On 01/30/2014 05:10 PM, Daniel P. Berrange wrote:
> On Thu, Jan 30, 2014 at 05:07:23PM +0530, Kashyap Chamarthy wrote:
>> On 01/30/2014 04:38 PM, Daniel P. Berrange wrote:
>>
>> [. . .]
>>
>>>>
>>>> Despite reading from the `systemd-nspawn` man page:
>>>>
>>>> ". . .kernel modules may not be loaded from within the container."
>>>>
>>>> I purposefully tried from inside the container:
>>>
>>> With container based virt there is only one kernel image,
>>
>> Noted, that's one of the main aspects, right, of containers: single
>> Kernel (also a single point of attack-surface; no custom Kernels, etc)[1]
>>
>> But I see the use-case of systemd-nspawn: quick development/debugging
>> just like chroot, but better.
>>
>>> so any
>>> modules you want must be loaded in the host. Libvirt "passthrough"
>>> of char/block devices simply involves libvirt doing mknod in the
>>> /dev tmpfs it sets up. The container itself is blocked from doing
>>> any 'mknod' calls since that'd be a security risk. Hence you must
>>> list any desired device nodes in the XML config.
>>
>> Thanks for the explanation. I have to try libvirt-lxc tools next. Also
>> on my todo-list to try:
>>
>> $ virt-sandbox mock
>>
>> [Build a package]
>>
>> I see that the above provides a default SELinux 'seclabel' element. Have
>> to test yet.
>>
>> Meanwhile, I stumbled across an upstream thread[2][3] of yours this
>> morning & learnt re: a regression with user namespaces containers
>
> Nb user namespaces aren't relevant here. Nothing you're using / trying
> here involves user namespaces at all.
Sorry, didn't mean to imply they both are connected (it was my poor wording). I came across it while I was learning about user namespaces and their current state in Fedora.

-- 
/kashyap

_______________________________________________
Libguestfs mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/libguestfs
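The device whitelist Daniel describes above, as an added example that is not part of the thread or of libvirt's own documentation: a minimal libvirt LXC domain XML that passes two host device nodes into the container, which libvirt creates with mknod in the container's private /dev while the container itself is denied mknod. The domain name, init path and device paths are constructed assumptions.

```xml
<!-- Added example: minimal libvirt LXC guest receiving two host device nodes.
     Domain name, init path and device paths are constructed, not from the thread. -->
<domain type='lxc'>
  <name>devtest</name>
  <memory unit='MiB'>512</memory>
  <os>
    <type>exe</type>
    <init>/bin/sh</init>
  </os>
  <devices>
    <!-- Character device: libvirt mknod()s this node into the container's
         /dev tmpfs. Nothing not listed here exists inside the container. -->
    <hostdev mode='capabilities' type='misc'>
      <source>
        <char>/dev/net/tun</char>
      </source>
    </hostdev>
    <!-- Block device passthrough uses the same mechanism. -->
    <hostdev mode='capabilities' type='storage'>
      <source>
        <block>/dev/sdb1</block>
      </source>
    </hostdev>
    <console type='pty'/>
  </devices>
</domain>
```

Any kernel driver behind these nodes must already be loaded on the host, since the container shares the host kernel and cannot load modules itself.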
