[libvirt] These patches needed to mount the securityfs in containers.

Simple patch to make sure /sys/kernel/security is mounted inside the container. Systemd attempts to use/mount this file system if it is not present.

One of these days I will figure out how to merge patches.

securityfs has to be mounted after /sys... Also want to mount it readonly.

(Sent patches to wrong list, originally)

On Fri, Feb 01, 2013 at 11:19:49AM -0500, Daniel J Walsh wrote:
Simple patch to make sure /sys/kernel/security is mounted inside the container. Systemd attempts to use/mount this file system if it is not present.
One of these days I will figure out how to merge patches.
First of all, you should do all your work on a branch and not on 'master'. eg, let's assume you did some work on a branch 'some-fix' which has 2 patches:

  git checkout -b some-fix
  ...do work..
  git add -u
  git commit
  ...do more work..
  git add -u
  git commit

Now you want to turn this into one single patch for submission.

  git rebase -i master

....it now displays a list of patches in 'vi'...

To merge two patches into one, just change the 'pick' word against the 2nd patch into 'squash'. This causes it to merge the 2nd patch into the first patch and lets you update the commit message.
From 502f11954550bdd67f9999dc4b668f7ed2317449 Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@redhat.com>
Date: Tue, 6 Nov 2012 13:26:50 -0500
Subject: [PATCH 2/5] Add securityfs mounted on /sys/kernel/security for containers

---
 src/lxc/lxc_container.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c index 8faa664..e06313e 100644 --- a/src/lxc/lxc_container.c +++ b/src/lxc/lxc_container.c @@ -521,6 +521,7 @@ static int lxcContainerMountBasicFS(bool pivotRoot, { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV }, { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND }, { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY }, + { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY }, { "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV }, { "sysfs", "/sys", "sysfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY }, #if HAVE_SELINUX -- 1.8.0
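Review bot: the added `securityfs` row cannot succeed as written. `MS_BIND|MS_REMOUNT|MS_RDONLY` only changes the flags of a mount that already exists, and nothing earlier in the table mounts securityfs; the row is also placed ahead of the two `sysfs` rows, so /sys/kernel/security is not present as a directory at that point either. Follow the pattern of the `/proc/sys` rows just above: one fresh mount (`{ "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV }`) followed by the read-only remount, both placed after the `sysfs` entries.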
From ead9b3e6f81eccb133b7cca5ef0b83595f5aa132 Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@redhat.com>
Date: Tue, 6 Nov 2012 15:07:21 -0500
Subject: [PATCH 3/5] Allow lxc_container to mount securityfs within the container

---
 src/lxc/lxc_container.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c index 17f685d..9030c27 100644 --- a/src/lxc/lxc_container.c +++ b/src/lxc/lxc_container.c @@ -521,9 +521,10 @@ static int lxcContainerMountBasicFS(bool pivotRoot, { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV }, { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND }, { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY }, - { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY }, { "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV }, { "sysfs", "/sys", "sysfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY }, + { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV }, + { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY }, #if HAVE_SELINUX { SELINUX_MOUNT, SELINUX_MOUNT, "selinuxfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV }, { SELINUX_MOUNT, SELINUX_MOUNT, NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
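Review bot: squash this into 2/5 rather than sending it as a separate patch; it exists only to move and correct the row that 2/5 introduced, so the series as posted is not bisectable. The ordering itself is right: the fresh `securityfs` mount followed by the `MS_BIND|MS_REMOUNT|MS_RDONLY` remount, placed after the `sysfs` rows, matches the neighbouring `/proc/sys` and `selinuxfs` pairs. One point to confirm outside the hunk: the `selinuxfs` rows are guarded by `#if HAVE_SELINUX`, while the new rows have no guard, so a failed securityfs mount on a host kernel that does not provide that filesystem needs to be non-fatal in the loop that walks this table.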
If they were combined, these patches would be good.

Daniel

-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
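The ordering constraint Dan states in his first mail (securityfs after /sys, then remounted read-only) is exactly the kind of thing a table-driven mount loop cannot express by itself: the table is only correct if the rows are in the right order. The following is an added example and not libvirt code: a small consistency check over an lxc_container.c-style mount table that flags a remount row with no base mount and a fresh mount whose target sits inside a filesystem the table mounts only later. The `struct basic_mount` shape and the two tables are reconstructed from the hunks quoted in this thread (the `selinuxfs` rows are omitted because `SELINUX_MOUNT` is not defined on this page); `check_mount_order`, `path_under`, `check_patch2` and `check_patch3` are this example's own names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>

/* Linux ABI values, used only where <sys/mount.h> does not define the flag. */
#ifndef MS_RDONLY
#define MS_RDONLY   1UL
#endif
#ifndef MS_NOSUID
#define MS_NOSUID   2UL
#endif
#ifndef MS_NODEV
#define MS_NODEV    4UL
#endif
#ifndef MS_NOEXEC
#define MS_NOEXEC   8UL
#endif
#ifndef MS_REMOUNT
#define MS_REMOUNT  32UL
#endif
#ifndef MS_BIND
#define MS_BIND     4096UL
#endif

/* One row of an lxcContainerMountBasicFS-style table (shape reconstructed from the hunks). */
struct basic_mount {
    const char *src;
    const char *dst;
    const char *type;
    const char *opts;
    unsigned long mflags;
};

/* True when `path` is `prefix` itself or lies beneath it as a path component. */
static bool path_under(const char *path, const char *prefix)
{
    size_t n = strlen(prefix);
    return strncmp(path, prefix, n) == 0 && (path[n] == '\0' || path[n] == '/');
}

/* Walk the table in order, as the mount loop would, and return -1 if every
 * row can succeed, otherwise the index of the first row that cannot:
 *  - a MS_REMOUNT row with no earlier fresh mount on the same target
 *    (MS_REMOUNT only changes flags on a mount that already exists), or
 *  - a fresh mount whose target lives inside a filesystem that the table
 *    mounts only later, so the mountpoint directory does not exist yet. */
int check_mount_order(const struct basic_mount *tbl, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (tbl[i].mflags & MS_REMOUNT) {
            bool have_base = false;
            for (size_t j = 0; j < i && !have_base; j++)
                if (!(tbl[j].mflags & MS_REMOUNT) &&
                    strcmp(tbl[j].dst, tbl[i].dst) == 0)
                    have_base = true;
            if (!have_base)
                return (int)i;
        } else {
            for (size_t j = i + 1; j < n; j++)
                if (!(tbl[j].mflags & MS_REMOUNT) &&
                    strcmp(tbl[j].dst, tbl[i].dst) != 0 &&
                    path_under(tbl[i].dst, tbl[j].dst))
                    return (int)i;
        }
    }
    return -1;
}

/* Table as patch 2/5 leaves it: the securityfs row is a remount with no base mount and precedes /sys. */
static const struct basic_mount patch2_table[] = {
    { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
    { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND },
    { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
    { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
    { "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
    { "sysfs", "/sys", "sysfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
};

/* Table as patch 3/5 leaves it: fresh mount after /sys, then the read-only remount. */
static const struct basic_mount patch3_table[] = {
    { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
    { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND },
    { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
    { "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
    { "sysfs", "/sys", "sysfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
    { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
    { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
};

#define NROWS(t) (sizeof(t) / sizeof((t)[0]))

int check_patch2(void) { return check_mount_order(patch2_table, NROWS(patch2_table)); }
int check_patch3(void) { return check_mount_order(patch3_table, NROWS(patch3_table)); }

int main(void)
{
    int bad2 = check_patch2();
    int bad3 = check_patch3();
    if (bad2 >= 0)
        printf("patch 2/5 table: row %d (%s on %s) cannot succeed\n",
               bad2, patch2_table[bad2].src, patch2_table[bad2].dst);
    printf("patch 3/5 table: %s\n", bad3 < 0 ? "consistent" : "inconsistent");
    return 0;
}
```

Run against the 2/5 table the check stops at row 3, the securityfs remount, for both reasons at once (no base mount, and /sys is only mounted at row 4); the 3/5 table passes. A check like this is cheap to keep next to the real table so that a future row added in the wrong place fails at build or test time rather than as an EINVAL from mount(2) inside a container.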