[pve-devel] [PATCH container 2/2] update_lxc_config: mount /sys read-only for CONTAINER_INTERFACE compat

Thomas Lamprecht t.lamprecht at proxmox.com
Tue Mar 17 07:35:21 CET 2020


CONTAINER_INTERFACE[0] is something systemd people call their API and
we need to adapt to it a bit, even if it means doing stupid
unnecessary things, as else systemd decides to regress and suddenly
break the network stack in CTs after an upgrade[1].

This mounts the parent /sys as ro; child mounts can be whatever.
Fixes the system regression introduced by [2].

[0]: https://systemd.io/CONTAINER_INTERFACE/
[1]: https://github.com/systemd/systemd/issues/15101#issuecomment-598607582
[2]: https://github.com/systemd/systemd/commit/bf331d87171b7750d1c72ab0b140a240c0cf32c3

Signed-off-by: Thomas Lamprecht <t.lamprecht at proxmox.com>
---

I hate it.

Just a POC for commenting or picking up, probably belongs in an LXC config or in
a "per distro, per systemd version" specific thing

 src/PVE/LXC.pm | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
index f811550..5f1865e 100644
--- a/src/PVE/LXC.pm
+++ b/src/PVE/LXC.pm
@@ -720,6 +720,8 @@ sub update_lxc_config {
 
     $raw .= "lxc.rootfs.path = $dir/rootfs\n";
 
+    $raw .= "lxc.mount.auto = sys:ro\n";
+
     foreach my $k (sort keys %$conf) {
 	next if $k !~ m/^net(\d+)$/;
 	my $ind = $1;
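Review bot: the new `lxc.mount.auto = sys:ro` line is added unconditionally and without a comment, although the cover letter itself says this is a workaround for a specific systemd behaviour (CONTAINER_INTERFACE, systemd issue 15101) that probably belongs in a per-distro or per-systemd-version path; a short comment next to the line pointing at [0]/[1] and, ideally, a condition on the container's systemd version would make it clear why /sys is forced read-only and when the line can go again. Since `update_lxc_config` writes this after `lxc.rootfs.path` into the generated config, please also confirm that it takes precedence over any `lxc.mount.auto` value for sys that is set elsewhere (for example in an included common config), otherwise the read-only mount the commit message relies on may not be what the container actually gets.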
-- 
2.20.1