[Users] How do I mount /tmp on VEs with noexec,nosuid options?

Roberto Mello roberto.mello at gmail.com
Wed Nov 14 01:27:19 EST 2007


On Nov 9, 2007 9:56 AM, Joan <aseques at gmail.com> wrote:
> Following http://kb.swsoft.com/article_130_648_en.html
> I get " unrecognized option `--bindmount_add'" so I guess that in
> openVZ it works different.
> There was no message in the list related to this.
> Anyone knows if there is a command for that?

Have you tried the following:

HN# vzctl start 101
HN# mount -n --bind -o nosuid,noexec /tmp /path/to/vz/root/101/tmp

Notice the -n flag. That is necessary, and it'll cause mount not to
update /etc/mtab, so the bind mount won't show up in the output of
`mount`, but it will in the output of /proc/mounts.

Once you've got the mount and unmount working, you can put the
commands into /etc/vz/conf/101.mount and 101.umount (need to be
executable and have appropriate shebangs). The .umount file in
particular seems to be executed when you start the VE too, so in it you
need to check if the FS is mounted before trying to unmount. I have
something like this in my 101.umount:

---------
#!/bin/bash
VEID=101
MNTPATH="/path/to/vz/root/${VEID}/tmp"
# Compare the mount point field exactly: a plain grep would also match
# a longer path that merely contains this one (e.g. .../101/tmp2).
mnt=$(awk -v p="${MNTPATH}" '$2 == p' /proc/mounts | wc -l)

# vzctl runs this hook on VE start as well, so only unmount if mounted.
if [ "${mnt}" -ge 1 ]; then
    umount "${MNTPATH}"
fi
-------

And 101.mount can be a very simple:
-------
#!/bin/bash
VEID=101
MNTPATH="/path/to/vz/root/${VEID}/tmp"
# -n keeps /etc/mtab untouched; nosuid,noexec are the options asked for.
mount -n --bind -o nosuid,noexec /tmp "${MNTPATH}"
-------

Let us know if that works for you. I use the above technique, which I
learned long ago, to bind different filesystems to my VEs, including
remote filesystems. Be careful with permissions. I sometimes create a
per-ve directory in the source, then bind mount that one to the named
VE, to keep things tidy.

Roberto
http://blog.divisiblebyfour.org/
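An added check, written by the editor and not part of Roberto's post or of vzctl, for confirming from the hardware node that a VE's /tmp bind mount is actually present in /proc/mounts with nosuid and noexec. It compares the mount point as a whole field rather than grepping for a substring, and it reads a constructed /proc/mounts sample embedded in the script; the paths follow the /path/to/vz/root/VEID/tmp layout used in the thread and are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: verify that a VE's /tmp bind
# mount is present in /proc/mounts and carries nosuid,noexec. The mount
# point is compared as a whole field, so /path/to/vz/root/101/tmp2 or a
# longer path containing the string does not count as a match.

# is_mounted_with_opts MOUNTPOINT OPT...
# Reads /proc/mounts-style lines from stdin. Returns 0 when MOUNTPOINT is
# the mount point field of some line and every OPT is in that line's
# option list; returns 1 otherwise.
is_mounted_with_opts() {
    mountpoint="$1"; shift
    while read -r dev mnt fstype opts rest; do
        [ "$mnt" = "$mountpoint" ] || continue
        for want in "$@"; do
            case ",$opts," in
                *",$want,"*) ;;
                *) return 1 ;;   # mounted, but without this option
            esac
        done
        return 0
    done
    return 1   # no line had this mount point
}

# Constructed sample of /proc/mounts content (not captured from a real host).
# VE 101 has the hardened bind mount, VE 102 has a bind mount without the
# options, and 101/tmp2 is a decoy that a substring grep would match.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda1 /path/to/vz/root/101/tmp ext3 rw,nosuid,noexec,relatime 0 0
/dev/sda1 /path/to/vz/root/102/tmp ext3 rw,relatime 0 0
/dev/sda1 /path/to/vz/root/101/tmp2 ext3 rw,relatime 0 0
EOF
}

# ve_tmp_status VEID -> prints "ok", "unhardened" or "missing"; always
# returns 0 so it can be called at top level under set -e.
# On a real HN, replace sample_mounts with: cat /proc/mounts
ve_tmp_status() {
    path="/path/to/vz/root/$1/tmp"
    if sample_mounts | is_mounted_with_opts "$path" nosuid noexec; then
        echo ok
    elif sample_mounts | is_mounted_with_opts "$path"; then
        echo unhardened
    else
        echo missing
    fi
}

for ve in 101 102 103; do
    echo "VE $ve /tmp: $(ve_tmp_status "$ve")"
done
```

Run against the sample it reports VE 101 as ok, VE 102 as unhardened (bind mounted, but without the options) and VE 103 as missing. Since the mount was made with -n it is absent from /etc/mtab, so /proc/mounts is the only place this check can read from; the same exact-field match is what the .umount hook should use before calling umount.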
