From 12d10eb2dc341ceb2c946890812bb6e194f5d330 Mon Sep 17 00:00:00 2001
From: Bo Chen
Date: Thu, 20 Feb 2020 07:42:53 -0800
Subject: [PATCH] clh: Update clh driver to use the latest openAPI knobs

We leverage the new openAPI knobs from CLH to set readonly for disk image and we also pass kernel cmd to set guest root filesystem readonly.

Signed-off-by: Bo Chen
---
 virtcontainers/clh.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/virtcontainers/clh.go b/virtcontainers/clh.go
index 67ac089c1d..dd5691d1a6 100644
--- a/virtcontainers/clh.go
+++ b/virtcontainers/clh.go
@@ -120,6 +120,7 @@ var clhKernelParams = []Param{
 {"no_timer_check", ""}, // do not check broken timer IRQ resources
 {"noreplace-smp", ""}, // do not replace SMP instructions
 {"agent.log_vport", fmt.Sprintf("%d", vSockLogsPort)}, // tell the agent where to send the logs
+ {"rootflags", "data=ordered,errors=remount-ro ro"}, // mount the root filesystem as readonly
 }

 var clhDebugKernelParams = []Param{
@@ -248,7 +249,8 @@ func (clh *cloudHypervisor) createSandbox(ctx context.Context, id string, networ
 }

 disk := chclient.DiskConfig{
- Path: imagePath,
+ Path: imagePath,
+ Readonly: true,
 }

 clh.vmconfig.Disks = append(clh.vmconfig.Disks, disk)
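Review bot: The `ro` flag in the new `rootflags` entry of `clhKernelParams` is tucked into the value of another parameter, so it only reaches the guest kernel as a standalone `ro` if Param values are joined unquoted and space-separated; that serialization is not visible in this hunk. The neighbouring entries express bare flags as their own element (`{"no_timer_check", ""}`), so `{"rootflags", "data=ordered,errors=remount-ro"},` followed by `{"ro", ""}, // mount the root filesystem read-only` would match them and would not depend on how the value is escaped. The trailing comment also covers only the `ro` part; `errors=remount-ro` is the on-error behaviour and is worth naming separately.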
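Review bot: Nothing in this patch pins the new `Readonly: true` on the image `DiskConfig` in createSandbox; the diffstat lists only clh.go, so a later edit to the literal could drop the host-side write protection unnoticed. This field is the control applied by the hypervisor, whereas the kernel parameters added in the first hunk are honoured by the guest itself and a privileged process in the guest can remount the root read-write. I would document that on the field, e.g. `Readonly: true, // enforced by the VMM; guest mount flags alone do not protect the image`, and assert in whatever unit test covers createSandbox that the appended disk has Readonly set. createSandbox starts and ends outside the hunk.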