author | Mark Asselstine <mark.asselstine@windriver.com> | 2013-10-02 21:17:13 -0400 |
committer | Bruce Ashfield <bruce.ashfield@windriver.com> | 2013-10-03 22:41:33 -0400 |
commit | 7fd8190b23b4e7c6d0d12a006a165bba50ecc9c5 (patch) | |
tree | ecc47fd2bc086909bda3421031214b7bdb77a262 /recipes-extended/libvirt/libvirt/LXC-Don-t-mount-securityfs-when-user-namespace-enabl.patch | |
parent | 9f2c3fcf9e514d428a6aadad5bb229fd1c541cc7 (diff) | |
download | meta-virtualization-7fd8190b23b4e7c6d0d12a006a165bba50ecc9c5.tar.gz |
libvirt: don't mount securityfs or selinux if userns enabled
commit 6807238d87fd [Ensure securityfs is mounted readonly in
container] from upstream libvirt requires securityfs to be mounted,
always. Using a kernel without SECURITYFS support results in
the following error when you attempt to start an lxc guest:
error : lxcContainerMountBasicFS:807 : Failed to mkdir securityfs: No
such file or directory Input/output error
Here we apply an upstream fix for this which allows you to use userns
support instead of SECURITYFS, by using <idmap> in your guest config.
A similar situation exists for SELINUX so here we are bringing in 2
more upstream commits, the first for context and the second, which
like the securityfs patch, doesn't force selinux to be mounted if
userns is used.
Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com>
Cc: Bogdan Purcareata <bogdan.purcareata@freescale.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
Diffstat (limited to 'recipes-extended/libvirt/libvirt/LXC-Don-t-mount-securityfs-when-user-namespace-enabl.patch')
-rw-r--r-- | recipes-extended/libvirt/libvirt/LXC-Don-t-mount-securityfs-when-user-namespace-enabl.patch | 52 |
1 files changed, 52 insertions, 0 deletions
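--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/LXC-Don-t-mount-securityfs-when-user-namespace-enabl.patch
@@ -0,0 +1,52 @@
+From 1583dfda7c4e5ad71efe0615c06e5676528d8203 Mon Sep 17 00:00:00 2001
+From: Gao feng <gaofeng@cn.fujitsu.com>
+Date: Thu, 5 Sep 2013 11:50:40 +0100
+Subject: [PATCH] LXC: Don't mount securityfs when user namespace enabled
+
+commit 1583dfda7c4e5ad71efe0615c06e5676528d8203 from
+git://libvirt.org/libvirt.git
+
+Right now, securityfs is disallowed to be mounted in non-initial
+user namespace, so we must avoid trying to mount securityfs in
+a container which has user namespace enabled.
+
+Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
+---
+src/lxc/lxc_container.c | 7 +++++--
+1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
+index 8abaea0..c41ab40 100644
+--- a/src/lxc/lxc_container.c
++++ b/src/lxc/lxc_container.c
+@@ -750,7 +750,7 @@ err:
+}
+
+
+-static int lxcContainerMountBasicFS(void)
++static int lxcContainerMountBasicFS(bool userns_enabled)
+{
+const struct {
+const char *src;
+@@ -801,6 +801,9 @@ static int lxcContainerMountBasicFS(void)
+continue;
+#endif
+
++ if (STREQ(mnts[i].src, "securityfs") && userns_enabled)
++ continue;
++
+if (virFileMakePath(mnts[i].dst) < 0) {
+virReportSystemError(errno,
+_("Failed to mkdir %s"),
+@@ -1530,7 +1533,7 @@ static int lxcContainerSetupPivotRoot(virDomainDefPtr vmDef,
+goto cleanup;
+
+/* Mounts the core /proc, /sys, etc filesystems */
+- if (lxcContainerMountBasicFS() < 0)
++ if (lxcContainerMountBasicFS(vmDef->idmap.nuidmap) < 0)
+goto cleanup;
+
+/* Mounts /proc/meminfo etc sysinfo */
+--
+1.8.1.2
+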
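Review bot: The new `if (STREQ(mnts[i].src, "securityfs") && userns_enabled) continue;` in lxcContainerMountBasicFS carries no comment saying why the mount is skipped, so the reason (the kernel refuses securityfs mounts from a non-initial user namespace) lives only in the commit message; a one-line comment such as `/* securityfs cannot be mounted from a non-initial user namespace */` above the check would keep the next reader from "fixing" it back. The caller passes `vmDef->idmap.nuidmap`, a map-entry count, into a `bool` parameter; the implicit conversion is well defined in C, but `vmDef->idmap.nuidmap > 0` states the intent and matches the flag's name. As far as the hunk shows, skipping the entry means the guest gets no /sys/kernel/security at all rather than the read-only mount the earlier upstream change insisted on, which is at least as restrictive and so should not widen what the container can reach — worth confirming that nothing later in lxcContainerMountBasicFS assumes every `mnts[i].dst` exists. Both lxcContainerMountBasicFS and lxcContainerSetupPivotRoot start and end outside the hunk.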