
On Thu, Nov 24, 2016 at 03:48:10PM +0100, Michal Privoznik wrote:
Given how intrusive previous patches are, it might happen that there's a bug or imperfection. Let's give users a way out: if they set 'containerize' to false in qemu.conf the feature is suppressed.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
 src/qemu/libvirtd_qemu.aug         | 1 +
 src/qemu/qemu.conf                 | 8 ++++++++
 src/qemu/qemu_conf.c               | 5 +++++
 src/qemu/qemu_conf.h               | 2 ++
 src/qemu/qemu_domain.c             | 3 ++-
 src/qemu/test_libvirtd_qemu.aug.in | 1 +
 6 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug index f3cc9e6..5bd7f2f 100644 --- a/src/qemu/libvirtd_qemu.aug +++ b/src/qemu/libvirtd_qemu.aug @@ -70,6 +70,7 @@ module Libvirtd_qemu = | str_array_entry "cgroup_controllers" | str_array_entry "cgroup_device_acl" | int_entry "seccomp_sandbox" + | bool_entry "containerize"
let save_entry = str_entry "save_image_format" | str_entry "dump_image_format" diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf index 2b2bd60..26308a3 100644 --- a/src/qemu/qemu.conf +++ b/src/qemu/qemu.conf @@ -665,3 +665,11 @@ # Defaults to 4 # #gluster_debug_level = 9 + +# To enhance security, QEMU driver is capable of mounting private +# devtmpfs for each domain started. This means qemu process is +# unable to see all the devices on the system, just those +# configured for the domain in question. Libvirt manages device +# entries throughout the domain lifetime. This is turned on by +# default. +#containerize = 1
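Review bot: the new qemu.conf comment explains what the private devtmpfs does but never says what setting the option to 0 means for the domain, which is the security trade-off an admin needs to see before flipping it; suggest adding a line such as "Setting this to 0 disables the private /dev and the qemu process sees every device node on the host." Minor grammar in the same block: "QEMU driver is capable" should read "the QEMU driver is capable" and "This means qemu process is unable" should read "This means the qemu process is unable".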
Similarly to my earlier question, I wonder if we're better off explicitly referring to the namespace we're actually using to make future enhancements simpler. e.g. allow either namespaces = [ "mount" ] or namespaces = [ ] so we can extend this to non-mount namespaces later if desired.

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://entangle-photo.org -o- http://search.cpan.org/~danberr/ :|