[FFE] add pre-mount container startup hook
Bug #1043052 reported by Serge Hallyn
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
lxc (Ubuntu) | Fix Released | Medium | Unassigned |
Bug Description
It is possible to use an ecryptfs backing store for a container's rootfs. Advantages include the inability of unprivileged processes to see the container's file contents, and, if the host is a cloud instance, confidence that when disk space is recycled for a new instance, container data will be scrambled.
To do this right, the container rootfs should be mounted in the container's namespace (so after clone(2)) and before its rootfs is mounted. That requires a new hook, 'pre-start'.
This hook is trivial to add. The patch to add it will be attached to this bug for the release team's review.
This hook will be useful to a lot of users and doesn't change anything by default. The code has been around for a while, is simple and can't cause any obvious regression.
Granting the FFe.