[pve-devel] [PATCH container 2/2] fix #1451: add mountoptions to lxc
Thomas Lamprecht
t.lamprecht at proxmox.com
Thu Jul 4 10:51:31 CEST 2019
On 7/4/19 10:50 AM, Oguz Bektas wrote:
> for now allows:
> * noexec
> * noatime
> * nosuid
> * nodev
>
> Signed-off-by: Oguz Bektas <o.bektas at proxmox.com>
> ---
> src/PVE/LXC.pm | 12 ++++++++++--
> src/PVE/LXC/Config.pm | 9 +++++++++
> 2 files changed, 19 insertions(+), 2 deletions(-)
>
> diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
> index 4922fb0..16bca48 100644
> --- a/src/PVE/LXC.pm
> +++ b/src/PVE/LXC.pm
> @@ -1415,11 +1415,19 @@ sub mountpoint_mount {
>
> die "unknown snapshot path for '$volid'" if !$storage && defined($snapname);
>
> - my $optstring = '';
> + my @mountoptions= split(/;/, $mountpoint->{mountoptions});
> + my @allowed_options = qw(nosuid nodev noatime noexec);
> + my $optlist = [];
> + foreach my $opt (@mountoptions) {
> + push @$optlist, $opt if ( grep ( /^$opt$/, @allowed_options) );
> + }
> +
> my $acl = $mountpoint->{acl};
> if (defined($acl)) {
> - $optstring .= ($acl ? 'acl' : 'noacl');
> + push @$optlist, ($acl ? 'acl' : 'noacl');
> }
> +
> + my $optstring = join(',', @$optlist);
> my $readonly = $mountpoint->{ro};
>
> my @extra_opts;
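Review bot: The `split(/;/, $mountpoint->{mountoptions})` line runs unconditionally, but the schema hunk declares `mountoptions` as `optional => 1`, so every mount point without the key splits an undefined value and triggers an uninitialized-value warning when warnings are enabled; guard it with a `defined` check or `// ''`. In the loop, `grep ( /^$opt$/, @allowed_options)` interpolates the configured string as a regex, so an exact comparison (`$_ eq $opt`, or a hash lookup) is the safer filter. Options that are not in the list are dropped silently here; a `die` on an unknown option would surface a bad config instead of mounting without the flag the admin asked for.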
> diff --git a/src/PVE/LXC/Config.pm b/src/PVE/LXC/Config.pm
> index 8dcd73c..c368ca2 100644
> --- a/src/PVE/LXC/Config.pm
> +++ b/src/PVE/LXC/Config.pm
> @@ -216,6 +216,8 @@ sub __snapshot_foreach_volume {
>
> cfs_register_file('/lxc/', \&parse_pct_config, \&write_pct_config);
>
> +my $mount_option = qr/(noatime|nodev|nosuid|noexec)/;
> +
> my $rootfs_desc = {
> volume => {
> type => 'string',
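Review bot: `$mount_option` repeats the same four names that `@allowed_options` hard-codes in `mountpoint_mount` in src/PVE/LXC.pm, so the schema and the mount-time filter can drift apart when an option is added to one and not the other. Define the list once and derive both the regex and the mount-time check from it. The group can also be non-capturing, `(?:...)`, since nothing in the visible lines reads the capture.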
> @@ -236,6 +238,13 @@ my $rootfs_desc = {
> description => 'Explicitly enable or disable ACL support.',
> optional => 1,
> },
> + mountoptions => {
> + optional => 1,
> + type => 'string',
> + description => 'Extra mount options for rootfs/mps.',
> + format_description => 'opt[;opt...]',
> + pattern => qr/$mount_option(;$mount_option)*/,
> + },
> ro => {
> type => 'boolean',
> description => 'Read-only mount point',
>
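Review bot: The `pattern => qr/$mount_option(;$mount_option)*/` line carries no `^`/`$` anchors, so unless the schema validator anchors patterns itself, any string that merely contains one allowed name would validate and then be silently filtered at mount time by the loop in LXC.pm. Anchoring the pattern explicitly makes the accepted grammar independent of the validator. The `description` should also name the accepted options (noatime, nodev, nosuid, noexec), since `format_description => 'opt[;opt...]'` alone does not tell the user what `opt` may be.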
In the backend the flag whitelist must not be in multiple places, though;
that's a hard requirement for me.