[pve-devel] [PATCH container 1/2] fix #1451: add more mount options for containers

Dominik Csapak d.csapak at proxmox.com
Thu May 16 15:25:16 CEST 2019


hmm, I am not sure if we want to add a separate option for each one?
Maybe it would be better to have one 'mountoptions' option
that is a ';'-separated list, like the qemu cpu flags?

@Wolfgang, @Thomas what do you say?

On 5/15/19 6:15 PM, Oguz Bektas wrote:
> added atime-related options (noatime, nodiratime, strictatime,
> relatime), and some other security-related mount options (noexec,
> nosuid, nobarrier, nodev) for container mountpoints (and rootfs).
> 
> Signed-off-by: Oguz Bektas <o.bektas at proxmox.com>
> ---
>   src/PVE/LXC.pm        | 19 +++++++++++++++++--
>   src/PVE/LXC/Config.pm | 26 ++++++++++++++++++++++++++
>   2 files changed, 43 insertions(+), 2 deletions(-)
> 
> diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
> index 62b6b8c..81cffff 100644
> --- a/src/PVE/LXC.pm
> +++ b/src/PVE/LXC.pm
> @@ -1415,11 +1415,26 @@ sub mountpoint_mount {
>   
>       die "unknown snapshot path for '$volid'" if !$storage && defined($snapname);
>   
> -    my $optstring = '';
> +    my @mount_options = qw(nosuid noexec nodev nobarrier);
> +    my $optlist = [];
> +    foreach my $opt (@mount_options) {
> +	if (defined $mountpoint->{$opt}) {
> +	    push @$optlist, $opt;
> +	}
> +    }
> +
>       my $acl = $mountpoint->{acl};
>       if (defined($acl)) {
> -	$optstring .= ($acl ? 'acl' : 'noacl');
> +	push @$optlist, ($acl ? 'acl' : 'noacl');
>       }
> +
> +    my $atime = $mountpoint->{atime};
> +    if (defined($atime)) {
> +	push @$optlist, $atime;
> +    }
> +
> +    my $optstring = '';
> +    $optstring = join(',', @$optlist);
>       my $readonly = $mountpoint->{ro};
>   
>       my @extra_opts;
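Review bot: The loop over `@mount_options` pushes an option whenever the key is present, `if (defined $mountpoint->{$opt})`, so a config of `nosuid=0` or `noexec=0` (the schema declares these as booleans) still mounts the volume with the flag set, which is the opposite of what the user asked for and differs from how `ro` and `acl` are handled; the test should be on truth, `push @$optlist, $opt if $mountpoint->{$opt};`. `nobarrier` in `@mount_options` is not a security option: it disables journal write barriers, is filesystem-specific (accepted by ext4, rejected by others and dropped by newer xfs), and trades crash consistency for speed, so passing it through to mount can make the mountpoint fail to mount or silently weaken durability; it seems better left out of this list or at least documented as a data-integrity knob rather than a hardening one. The `my $optstring = '';` line is immediately overwritten by the join and can be collapsed to `my $optstring = join(',', @$optlist);`. `mountpoint_mount` continues outside the hunk.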
> diff --git a/src/PVE/LXC/Config.pm b/src/PVE/LXC/Config.pm
> index 8dcd73c..d796a45 100644
> --- a/src/PVE/LXC/Config.pm
> +++ b/src/PVE/LXC/Config.pm
> @@ -236,6 +236,32 @@ my $rootfs_desc = {
>   	description => 'Explicitly enable or disable ACL support.',
>   	optional => 1,
>       },
> +    atime => {
> +	type => 'string',
> +	description => 'Option for atime',
> +	optional => 1,
> +	enum => [qw(noatime nodiratime relatime strictatime)],
> +    },
> +    nosuid => {
> +	type => 'boolean',
> +	description => 'Disable suid.',
> +	optional => 1,
> +    },
> +    noexec => {
> +	type => 'boolean',
> +	description => 'Disable ability to execute.',
> +	optional => 1,
> +    },
> +    nodev => {
> +	type => 'boolean',
> +	description => 'Disable devices.',
> +	optional => 1,
> +    },
> +    nobarrier => {
> +	type => 'boolean',
> +	description => 'Disable write barriers.',
> +	optional => 1,
> +    },
>       ro => {
>   	type => 'boolean',
>   	description => 'Read-only mount point',
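Review bot: The descriptions of the new hardening flags do not tell a user what they protect against: `nodev` reads `Disable devices.`, which would be clearer as `Do not interpret character or block special devices on this file system.`, and `noexec` as `Do not allow direct execution of binaries on this file system.`. `noexec` on `rootfs` will most likely prevent the container's init from starting, so either the schema should refuse it for the root filesystem or the description should say so. `nobarrier` is listed next to the security options but is a data-integrity trade-off that is not accepted by every filesystem; if it is kept, its description should state that it disables journal write barriers and risks corruption on power loss, not just `Disable write barriers.`. `$rootfs_desc` starts before the hunk.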
> 




