[Libguestfs] Notes on building libguestfs in a systemd-nspawn container

Kashyap Chamarthy kchamart at redhat.com
Thu Jan 30 11:37:23 UTC 2014


On 01/30/2014 04:38 PM, Daniel P. Berrange wrote:

[. . .]

>>
>> Despite reading from the `systemd-nspawn` man page:
>>
>>  ". . .kernel modules may not be loaded from within the container."
>>
>> I purposefully tried from inside the container:
> 
> With container based virt there is only one kernel image,

Noted, that's one of the main aspects, right, of containers: a single
kernel (also a single point of attack surface; no custom kernels, etc.)[1]

But I see the use-case of systemd-nspawn: quick development/debugging
just like chroot, but better.

> so any
> modules you want must be loaded in the host. Libvirt "passthrough"
> of char/block devices simply involves libvirt doing mknod in the
> /dev tmpfs it sets up. The container itself is blocked from doing
> any 'mknod' calls since that'd be a security risk. Hence you must
> list any desired device nodes in the XML config.

Thanks for the explanation. I have to try libvirt-lxc tools next. Also
on my todo-list to try:

  $ virt-sandbox mock

  [Build a package]

I see that the above provides a default SELinux 'seclabel' element. Have
to test yet.

Meanwhile, I stumbled across an upstream thread[2][3] of yours this
morning & learnt re: a regression with user-namespace containers.


  [1] http://rwmj.wordpress.com/2013/06/19/the-boring-truth-full-virtualization-and-containerization-both-have-their-place/
  [2] https://lists.linuxfoundation.org/pipermail/containers/2013-November/033635.html
  [3] https://bugzilla.redhat.com/show_bug.cgi?id=917708

-- 
/kashyap
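An added example (editor's note, not part of the original mail and not taken from the libvirt or libguestfs project sources) of what "list any desired device nodes in the XML config" looks like for a libvirt LXC domain: the host keeps the kernel and the modules, the container cannot mknod, so every char/block node the guest needs is declared up front with a `<hostdev mode='capabilities'>` element and libvirt creates it in the container's private /dev tmpfs. The domain name, the root filesystem path and the two device nodes (/dev/sdf1 and /dev/kvm) are constructed for illustration; the `<seclabel>` element is the SELinux labelling Kashyap mentions wanting to test.

```xml
<!-- Constructed example of a libvirt LXC domain: not from the original post.
     Device nodes are listed explicitly because the container is denied mknod. -->
<domain type='lxc'>
  <name>guestfs-devel</name>                <!-- assumed name -->
  <memory unit='MiB'>1024</memory>
  <os>
    <type>exe</type>
    <init>/bin/sh</init>
  </os>
  <devices>
    <!-- Container root: an assumed directory on the host, bind-mounted as / -->
    <filesystem type='mount'>
      <source dir='/srv/guestfs-devel'/>
      <target dir='/'/>
    </filesystem>

    <!-- Block device passthrough: libvirt does the mknod in the container's
         /dev tmpfs; the container itself never gets to call mknod. -->
    <hostdev mode='capabilities' type='storage'>
      <source>
        <block>/dev/sdf1</block>             <!-- assumed device -->
      </source>
    </hostdev>

    <!-- Char device passthrough, same mechanism. /dev/kvm is assumed here
         as the node a libguestfs test run would want; its module must
         already be loaded on the host, since the container cannot load it. -->
    <hostdev mode='capabilities' type='misc'>
      <source>
        <char>/dev/kvm</char>
      </source>
    </hostdev>

    <console type='pty'/>
  </devices>

  <!-- Let libvirt pick a per-container SELinux label (dynamic labelling),
       so the container process and its devices are confined independently
       of other containers on the host. -->
  <seclabel type='dynamic' model='selinux'/>
</domain>
```

Anything not listed under `<devices>` simply does not exist inside the container's /dev; a build that unexpectedly needs another node fails with ENOENT rather than silently escaping confinement, which is the property one actually wants from this design.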



