Unable to set mount option "noexec" on disk device

I am trying to get lxd to set a mount option noexec on a disk device of an unprivileged container, but it doesn’t work. The original file system has the noexec mount option set.

I understand that lxd performs an independent bind mount of the directory on container startup that sets its own mount options. So I tried
raw.mount.options: noexec
but with no success. Then I tried both
propagation: shared
and
propagation: slave
both also with no success.

What do I need to do to make lxd enforce the noexec mount option on a container’s disk device?

My setup is:
Distribution: Ubuntu 20.04
Kernel: 5.4.0-122-generic
lxd (installed via snap): 5.0.0

Please can you show lxc config show <instance>

I figured out what the issue was: a mount -o remount,noexec /data doesn’t do the trick, even when restarting the container afterwards. However, stopping the container, unmounting the directory, then mounting it again with the mount option noexec and finally starting the container works as expected, and the mount option is then propagated to the container’s disk device. Sorry for the “false alarm”.

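A check to confirm the outcome described in the thread, as an added example that is not part of the original posts or of LXD itself. noexec is a per-mount (VFS) flag, so it shows up in the sixth field of /proc/self/mountinfo for that mount point, not in the superblock options after the " - " separator; the script below parses that format and reports whether a given mount point carries noexec. The host path /data, the container name c1 and the /etc/fstab entry for /data are assumptions, and the mountinfo lines are constructed sample data so the check runs offline. The reapply_noexec function is the stop/umount/mount/start procedure from the thread and needs root; it is defined but not run by default.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: host directory /data,
# container named c1, an /etc/fstab entry for /data.

# has_noexec MOUNTINFO_TEXT MOUNTPOINT -> prints "yes", "no" or "absent".
# Field 5 of /proc/self/mountinfo is the mount point, field 6 the per-mount
# options. If a path is mounted over several times, the last line wins,
# which is what a process actually sees at that path.
has_noexec() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $5 == mp { opts = $6; found = 1 }
        END {
            if (!found) { print "absent"; exit }
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "noexec") { print "yes"; exit }
            print "no"
        }
    '
}

# Constructed sample in /proc/self/mountinfo format: /data carries noexec,
# the bind mount of the same filesystem at /mnt/bind does not (a bind mount
# gets its own per-mount flags, which is exactly the situation in the thread).
SAMPLE_MOUNTINFO='29 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
77 29 8:17 / /data rw,noexec,relatime shared:42 - ext4 /dev/sdb1 rw
91 77 8:17 / /mnt/bind rw,relatime shared:42 - ext4 /dev/sdb1 rw'

# check_live MOUNTPOINT -> same answer, read from the real mount table.
# Run it inside the container against the disk device's "path" to confirm
# the flag actually reached the container's view of the bind mount.
check_live() {
    has_noexec "$(cat /proc/self/mountinfo)" "$1"
}

# The fix that worked in the thread, as a host-side procedure (root needed).
# A plain "mount -o remount,noexec" on the host did not propagate to the
# container's bind mount; a full unmount/mount cycle with the container
# stopped did. Assumes /data is listed in /etc/fstab. Not run by default.
reapply_noexec() {
    lxc stop c1
    umount /data
    mount -o noexec /data
    lxc start c1
    # Inspect the mount as the container sees it (container path assumed /data).
    lxc exec c1 -- sh -c 'grep " /data " /proc/self/mountinfo'
}

has_noexec "$SAMPLE_MOUNTINFO" /data      # yes
has_noexec "$SAMPLE_MOUNTINFO" /mnt/bind  # no
```

Inside the container, run check_live with the path set on the disk device; "yes" means the noexec flag survived LXD's bind mount, "no" means it did not and the unmount/mount cycle above is needed.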