[Libguestfs] Notes on building libguestfs in a systemd-nspawn container

Kashyap Chamarthy kchamart at redhat.com
Thu Jan 30 11:45:37 UTC 2014


On 01/30/2014 05:10 PM, Daniel P. Berrange wrote:
> On Thu, Jan 30, 2014 at 05:07:23PM +0530, Kashyap Chamarthy wrote:
>> On 01/30/2014 04:38 PM, Daniel P. Berrange wrote:
>>
>> [. . .]
>>
>>>>
>>>> Despite reading from the `systemd-nspawn` man page:
>>>>
>>>>  ". . .kernel modules may not be loaded from within the container."
>>>>
>>>> I purposefully tried from inside the container:
>>>
>>> With container based virt there is only one kernel image,
>>
>> Noted, that's one of the main aspects, right, of containers: a single
>> kernel (also a single point of attack surface; no custom kernels, etc.)[1]
>>
>> But I see the use-case of systemd-nspawn: quick development/debugging
>> just like chroot, but better.
>>
>>> so any
>>> modules you want must be loaded in the host. Libvirt "passthrough"
>>> of char/block devices simply involves libvirt doing mknod in the
>>> /dev tmpfs it sets up. The container itself is blocked from doing
>>> any 'mknod' calls since that'd be a security risk. Hence you must
>>> list any desired device nodes in the XML config.
>>
>> Thanks for the explanation. I have to try libvirt-lxc tools next. Also
>> on my todo-list to try:
>>
>>   $ virt-sandbox mock
>>
>>   [Build a package]
>>
>> I see that the above provides a default SELinux 'seclabel' element. Have
>> to test yet.
>>
>> Meanwhile, I stumbled across an upstream thread[2][3] of yours this
>> morning & learnt re: a regression with user namespace containers
> 
> Nb user namespaces aren't relevant here. Nothing you're using / trying
> here involves user namespaces at all.

Sorry, I didn't mean to imply the two are connected (it was my poor
wording). I came across it while I was learning about user namespaces
and their current state in Fedora.

-- 
/kashyap
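
As an added illustration (not part of the original thread, and not
libvirt's own shipped configuration): a libvirt-lxc domain definition
showing what "list any desired device nodes in the XML config" looks like
in practice. Because the container cannot call mknod itself, every
char/block device the workload needs (here /dev/kvm and /dev/fuse for a
libguestfs build, plus one loop device) is declared as a
capabilities-mode hostdev so that libvirt creates the node in the /dev
tmpfs it sets up for the container. The container name, root filesystem
path, memory size and the chosen device paths are assumptions made for
the example; the hostdev/seclabel element syntax is the form documented
by libvirt for LXC guests.

```xml
<domain type='lxc'>
  <!-- Example only: names and paths are assumptions, not from the thread -->
  <name>libguestfs-build</name>
  <memory unit='MiB'>2048</memory>
  <os>
    <type>exe</type>
    <init>/bin/sh</init>
  </os>
  <devices>
    <emulator>/usr/libexec/libvirt_lxc</emulator>

    <!-- Container root: a directory tree on the host (assumed path) -->
    <filesystem type='mount'>
      <source dir='/var/lib/libvirt/lxc/libguestfs-build'/>
      <target dir='/'/>
    </filesystem>

    <!-- Character devices: libvirt does the mknod in the container's /dev.
         The kvm and fuse modules must already be loaded on the host;
         the container shares the host kernel and cannot load them. -->
    <hostdev mode='capabilities' type='misc'>
      <source>
        <char>/dev/kvm</char>
      </source>
    </hostdev>
    <hostdev mode='capabilities' type='misc'>
      <source>
        <char>/dev/fuse</char>
      </source>
    </hostdev>

    <!-- Block device passthrough works the same way (assumed device) -->
    <hostdev mode='capabilities' type='storage'>
      <source>
        <block>/dev/loop0</block>
      </source>
    </hostdev>

    <console type='pty'/>
  </devices>

  <!-- Dynamic SELinux label for the container's processes -->
  <seclabel type='dynamic' model='selinux'/>
</domain>
```

Anything not listed under `<devices>` simply will not exist inside the
container's /dev, and attempting to create it there with mknod fails with
EPERM; that is the intended behaviour, not a misconfiguration.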
