Linux supports read-only bind-mounts, but they can only be made
read-only after bind-mounting, not during.
i.e.
mount --bind /foo /bar
mount -o remount,ro /bar
I hacked support for this into my schroot installation by running the
following after schroot-mount in 10mount:
sed -nre 's/([^ \t]*).*ro,bind.*/\1/ p' "$FSTAB" \
| while read ro_mountpoint; do
info "Remounting $ro_mountpoint read-only"
mount -o remount,ro "$CHROOT_MOUNT_LOCATION/$ro_mountpoint"
done
But it would be really nice if schroot-mount supported it.
SR
The sed line is bugged and doesn't work as expected. It's pulling the first
column but that only works if it happens to be the second column. You
really need to pull the second column directly. I have a very crude version
that works but it could be done better another way.
grep -v '#' "$FSTAB" | grep ro | grep bind | awk '{$1=$1}1' \
| tr -s ' ' | sed 's/\( \+\)/ /g' | cut -d' ' -f2 \
| while read ro_mountpoint; do
    echo "Remounting $ro_mountpoint read-only"
    mount -o remount,ro "$CHROOT_MOUNT_LOCATION$ro_mountpoint"
done
It runs the file through 3 greps. One to eliminate commented lines and the
next two reduce it to read-only binds only. Note that the bind and ro
parameter order won't matter because it isn't matching ro,bind. It just
matches ro then bind. The next 3 parts are a weird series of awk, tr, and
sed that work quite well to remove extra spaces and convert tabs to spaces
for the cut command that finishes it off to select only the second field.
The other change was to replace the info command with echo so I can see it
in the shell and remove the / between $CHROOT_MOUNT_LOCATION and
$ro_mountpoint.
Like I said I'm sure there is a much more elegant way to do this but it
works well for me.
Robert Pendell
shinji@elite-systems.org
CAcert Assurer
"A perfect world is one of chaos."
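The two pipelines above both try to pick the mountpoint out of fstab lines whose options contain "ro" and "bind" in either order. The following is an added example (not code from either post and not schroot's own code) that does the same job with a single awk pass: it ignores blank and commented lines, splits fields on any mix of spaces and tabs, and tests the option list (the fourth fstab field) as a comma-separated set, so "bind,ro" and "ro,bind" both match while "rw,bind" and a plain "ro" do not. The sample fstab, the mountpoints in it, and the chroot mount root passed to remount_commands are constructed for the example. The remount uses "remount,bind,ro", the option set later in the thread reports as working; the commands are printed rather than executed so the script can be run anywhere.

```shell
#!/bin/sh
# Added example: select read-only bind mounts from fstab text and emit the
# matching remount commands. Not schroot's code; all paths are constructed.

# Read fstab text on stdin; print the mountpoint of every entry whose
# option list (field 4) contains both "ro" and "bind", in any order.
ro_bind_mountpoints() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }         # skip blank lines and comments
        {
            n = split($4, opts, ",")
            has_ro = 0; has_bind = 0
            for (i = 1; i <= n; i++) {
                if (opts[i] == "ro")   has_ro = 1
                if (opts[i] == "bind") has_bind = 1
            }
            if (has_ro && has_bind) print $2
        }'
}

# Read fstab text on stdin; print one remount command per read-only bind
# mount, rooted under the chroot mount location given as $1. fstab
# mountpoints already start with "/", so root and mountpoint are joined
# without an extra slash. Printed, not executed, so the script is dry-run.
remount_commands() {
    root="$1"
    ro_bind_mountpoints | while IFS= read -r mp; do
        printf 'mount -o remount,bind,ro %s\n' "$root$mp"
    done
}

# Constructed sample fstab: tabs and spaces mixed, both option orders,
# one rw bind and one non-bind ro entry that must be ignored.
sample_fstab() {
    printf '# constructed sample fstab for the example\n'
    printf '/srv/platform   /home/Platform  none    ro,bind 0 0\n'
    printf '/srv/sdk\t/home/SDK\tnone\tbind,ro\t0 0\n'
    printf '/srv/scratch    /home/scratch   none    rw,bind 0 0\n'
    printf 'proc            /proc           proc    ro      0 0\n'
    printf '\n'
}

# Demonstration run (constructed chroot mount root).
sample_fstab | remount_commands /var/lib/schroot/mount/example
```

Replacing the printf with the real mount call inside a setup.d script would reproduce the hack from the first post, with the option-order and whitespace problems removed.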
Hi,

this would indeed be a great feature. It would also be interesting to be able to make the chroot "root" mount (which is not controlled by the fstab file) read-only. Furthermore, there are additional interesting flags that can be set for bind mounts, but only with a remount - think of nosuid, noexec.

Kind regards
Ralf
I recall that there's a reason why "ro,bind" doesn't work directly--you have to do two bind mounts to get it properly read-only. Is that correct? What's the recommended sequence to make this work properly? If we see "ro" and "bind" in the mount options, we can probably special-case it; but if it's doable directly in the fstab file, that would be even better.

Can you do it with two entries? Definitely. If we can do this as for ro, that sounds like a good idea.

WRT the "root" mount, this will vary depending upon the chroot type. For example, we have mount options for LVM-snapshot and block-device type chroots already. We don't for btrfs, but we could potentially remount the subvolume. Other non-mountable types might be unpacked directly on /var, in which case we would have to do bind mount on top of the mount trickery?

Regards,
Roger
Hi,

I don't know the reason why a normal mount does not work. But the following works:

mount -o bind /original /mounted
mount -o remount,bind,ro /mounted

Options are only applied when re-mounting. Adding the same entry to the fstab twice does not work.

I am using "directory" chroots, which are bind-mounted into /var/lib/schroot/mount, so it should work for them as well. I just don't have a way to configure this. Of course if the chroot is in a tar-file and unpacked, this cannot work. One could bind-mount the folder on itself though, and then re-mount it read-only...^^

For now, I went with a solution that "works for me" (TM) without being particularly elegant: Add [1] to setup.d and [2] into my profile directory.

[1] http://www.ralfj.de/git/schsh.git/blob/HEAD:/schroot/setup.d/80schsh-hardening
[2] http://www.ralfj.de/git/schsh.git/blob/HEAD:/schroot/schsh/schsh-hardening

A proper solution would probably be to patch schroot-mount to check if the "ro" option is present (or any option other than rw and bind, for that matter), and then do a re-mount immediately after the mount. Plus some patches in setup.d/10mount for the root case...

Kind regards
Ralf
Hi all,
I looked at the source code for schroot, and found that a mount command was
being forked/exec'd for every line in the fstab file. I was able to get ro
bind mounts working with two entries in the fstab file. Examples:
/sandboxes/rev3disks/platform /home/Platform none ro,bind 0 0
/sandboxes/rev3disks/sdk /home/SDK none ro,bind 0 0
#The lines below are necessary to change the bind mount to readonly
/home/Platform /home/Platform none remount,ro,bind 0 0
/home/SDK /home/SDK none remount,ro,bind 0 0
The key was to make sure you specify bind even when doing the remount.
Stumbled on that while reading the mount man page.
The output of schroot still warns that the dirs are rw, but a check of
/proc/mounts outside of the sandbox confirms they've been properly
remounted ro.
Thanks for all the great work with schroot! It solves many of my build
problems!
Chris Fester
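The post above makes the point that schroot's own output is not the thing to trust: the kernel's view in /proc/mounts is. The following added example (not code from the post and not schroot's own) checks that view from a script. /proc/mounts uses the same six-field layout as fstab, and a bind mount appears there under its source device with no "bind" option, so the only reliable test is whether the mountpoint's option list contains "ro". The function reads /proc/mounts-style text on stdin so it can be exercised on a constructed sample; on a real system it would be fed `cat /proc/mounts`. It assumes mountpoints without spaces (the kernel escapes a space as \040, which this example does not decode), and if a mountpoint appears more than once the last entry is taken, since later mounts shadow earlier ones.

```shell
#!/bin/sh
# Added example: verify from /proc/mounts-style input that a mountpoint is
# read-only. Not schroot's code; sample data and paths are constructed.

# Usage: <proc-mounts text> | mount_is_ro /path/to/mountpoint
# Exit 0 if the mountpoint's options (field 4) contain "ro", 1 otherwise.
# If the same mountpoint is listed several times, the last entry wins.
mount_is_ro() {
    target="$1"
    awk -v mp="$target" '
        $2 == mp {
            n = split($4, opts, ",")
            ro = 0
            for (i = 1; i <= n; i++) if (opts[i] == "ro") ro = 1
            found = 1
        }
        END { if (found && ro) exit 0; exit 1 }'
}

# Usage: <proc-mounts text> | report_ro_status /mnt/a /mnt/b ...
# Prints one status line per mountpoint given as an argument.
report_ro_status() {
    mounts=$(cat)
    for mp in "$@"; do
        if printf '%s\n' "$mounts" | mount_is_ro "$mp"; then
            echo "$mp: read-only"
        else
            echo "$mp: NOT read-only"
        fi
    done
}

# Constructed /proc/mounts excerpt: a chroot root, one bind mount that was
# remounted ro, and one that was left rw. Note that the bind mounts show
# the backing device, not a "bind" option.
sample_proc_mounts() {
    printf '/dev/sda1 /var/lib/schroot/mount/build ext4 rw,relatime 0 0\n'
    printf '/dev/sda1 /var/lib/schroot/mount/build/home/Platform ext4 ro,relatime 0 0\n'
    printf '/dev/sda1 /var/lib/schroot/mount/build/home/scratch ext4 rw,relatime 0 0\n'
}

# Demonstration run on the constructed sample.
sample_proc_mounts | report_ro_status \
    /var/lib/schroot/mount/build/home/Platform \
    /var/lib/schroot/mount/build/home/scratch
```

Running the check from outside the chroot after the setup scripts have finished gives a pass/fail signal that does not depend on what schroot prints about the entries.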