[Libguestfs] Notes on building libguestfs in a systemd-nspawn container

Daniel P. Berrange berrange at redhat.com
Thu Jan 30 11:40:58 UTC 2014


On Thu, Jan 30, 2014 at 05:07:23PM +0530, Kashyap Chamarthy wrote:
> On 01/30/2014 04:38 PM, Daniel P. Berrange wrote:
> 
> [. . .]
> 
> >>
> >> Despite reading from the `systemd-nspawn` man page:
> >>
> >>  ". . .kernel modules may not be loaded from within the container."
> >>
> >> I purposefully tried from inside the container:
> > 
> > With container based virt there is only one kernel image,
> 
> Noted, that's one of the main aspects, right, of containers: single
> Kernel (also a single point of attack-surface; no custom Kernels, etc)[1]
> 
> But I see the use-case of systemd-nspawn: quick development/debugging
> just like chroot, but better.
> 
> > so any
> > modules you want must be loaded in the host. Libvirt "passthrough"
> > of char/block devices simply involves libvirt doing mknod in the
> > /dev tmpfs it sets up. The container itself is blocked from doing
> > any 'mknod' calls since that'd be a security risk. Hence you must
> > list any desired device nodes in the XML config.
> 
> Thanks for the explanation. I have to try libvirt-lxc tools next. Also
> on my todo-list to try:
> 
>   $ virt-sandbox mock
> 
>   [Build a package]
> 
> I see that the above provides a default SELinux 'seclabel' element. Have
> to test yet.
> 
> Meanwhile, I stumbled across an upstream thread[2][3] of yours this
> morning & learnt re: a regression with user namespaces containers

Nb user namespaces aren't relevant here. Nothing you're using / trying
here involves user namespaces at all.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
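The passthrough mechanism described in the quoted reply (libvirt creating the listed nodes with mknod inside the container's /dev tmpfs, while the container itself cannot mknod) means the domain XML is the complete list of device nodes a container can see. The following is an added example, not code from the thread or from libvirt: it parses the `<hostdev mode='capabilities'>` form that libvirt documents for LXC domains (`type='storage'` with a `<block>` path, `type='misc'` with a `<char>` path), lists what would be passed through, and checks that each path is a device node of the matching kind on the host. The domain XML, device paths and domain name are constructed sample values; the `seclabel` element is libvirt's SELinux label mentioned above.

```python
"""Added example (not from the thread): list the device nodes a libvirt LXC
domain XML asks libvirt to mknod inside the container's /dev tmpfs, and
check that each exists on the host with the node type the XML implies."""
import os
import stat
import xml.etree.ElementTree as ET

# Constructed sample libvirt LXC domain XML with two passthrough entries.
# Paths and name are made up for the example.
SAMPLE_XML = """<domain type='lxc'>
  <name>buildbox</name>
  <memory unit='MiB'>1024</memory>
  <os><type>exe</type><init>/sbin/init</init></os>
  <devices>
    <hostdev mode='capabilities' type='storage'>
      <source><block>/dev/sdf1</block></source>
    </hostdev>
    <hostdev mode='capabilities' type='misc'>
      <source><char>/dev/input/event3</char></source>
    </hostdev>
  </devices>
  <seclabel type='dynamic' model='selinux'/>
</domain>"""

# hostdev type -> (child element holding the path, expected node kind)
_KINDS = {"storage": ("block", "block"), "misc": ("char", "char")}


def passthrough_devices(domain_xml):
    """Return [(path, kind)] for every capabilities-mode hostdev in the XML."""
    root = ET.fromstring(domain_xml)
    found = []
    for hd in root.iterfind("./devices/hostdev[@mode='capabilities']"):
        spec = _KINDS.get(hd.get("type"))
        if spec is None:
            continue  # e.g. type='net': not a device node, so no mknod
        elem_name, kind = spec
        node = hd.find("./source/" + elem_name)
        if node is not None and node.text:
            found.append((node.text.strip(), kind))
    return found


def host_node_kind(path):
    """'block', 'char', or None if the path is absent or not a device node."""
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return None
    if stat.S_ISBLK(mode):
        return "block"
    if stat.S_ISCHR(mode):
        return "char"
    return None


def check_devices(devices, kind_of=host_node_kind):
    """Return a list of problems; an empty list means every entry is usable.

    kind_of is injectable so the check can run against a fake host view."""
    problems = []
    for path, want in devices:
        have = kind_of(path)
        if have is None:
            problems.append(f"{path}: not a device node on the host")
        elif have != want:
            problems.append(f"{path}: host has {have} node, XML says {want}")
    return problems


if __name__ == "__main__":
    devs = passthrough_devices(SAMPLE_XML)
    for line in check_devices(devs) or ["all listed device nodes are present"]:
        print(line)
```

Run against a real domain definition (for instance the output of `virsh dumpxml`) the script reports nodes that are missing on the host or that would be created as the wrong type; since the container gets only what is listed here, reviewing this list is the same as reviewing the container's device exposure.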