[pve-devel] [PATCH container 1/2] fix #1451: add more mount options for containers
Dominik Csapak
d.csapak at proxmox.com
Thu May 16 15:25:16 CEST 2019
Hmm, I am not sure if we want to add a separate option for each one?
maybe it would be better to have one 'mountoptions' option
that is a ';' separated list like the qemu cpu flags?
@Wolfgang, @Thomas what do you say?
On 5/15/19 6:15 PM, Oguz Bektas wrote:
> added atime-related options (noatime, nodiratime, strictatime,
> relatime), and some other security-related mount options (noexec,
> nosuid, nobarrier, nodev) for container mountpoints (and rootfs).
>
> Signed-off-by: Oguz Bektas <o.bektas at proxmox.com>
> ---
> src/PVE/LXC.pm | 19 +++++++++++++++++--
> src/PVE/LXC/Config.pm | 26 ++++++++++++++++++++++++++
> 2 files changed, 43 insertions(+), 2 deletions(-)
>
> diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
> index 62b6b8c..81cffff 100644
> --- a/src/PVE/LXC.pm
> +++ b/src/PVE/LXC.pm
> @@ -1415,11 +1415,26 @@ sub mountpoint_mount {
>
> die "unknown snapshot path for '$volid'" if !$storage && defined($snapname);
>
> - my $optstring = '';
> + my @mount_options = qw(nosuid noexec nodev nobarrier);
> + my $optlist = [];
> + foreach my $opt (@mount_options) {
> + if (defined $mountpoint->{$opt}) {
> + push @$optlist, $opt;
> + }
> + }
> +
> my $acl = $mountpoint->{acl};
> if (defined($acl)) {
> - $optstring .= ($acl ? 'acl' : 'noacl');
> + push @$optlist, ($acl ? 'acl' : 'noacl');
> }
> +
> + my $atime = $mountpoint->{atime};
> + if (defined($atime)) {
> + push @$optlist, $atime;
> + }
> +
> + my $optstring = '';
> + $optstring = join(',', @$optlist);
> my $readonly = $mountpoint->{ro};
>
> my @extra_opts;
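Review bot: the `foreach` over `@mount_options` pushes an option whenever the key is merely defined, so a config entry that explicitly sets `nosuid=0`, `noexec=0` or `nodev=0` still ends up with that option in the mount string; since these are declared as booleans, test the value instead (`if ($mountpoint->{$opt})`). The two-step `my $optstring = ''; $optstring = join(',', @$optlist);` is also redundant, since the initial value is overwritten immediately; `my $optstring = join(',', @$optlist);` is enough. Lastly, `nobarrier` is not accepted by every filesystem a mount point may be backed by, so a mount with that option set can fail outright, which deserves at least a check or a note in the option description.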
> diff --git a/src/PVE/LXC/Config.pm b/src/PVE/LXC/Config.pm
> index 8dcd73c..d796a45 100644
> --- a/src/PVE/LXC/Config.pm
> +++ b/src/PVE/LXC/Config.pm
> @@ -236,6 +236,32 @@ my $rootfs_desc = {
> description => 'Explicitly enable or disable ACL support.',
> optional => 1,
> },
> + atime => {
> + type => 'string',
> + description => 'Option for atime',
> + optional => 1,
> + enum => [qw(noatime nodiratime relatime strictatime)],
> + },
> + nosuid => {
> + type => 'boolean',
> + description => 'Disable suid.',
> + optional => 1,
> + },
> + noexec => {
> + type => 'boolean',
> + description => 'Disable ability to execute.',
> + optional => 1,
> + },
> + nodev => {
> + type => 'boolean',
> + description => 'Disable devices.',
> + optional => 1,
> + },
> + nobarrier => {
> + type => 'boolean',
> + description => 'Disable write barriers.',
> + optional => 1,
> + },
> ro => {
> type => 'boolean',
> description => 'Read-only mount point',
>
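Review bot: the schema descriptions are too terse for user-facing documentation. 'Option for atime' does not say what the enum values do, 'Disable suid.' and 'Disable devices.' read as if they disabled the feature in the container rather than affecting how the kernel treats files on this mount; suggested wording along the lines of 'Control access-time updates (noatime, nodiratime, relatime, strictatime)', 'Ignore set-user-ID and set-group-ID bits on this mount point', 'Do not allow direct execution of binaries on this mount point' and 'Do not interpret character or block special devices on this mount point'. Also, `nobarrier` is a write-ordering/durability trade-off specific to some filesystems rather than a security setting, so it should not be grouped with the others under that label and its description should state the data-loss risk on power failure.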