Merge pull request #1390 from devimc/topic/roFS

virtcontainers: improve security and mount the rootfs as read-only fs

pkg/katautils/create.go

@@ -93,6 +93,11 @@ var noTraceKernelParam = []vc.Param{
 		Key:   "systemd.mask",
 		Value: "tmp.mount",
 	},
+	// No random seed
+	{
+		Key:   "systemd.mask",
+		Value: "systemd-random-seed.service",
+	},
 }
 
 func getKernelParams(needSystemd, trace bool) []vc.Param {

virtcontainers/qemu_amd64.go

@@ -32,7 +32,7 @@ var qemuPaths = map[string]string{
 
 var kernelRootParams = []Param{
 	{"root", "/dev/pmem0p1"},
-	{"rootflags", "dax,data=ordered,errors=remount-ro rw"},
+	{"rootflags", "dax,data=ordered,errors=remount-ro ro"},
 	{"rootfstype", "ext4"},
 }