I am trying to get lxd to set the noexec mount option on a disk device of an unprivileged container, but it doesn’t work. The original file system has the noexec mount option set.
I understand that lxd performs an independent bind mount of the directory on container startup that sets its own mount options. So I tried
raw.mount.options: noexec
but with no success. Then I tried both
propagation: shared
and
propagation: slave
both also with no success.
What do I need to do to make lxd enforce the noexec mount option on a container’s disk device?
My setup is:
Distribution: Ubuntu 20.04
Kernel: 5.4.0-122-generic
lxd (installed via snap): 5.0.0
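Whatever the answer to the configuration question turns out to be, the thing worth verifying is what the kernel actually reports for the bind mount inside the container, since that is what gets enforced. The following is an added example, not code from the post above or from the LXD project: a small POSIX sh checker that parses `/proc/self/mountinfo`-format lines and reports whether a given mount point carries `noexec` among its per-mount (VFS) options. The two sample mountinfo lines are constructed, and the function names (`mount_opts_for`, `has_noexec`, `check_noexec`) are my own.

```shell
#!/bin/sh
# Added example (not from the original post): check whether a mount point
# carries the noexec VFS option, using the /proc/self/mountinfo line format:
#   id parent major:minor root target vfs-opts [optional...] - fstype source super-opts
# noexec is a per-mount VFS flag, so it lives in field 6, not in the
# super-block options after the " - " separator.

# Constructed sample: /data is mounted noexec, /other is not.
SAMPLE_MOUNTINFO='1043 1020 8:17 /srv/data /data rw,nosuid,nodev,noexec,relatime shared:500 - ext4 /dev/sdb1 rw
1044 1020 8:17 /srv/other /other rw,relatime shared:500 - ext4 /dev/sdb1 rw'

# Read mountinfo text on stdin; print the VFS option string (field 6) for
# the mount whose target (field 5) equals $1. Prints nothing if not found.
mount_opts_for() {
    awk -v t="$1" '$5 == t { print $6 }'
}

# Return 0 if noexec is among the VFS options of target $1 (mountinfo on stdin).
has_noexec() {
    opts="$(mount_opts_for "$1")"
    case ",$opts," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# $1 = mount target, $2 = mountinfo text to inspect.
# With $2 empty, the live /proc/self/mountinfo of the calling process is used,
# so running this inside the container checks what the container really sees.
check_noexec() {
    if [ -n "$2" ]; then
        printf '%s\n' "$2" | has_noexec "$1"
    else
        has_noexec "$1" < /proc/self/mountinfo
    fi
}

# Demonstration against the constructed sample.
for p in /data /other; do
    if check_noexec "$p" "$SAMPLE_MOUNTINFO"; then
        echo "$p: noexec enforced"
    else
        echo "$p: noexec NOT set"
    fi
done
```

To inspect a real container, run the script with the second argument left empty from inside the container (for example via `lxc exec <container> -- sh`), passing the device's `path` as the target; an empty result or a missing `noexec` means the option is not in effect regardless of what the host file system was mounted with.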