lxc: Fail if /var is nosuid

Ludovic Poujol 2022-02-17 16:25:20 +01:00
parent 799466788f
commit e79141d2d2
2 changed files with 3 additions and 2 deletions


@ -21,6 +21,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
### Changed
* elasticsearch: Use `/etc/elasticsearch/jvm.options.d/evolinux` instead of default `/etc/elasticsearch/jvm.options`
* lxc: Fail if /var is nosuid
* openvpn: make it compatible with OpenBSD and add some improvements
### Fixed


@ -43,8 +43,8 @@
- lxc_unprivilegied_containers | bool
- root_subuids.rc != 0
- name: Check if /var has not mount options nodev or noexec
shell: findmnt | grep -E "/var[^/]" | grep -e nodev -e noexec
- name: Check if /var has not mount options or nosuid or nodev or noexec
shell: findmnt | grep -E "/var[^/]" | grep -e nodev -e noexec -e nosuid
register: check_var
changed_when: false
failed_when: "check_var.rc == 0"
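Review bot: The check on the new `shell:` line matches too loosely, because `grep -E "/var[^/]"` runs against whole `findmnt` lines: it can hit any column that merely contains `/var`, it skips every mount below `/var/`, and the second grep accepts the option names anywhere in the line. Asking findmnt for the options of the filesystem that holds the path is stricter, for example `shell: findmnt -n -o OPTIONS -T /var | grep -wE 'nodev|noexec|nosuid'`. If the containers live on a separate mount below `/var` (not visible here), that path should be the target instead. The new task name also has a stray "or"; `Check that /var is not mounted with nosuid, nodev or noexec` reads more clearly. The task list begins above this hunk, so the `when:` conditions at its top belong to a task that is not fully shown.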