[libvirt] [PATCH] Don't mount /dev for application containers

From: "Daniel P. Berrange" <berrange@redhat.com>
An application container shouldn't get a private /dev. Fix the regression from 6d37888e6a35a37e6faf7c0a1b1b4d9a5dee1285
* src/lxc/lxc_container.c: Don't mount /dev for app containers
---
 src/lxc/lxc_container.c | 34 ++++++++++++++++++++++------------
 1 files changed, 22 insertions(+), 12 deletions(-)
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index e73128d..cc72586 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -403,9 +403,10 @@ err:
 }
-static int lxcContainerMountBasicFS(const char *srcprefix)
+static int lxcContainerMountBasicFS(const char *srcprefix, bool pivotRoot)
 {
     const struct {
+        bool onlyPivotRoot;
         bool needPrefix;
         const char *src;
         const char *dst;
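Review bot: The new `onlyPivotRoot` field added to the mount table struct in this hunk carries no comment, and because the table is initialised positionally with two adjacent bools, its meaning is only recoverable by reading the loop body further down. A one-line comment at the declaration would make the two flags read distinctly, e.g. `bool onlyPivotRoot; /* mount only when the container gets its own root FS (pivot_root); skipped for app containers */`. The `needPrefix` field next to it would benefit from the same treatment, but that is pre-existing. lxcContainerMountBasicFS continues past the end of this hunk.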
@@ -419,20 +420,28 @@ static int lxcContainerMountBasicFS(const char *srcprefix)
      * mount point in the main OS becomes readonly too which si not what
      * we want. Hence some things have two entries here. */
-        { false, "devfs", "/dev", "tmpfs", "mode=755", MS_NOSUID },
-        { false, "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
-        { false, "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND },
-        { false, "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
-        { true, "/sys", "/sys", NULL, NULL, MS_BIND },
-        { true, "/sys", "/sys", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
-        { true, "/selinux", "/selinux", NULL, NULL, MS_BIND },
-        { true, "/selinux", "/selinux", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
+        { true, false, "devfs", "/dev", "tmpfs", "mode=755", MS_NOSUID },
+        { false, false, "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
+        { false, false, "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND },
+        { false, false, "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
+        { false, true, "/sys", "/sys", NULL, NULL, MS_BIND },
+        { false, true, "/sys", "/sys", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
+        { false, true, "/selinux", "/selinux", NULL, NULL, MS_BIND },
+        { false, true, "/selinux", "/selinux", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
     };
     int i, rc = -1;
+    VIR_DEBUG("Mounting basic filesystems %s pivotRoot=%d", NULLSTR(srcprefix), pivotRoot);
+
     for (i = 0 ; i < ARRAY_CARDINALITY(mnts) ; i++) {
         char *src = NULL;
         const char *srcpath = NULL;
+
+        VIR_DEBUG("Consider %s onlyPivotRoot=%d",
+                  mnts[i].src, mnts[i].onlyPivotRoot);
+        if (mnts[i].onlyPivotRoot && !pivotRoot)
+            continue;
+
         if (virFileMakePath(mnts[i].dst) < 0) {
             virReportSystemError(errno, _("Failed to mkdir %s"),
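Review bot: Marking the `/dev` row `onlyPivotRoot` means an app container (the `pivotRoot=false` caller) no longer gets a private tmpfs `/dev` and instead sees whatever `/dev` its mount namespace inherited, i.e. the host's device nodes; the commit message says this is the intended behaviour, but nothing in the table records that, so a later reader may take the asymmetry for an oversight and flip it back. Add a comment on that row, e.g. `/* private tmpfs /dev only for full OS containers; app containers deliberately share the host /dev */`. Note the `continue` is correctly placed before virFileMakePath(), so a skipped row does not leave a stray directory behind. Whether the app container is otherwise isolated from host `/dev` by its own mount namespace is not visible in this hunk and should be confirmed at the `pivotRoot=false` call site; lxcContainerMountBasicFS starts and ends outside this hunk.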
@@ -455,6 +464,8 @@ static int lxcContainerMountBasicFS(const char *srcprefix)
             (access(srcpath, R_OK) < 0))
             continue;
+        VIR_DEBUG("Mount %s on %s type=%s flags=%d, opts=%s",
+                  srcpath, mnts[i].dst, mnts[i].type, mnts[i].mflags, mnts[i].opts);
         if (mount(srcpath, mnts[i].dst, mnts[i].type, mnts[i].mflags, mnts[i].opts) < 0) {
             VIR_FREE(src);
             virReportSystemError(errno,
@@ -915,7 +926,7 @@ static int lxcContainerSetupPivotRoot(virDomainDefPtr vmDef,
         return -1;
     /* Mounts the core /proc, /sys, etc filesystems */
-    if (lxcContainerMountBasicFS("/.oldroot") < 0)
+    if (lxcContainerMountBasicFS("/.oldroot", true) < 0)
         return -1;
     /* Mounts /dev and /dev/pts */
@@ -959,8 +970,7 @@ static int lxcContainerSetupExtraMounts(virDomainDefPtr vmDef)
         return -1;
     /* Mounts the core /proc, /sys, etc filesystems */
-    VIR_DEBUG("Mounting basic FS");
-    if (lxcContainerMountBasicFS(NULL) < 0)
+    if (lxcContainerMountBasicFS(NULL, false) < 0)
         return -1;
     VIR_DEBUG("Mounting completed");
-- 
1.7.6
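Review bot: The VIR_DEBUG added in the -455 hunk passes `mnts[i].type` and `mnts[i].opts` to `%s`, and both are NULL for the bind-mount rows of the table (the `/proc/sys`, `/sys` and `/selinux` entries, and `opts` is NULL for `/proc` too), so the call relies on glibc printing "(null)" rather than on defined behaviour and will trip -Wformat style checks. The same patch already wraps `srcprefix` in NULLSTR() for the earlier "Mounting basic filesystems" debug line; do the same here: `VIR_DEBUG("Mount %s on %s type=%s flags=%d, opts=%s", srcpath, mnts[i].dst, NULLSTR(mnts[i].type), mnts[i].mflags, NULLSTR(mnts[i].opts));`. The enclosing lxcContainerMountBasicFS starts and ends outside this hunk.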

On 08/04/2011 10:17 AM, Daniel P. Berrange wrote:
From: "Daniel P. Berrange"<berrange@redhat.com>
An application container shouldn't get a private /dev. Fix the regression from 6d37888e6a35a37e6faf7c0a1b1b4d9a5dee1285
* src/lxc/lxc_container.c: Don't mount /dev for app containers --- src/lxc/lxc_container.c | 34 ++++++++++++++++++++++------------ 1 files changed, 22 insertions(+), 12 deletions(-)
@@ -419,20 +420,28 @@ static int lxcContainerMountBasicFS(const char *srcprefix) * mount point in the main OS becomes readonly too which si not what
pre-existing, but while you're here: s/si/is/
* we want. Hence some things have two entries here. */ - { false, "devfs", "/dev", "tmpfs", "mode=755", MS_NOSUID }, - { false, "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV }, - { false, "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND }, - { false, "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY }, - { true, "/sys", "/sys", NULL, NULL, MS_BIND }, - { true, "/sys", "/sys", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY }, - { true, "/selinux", "/selinux", NULL, NULL, MS_BIND }, - { true, "/selinux", "/selinux", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY }, + { true, false, "devfs", "/dev", "tmpfs", "mode=755", MS_NOSUID },
Adding the new bool at the front of the struct threw me for a loop on my first read, but it looks correct, so not a problem. ACK with the typo fix squashed in. -- Eric Blake eblake@redhat.com +1-801-349-2682 Libvirt virtualization library http://libvirt.org