libvirt: don't mount securityfs or selinux if userns enabled

commit 6807238d87fd [Ensure securityfs is mounted readonly in container] from upstream libvirt requires securityfs to be mounted, always. Failing to use a kernel without SECURITYFS support results in the following error when you attempt to start a lxc guest: error : lxcContainerMountBasicFS:807 : Failed to mkdir securityfs: No such file or directory Input/output error Here we apply an upstream fix for this which allows you to use userns support instead of SECURITYFS, by using <idmap> in your guest config. A similar situation exists for SELINUX so here we are bringing in 2 more upstream commits, the first for context and the second, which like the securityfs patch, doesn't force selinux to be mounted if userns is used. Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com> Cc: Bogdan Purcareata <bogdan.purcareata@freescale.com> Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
author: Mark Asselstine <mark.asselstine@windriver.com> 2013-10-02 21:17:13 -0400
committer: Bruce Ashfield <bruce.ashfield@windriver.com> 2013-10-03 22:41:33 -0400
commit: 7fd8190b23b4e7c6d0d12a006a165bba50ecc9c5 (patch)
tree: ecc47fd2bc086909bda3421031214b7bdb77a262 /recipes-extended/libvirt/libvirt/LXC-Don-t-mount-securityfs-when-user-namespace-enabl.patch
parent: 9f2c3fcf9e514d428a6aadad5bb229fd1c541cc7 (diff)
download: meta-virtualization-7fd8190b23b4e7c6d0d12a006a165bba50ecc9c5.tar.gz
1 files changed, 52 insertions, 0 deletions
diff --git a/recipes-extended/libvirt/libvirt/LXC-Don-t-mount-securityfs-when-user-namespace-enabl.patch b/recipes-extended/libvirt/libvirt/LXC-Don-t-mount-securityfs-when-user-namespace-enabl.patch
new file mode 100644
index 00000000..40f8dd9b
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/LXC-Don-t-mount-securityfs-when-user-namespace-enabl.patch
@@ -0,0 +1,52 @@
+From 1583dfda7c4e5ad71efe0615c06e5676528d8203 Mon Sep 17 00:00:00 2001
+From: Gao feng <gaofeng@cn.fujitsu.com>
+Date: Thu, 5 Sep 2013 11:50:40 +0100
+Subject: [PATCH] LXC: Don't mount securityfs when user namespace enabled
+commit 1583dfda7c4e5ad71efe0615c06e5676528d8203 from
+git://libvirt.org/libvirt.git
+Right now, securityfs is disallowed to be mounted in non-initial
+user namespace, so we must avoid trying to mount securityfs in
+a container which has user namespace enabled.
+Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
+---
+ src/lxc/lxc_container.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
+index 8abaea0..c41ab40 100644
+--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
+@@ -750,7 +750,7 @@ err:
+ }
+ 
+ 
+-static int lxcContainerMountBasicFS(void)
+static int lxcContainerMountBasicFS(bool userns_enabled)
+ {
+     const struct {
+         const char *src;
+@@ -801,6 +801,9 @@ static int lxcContainerMountBasicFS(void)
+             continue;
+ #endif
+ 
+        if (STREQ(mnts[i].src, "securityfs") && userns_enabled)
+            continue;
+
+         if (virFileMakePath(mnts[i].dst) < 0) {
+             virReportSystemError(errno,
+                                  _("Failed to mkdir %s"),
+@@ -1530,7 +1533,7 @@ static int lxcContainerSetupPivotRoot(virDomainDefPtr vmDef,
+         goto cleanup;
+ 
+     /* Mounts the core /proc, /sys, etc filesystems */
+-    if (lxcContainerMountBasicFS() < 0)
+    if (lxcContainerMountBasicFS(vmDef->idmap.nuidmap) < 0)
+         goto cleanup;
+ 
+     /* Mounts /proc/meminfo etc sysinfo */
+-- 
+1.8.1.2
author	Mark Asselstine <mark.asselstine@windriver.com>	2013-10-02 21:17:13 -0400
committer	Bruce Ashfield <bruce.ashfield@windriver.com>	2013-10-03 22:41:33 -0400
commit	7fd8190b23b4e7c6d0d12a006a165bba50ecc9c5 (patch)
tree	ecc47fd2bc086909bda3421031214b7bdb77a262 /recipes-extended/libvirt/libvirt/LXC-Don-t-mount-securityfs-when-user-namespace-enabl.patch
parent	9f2c3fcf9e514d428a6aadad5bb229fd1c541cc7 (diff)
download	meta-virtualization-7fd8190b23b4e7c6d0d12a006a165bba50ecc9c5.tar.gz

diff --git a/recipes-extended/libvirt/libvirt/LXC-Don-t-mount-securityfs-when-user-namespace-enabl.patch b/recipes-extended/libvirt/libvirt/LXC-Don-t-mount-securityfs-when-user-namespace-enabl.patch new file mode 100644 index 00000000..40f8dd9b --- /dev/null +++ b/recipes-extended/libvirt/libvirt/LXC-Don-t-mount-securityfs-when-user-namespace-enabl.patch
@@ -0,0 +1,52 @@
	1	From 1583dfda7c4e5ad71efe0615c06e5676528d8203 Mon Sep 17 00:00:00 2001
	2	From: Gao feng <gaofeng@cn.fujitsu.com>
	3	Date: Thu, 5 Sep 2013 11:50:40 +0100
	4	Subject: [PATCH] LXC: Don't mount securityfs when user namespace enabled
	5
	6	commit 1583dfda7c4e5ad71efe0615c06e5676528d8203 from
	7	git://libvirt.org/libvirt.git
	8
	9	Right now, securityfs is disallowed to be mounted in non-initial
	10	user namespace, so we must avoid trying to mount securityfs in
	11	a container which has user namespace enabled.
	12
	13	Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
	14	---
	15	src/lxc/lxc_container.c \| 7 +++++--
	16	1 file changed, 5 insertions(+), 2 deletions(-)
	17
	18	diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
	19	index 8abaea0..c41ab40 100644
	20	--- a/src/lxc/lxc_container.c
	21	+++ b/src/lxc/lxc_container.c
	22	@@ -750,7 +750,7 @@ err:
	23	}
	24
	25
	26	-static int lxcContainerMountBasicFS(void)
	27	+static int lxcContainerMountBasicFS(bool userns_enabled)
	28	{
	29	const struct {
	30	const char *src;
	31	@@ -801,6 +801,9 @@ static int lxcContainerMountBasicFS(void)
	32	continue;
	33	#endif
	34
	35	+ if (STREQ(mnts[i].src, "securityfs") && userns_enabled)
	36	+ continue;
	37	+
	38	if (virFileMakePath(mnts[i].dst) < 0) {
	39	virReportSystemError(errno,
	40	_("Failed to mkdir %s"),
	41	@@ -1530,7 +1533,7 @@ static int lxcContainerSetupPivotRoot(virDomainDefPtr vmDef,
	42	goto cleanup;
	43
	44	/* Mounts the core /proc, /sys, etc filesystems */
	45	- if (lxcContainerMountBasicFS() < 0)
	46	+ if (lxcContainerMountBasicFS(vmDef->idmap.nuidmap) < 0)
	47	goto cleanup;
	48
	49	/* Mounts /proc/meminfo etc sysinfo */
	50	--
	51	1.8.1.2
	52