Bind mount with changing noexec?

This is a follow-up of How to set secondary volume mount options? - #11 by Lox with some variations.

On my host system, I have a drive mounted on /srv/ct/ct1data with noexec option since it’s ‘passive’ data which are better not to be executable. That folder is bind-mounted on my container, but for the container, it is supposed to be executable.

  1. Is it possible to tell LXD to mount that drive with the exec option in the container?
  2. According to the mentioned post, it seems it must be done from within the container’s fstab, but I didn’t manage to get it to work (notably, if I put it in the CT’s fstab, should I remove the bind mount from the configuration of the CT in LXD?)

Thank you very much for the help and tips!

PS: The server is running Debian 10, kernel 5.10, LXD 4.18 with btrfs storage (btrfs 5.4.1).

Have you tried bind mounting it on the host and then passing it in as a disk device?

Hi @tomp, could you detail your suggestion with an example? I’m not sure I understand. Thank you

I’m not sure, but maybe you could create a new bind mount on the host that isn’t noexec and then share that into the container using a disk device e.g. lxc config device add <instance> <device name> disk source=/path/on/host path=/path/in/instance

Thank you Thomas, your idea was very close to the solution.

Solution 1

  1. create directory /srv/ct1_exec and bind mount the original directory /srv/ct/ct1data to it: mount --bind /srv/ct/ct1data /srv/ct1_exec
  2. remount /srv/ct1_exec as executable: mount -o remount,exec /srv/ct1_exec
  3. mount /srv/ct1_exec in your container.
    As per mount man page, you cannot change the mount option with a bind mount, only with a remount.

Solution 2
Even more simple, I forgot that my source directory was also a btrfs subvolume. So step 1 is replaced with mount /dev/sdb /srv/ct1_exec -o subvol=ct1data

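The steps from Solution 1 with a check of the result, as an added example that is not part of the original posts: it confirms from mountinfo that the original path keeps noexec while only the new bind mount is executable. The container name ct1, device name ct1data and in-container path /data are assumptions, and the mountinfo lines are constructed sample data.

```shell
#!/bin/sh
# Added example. Assumed names: container "ct1", device "ct1data",
# in-container path "/data". Host paths are the ones used in the thread.

# Steps from Solution 1 (need root; defined here, not run automatically).
make_exec_view() {
    mkdir -p /srv/ct1_exec
    mount --bind /srv/ct/ct1data /srv/ct1_exec
    mount -o remount,exec /srv/ct1_exec
    lxc config device add ct1 ct1data disk source=/srv/ct1_exec path=/data
}

# Print the per-mount options (field 6 of mountinfo) of the top-most
# mount at mount point $1. $2 is an optional mountinfo file.
mount_opts() {
    awk -v mp="$1" '$5 == mp { o = $6 } END { if (o == "") exit 1; print o }' \
        "${2:-/proc/self/mountinfo}"
}

# Succeed if comma-separated option list $1 contains option $2.
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# Return 0 only if source $1 is still noexec and view $2 is not.
# Return 1 if the flags are wrong, 2 if either path is not a mount point.
check_exec_view() {
    src_opts=$(mount_opts "$1" "$3") || return 2
    view_opts=$(mount_opts "$2" "$3") || return 2
    has_opt "$src_opts" noexec || return 1
    has_opt "$view_opts" noexec && return 1
    return 0
}

# Constructed mountinfo lines showing the state expected after the remount.
sample_mountinfo() {
cat <<'EOF'
36 28 0:45 /ct1data /srv/ct/ct1data rw,noexec,relatime shared:20 - btrfs /dev/sdb rw,subvol=/ct1data
97 28 0:45 /ct1data /srv/ct1_exec rw,relatime shared:20 - btrfs /dev/sdb rw,subvol=/ct1data
EOF
}
```

On the host, run `check_exec_view /srv/ct/ct1data /srv/ct1_exec` as a check after `make_exec_view`; without a third argument it reads the live /proc/self/mountinfo.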