[libvirt] These patches needed to mount the securityfs in containers.

Daniel P. Berrange berrange at redhat.com
Fri Feb 1 16:24:17 UTC 2013


On Fri, Feb 01, 2013 at 11:19:49AM -0500, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> Simple patch to make sure /sys/kernel/security is mounted inside the
> container.  Systemd attempts to use/mount this file system if it is not present.
> 
> 
> One of these days I will figure out how to merge patches.

First of all, you should do all your work on a branch
and not on 'master'.

e.g. let's assume you did some work on a branch 'some-fix'
which has 2 patches

   git checkout -b some-fix
   ...do work..
   git add -u
   git commit
   ...do more work..
   git add -u
   git commit


Now you want to turn this into one single patch for submission.

   git rebase -i master
   ....it now displays a list of patches in 'vi'...

To merge two patches into one, just change the 'pick' word
against the 2nd patch into 'squash'. This causes it to merge
the 2nd patch into the first patch and lets you update the
commit message.

> From 502f11954550bdd67f9999dc4b668f7ed2317449 Mon Sep 17 00:00:00 2001
> From: Dan Walsh <dwalsh at redhat.com>
> Date: Tue, 6 Nov 2012 13:26:50 -0500
> Subject: [PATCH 2/5] Add securityfs mounted on /sys/kernel/security for
>  containers
> 
> ---
>  src/lxc/lxc_container.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
> index 8faa664..e06313e 100644
> --- a/src/lxc/lxc_container.c
> +++ b/src/lxc/lxc_container.c
> @@ -521,6 +521,7 @@ static int lxcContainerMountBasicFS(bool pivotRoot,
>          { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
>          { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND },
>          { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
> +        { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
>          { "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
>          { "sysfs", "/sys", "sysfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
>  #if HAVE_SELINUX
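Review bot: the added `securityfs` entry is placed before the `sysfs` entries that mount `/sys`, so `/sys/kernel/security` does not yet exist as a mount point when this row is processed, and it applies `MS_BIND|MS_REMOUNT|MS_RDONLY` to what is a fresh `securityfs` mount rather than a remount of an existing one. Follow the two-step pattern the `sysfs` rows directly below already use: first a plain mount of `securityfs` with `MS_NOSUID|MS_NOEXEC|MS_NODEV` placed after the `/sys` rows, then a second row with `MS_BIND|MS_REMOUNT|MS_RDONLY` to make it read-only.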
> -- 
> 1.8.0
> 
> 

> From ead9b3e6f81eccb133b7cca5ef0b83595f5aa132 Mon Sep 17 00:00:00 2001
> From: Dan Walsh <dwalsh at redhat.com>
> Date: Tue, 6 Nov 2012 15:07:21 -0500
> Subject: [PATCH 3/5] Allow lxc_container to mount securityfs within the
>  container
> 
> ---
>  src/lxc/lxc_container.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
> index 17f685d..9030c27 100644
> --- a/src/lxc/lxc_container.c
> +++ b/src/lxc/lxc_container.c
> @@ -521,9 +521,10 @@ static int lxcContainerMountBasicFS(bool pivotRoot,
>          { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
>          { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND },
>          { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
> -        { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
>          { "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
>          { "sysfs", "/sys", "sysfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
> +        { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
> +        { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
>  #if HAVE_SELINUX
>          { SELINUX_MOUNT, SELINUX_MOUNT, "selinuxfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
>          { SELINUX_MOUNT, SELINUX_MOUNT, NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
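Review bot: this hunk deletes the row that patch 2/5 added and re-adds it in the right place with the right flags, so the series carries a broken intermediate commit; the two patches should be squashed into one as suggested above, with the combined commit message explaining why the mount is needed (both patches currently have an empty body after the Subject line). Within the hunk, the remount row `{ "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY }` passes a filesystem type on a bind remount; the `selinuxfs` remount row just below passes `NULL`, which is the consistent choice for a `MS_BIND|MS_REMOUNT` step. The commit message should also state that the read-only remount is deliberate: systemd only needs to see the filesystem present, and the container must not be able to write to the LSM interfaces under it.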

If they were combined, these patches would be good.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
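The branch-and-squash workflow described above, scripted end to end as an added example (this is not code from the thread or from libvirt, and it assumes git is installed): it builds a throwaway repository with a 'master' branch and a two-commit 'some-fix' branch, then runs `git rebase -i master` with GIT_SEQUENCE_EDITOR pointed at a small script that turns every 'pick' after the first into 'squash', the same edit made by hand in 'vi' in the interactive case. The repository contents, commit messages and helper names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original mail or from libvirt: the same
# rebase/squash workflow, driven without an interactive editor.
set -eu

# Constructed demo repo: 'master' with one commit, 'some-fix' with two more.
make_demo_repo() {
    dir=$(mktemp -d)
    git init -q "$dir"
    git -C "$dir" symbolic-ref HEAD refs/heads/master
    git -C "$dir" config user.name "Demo User"
    git -C "$dir" config user.email "demo@example.com"
    git -C "$dir" config commit.gpgsign false
    echo "base" > "$dir/lxc_container.c"
    git -C "$dir" add -A
    git -C "$dir" commit -q -m "Initial commit"
    git -C "$dir" checkout -q -b some-fix
    echo "first change" >> "$dir/lxc_container.c"
    git -C "$dir" add -u
    git -C "$dir" commit -q -m "Add securityfs mount"
    echo "second change" >> "$dir/lxc_container.c"
    git -C "$dir" add -u
    git -C "$dir" commit -q -m "Fix securityfs mount order"
    printf '%s\n' "$dir"
}

# Number of commits reachable from $3 but not from $2.
commit_count() {
    git -C "$1" rev-list --count "$2..$3"
}

# Squash every commit of the checked-out branch that is not in $2 into one
# commit whose subject is $3. GIT_SEQUENCE_EDITOR receives the rebase todo
# list (the 'pick' lines vi would show); the helper keeps the first 'pick'
# and rewrites the rest to 'squash'. GIT_EDITOR=true accepts the combined
# message non-interactively; the amend then sets the final subject.
squash_branch() {
    repo=$1; base=$2; message=$3
    todo_editor=$(mktemp)
    cat > "$todo_editor" <<'EOF'
#!/bin/sh
awk '/^pick / { if (seen++) sub(/^pick /, "squash ") } { print }' "$1" > "$1.new"
mv "$1.new" "$1"
EOF
    chmod +x "$todo_editor"
    GIT_SEQUENCE_EDITOR="$todo_editor" GIT_EDITOR=true \
        git -C "$repo" rebase -i "$base"
    git -C "$repo" commit -q --amend -m "$message"
    rm -f "$todo_editor"
}

main() {
    command -v git >/dev/null 2>&1 || { echo "git not installed" >&2; return 0; }
    repo=$(make_demo_repo)
    echo "before: $(commit_count "$repo" master some-fix) commit(s) on some-fix"
    squash_branch "$repo" master "Add securityfs mount for containers"
    echo "after:  $(commit_count "$repo" master some-fix) commit(s) on some-fix"
    git -C "$repo" log --oneline master..some-fix
    rm -rf "$repo"
}

main "$@"
```

The helper script fed to GIT_SEQUENCE_EDITOR is the only part that differs from the interactive version: git hands it the todo file as its first argument, and changing 'pick' to 'squash' on the second and later lines is what makes each of those commits fold into the first one. If the rebase stops on a conflict, resolve it, `git add` the file and run `git rebase --continue`, exactly as you would after the manual edit in vi.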




More information about the libvir-list mailing list