例:
我的chroot env / chroot / base.
然后我将它挂载到每个用户:
mount –bind / chroot / base / chroot / $user
然后我在同一用户的chroot中挂载/ home / $user:
mount –bind / home / $user / chroot / $user / home / $user
在CentOS 6上它工作正常,它正好安装那些目录,但在CentOS 7上我得到这样的东西:
/dev/mapper/cl_cp-home /chroot/user1/home/user1 xfs rw,relatime,attr2,inode64,usrquota 0 0 /dev/mapper/cl_cp-home /chroot/user2/home/user1 xfs rw,usrquota 0 0 /dev/mapper/cl_cp-home /chroot/user3/home/user1 xfs rw,usrquota 0 0 /dev/mapper/cl_cp-home /chroot/user2/home/user2 xfs rw,usrquota 0 0 /dev/mapper/cl_cp-home /chroot/user3/home/user2 xfs rw,usrquota 0 0 /dev/mapper/cl_cp-home /chroot/user1/home/user2 xfs rw,usrquota 0 0 /dev/mapper/cl_cp-home /chroot/user3/home/user3 xfs rw,usrquota 0 0
每个用户的homedir都安装在其他用户的chroot环境中.
为什么会这样? CentOS6 / 7之间可能导致这种情况发生了什么变化?
编辑:
例如,在user1的文件夹上运行ls(123user1是一个简单的touch / home / user1 / 123user1文件):
root@server:~# ls /chroot/user1/home/user1/ 123user1 root@server:~# ls /chroot/user2/home/user1/ 123user1 root@server:~# ls /chroot/user3/home/user1/ 123user1
更奇怪的是:
root@server:~# ls /chroot/base/home/user1/ 123user1
我没有在任何阶段安装这个
root@localhost ~]# mount --bind /chroot/base /chroot/test [root@localhost ~]# grep test /proc/self/mountinfo 234 62 253:1 /chroot/base /chroot/test rw,relatime shared:1 - xfs /dev/vda1 rw,noquota
这会导致/ chroot / test下的挂载传播回/ chroot / base,然后影响从/ chroot / base派生的其他绑定挂载.
要恢复旧的行为,必须在/ etc / fstab中明确指定–make-private作为挂载选项.
[root@localhost ~]# umount /chroot/test [root@localhost ~]# mount --bind --make-private /chroot/base /chroot/test [root@localhost ~]# grep test /proc/self/mountinfo 234 62 253:1 /chroot/base /chroot/test rw,relatime - xfs /dev/vda1 rw,noquota
我认为将私有选项应用于您想要旧行为的任何绑定装载都是保存的.
更新
内核默认仍然是私有的,但systemd将文件系统重新分配为共享,因为更好的容器支持.从systemd github site:
Mark the root directory as shared in regards to mount propagation. The kernel defaults to “private”,but we think it makes more sense to have a default of “shared” so that nspawn and the container tools work out of the Box. If specific setups need other settings they can reset the propagation mode to private if needed. Note that we set this only when we are invoked directly by the kernel. If we are invoked by a container manager we assume the container manager kNows what it is doing (for example,because it set up some directories with different propagation modes).