Right now, securityfs is disallowed to be mounted in un init user namespace, we should avoid to mount securityfs in the container which enables user namespace. Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com> --- src/lxc/lxc_container.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c index 8abaea0..c41ab40 100644 --- a/src/lxc/lxc_container.c +++ b/src/lxc/lxc_container.c @@ -750,7 +750,7 @@ err: } -static int lxcContainerMountBasicFS(void) +static int lxcContainerMountBasicFS(bool userns_enabled) { const struct { const char *src; @@ -801,6 +801,9 @@ static int lxcContainerMountBasicFS(void) continue; #endif + if (STREQ(mnts[i].src, "securityfs") && userns_enabled) + continue; + if (virFileMakePath(mnts[i].dst) < 0) { virReportSystemError(errno, _("Failed to mkdir %s"), @@ -1530,7 +1533,7 @@ static int lxcContainerSetupPivotRoot(virDomainDefPtr vmDef, goto cleanup; /* Mounts the core /proc, /sys, etc filesystems */ - if (lxcContainerMountBasicFS() < 0) + if (lxcContainerMountBasicFS(vmDef->idmap.nuidmap) < 0) goto cleanup; /* Mounts /proc/meminfo etc sysinfo */ -- 1.8.3.1