On Fri, Feb 01, 2013 at 11:19:49AM -0500, Daniel J Walsh wrote:
Simple patch to make sure /sys/kernel/security is mounted inside the
container. Systemd attempts to use/mount this file system if it is not present.
One of these days I will figure out how to merge patches.
First of all, you should do all your work on a branch
and not on 'master'.
e.g., let's assume you did some work on a branch 'some-fix'
which has 2 patches
git checkout -b some-fix
...do work..
git add -u
git commit
...do more work..
git add -u
git commit
Now you want to turn this into one single patch for submission.
git rebase -i master
....it now displays a list of patches in 'vi'...
To merge two patches into one, just change the 'pick' word
against the 2nd patch into 'squash'. This causes it to merge
the 2nd patch into the first patch and lets you update the
commit message.
From 502f11954550bdd67f9999dc4b668f7ed2317449 Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh(a)redhat.com>
Date: Tue, 6 Nov 2012 13:26:50 -0500
Subject: [PATCH 2/5] Add securityfs mounted on /sys/kernel/security for containers
---
src/lxc/lxc_container.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index 8faa664..e06313e 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -521,6 +521,7 @@ static int lxcContainerMountBasicFS(bool pivotRoot,
{ "proc", "/proc", "proc", NULL,
MS_NOSUID|MS_NOEXEC|MS_NODEV },
{ "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND },
{ "/proc/sys", "/proc/sys", NULL, NULL,
MS_BIND|MS_REMOUNT|MS_RDONLY },
+ { "securityfs", "/sys/kernel/security",
"securityfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
{ "sysfs", "/sys", "sysfs", NULL,
MS_NOSUID|MS_NOEXEC|MS_NODEV },
{ "sysfs", "/sys", "sysfs", NULL,
MS_BIND|MS_REMOUNT|MS_RDONLY },
#if HAVE_SELINUX
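Review bot: the added entry `{ "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY }` is only a read-only bind remount and has no matching fresh mount of securityfs, and it is ordered before the `{ "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV }` entry, so at that point /sys is not mounted yet and /sys/kernel/security does not exist for the remount to act on. Follow the pattern the sysfs entries in this same hunk use: one fresh mount with MS_NOSUID|MS_NOEXEC|MS_NODEV, then the MS_BIND|MS_REMOUNT|MS_RDONLY entry, both placed after /sys has been mounted.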
--
1.8.0
From ead9b3e6f81eccb133b7cca5ef0b83595f5aa132 Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh(a)redhat.com>
Date: Tue, 6 Nov 2012 15:07:21 -0500
Subject: [PATCH 3/5] Allow lxc_container to mount securityfs within the container
---
src/lxc/lxc_container.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index 17f685d..9030c27 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -521,9 +521,10 @@ static int lxcContainerMountBasicFS(bool pivotRoot,
{ "proc", "/proc", "proc", NULL,
MS_NOSUID|MS_NOEXEC|MS_NODEV },
{ "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND },
{ "/proc/sys", "/proc/sys", NULL, NULL,
MS_BIND|MS_REMOUNT|MS_RDONLY },
- { "securityfs", "/sys/kernel/security",
"securityfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
{ "sysfs", "/sys", "sysfs", NULL,
MS_NOSUID|MS_NOEXEC|MS_NODEV },
{ "sysfs", "/sys", "sysfs", NULL,
MS_BIND|MS_REMOUNT|MS_RDONLY },
+ { "securityfs", "/sys/kernel/security",
"securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
+ { "securityfs", "/sys/kernel/security",
"securityfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
#if HAVE_SELINUX
{ SELINUX_MOUNT, SELINUX_MOUNT, "selinuxfs", NULL,
MS_NOSUID|MS_NOEXEC|MS_NODEV },
{ SELINUX_MOUNT, SELINUX_MOUNT, NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
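Review bot: this hunk removes the securityfs line that 2/5 just added and re-adds it as the fresh-mount plus read-only-remount pair after the sysfs entries, so it is a fixup of the previous patch rather than a separate change and should be squashed into 2/5, otherwise the series carries an intermediate commit whose mount table remounts a path that is not mounted yet. One consistency point in the re-added pair: the remount entry `"securityfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY` passes a filesystem type, whereas the selinuxfs remount entry directly below it passes `NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY`; the type is not used for a bind remount, so NULL would match the surrounding entries.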
If they were combined, these patches would be good.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
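The squash step described in the reply, as an added example that is not part of the thread or of libvirt: the 'pick' to 'squash' edit is done by a scripted GIT_SEQUENCE_EDITOR instead of vi, and a constructed repository with a 'master' branch and a two-commit 'some-fix' branch stands in for the real tree. Function names and the repository contents are made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread: the "pick -> squash" edit Daniel
# describes, done non-interactively. Function and repo names are made up.
set -e

# squash_branch <repo> <base> <topic>
# Rewrites <topic> so that it carries exactly one commit on top of <base>;
# all of its commits are squashed into the first one.
squash_branch() {
    repo=$1; base=$2; topic=$3
    editor=$(mktemp)
    # Stand-in for the 'vi' session: keep the first "pick" line of the
    # rebase todo list and turn every later "pick" into "squash".
    cat >"$editor" <<'EOF'
#!/bin/sh
tmp=$(mktemp)
awk '$1 == "pick" { if (seen) $1 = "squash"; seen = 1 } { print }' "$1" >"$tmp"
mv "$tmp" "$1"
EOF
    chmod +x "$editor"
    git -C "$repo" checkout -q "$topic"
    # GIT_EDITOR=true accepts the combined commit message without editing.
    GIT_SEQUENCE_EDITOR="$editor" GIT_EDITOR=true git -C "$repo" rebase -i "$base"
    rm -f "$editor"
}

# count_commits_over <repo> <base> <topic>: commits <topic> adds over <base>
count_commits_over() {
    git -C "$1" rev-list --count "$2..$3"
}

# make_demo_repo <dir>: constructed repository with 'master' and a two-commit
# 'some-fix' branch, mirroring the situation in the mail.
make_demo_repo() {
    dir=$1
    export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
    export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
    git init -q "$dir"
    git -C "$dir" symbolic-ref HEAD refs/heads/master
    echo base >"$dir/file"
    git -C "$dir" add file
    git -C "$dir" commit -q -m "initial"
    git -C "$dir" checkout -q -b some-fix
    echo one >>"$dir/file"; git -C "$dir" commit -q -am "Add securityfs mount"
    echo two >>"$dir/file"; git -C "$dir" commit -q -am "Fix mount ordering"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); make_demo_repo "$d"
    squash_branch "$d" master some-fix
    echo "commits over master: $(count_commits_over "$d" master some-fix)"
    rm -rf "$d"
fi
```

Run with `--demo` to see the two-commit branch collapse to one commit over master; `git format-patch master` on the result then yields the single patch for submission.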