From 5e9cb48b8f313618a7dee9f6c701d3813afae58c Mon Sep 17 00:00:00 2001
From: Manohar Castelino
Date: Tue, 7 May 2019 15:03:28 -0700
Subject: [PATCH] firecracker: Setup rootfs to be RO
Setup rootfs to be RO both from the VMM point of view and the VM point of view.
Fixes: #1632
Signed-off-by: Manohar Castelino
---
 virtcontainers/fc.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/virtcontainers/fc.go b/virtcontainers/fc.go
index 1c323e418e..2f58dccf24 100644
--- a/virtcontainers/fc.go
+++ b/virtcontainers/fc.go
@@ -57,6 +57,8 @@ const (
 var fcKernelParams = []Param{
 // The boot source is the first partition of the first block device added
 {"root", "/dev/vda1"},
+ {"rootflags", "data=ordered,errors=remount-ro ro"},
+ {"rootfstype", "ext4"},
 {"pci", "off"},
 {"reboot", "k"},
 {"panic", "1"},
@@ -299,7 +301,7 @@ func (fc *firecracker) fcSetVMRootfs(path string) error {
 driveID := "rootfs"
 driveParams := ops.NewPutGuestDriveByIDParams()
 driveParams.SetDriveID(driveID)
- isReadOnly := false
+ isReadOnly := true
 //Add it as a regular block device
 //This allows us to use a paritioned root block device
 isRootDevice := false
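Review bot: The trailing `ro` inside `{"rootflags", "data=ordered,errors=remount-ro ro"}` only becomes a separate kernel argument because of the embedded space, so the guest-side read-only mount depends on how the Param list is serialised, which this hunk does not show. I would give it its own entry, for example `{"ro", ""}` if Param accepts an empty value, and keep `rootflags` as `data=ordered,errors=remount-ro`, so the setting is explicit and survives any per-key lookup or de-duplication. `{"rootfstype", "ext4"}` also hard-codes the image filesystem, and `data=ordered` is ext4-specific; a one-line comment such as `// guest image must be ext4; rootflags below are ext4 mount options` would make that requirement visible. The fcKernelParams literal continues past the end of the hunk.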
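Review bot: `isReadOnly := true` in fcSetVMRootfs is the setting that actually enforces the read-only rootfs, yet it carries no comment saying so. The kernel `ro` argument is applied inside the guest and can be undone by a remount there, whereas the drive flag is applied by the VMM. I would add a comment above it along the lines of `// Attach the rootfs read-only at the VMM: this is the enforcement point, the guest "ro" mount is advisory.` A unit test asserting that the drive parameters built here carry the read-only flag would keep a later refactor from quietly flipping it back. The function body starts before and continues after this hunk, so how the flag reaches the drive request is not visible here.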