On Thu, Jan 30, 2014 at 05:07:23PM +0530, Kashyap Chamarthy wrote:
> On 01/30/2014 04:38 PM, Daniel P. Berrange wrote:
>
> [. . .]
>
> >>
> >> Despite reading from the `systemd-nspawn` man page:
> >>
> >> ". . .kernel modules may not be loaded from within the container."
> >>
> >> I purposefully tried from inside the container:
> >
> > With container based virt there is only one kernel image,
>
> Noted, that's one of the main aspects, right, of containers: single
> kernel (also a single point of attack surface; no custom kernels, etc.)[1]
>
> But I see the use-case of systemd-nspawn: quick development/debugging
> just like chroot, but better.
>
> > so any
> > modules you want must be loaded in the host. Libvirt "passthrough"
> > of char/block devices simply involves libvirt doing mknod in the
> > /dev tmpfs it sets up. The container itself is blocked from doing
> > any 'mknod' calls since that'd be a security risk. Hence you must
> > list any desired device nodes in the XML config.
>
> Thanks for the explanation. I have to try libvirt-lxc tools next. Also
> on my todo-list to try:
>
> $ virt-sandbox mock
>
> [Build a package]
>
> I see that the above provides a default SELinux 'seclabel' element. Have
> to test yet.
>
> Meanwhile, I stumbled across an upstream thread[2][3] of yours this
> morning & learnt re: a regression with user namespaces containers
NB: user namespaces aren't relevant here. Nothing you're using / trying here
involves user namespaces at all.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

_______________________________________________
Libguestfs mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/libguestfs
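The device passthrough Daniel describes in the quoted reply is driven entirely by the domain XML: libvirt creates each listed node with mknod in the private /dev tmpfs it mounts for the container, and the container itself is not allowed to call mknod. The libvirt LXC domain definition below is an added example, not code from this thread or from the libvirt project; the domain name, the rootfs directory, and the /dev/sdf1 and /dev/input/event3 device paths are hypothetical placeholders that you would replace with the real nodes you want exposed.

```xml
<!-- Added example: libvirt LXC domain with explicit device node passthrough.
     Names and paths below are placeholders, not taken from the thread. -->
<domain type='lxc'>
  <name>sandbox</name>
  <memory unit='MiB'>512</memory>
  <vcpu>1</vcpu>
  <os>
    <type>exe</type>
    <init>/bin/sh</init>
  </os>
  <devices>
    <!-- Private root filesystem for the container (placeholder path). -->
    <filesystem type='mount'>
      <source dir='/var/lib/lxc/sandbox/rootfs'/>
      <target dir='/'/>
    </filesystem>

    <!-- Block device: libvirt mknods this into the container's /dev.
         Only nodes listed here exist inside the container. -->
    <hostdev mode='capabilities' type='storage'>
      <source>
        <block>/dev/sdf1</block>
      </source>
    </hostdev>

    <!-- Character device, passed through the same way. -->
    <hostdev mode='capabilities' type='misc'>
      <source>
        <char>/dev/input/event3</char>
      </source>
    </hostdev>

    <console type='pty'/>
  </devices>

  <!-- Dynamic SELinux label, the same kind of seclabel virt-sandbox
       generates by default. -->
  <seclabel type='dynamic' model='selinux'/>
</domain>
```

Define and start it with `virsh -c lxc:/// define sandbox.xml` followed by `virsh -c lxc:/// start sandbox`. Inside the running container, `ls -l /dev/sdf1` shows the node libvirt created for you, whereas an attempt such as `mknod /dev/null2 c 1 3` fails with "Operation not permitted", which is the mknod restriction Daniel refers to: adding a device means editing the XML and restarting the container, not creating nodes from within it.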
