online jail / bind mounting ...
Michael Meeks
michael.meeks at collabora.com
Tue Apr 28 10:32:23 UTC 2020
Hi Ash,
Great to have you resurrect the bind mounting optimization - that's great:
https://gerrit.libreoffice.org/c/online/+/92829
I'd really like to reduce the number of bind-mounts though per jail,
ideally to just two. Currently we have 6 mount points for: /etc, /lib,
/lib64, /var, /usr and /lo.
AFAICS these are all from the template except for 'lo' - so we
could/should be able to do:
mount -o bind systemplate jail-root
mount -o bind /path/to/lo jail-root/lo
mount -o bind /path/to-jail-data jail-root/tmp
Hopefully that would work nicely.
Interestingly the kernel gives us some other nice tools here cf.
https://www.kernel.org/doc/Documentation/filesystems/sharedsubtree.txt
If we turn our systemplate into a mount-point (look away this is grim):
mount -o bind systemplate systemplate-shared
Now systemplate-shared is a mount-point: what a win ;-) so now we can do:
mount --make-shared systemplate-shared
This sets a magic flag such that re-mounting systemplate-shared will
share any sub-mounts it has. So we can do this setup as a one-off at
startup:
mount -o bind systemplate systemplate-shared
mount --make-shared systemplate-shared
mount -o bind /path/to/lo systemplate-shared/lo
And now we can get down to two mounts per jail:
mount -o bind systemplate-shared jail-root
mkdir writeable-tmp
mount -o bind writeable-tmp jail-root/tmp
And - assuming we can get $HOME into /tmp and wherever else we want to
write to (IIRC we do some things of this kind already) - then we're done.
Crazy ? ;-)
Of course as a quicker hack to get something in for now we could just
use bind mounting in the 1st pass for /usr and for /lo - and copy the
(much smaller) /etc /lib /lib64 in instead of binding with the current
approach.
Of course, my thesis that very large numbers of mounts will make the
kernel slow anyway ;-) is perhaps obsolete eg.
https://github.com/torvalds/linux/commit/d29216842a85
has a nice curio ;-)
Thoughts ?
Michael.
--
michael.meeks at collabora.com <><, GM Collabora Productivity
Hangout: mejmeeks at gmail.com, Skype: mmeeks
(M) +44 7795 666 147 - timezone usually UK / Europe
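
A check on the layout proposed in the message above, added here as an example and not code from the message or from LibreOffice Online: it reads mountinfo-format text and reports, for one jail, how many mounts it holds, whether the jail root shares a `shared:N` peer group with the template (in which case a mount made inside the jail propagates back to the template and its other peers, per sharedsubtree.txt), and which template sub-mounts have no counterpart in the jail (a plain `mount -o bind`, unlike `--rbind`, does not carry existing sub-mounts). The sample text, all paths and IDs, and the names `parse` and `audit_jail` are constructed for illustration.

```python
# Constructed mountinfo excerpt (format of /proc/self/mountinfo); all paths and
# IDs are hypothetical. Jail "a" is a plain bind of the shared template; jail
# "b" was attached with --rbind and then switched to slave propagation.
SAMPLE = """\
40 25 8:1 /srv/systemplate /srv/systemplate-shared rw shared:7 - ext4 /dev/sda1 rw
41 40 8:1 /opt/lo /srv/systemplate-shared/lo rw shared:8 - ext4 /dev/sda1 rw
50 25 8:1 /srv/systemplate /srv/jails/a rw shared:7 - ext4 /dev/sda1 rw
60 25 8:1 /srv/systemplate /srv/jails/b rw master:7 - ext4 /dev/sda1 rw
61 60 8:1 /opt/lo /srv/jails/b/lo rw master:8 - ext4 /dev/sda1 rw
62 60 8:1 /srv/jaildata/b /srv/jails/b/tmp rw - ext4 /dev/sda1 rw
"""

def parse(text):
    """Map mount point -> set of optional-field tags (shared:N, master:N, ...)."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        sep = fields.index("-")  # optional fields sit between the options and "-"
        table[fields[4]] = set(fields[6:sep])
    return table

def audit_jail(text, template, jail):
    """Summarise mount count and propagation state of one jail root."""
    mounts = parse(text)
    peer_groups = {t for t in mounts[template] if t.startswith("shared:")}
    inside = sorted(m for m in mounts if m == jail or m.startswith(jail + "/"))
    expected = [jail + m[len(template):] for m in mounts
                if m.startswith(template + "/")]
    return {
        "mount_count": len(inside),
        # A shared:N tag in common with the template means a mount made inside
        # this jail propagates to the template and to every other peer.
        "propagates_to_template": bool(mounts[jail] & peer_groups),
        # Template sub-mounts with no counterpart under the jail root.
        "missing_submounts": sorted(p for p in expected if p not in mounts),
    }

if __name__ == "__main__":
    for jail in ("/srv/jails/a", "/srv/jails/b"):
        print(jail, audit_jail(SAMPLE, "/srv/systemplate-shared", jail))
```

On a live host, pass the contents of /proc/self/mountinfo in place of `SAMPLE`.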