11:17 a.m.
From: "Daniel P. Berrange" <berrange(a)redhat.com>
Currently to make sysfs readonly, we remount the existing
instance and then bind it readonly. Unfortunately this means
sysfs is still showing device objects wrt the host OS namespace.
We need it to reflect the container namespace, so we must mount
a completely new instance of it.
* src/lxc/lxc_container.c: Mount fresh sysfs instance
---
src/lxc/lxc_container.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index b953646..77d33e1 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -441,8 +441,7 @@ static int lxcContainerMountBasicFS(lxc_child_argv_t *argv, const char
*srcprefi
{ false, "proc", "/proc", "proc", NULL,
MS_NOSUID|MS_NOEXEC|MS_NODEV },
{ false, "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND },
{ false, "/proc/sys", "/proc/sys", NULL, NULL,
MS_BIND|MS_REMOUNT|MS_RDONLY },
- { true, "/sys", "/sys", NULL, NULL, MS_BIND },
- { true, "/sys", "/sys", NULL, NULL,
MS_BIND|MS_REMOUNT|MS_RDONLY },
+ { false, "sysfs", "/sys", "sysfs", NULL,
MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY },
#if HAVE_SELINUX
{ true, SELINUX_MOUNT, SELINUX_MOUNT, NULL, NULL, MS_BIND },
{ true, SELINUX_MOUNT, SELINUX_MOUNT, NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY
},
--
1.7.10.1
3:25 p.m.
On 05/10/2012 10:17 AM, Daniel P. Berrange wrote:
From: "Daniel P. Berrange" <berrange(a)redhat.com>
Currently to make sysfs readonly, we remount the existing
instance and then bind it readonly. Unfortunately this means
sysfs is still showing device objects wrt the host OS namespace.
We need it to reflect the container namespace, so we must mount
a completely new instance of it.
* src/lxc/lxc_container.c: Mount fresh sysfs instance
---
src/lxc/lxc_container.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index b953646..77d33e1 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -441,8 +441,7 @@ static int lxcContainerMountBasicFS(lxc_child_argv_t *argv, const
char *srcprefi
{ false, "proc", "/proc", "proc", NULL,
MS_NOSUID|MS_NOEXEC|MS_NODEV },
{ false, "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND },
{ false, "/proc/sys", "/proc/sys", NULL, NULL,
MS_BIND|MS_REMOUNT|MS_RDONLY },
- { true, "/sys", "/sys", NULL, NULL, MS_BIND },
- { true, "/sys", "/sys", NULL, NULL,
MS_BIND|MS_REMOUNT|MS_RDONLY },
+ { false, "sysfs", "/sys", "sysfs", NULL,
MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY },
ACK.
--
Eric Blake eblake(a)redhat.com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
3:41 p.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 05/10/2012 04:25 PM, Eric Blake wrote:
On 05/10/2012 10:17 AM, Daniel P. Berrange wrote:
> From: "Daniel P. Berrange" <berrange(a)redhat.com>
>
> Currently to make sysfs readonly, we remount the existing instance and
> then bind it readonly. Unfortunately this means sysfs is still showing
> device objects wrt the host OS namespace. We need it to reflect the
> container namespace, so we must mount a completely new instance of it.
>
> * src/lxc/lxc_container.c: Mount fresh sysfs instance ---
> src/lxc/lxc_container.c | 3 +-- 1 file changed, 1 insertion(+), 2
> deletions(-)
>
> diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c index
> b953646..77d33e1 100644 --- a/src/lxc/lxc_container.c +++
> b/src/lxc/lxc_container.c @@ -441,8 +441,7 @@ static int
> lxcContainerMountBasicFS(lxc_child_argv_t *argv, const char *srcprefi {
> false, "proc", "/proc", "proc", NULL,
MS_NOSUID|MS_NOEXEC|MS_NODEV }, {
> false, "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND }, { false,
> "/proc/sys", "/proc/sys", NULL, NULL,
MS_BIND|MS_REMOUNT|MS_RDONLY }, -
> { true, "/sys", "/sys", NULL, NULL, MS_BIND }, - { true,
"/sys",
> "/sys", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY }, + { false,
> "sysfs", "/sys", "sysfs", NULL,
MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY
> },
ACK.
I have been testing this and it is working correctly now.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk+sKAwACgkQrlYvE4MpobOC1QCfeMOTUX9B60JkLhEn49/+Af3Z
wboAn3AzoUL1n3eoQOW2MO58leX7/Nzw
=47G8
-----END PGP SIGNATURE-----
11:50 a.m.
On Thu, May 10, 2012 at 04:41:49PM -0400, Daniel J Walsh wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 05/10/2012 04:25 PM, Eric Blake wrote:
> On 05/10/2012 10:17 AM, Daniel P. Berrange wrote:
>> From: "Daniel P. Berrange" <berrange(a)redhat.com>
>>
>> Currently to make sysfs readonly, we remount the existing instance and
>> then bind it readonly. Unfortunately this means sysfs is still showing
>> device objects wrt the host OS namespace. We need it to reflect the
>> container namespace, so we must mount a completely new instance of it.
>>
>> * src/lxc/lxc_container.c: Mount fresh sysfs instance ---
>> src/lxc/lxc_container.c | 3 +-- 1 file changed, 1 insertion(+), 2
>> deletions(-)
>>
>> diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c index
>> b953646..77d33e1 100644 --- a/src/lxc/lxc_container.c +++
>> b/src/lxc/lxc_container.c @@ -441,8 +441,7 @@ static int
>> lxcContainerMountBasicFS(lxc_child_argv_t *argv, const char *srcprefi {
>> false, "proc", "/proc", "proc", NULL,
MS_NOSUID|MS_NOEXEC|MS_NODEV }, {
>> false, "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND }, {
false,
>> "/proc/sys", "/proc/sys", NULL, NULL,
MS_BIND|MS_REMOUNT|MS_RDONLY }, -
>> { true, "/sys", "/sys", NULL, NULL, MS_BIND }, - {
true, "/sys",
>> "/sys", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY }, + { false,
>> "sysfs", "/sys", "sysfs", NULL,
MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY
>> },
>
> ACK.
>
I have been testing this and it is working correctly now.
While this works fine, I withdraw it in favour of a more complete
patch posted in this series
https://www.redhat.com/archives/libvir-list/2012-May/msg00671.html
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
4632
days inactive
4633
days old
3 comments
3 participants
participants (3)
-
Daniel J Walsh -
Daniel P. Berrange -
Eric Blake