[libvirt] [PATCH 3/3] Honour filesystem readonly flag & make special FS readonly
Eric Blake
eblake at redhat.com
Fri Jul 22 14:03:59 UTC 2011
On 07/22/2011 07:42 AM, Daniel P. Berrange wrote:
> From: "Daniel P. Berrange"<berrange at redhat.com>
>
> A container should not be allowed to modify stuff in /sys
> or /proc/sys so make them readonly. Make /selinux readonly
> so that containers think that selinux is disabled.
Are we ever going to want to mix selinux and containers? But for now, I
guess this makes sense.
>
> Honour the readonly flag when mounting container filesystems
> from the guest XML config
>
> * src/lxc/lxc_container.c: Support readonly mounts
> ---
> src/lxc/lxc_container.c | 29 +++++++++++++++++++++++++++++
> 1 files changed, 29 insertions(+), 0 deletions(-)
>
> } mnts[] = {
> + /* When we want to make a bind mount readonly, for unknown reasons,
> + * it is currently neccessary to bind it once, and then remount the
s/neccessary/necessary/
> + * bind with the readonly flag. If this is not done, then the original
> + * mount point in the main OS becomes readonly too which si not what
s/si/is/
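Review bot: The "for unknown reasons" wording in the new comment above the mnts[] table should be replaced with the actual cause, which mount(2) documents: on a bind mount the kernel ignores every flag other than MS_BIND and MS_REC, so MS_RDONLY passed on the initial bind has no effect, and a read-only flag that applies only to the new mount point has to be set with a second call using MS_REMOUNT | MS_BIND (supported since Linux 2.6.26). Suggest the comment say exactly that, and since the point of this patch is to stop a container writing to /sys and /proc/sys, please make sure the return value of that second remount call is checked and a failure aborts container start rather than being logged and ignored, otherwise a failed remount silently leaves the bind mount writable. Fold the two spelling fixes already noted in this thread (neccessary, si) into the same comment.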
ACK with spelling nits fixed.
--
Eric Blake eblake at redhat.com +1-801-349-2682
Libvirt virtualization library http://libvirt.org