| 1 |
On Sat, May 18, 2019 at 12:44 PM Grant Taylor |
| 2 |
<gtaylor@×××××××××××××××××××××.net> wrote: |
| 3 |
> |
| 4 |
> On 5/18/19 9:26 AM, Peter Humphrey wrote: |
| 5 |
> > Hello list, |
| 6 |
> |
| 7 |
> Hi, |
| 8 |
> |
| 9 |
> > Can anyone answer this? |
| 10 |
> |
| 11 |
> I would think that containers could be made to do this. But I'm not a |
| 12 |
> fan of the containerization systems that I've seen. They seem to be too |
| 13 |
> large and try to control too many things and impose too many |
| 14 |
> limitations. |
| 15 |
|
| 16 |
I'd be interested if there are other scripts people have put out |
| 17 |
there, but I agree that most of the container solutions on Linux are |
| 18 |
overly-complex. |
| 19 |
|
| 20 |
I personally use nspawn, which is actually pretty minimal, but it |
| 21 |
depends on systemd, which I'm sure many would argue is overly complex. |
| 22 |
:) However, if you are running systemd you can basically do a |
| 23 |
one-liner that requires zero setup to turn a chroot into a container. |
| 24 |
|
| 25 |
On to the original questions about mounts: |
| 26 |
|
| 27 |
In general you can mount stuff in containers without issue. There are |
| 28 |
two ways to go about it. One is to mount something on the host and |
| 29 |
bind-mount it into the container, typically at launch time. The other |
| 30 |
is to give the container the necessary capabilities so that it can do |
| 31 |
its own mounting (typically containers are not given the necessary |
| 32 |
capabilities, so mounting will fail even as root inside the |
| 33 |
container). |
| 34 |
|
| 35 |
I believe the reason the wiki says to be careful with mounts has more |
| 36 |
to do with UID/GID mapping. As you are using nfs this is already an |
| 37 |
issue you're probably dealing with. You're probably aware that |
| 38 |
running nfs with multiple hosts with unsynchronized passwd/group files |
| 39 |
can be tricky, because linux (and unix in general) works with |
| 40 |
UIDs/GIDs, and not really directly with names, so if you're doing |
| 41 |
something with one UID on one host and with a different UID on another |
| 42 |
host you might get unexpected permissions behavior. |
| 43 |
|
| 44 |
In a nutshell the same thing can happen with containers, or for that |
| 45 |
matter with chroots. If you have identical passwd/group files it |
| 46 |
should be a non-issue. However, if you want to do mapping with |
| 47 |
unprivileged containers you have to be careful with mounts as they |
| 48 |
might not get translated properly. Using completely different UIDs in |
| 49 |
a container is their suggested solution, which is fine as long as the |
| 50 |
actual container filesystem isn't shared with anything else. That |
| 51 |
tends to be the case anyway when you're using container |
| 52 |
implementations that do a lot of fancy image management. If you're |
| 53 |
doing something very minimal and just using a path/chroot on the host |
| 54 |
as your container then you need to be mindful of your UIDs/GIDs if you |
| 55 |
go accessing anything from the host directly. |
| 56 |
|
| 57 |
The other thing I'd be careful with is mounting physical devices in |
| 58 |
more than one place. Since you're actually sharing a kernel I suspect |
| 59 |
linux will "do the right thing" if you mount an ext4 on /dev/sda2 on |
| 60 |
two different containers, but I've never tried it (and again doing |
| 61 |
that requires giving containers access to even see sda2 because they |
| 62 |
probably won't see physical devices by default). In a VM environment |
| 63 |
you definitely can't do this, because the VMs are completely isolated |
| 64 |
at the kernel level and having two different kernels having dirty |
| 65 |
buffers on the same physical device is going to kill any filesystem |
| 66 |
that isn't designed to be clustered. In a container environment the |
| 67 |
two containers aren't really isolated at the actual physical |
| 68 |
filesystem level since they share the kernel, so I think you'd be fine |
| 69 |
but I'd really want to test or do some research before relying on it. |
| 70 |
|
| 71 |
In any case, the more typical solution is to just mount everything on |
| 72 |
the host and then bind-mount it into the container. So, you could |
| 73 |
mount the nfs in /mnt and then bind-mount that into your container. |
| 74 |
There is really no performance hit and it should work fine without |
| 75 |
giving the container a bunch of capabilities. |
| 76 |
|
| 77 |
-- |
| 78 |
Rich |
Archives