On 01/30/2014 04:38 PM, Daniel P. Berrange wrote:

[. . .]

>> Despite reading from the `systemd-nspawn` man page:
>>
>> ". . .kernel modules may not be loaded from within the container."
>>
>> I purposefully tried from inside the container:
>
> With container based virt there is only one kernel image,

Noted, that's one of the main aspects, right, of containers: single
Kernel (also a single point of attack-surface; no custom Kernels,
etc)[1]

But I see the use-case of systemd-nspawn: quick development/debugging
just like chroot, but better.

> so any modules you want must be loaded in the host. Libvirt "passthrough"
> of char/block devices simply involves libvirt doing mknod in the
> /dev tmpfs it sets up. The container itself is blocked from doing
> any 'mknod' calls since that'd be a security risk. Hence you must
> list any desired device nodes in the XML config.

Thanks for the explanation. I have to try libvirt-lxc tools next.

Also on my todo-list to try:

    $ virt-sandbox mock [Build a package]

I see that the above provides a default SELinux 'seclabel' element.
Have to test yet.

Meanwhile, I stumbled across an upstream thread[2][3] of yours this
morning & learnt re: a regression with user namespaces containers

[1] http://rwmj.wordpress.com/2013/06/19/the-boring-truth-full-virtualization-and-containerization-both-have-their-place/
[2] https://lists.linuxfoundation.org/pipermail/containers/2013-November/033635.html
[3] https://bugzilla.redhat.com/show_bug.cgi?id=917708

-- 
/kashyap
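As an added illustration (not part of this thread), a minimal libvirt LXC domain definition that lists the char and block device nodes libvirt should mknod into the container's private /dev, as Daniel describes, plus an SELinux `seclabel` element; the container name, root directory and device paths are placeholders, and the emulator path assumes a Fedora-style install.

```xml
<domain type='lxc'>
  <name>devtest</name>                        <!-- placeholder name -->
  <memory unit='MiB'>512</memory>
  <os>
    <type>exe</type>
    <init>/sbin/init</init>
  </os>
  <devices>
    <emulator>/usr/libexec/libvirt_lxc</emulator>
    <!-- Root filesystem of the container (placeholder directory) -->
    <filesystem type='mount'>
      <source dir='/var/lib/libvirt/lxc/devtest'/>
      <target dir='/'/>
    </filesystem>
    <!-- Character device: libvirt creates the node in the container's
         /dev tmpfs at start; the container itself cannot call mknod -->
    <hostdev mode='capabilities' type='char'>
      <source>
        <char>/dev/net/tun</char>
      </source>
    </hostdev>
    <!-- Block device (placeholder); only nodes listed here appear inside -->
    <hostdev mode='capabilities' type='block'>
      <source>
        <block>/dev/sdb1</block>
      </source>
    </hostdev>
    <console type='pty'/>
  </devices>
  <!-- Dynamic SELinux confinement: libvirt assigns a unique label to the
       container process and the resources it is allowed to touch -->
  <seclabel type='dynamic' model='selinux'/>
</domain>
```

Any device not listed under `<devices>` is simply absent from the container's /dev, which is the intended least-privilege default.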
