stratovirt: Append readonly option when get pflash cmdline

All Stratovirt VM shares the same pflash file by default, and file can only be shared readonly for safety. Signed-off-by: Keqian Zhu <zhukeqian1@huawei.com>
2022-12-20 14:23:10 +08:00 · 2022-12-20 14:23:10 +08:00 · b0545d4297
commit b0545d4297
parent 8c20c60b8d
3 changed files with 54 additions and 8 deletions
--- a/kata-containers.spec
+++ b/kata-containers.spec
@ -2,7 +2,7 @@
 %global debug_package %{nil}

 %define VERSION 2.1.0
-%define RELEASE 31
+%define RELEASE 32

 Name:           kata-containers
 Version:        %{VERSION}
@ -109,6 +109,12 @@ strip %{buildroot}/usr/bin/containerd-shim-kata-v2
 %doc

 %changelog
+* Mon Mar 6 2023 zhukeqian <zhukeqian1@huawei.com> - 2.1.0-32
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:append readonly option when get pflash cmdline for stratovirt runtime
+
 * Thu Mar 02 2023 Vanient<xiadanni1@huawei.com> - 2.1.0-31
 - Type:bugfix
 - CVE:NA
@ -145,7 +151,7 @@ strip %{buildroot}/usr/bin/containerd-shim-kata-v2
 - SUG:NA
 - DESC:fix startup failure that adding more than 16 root port devices in stratovirt

-* Tues Mar 2 2022 Xinle.Guo <guoxinle1@huawei.com> - 2.1.0-25
+* Wed Mar 2 2022 Xinle.Guo <guoxinle1@huawei.com> - 2.1.0-25
 - Type:feature
 - ID:NA
 - SUG:NA
@ -163,13 +169,13 @@ strip %{buildroot}/usr/bin/containerd-shim-kata-v2
 - SUG:NA
 - DESC:add the stratovirt standardVM sandbox type to kata container

-* Thur Jan 13 2022 Xinle.Guo <guoxinle1@huawei.com> - 2.1.0-22
+* Thu Jan 13 2022 Xinle.Guo <guoxinle1@huawei.com> - 2.1.0-22
 - Type:feature
 - ID:NA
 - SUG:NA
 - DESC:refactor hypervisor type `stratovirt` and its methods

-* Tues Jan 11 2022 Xinle.Guo <guoxinle1@huawei.com> - 2.1.0-21
+* Tue Jan 11 2022 Xinle.Guo <guoxinle1@huawei.com> - 2.1.0-21
 - Type:feature
 - ID:NA
 - SUG:NA
@ -235,7 +241,7 @@ strip %{buildroot}/usr/bin/containerd-shim-kata-v2
 - SUG:NA
 - DESC:fix umount container rootfs dir return invalid argument error

-* Fri Nov 24 2021 jikui <jikui2@huawei.com> - 2.1.0-10
+* Wed Nov 24 2021 jikui <jikui2@huawei.com> - 2.1.0-10
 - Type:bugfix
 - ID:NA
 - SUG:NA
@ -247,19 +253,19 @@ strip %{buildroot}/usr/bin/containerd-shim-kata-v2
 - SUG:NA
 - DESC:modify kernel and image path in configuration.toml

-* Tue Oct 16 2021 jikui <jikui2@huawei.com> - 2.1.0-8
+* Sat Oct 16 2021 jikui <jikui2@huawei.com> - 2.1.0-8
 - Type:bugfix
 - ID:NA
 - SUG:NA
 - DESC:keep the qemu process name same as the configured path

-* Mon Oct 15 2021 jikui <jikui2@huawei.com> - 2.1.0-7
+* Fri Oct 15 2021 jikui <jikui2@huawei.com> - 2.1.0-7
 - Type:bugfix
 - ID:NA
 - SUG:NA
 - DESC:fix kata-runtime skip read lines in /proc/mounts

-* Fri Oct 5 2021 jikui <jikui2@huawei.com> - 2.1.0-6
+* Tue Oct 5 2021 jikui <jikui2@huawei.com> - 2.1.0-6
 - Type:bugfix
 - ID:NA
 - SUG:NA
--- a/patches/0034-stratovirt-Append-readonly-option-when-get-pflash-cm.patch
+++ b/patches/0034-stratovirt-Append-readonly-option-when-get-pflash-cm.patch
@ -0,0 +1,39 @@
+From 59cf9bfb95386f123190eff58d50e99ec1ec5ea7 Mon Sep 17 00:00:00 2001
+From: Keqian Zhu <zhukeqian1@huawei.com>
+Date: Tue, 20 Dec 2022 14:14:46 +0800
+Subject: [PATCH] stratovirt: Append readonly option when get pflash cmdline
+
+All Stratovirt VM shares the same pflash file by default, and file can only be
+shared readonly for safety.
+
+Signed-off-by: Keqian Zhu <zhukeqian1@huawei.com>
+---
+ src/runtime/virtcontainers/stratovirt.go | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/runtime/virtcontainers/stratovirt.go b/src/runtime/virtcontainers/stratovirt.go
+index 98a702a..7b01c76 100644
+--- a/src/runtime/virtcontainers/stratovirt.go
+++ b/src/runtime/virtcontainers/stratovirt.go
+@@ -661,15 +661,15 @@ func (s *stratovirt) getKernelParams(machineType string, initrdPath string) (str
+ func (s *stratovirt) getPFlash(machineType string) ([]string, error) {
+ 	var PFlash []string
+ 	if s.config.FirmwarePath != "" {
+-		PFlash = append(PFlash, fmt.Sprintf("file=%s,if=pflash,unit=0", s.config.FirmwarePath))
+		PFlash = append(PFlash, fmt.Sprintf("file=%s,if=pflash,unit=0,readonly=true", s.config.FirmwarePath))
+ 		return PFlash, nil
+ 	}
+ 
+ 	switch machineType {
+ 	case MachineTypeQ35:
+-		PFlash = append(PFlash, fmt.Sprintf("file=%s,if=pflash,unit=0", Q35PFlashCode))
+		PFlash = append(PFlash, fmt.Sprintf("file=%s,if=pflash,unit=0,readonly=true", Q35PFlashCode))
+ 	case MachineTypeVirt:
+-		PFlash = append(PFlash, fmt.Sprintf("file=%s,if=pflash,unit=0", VirtPFlashCode))
+		PFlash = append(PFlash, fmt.Sprintf("file=%s,if=pflash,unit=0,readonly=true", VirtPFlashCode))
+ 	case MachineTypeMicrovm:
+ 		return nil, nil
+ 	default:
+-- 
+2.33.0
+
--- a/series.conf
+++ b/series.conf
@ -31,3 +31,4 @@
 0031-add-explicit-on-after-kernel_irqchip.patch
 0032-qmp-Don-t-use-deprecated-props-field-for-object-add.patch
 0033-optimize-compile-options.patch
+0034-stratovirt-Append-readonly-option-when-get-pflash-cm.patch