On Thu, Nov 24, 2016 at 03:48:10PM +0100, Michal Privoznik wrote:
Given how intrusive previous patches are, it might happen that
there's a bug or imperfection. Let's give users a way out: if they
set 'containerize' to false in qemu.conf the feature is
suppressed.
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
src/qemu/libvirtd_qemu.aug | 1 +
src/qemu/qemu.conf | 8 ++++++++
src/qemu/qemu_conf.c | 5 +++++
src/qemu/qemu_conf.h | 2 ++
src/qemu/qemu_domain.c | 3 ++-
src/qemu/test_libvirtd_qemu.aug.in | 1 +
6 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug
index f3cc9e6..5bd7f2f 100644
--- a/src/qemu/libvirtd_qemu.aug
+++ b/src/qemu/libvirtd_qemu.aug
@@ -70,6 +70,7 @@ module Libvirtd_qemu =
| str_array_entry "cgroup_controllers"
| str_array_entry "cgroup_device_acl"
| int_entry "seccomp_sandbox"
+ | bool_entry "containerize"
let save_entry = str_entry "save_image_format"
| str_entry "dump_image_format"
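Review bot: the new lens entry is typed as `bool_entry "containerize"`, so it is tied to the current boolean key; if the key is reworked into a list as suggested below (`namespaces = [ "mount" ]`), this line becomes a `str_array_entry` alongside `cgroup_controllers` and the matching entry in src/qemu/test_libvirtd_qemu.aug.in (listed in the diffstat but not shown here) has to change with it. Keeping the lens, the test lens and the qemu.conf key in lockstep is what lets augtool validate edits to the config.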
diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
index 2b2bd60..26308a3 100644
--- a/src/qemu/qemu.conf
+++ b/src/qemu/qemu.conf
@@ -665,3 +665,11 @@
# Defaults to 4
#
#gluster_debug_level = 9
+
+# To enhance security, QEMU driver is capable of mounting private
+# devtmpfs for each domain started. This means qemu process is
+# unable to see all the devices on the system, just those
+# configured for the domain in question. Libvirt manages device
+# entries throughout the domain lifetime. This is turned on by
+# default.
+#containerize = 1
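Review bot: the comment block documents what the feature does but not what turning it off means; since `containerize = 1` is the default and this knob exists only as an escape hatch, the text should say explicitly that setting it to 0 disables the per-domain private devtmpfs and restores the previous behaviour where the qemu process can see every device node on the host. Stating the accepted values (0/1) and the reduced device isolation makes the tradeoff clear to an admin flipping it, and "QEMU driver is capable" reads better as "the QEMU driver is capable".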
Similarly to my earlier question, I wonder if we're better off
explicitly referring to the namespace we're actually using to
make future enhancements simpler. e.g. allow either
namespaces = [ "mount" ]
or
namespaces = [ ]
so we can extend this to non-mount namespaces later if desired.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://entangle-photo.org -o- http://search.cpan.org/~danberr/ :|