clh: Update clh driver to use the latest openAPI knobs

We leverage the new openAPI knobs from CLH to set readonly for disk image and we also pass kernel cmd to set guest root filesystem readonly. Signed-off-by: Bo Chen <[email protected]>
kata-containers · Feb 20, 2020 · 12d10eb · 12d10eb
1 parent de8fe25
commit 12d10eb
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/virtcontainers/clh.go b/virtcontainers/clh.go
@@ -120,6 +120,7 @@ var clhKernelParams = []Param{
 	{"no_timer_check", ""}, // do not check broken timer IRQ resources
 	{"noreplace-smp", ""},  // do not replace SMP instructions
 	{"agent.log_vport", fmt.Sprintf("%d", vSockLogsPort)}, // tell the agent where to send the logs
+	{"rootflags", "data=ordered,errors=remount-ro ro"},    // mount the root filesystem as readonly
 }
 
 var clhDebugKernelParams = []Param{
@@ -248,7 +249,8 @@ func (clh *cloudHypervisor) createSandbox(ctx context.Context, id string, networ
 	}
 
 	disk := chclient.DiskConfig{
-		Path: imagePath,
+		Path:     imagePath,
+		Readonly: true,
 	}
 	clh.vmconfig.Disks = append(clh.vmconfig.Disks, disk)