[pve-devel] [PATCH container 2/2] fix #1451: add mountoptions to lxc

Thomas Lamprecht t.lamprecht at proxmox.com
Thu Jul 4 10:51:31 CEST 2019


On 7/4/19 10:50 AM, Oguz Bektas wrote:
> for now allows:
> * noexec
> * noatime
> * nosuid
> * nodev
> 
> Signed-off-by: Oguz Bektas <o.bektas at proxmox.com>
> ---
>  src/PVE/LXC.pm        | 12 ++++++++++--
>  src/PVE/LXC/Config.pm |  9 +++++++++
>  2 files changed, 19 insertions(+), 2 deletions(-)
> 
> diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
> index 4922fb0..16bca48 100644
> --- a/src/PVE/LXC.pm
> +++ b/src/PVE/LXC.pm
> @@ -1415,11 +1415,19 @@ sub mountpoint_mount {
>  
>      die "unknown snapshot path for '$volid'" if !$storage && defined($snapname);
>  
> -    my $optstring = '';
> +    my @mountoptions= split(/;/, $mountpoint->{mountoptions});
> +    my @allowed_options = qw(nosuid nodev noatime noexec);
> +    my $optlist = [];
> +    foreach my $opt (@mountoptions) {
> +	push @$optlist, $opt if ( grep ( /^$opt$/, @allowed_options) );
> +    }
> +
>      my $acl = $mountpoint->{acl};
>      if (defined($acl)) {
> -	$optstring .= ($acl ? 'acl' : 'noacl');
> +	push @$optlist, ($acl ? 'acl' : 'noacl');
>      }
> +
> +    my $optstring = join(',', @$optlist);
>      my $readonly = $mountpoint->{ro};
>  
>      my @extra_opts;
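Review bot: `split(/;/, $mountpoint->{mountoptions})` runs on an undefined value whenever the new optional `mountoptions` key is absent, which is the common case for every existing config, so it emits an "uninitialized value" warning under `use warnings`; `my @mountoptions = split(/;/, $mountpoint->{mountoptions} // '');` avoids that. The whitelist test in the loop interpolates `$opt` unescaped into a regex (`/^$opt$/`), so it relies entirely on the schema layer having rejected metacharacters; a plain string comparison, `push @$optlist, $opt if grep { $_ eq $opt } @allowed_options;`, is both clearer and independent of that. Options that fail the whitelist are dropped silently here, so a typo in the config is invisible at mount time; a `warn` naming the rejected option would make that visible in the logs. `mountpoint_mount` starts and ends outside this hunk.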
> diff --git a/src/PVE/LXC/Config.pm b/src/PVE/LXC/Config.pm
> index 8dcd73c..c368ca2 100644
> --- a/src/PVE/LXC/Config.pm
> +++ b/src/PVE/LXC/Config.pm
> @@ -216,6 +216,8 @@ sub __snapshot_foreach_volume {
>  
>  cfs_register_file('/lxc/', \&parse_pct_config, \&write_pct_config);
>  
> +my $mount_option = qr/(noatime|nodev|nosuid|noexec)/;
> +
>  my $rootfs_desc = {
>      volume => {
>  	type => 'string',
> @@ -236,6 +238,13 @@ my $rootfs_desc = {
>  	description => 'Explicitly enable or disable ACL support.',
>  	optional => 1,
>      },
> +    mountoptions => {
> +	optional => 1,
> +	type => 'string',
> +	description => 'Extra mount options for rootfs/mps.',
> +	format_description => 'opt[;opt...]',
> +	pattern => qr/$mount_option(;$mount_option)*/,
> +    },
>      ro => {
>  	type => 'boolean',
>  	description => 'Read-only mount point',
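Review bot: The `pattern` for `mountoptions` is unanchored (`qr/$mount_option(;$mount_option)*/`), so unless the schema validator wraps patterns in `^...$` itself, values such as `noexecutable` or `foo;noatime` would pass validation because the regex only needs to match somewhere inside the string; `pattern => qr/\A$mount_option(;$mount_option)*\z/,` makes the check whole-string regardless of how the validator applies it. Since `$mount_option` is only used for matching, its group can be non-capturing, `qr/(?:noatime|nodev|nosuid|noexec)/`, so the composed pattern does not collect unused captures.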
> 

In the backend the flag whitelist must not be in multiple places, though;
that's a hard requirement for me.



