Merge pull request #1390 from devimc/topic/roFS

virtcontainers: improve security and mount the rootfs as read-only fs
2025-08-25 11:13:15 +00:00 · 2019-03-21 09:33:04 +00:00 · 2019-03-21 09:33:04 +00:00 · c70ba4844f
commit c70ba4844f
parent f1ef63e5c6 9b73900ba6
2 changed files with 6 additions and 1 deletions
--- a/pkg/katautils/create.go
+++ b/pkg/katautils/create.go
@ -93,6 +93,11 @@ var noTraceKernelParam = []vc.Param{
 		Key:   "systemd.mask",
 		Value: "tmp.mount",
 	},
+	// No random seed
+	{
+		Key:   "systemd.mask",
+		Value: "systemd-random-seed.service",
+	},
 }

 func getKernelParams(needSystemd, trace bool) []vc.Param {
--- a/virtcontainers/qemu_amd64.go
+++ b/virtcontainers/qemu_amd64.go
@ -32,7 +32,7 @@ var qemuPaths = map[string]string{

 var kernelRootParams = []Param{
 	{"root", "/dev/pmem0p1"},
-	{"rootflags", "dax,data=ordered,errors=remount-ro rw"},
+	{"rootflags", "dax,data=ordered,errors=remount-ro ro"},
 	{"rootfstype", "ext4"},
 }