On Fri, Jun 22, 2012 at 09:56:39AM -0400, Daniel J Walsh wrote:
We do not want to share /run between containers and the host. This patch
mounts a tmpfs on /run and then bind mounts /run on /var/run.
Reason this is patch 0003 is that this is a part of a previous patch set that
was never applied.
Sorry to those who are receiving this patch for the second time, as I sent it
first to the wrong list.
From c04fc4f506644d6621654f16198f5cefaa3ef7a1 Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh(a)redhat.com>
Date: Tue, 12 Jun 2012 12:08:16 -0400
Subject: [PATCH 03/10] Must mount /run before the lxc container starts
---
configure.ac | 2 +-
src/lxc/lxc_container.c | 17 +++++++++++++++++
src/security/security_selinux.c | 1 +
3 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index a1714c0..7a598e2 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -508,6 +508,23 @@ static int lxcContainerMountBasicFS(virDomainDefPtr def,
"devfs", "/dev",
"tmpfs");
goto cleanup;
}
+
+ VIR_DEBUG("Mount tmpfs on /run type=tmpfs flags=%x, opts=%s",
+ MS_NOSUID, opts);
+ if (mount("tmpfs", "/run", "tmpfs", MS_NOSUID |
MS_NODEV , opts) < 0) {
+ virReportSystemError(errno,
+ _("Failed to mount %s on %s type %s"),
+ "tmpfs", "/run",
"tmpfs");
+ goto cleanup;
+ }
+
+ VIR_DEBUG("Mount /run on /var/run type=bind");
+ if (mount("/run", "/var/run", "run", MS_BIND ,
NULL) < 0) {
+ virReportSystemError(errno,
+ _("Failed to mount %s on %s"),
+ "/run", "/var/run");
+ goto cleanup;
+ }
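Review bot: the private /run is set up unconditionally inside lxcContainerMountBasicFS, so every LXC guest loses sight of the host's /run with no per-domain way to opt out; gate the two new mounts on a domain-level setting, or leave /run to the domain's filesystem configuration, before this goes in. Two smaller points on the same lines: the tmpfs call passes the `opts` string that is already in scope from the earlier /dev mount, so if that string carries /dev-specific size or mode settings, /run silently inherits them rather than getting options of its own; and the bind mount passes `"run"` as the filesystem type, which mount(2) ignores when MS_BIND is set, so pass NULL there to avoid suggesting a real fstype. Adding MS_NOEXEC next to `MS_NOSUID | MS_NODEV` on the /run tmpfs would also match its role of holding only runtime state.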
Unfortunately, I realized now that we can't include such a patch. While
we clearly need a custom /run if we're to invoke systemd inside the
container, this is not the only use case for LXC. For other use cases,
it will be desirable to have the host's /run still visible.
I have pushed two patches to add support in libvirt XML for tmpfs and
bind mounts, and have code to replicate this behaviour using the
virt-sandbox-service code instead.
Daniel
--
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|