From: "Daniel P. Berrange" <berrange@xxxxxxxxxx>
If the LXC config has a filesystem
<filesystem>
<source dir='/'/>
<target dir='/'/>
</filesystem>
then there is no need to go down the pivot root codepath.
We can simply use the existing root as needed.
Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
---
src/lxc/lxc_container.c | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index 2076c04..0e22de5 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -1137,6 +1137,7 @@ static int lxcContainerSetupPivotRoot(virDomainDefPtr vmDef,
/* Nothing mapped to /, we're using the main root,
but with extra stuff mapped in */
static int lxcContainerSetupExtraMounts(virDomainDefPtr vmDef,
+ virDomainFSDefPtr root,
virSecurityManagerPtr securityDriver)
{
VIR_DEBUG("def=%p", vmDef);
@@ -1151,6 +1152,14 @@ static int lxcContainerSetupExtraMounts(virDomainDefPtr vmDef,
return -1;
}
+ if (root && root->readonly) {
+ if (mount("", "/", NULL, MS_BIND|MS_REC|MS_RDONLY|MS_REMOUNT, NULL) < 0) {
+ virReportSystemError(errno, "%s",
+ _("Failed to make root readonly"));
+ return -1;
+ }
+ }
+
VIR_DEBUG("Mounting config FS");
if (lxcContainerMountAllFS(vmDef, "", false) < 0)
return -1;
@@ -1192,10 +1201,14 @@ static int lxcContainerSetupMounts(virDomainDefPtr vmDef,
if (lxcContainerResolveSymlinks(vmDef) < 0)
return -1;
- if (root)
+ /* If the user has specified a dst '/' with a source of '/'
+ * then we don't really want to go down the pivot root
+ * path, as we're just tuning the existing root
+ */
+ if (root && root->src && STRNEQ(root->src, "/"))
return lxcContainerSetupPivotRoot(vmDef, root, ttyPaths, nttyPaths, securityDriver);
else
- return lxcContainerSetupExtraMounts(vmDef, securityDriver);
+ return lxcContainerSetupExtraMounts(vmDef, root, securityDriver);
}
--
1.7.10.1
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list