On Fri, Feb 01, 2013 at 11:19:49AM -0500, Daniel J Walsh wrote:
> Simple patch to make sure /sys/kernel/security is mounted inside the
> container. Systemd attempts to use/mount this file system if it is not present.
>
> One of these days I will figure out how to merge patches.

First of all, you should do all your work on a branch and not on 'master'. E.g. let's assume you did some work on a branch 'some-fix' which has 2 patches

  git checkout -b some-fix
  ...do work..
  git add -u
  git commit
  ...do more work..
  git add -u
  git commit

Now you want to turn this into one single patch for submission.

  git rebase -i master
  ....it now displays a list of patches in 'vi'...

To merge two patches into one, just change the 'pick' word against the 2nd patch into 'squash'. This causes it to merge the 2nd patch into the first patch and lets you update the commit message.

> >From 502f11954550bdd67f9999dc4b668f7ed2317449 Mon Sep 17 00:00:00 2001 > From: Dan Walsh <dwalsh@xxxxxxxxxx> > Date: Tue, 6 Nov 2012 13:26:50 -0500 > Subject: [PATCH 2/5] Add securityfs mounted on /sys/kernel/security for > containers > > --- > src/lxc/lxc_container.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c > index 8faa664..e06313e 100644 > --- a/src/lxc/lxc_container.c > +++ b/src/lxc/lxc_container.c > @@ -521,6 +521,7 @@ static int lxcContainerMountBasicFS(bool pivotRoot, > { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV }, > { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND }, > { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY }, > + { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY }, > { "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV }, > { "sysfs", "/sys", "sysfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY }, > #if HAVE_SELINUX > -- > 1.8.0
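
Review bot: the added securityfs entry in lxcContainerMountBasicFS sits before the two sysfs entries and carries only MS_BIND|MS_REMOUNT|MS_RDONLY, so there is no earlier securityfs mount for it to remount, and if the table is processed in order the sysfs mount on /sys that follows would cover /sys/kernel/security anyway. The sysfs and /proc/sys entries visible here pair an initial mount with the read-only remount; the securityfs entry should follow the same pattern and come after sysfs. Patch 3/5 makes exactly that change, so folding it into this patch avoids an intermediate commit that cannot work as written.
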
> >From ead9b3e6f81eccb133b7cca5ef0b83595f5aa132 Mon Sep 17 00:00:00 2001 > From: Dan Walsh <dwalsh@xxxxxxxxxx> > Date: Tue, 6 Nov 2012 15:07:21 -0500 > Subject: [PATCH 3/5] Allow lxc_container to mount securityfs within the > container > > --- > src/lxc/lxc_container.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c > index 17f685d..9030c27 100644 > --- a/src/lxc/lxc_container.c > +++ b/src/lxc/lxc_container.c > @@ -521,9 +521,10 @@ static int lxcContainerMountBasicFS(bool pivotRoot, > { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV }, > { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND }, > { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY }, > - { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY }, > { "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV }, > { "sysfs", "/sys", "sysfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY }, > + { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV }, > + { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY }, > #if HAVE_SELINUX > { SELINUX_MOUNT, SELINUX_MOUNT, "selinuxfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV }, > { SELINUX_MOUNT, SELINUX_MOUNT, NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },

If they were combined, these patches would be good.

Daniel
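
Review bot: the two new securityfs entries are placed above the #if HAVE_SELINUX guard and are unconditional, so the mount is attempted for every container; please check what lxcContainerMountBasicFS does when the host kernel has no securityfs or /sys/kernel/security does not exist, and whether that case should fail container startup or be skipped. The commit message also has only a subject line: the reason given in the cover text (systemd tries to mount this filesystem when it is absent) and the reason for the MS_RDONLY remount belong in the message body of the squashed commit.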