations that do a lot of fancy image management. If you're |
53 |
doing something very minimal and just using a path/chroot on the host |
54 |
as your container then you need to be mindful of your UIDs/GIDs if you |
55 |
go accessing anything from the host directly. |
56 |
|
57 |
The other thing I'd be careful with is mounting physical devices in |
58 |
more than one place. Since you're actually sharing a kernel I suspect |
59 |
linux will "do the right thing" if you mount an ext4 on /dev/sda2 on |
60 |
two different containers, but I've never tried it (and again doing |
61 |
that requires giving containers access to even see sda2 because they |
62 |
probably won't see physical devices by default). In a VM environment |
63 |
you definitely can't do this, because the VMs are completely isolated |
64 |
at the kernel level and having two different kernels having dirty |
65 |
buffers on the same physical device is going to kill any filesystem |
66 |
that isn't designed to be clustered. In a container environment the |
67 |
two containers aren't really isolated at the actual physical |
68 |
filesystem level since they share the kernel, so I think you'd be fine |
69 |
but I'd really want to test or do some research before relying on it. |
70 |
|
71 |
In any case, the more typical solution is to just mount everything on |
72 |
the host and then bind-mount it into the container. So, you could |
73 |
mount the nfs in /mnt and then bind-mount that into your container. |
74 |
There is really no performance hit and it should work fine without |
75 |
giving the container a bunch of capabilities. |
76 |
|
77 |
-- |
78 |
Rich |