clh: Update clh driver to use the latest openAPI knobs

We leverage the new openAPI knobs from CLH to set readonly for disk image and we also pass kernel cmd to set guest root filesystem readonly. Signed-off-by: Bo Chen <chen.bo@intel.com>
2025-08-29 21:03:03 +00:00 · 2020-02-20 07:42:53 -08:00 · 2020-02-20 07:42:53 -08:00 · 12d10eb2dc
commit 12d10eb2dc
parent de8fe25dd5
1 changed files with 3 additions and 1 deletions
--- a/virtcontainers/clh.go
+++ b/virtcontainers/clh.go
@ -120,6 +120,7 @@ var clhKernelParams = []Param{
 	{"no_timer_check", ""}, // do not check broken timer IRQ resources
 	{"noreplace-smp", ""},  // do not replace SMP instructions
 	{"agent.log_vport", fmt.Sprintf("%d", vSockLogsPort)}, // tell the agent where to send the logs
+	{"rootflags", "data=ordered,errors=remount-ro ro"},    // mount the root filesystem as readonly
 }

 var clhDebugKernelParams = []Param{
@ -248,7 +249,8 @@ func (clh *cloudHypervisor) createSandbox(ctx context.Context, id string, networ
 	}

 	disk := chclient.DiskConfig{
-		Path: imagePath,
+		Path:     imagePath,
+		Readonly: true,
 	}
 	clh.vmconfig.Disks = append(clh.vmconfig.Disks, disk)