aristanetworks / bst

A one-stop shop for process isolation
MIT License

Provide a more turnkey approach for mounting sysfs #34

Closed wwade closed 3 years ago

wwade commented 3 years ago

Either of these may be correct in a given situation, or may fail

Host sysfs mount === user ns sysfs mount:

bst --mount /sys,/sys,none,rbind true

Other:

bst --mount none,/sys,sysfs,default true

Maybe bst should just fallback to a rbind mount when it EPERMs, and add a --no-fallback-sysfs-mount

Snaipe commented 3 years ago

After digging around, this definitely can't happen -- a sysfs in a netns has a special /sys/class/net and /sys/devices/virtual/net directories, so bind-mounting the host /sys is almost always incorrect.

I encountered the same EPERM problem recently -- it turns out that a /sys mount will EPERM if the user asks to mount it read-write, and the host /sys is read-only. So the solution is fairly simple: just mount the inner sys read-only.
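As an added illustration (not code from bst or from either commenter), the C program below does the sysfs mount the thread arrives at: it enters a new user, mount and network namespace, checks whether the host /sys is read-only via statvfs, and asks for a read-only sysfs up front (retrying read-only if a read-write attempt is refused with EPERM). The helper names are assumptions for this example; it needs an unprivileged-userns-enabled Linux kernel to run the main() part.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/statvfs.h>
#include <unistd.h>

/* Derive flags for the inner sysfs mount from the host /sys statvfs f_flag.
 * A read-write sysfs in a user namespace is refused (EPERM) when the host
 * /sys is read-only, so mirror that and keep nosuid/nodev/noexec as well. */
unsigned long choose_sysfs_flags(unsigned long host_f_flag)
{
    unsigned long flags = MS_NOSUID | MS_NODEV | MS_NOEXEC;
    if (host_f_flag & ST_RDONLY)
        flags |= MS_RDONLY;
    return flags;
}

/* Retry read-only only for the case from the issue: mount(2) failed with
 * EPERM and the attempt was read-write. */
int should_retry_readonly(int rc, int err, unsigned long flags)
{
    return rc == -1 && err == EPERM && !(flags & MS_RDONLY);
}

/* Mount sysfs on target in the caller's (already unshared) mount namespace.
 * Returns 0 on success, -errno on failure. */
int mount_sysfs(const char *target)
{
    struct statvfs st;
    unsigned long flags = MS_NOSUID | MS_NODEV | MS_NOEXEC;
    if (statvfs("/sys", &st) == 0)
        flags = choose_sysfs_flags(st.f_flag);
    int rc = mount("none", target, "sysfs", flags, NULL);
    if (should_retry_readonly(rc, errno, flags))
        rc = mount("none", target, "sysfs", flags | MS_RDONLY, NULL);
    return rc == 0 ? 0 : -errno;
}

int main(void)
{
    /* A new netns is required too: sysfs may only be mounted by a user
     * namespace that owns the current network namespace. */
    if (unshare(CLONE_NEWUSER | CLONE_NEWNS | CLONE_NEWNET) == -1) {
        perror("unshare");
        return 1;
    }
    int rc = mount_sysfs("/sys");
    if (rc < 0) {
        fprintf(stderr, "mount sysfs: %s\n", strerror(-rc));
        return 1;
    }
    puts("sysfs mounted");
    return 0;
}
```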