Mount host folder to guest with LXC 2.x, but do it readonly?

Question

NB: This question relates directly to this one and in particular to this answer, but it's not a duplicate.

I'd like to share a folder from the host with the guest, but make sure that the guest's root cannot accidentally write to that folder.

The folder in my case is /toolchains, both on the host and the guest. And it contains a number of GCC-based toolchains used for targeting different platforms.

Now the sharing itself is trivial:

lxc config device add CONTAINER toolchains disk source=/toolchains path=toolchains

Technically it seems to be a bind-mount. However, inside the container a remount to make it readonly fails:

# mount -o remount,ro /toolchains
mount: cannot mount /dev/sda1 read-only

Unfortunately this doesn't provide a great level of detail.

For good measure I also tried this alternative:

# mount -o remount,ro,bind /toolchains
mount: cannot mount /dev/sda1 read-only

which was mentioned in mount(8) under mount --bind,ro foo foo ...

What options do I have to achieve what I want? I.e. share the host folder as readonly with the guest. Should I use some kind of union FS here or is my only true chance of getting a readonly mount to 1.) use a CIFS share or 2.) use some hook to bind-mount the host folder via the mount command from the host into the guest root?

I'm using LXC 2.20.

Answer 1

What happens if you bind-mount your directory read-only on the host and then share it with the LXC container?

mount --bind /toolchains /toolchains-ro
mount -o remount,ro,bind /toolchains-ro
lxc config device add CONTAINER toolchains disk source=/toolchains-ro path=toolchains

Technically everything what is read-only on the host level should remain read-only in the container.