[libvirt] [PATCH v1 21/21] qemu: Let users opt-out from containerization
Daniel P. Berrange
berrange at redhat.com
Mon Dec 5 13:41:56 UTC 2016
On Thu, Nov 24, 2016 at 03:48:10PM +0100, Michal Privoznik wrote:
> Given how intrusive previous patches are, it might happen that
> there's a bug or imperfection. Lets give users a way out: if they
> set 'containerize' to false in qemu.conf the feature is
> suppressed.
>
> Signed-off-by: Michal Privoznik <mprivozn at redhat.com>
> ---
> src/qemu/libvirtd_qemu.aug | 1 +
> src/qemu/qemu.conf | 8 ++++++++
> src/qemu/qemu_conf.c | 5 +++++
> src/qemu/qemu_conf.h | 2 ++
> src/qemu/qemu_domain.c | 3 ++-
> src/qemu/test_libvirtd_qemu.aug.in | 1 +
> 6 files changed, 19 insertions(+), 1 deletion(-)
>
> diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug
> index f3cc9e6..5bd7f2f 100644
> --- a/src/qemu/libvirtd_qemu.aug
> +++ b/src/qemu/libvirtd_qemu.aug
> @@ -70,6 +70,7 @@ module Libvirtd_qemu =
> | str_array_entry "cgroup_controllers"
> | str_array_entry "cgroup_device_acl"
> | int_entry "seccomp_sandbox"
> + | bool_entry "containerize"
>
> let save_entry = str_entry "save_image_format"
> | str_entry "dump_image_format"
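Review bot: the diffstat above lists src/qemu/test_libvirtd_qemu.aug.in (+1), but that hunk is not included in the quoted patch, so the test-data line exercising the new bool_entry "containerize" cannot be reviewed here; please make sure the test file carries a matching `containerize = 1` (or `0`) entry so the lens change is covered.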
> diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
> index 2b2bd60..26308a3 100644
> --- a/src/qemu/qemu.conf
> +++ b/src/qemu/qemu.conf
> @@ -665,3 +665,11 @@
> # Defaults to 4
> #
> #gluster_debug_level = 9
> +
> +# To enhance security, QEMU driver is capable of mounting private
> +# devtmpfs for each domain started. This means qemu process is
> +# unable to see all the devices on the system, just those
> +# configured for the domain in question. Libvirt manages device
> +# entries throughout the domain lifetime. This is turned on by
> +# default.
> +#containerize = 1
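Review bot: the new comment block describes the feature but never states how to opt out, which is the whole purpose of this patch; since the commented example only shows the default (`#containerize = 1`), add a sentence such as "Set to 0 to disable" so an admin hitting one of the "bugs or imperfections" mentioned in the commit message knows the value to use. Minor grammar while here: "QEMU driver is capable" -> "the QEMU driver is capable", "qemu process is unable" -> "the qemu process is unable".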
Similarly to my earlier question, I wonder if we're better off
explicitly referring to the namespace we're actually using to
make future enhancements simpler. eg allow either
namespaces = [ "mount" ]
or
namespaces = [ ]
so we can extend this to non-mount namespaces later if desired.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://entangle-photo.org -o- http://search.cpan.org/~danberr/ :|