SELinux relabel API
by Richard W.M. Jones
[
I realized that we were discussing adding this feature, in various
private email, IRC, and this long bugzilla thread:
https://bugzilla.redhat.com/show_bug.cgi?id=1060423
That's not how we should do things. Let's discuss it on the
mailing list.
]
One thing that virt-customize/virt-sysprep/virt-builder have to do is
relabel SELinux guests.
What we do at the moment is run:
if load_policy && fixfiles restore; then
rm -f /.autorelabel
else
touch /.autorelabel
echo '%s: SELinux relabelling failed, will relabel at boot instead.'
fi
while chrooted into the guest (using the 'guestfs_sh' API).
This has a number of problems:
- It has to load the policy using 'load_policy', but this doesn't
work sometimes:
* RHEL 5 load_policy takes a parameter.
* Doesn't work if appliance kernel is significantly different from
guest kernel version, because the binary policy format changes
irregularly and is not backwards compatible.
* Requires the appliance [host] kernel to be compiled with
LSM/SELinux support.
- Touching /.autorelabel is often broken, eg. it's broken in Fedora 20
because of systemd (RHBZ#1049656).
- /etc/resolv.conf will not be relabelled if guestfs network is on,
because of resolv.conf shenanigans in libguestfs.git/daemon/command.c
- It requires running guest code, which we'd like to avoid.
What would be nice would be to have an API to just do this
relabelling. Libguestfs could change this API as required to handle
different guests.
Dan Walsh helpfully pointed out to us that we've been doing it wrong
all along :-) A much better way to relabel is to run:
setfiles /etc/selinux/targeted/contexts/files/file_contexts DIR
where 'file_contexts' is a file which contains the default labels for
files (a set of regexps), and 'DIR' is the directory at which
relabelling starts. Note that 'setfiles' would be the libguestfs
appliance binary, so no guest binary needs to be run.
A simple API could just look like this:
guestfs_selinux_relabel (g);
which would always use the 'targeted' policy from the guest, and
always start relabelling at the root. This would work fine for
virt-builder.
For Colin's requirements for Project Atomic, I suspect he will want to
be able to set the file_contexts file and the root directory, but I'll
leave him to describe what would be useful.
A couple of notes:
- I'd like to avoid baking in assumptions from the 'setfiles' command
as far as possible. libguestfs APIs last for many years and some
have caused us many years of regret (but that's our job) :-/
- Is it a good idea to tie this into inspection in some way? For
example, inspection could provide us with the path to the current or
default SELinux policy.
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-top is 'top' for virtual machines. Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top
9 years, 1 month
virt-resize: support to MBR logical partitions and some question
by Hu Tao
Hi,
I'm adding support for resizing logical partitions (patch is in progress).
But I encounter an error when adding a logical partition in the dest image:
virt-resize: libguestfs error: part_add: parted: /dev/sdb: Warning: The resulting partition is not properly aligned for best performance.
Error: Error informing the kernel about modifications to partition /dev/sdb5 -- Device or resource busy. This means Linux won't know about any changes you made to /dev/sdb5 until you reboot -- so you shouldn't mount it or use it in any way before rebooting.
Error: Failed to add partition 5 (Device or resource busy)
The error is actually harmless since the logical partition has been added
successfully, and I don't want to inform the kernel at all. But it prevents
virt-resize from adding further logical partitions.
I can ignore the error when adding logical partitions manually using parted.
The question is, is there any way to ignore such errors in virt-resize?
Regards,
Hu Tao
10 years, 4 months
Re: [Libguestfs] [PATCH 2/2] Use setfiles from the appliance for the SELinux relabel (RHBZ#1089100).
by Richard W.M. Jones
[Including libguestfs mailing list this time]
On Tue, May 27, 2014 at 06:05:15AM -0700, Colin Walters wrote:
> On Tue, May 27, 2014, at 02:04 AM, Richard W.M. Jones wrote:
> >
> > I'm still anxious for Colin to tell us if this API is suitable for his
> > needs.
>
> I'd like an API that allows me to only relabel *unlabeled* files.
> The use case here is: I have an existing disk image with an OS,
> I want to inject e.g. a systemd service into it. If I do this offline
> from libguestfs, the injected /usr/libexec/mydaemon and
> /usr/lib/systemd/system/mydaemon.service
> won't be labeled, but everything else will be.
>
> > I'm guessing that OStree does not have /etc/selinux/config,
>
> Right, it's in the "deployment root" of
> /ostree/deploy/$osname/deploy/$checksum/etc/selinux/config
Got it:
><fs> ll /ostree/deploy/project-atomic-controller/deploy/afc1794b4b42df77edf1988897b167573b99e299fa39a15b07b235a0e7387d02.0/etc/selinux/targeted/contexts/files/file_contexts
-rw-r--r--. 1 root root 352240 Apr 14 20:14 /sysroot/ostree/deploy/project-atomic-controller/deploy/afc1794b4b42df77edf1988897b167573b99e299fa39a15b07b235a0e7387d02.0/etc/selinux/targeted/contexts/files/file_contexts
> To figure that out you'd want to use the OSTree APIs; and then it
> introduces
> further questions around *which* deployments you want to relabel. All?
> Only
> one (the default?).
>
> What I do currently in my scripts is only relabel the default, and that
> would
> be the best default for an API.
>
> But a totally valid thing to do with OSTree is - say you're running
> RHEL7,
> and you want to check whether the latest Fedora kernel fixes an issue
> you're seeing. You can use ostree to dynamically parallel install
> Fedora content in a new deployment root, try it with near-total
> safety[1],
> and then if it doesn't work, just delete it and free up the space.
So I think an API which looks like this ...
required params:
None
optional params:
path =>
Either a directory to be relabelled recursively, or a single
file (defaults to "/").
root =>
Inspection root of guest. Optional, only makes sense when
'contexts' param is *omitted*.
contexts =>
The `file_contexts' file. Defaults to
/etc/selinux/$selinux_type/contexts/files/file_contexts
OSTree would probably want to pass:
/ostree/deploy/$osname/deploy/$checksum/etc/selinux/targeted/contexts/files/file_contexts
Inspection could be updated to parse /etc/selinux/config in order to
get the default SELinux policy and pass it back through an API such as
`inspect-get-selinux-type'.
If 'contexts' is omitted, 'root' must be supplied, and it causes an
internal call to guestfs_inspect_get_selinux_type (g, root) in order
to get the default policy.
What do you think?
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
Fedora Windows cross-compiler. Compile Windows programs, test, and
build Windows installers. Over 100 libraries supported.
http://fedoraproject.org/wiki/MinGW
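A worked example of the mechanism both of Rich's posts above rely on, added here and not code from libguestfs or from anyone in the thread: a small Python model of how setfiles applies a file_contexts file, with the 'path' parameter from the proposed API and Colin's "only relabel unlabeled files" mode. The file_contexts fragment and the guest tree are constructed for the example; the matcher follows the documented rules (each regex is anchored at both ends, an optional file-type column restricts a line, <<none>> means leave the path alone, and the last matching line wins) but leaves out libselinux's stem sorting and the setxattr call a real relabel would make. All function names are the example's own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed file_contexts fragment for the example; a real one is generated
# from the policy and is far longer.  Columns: regex, optional file-type flag,
# context (or <<none>> meaning "do not label this path").
FILE_CONTEXTS = r"""
/.*                                        system_u:object_r:default_t:s0
/                                   -d     system_u:object_r:root_t:s0
/etc(/.*)?                                 system_u:object_r:etc_t:s0
/etc/shadow.*                       --     system_u:object_r:shadow_t:s0
/etc/resolv\.conf                   --     system_u:object_r:net_conf_t:s0
/usr/libexec(/.*)?                         system_u:object_r:bin_t:s0
/usr/lib/systemd/system(/.*)?              system_u:object_r:systemd_unit_file_t:s0
/proc(/.*)?                                <<none>>
"""

# file_contexts type flags -> the file type a line is restricted to.
TYPE_FLAGS = {"--": "file", "-d": "dir", "-l": "symlink", "-c": "chr",
              "-b": "blk", "-s": "sock", "-p": "fifo"}

Spec = Tuple[re.Pattern, Optional[str], Optional[str]]


def parse_file_contexts(text: str) -> List[Spec]:
    """Parse file_contexts lines into (anchored regex, file type or None, context or None)."""
    specs: List[Spec] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 2:
            regex, ftype, ctx = fields[0], None, fields[1]
        elif len(fields) == 3 and fields[1] in TYPE_FLAGS:
            regex, ftype, ctx = fields[0], TYPE_FLAGS[fields[1]], fields[2]
        else:
            raise ValueError(f"file_contexts line {lineno}: cannot parse {raw!r}")
        # setfiles anchors every regex at both ends: /etc must not match /etcetera.
        specs.append((re.compile("^" + regex + "$"), ftype,
                      None if ctx == "<<none>>" else ctx))
    return specs


def default_context(specs: List[Spec], path: str, ftype: str) -> Optional[str]:
    """Context file_contexts assigns to path, or None if unmatched or <<none>>.
    Scan from the bottom: the last matching line wins, which is why the generic
    /.* entry comes first and the specific ones follow it."""
    for pattern, spec_type, ctx in reversed(specs):
        if spec_type is not None and spec_type != ftype:
            continue
        if pattern.match(path):
            return ctx
    return None


def plan_relabel(specs: List[Spec], tree: Dict[str, Tuple[str, Optional[str]]],
                 path: str = "/", unlabeled_only: bool = False
                 ) -> List[Tuple[str, Optional[str], str]]:
    """Decide which files a relabel starting at 'path' would touch.

    tree maps a guest path to (file type, current security.selinux label, or None
    when the xattr is absent, e.g. a file injected from outside the guest).
    unlabeled_only is the "only label what has no label yet" mode.
    Returns (path, old label, new label) for every file that would change."""
    changes = []
    prefix = path.rstrip("/") + "/"
    for p in sorted(tree):
        ftype, current = tree[p]
        if p != path and not p.startswith(prefix):
            continue
        if unlabeled_only and current is not None:
            continue
        wanted = default_context(specs, p, ftype)
        if wanted is None or wanted == current:
            continue  # <<none>> or unmatched: leave alone; already right: nothing to do
        changes.append((p, current, wanted))
    return changes


# Constructed guest tree: a mostly labelled image with one mislabelled file and
# two freshly injected, unlabelled files (the OSTree use case from the thread).
GUEST_TREE = {
    "/": ("dir", "system_u:object_r:root_t:s0"),
    "/etc": ("dir", "system_u:object_r:etc_t:s0"),
    "/etc/shadow": ("file", "system_u:object_r:etc_t:s0"),          # wrong label
    "/etc/resolv.conf": ("file", "system_u:object_r:net_conf_t:s0"),
    "/usr/libexec/mydaemon": ("file", None),                         # injected
    "/usr/lib/systemd/system/mydaemon.service": ("file", None),      # injected
    "/proc": ("dir", None),                                          # <<none>>
}

if __name__ == "__main__":
    specs = parse_file_contexts(FILE_CONTEXTS)
    for mode in (False, True):
        print("unlabeled_only =", mode)
        for p, old, new in plan_relabel(specs, GUEST_TREE, unlabeled_only=mode):
            print(f"  {p}: {old} -> {new}")
```

A full run from "/" fixes the mislabelled /etc/shadow and labels the two injected files; unlabeled_only leaves /etc/shadow alone, which is exactly the difference between "relabel the image" and "label what I just injected". Note that /etc/resolv.conf is handled by the file_contexts rule like any other file, so the resolv.conf special case in the chroot approach disappears when the appliance's setfiles does the work.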
10 years, 5 months
Adventures in building libguestfs on non-x86 architectures for Debian
by Hilko Bengen
Hi,
things are progressing slowly, but I feel that eventually I'll be
getting there: supermin can be built on all Linux-based architectures
that are part of Debian/unstable[1] -- (except for sparc, but I'll
ignore that for now.) libguestfs on the other hand currently fails
launching the appliance (necessary for running tests) on everything but
x86 and mips.
Apparently, qemu-system-arm 2.0 as currently available through
Debian/unstable doesn't want to tell us anything about available devices
unless we specify a machine type. The patch below works around that
issue, but I haven't been able to run qemu-system-arm with a supermin
appliance on Debian's armhf porterbox so far: 100% CPU usage, no output
from the kernel.
For armel, there's no kernel with device tree blobs, so I think that I'll
need to use linux-image-versatile there or ignore armel altogether.
powerpc: qemu-system-ppc does not know about the "pseries" machine, I
have figured out that I need to use qemu-system-ppc64 for that. So far,
I haven't been able to manually boot a Supermin appliance using
qemu-system-ppc, either, though.
s390x does not seem to know about virtio-blk-pci.
Cheers,
-Hilko
[1] https://buildd.debian.org/status/package.php?p=supermin
[2] https://buildd.debian.org/status/package.php?p=libguestfs
diff --git a/src/launch-direct.c b/src/launch-direct.c
index 1460c56..2332368 100644
--- a/src/launch-direct.c
+++ b/src/launch-direct.c
@@ -1020,6 +1020,10 @@ test_qemu (guestfs_h *g, struct backend_direct_data *data)
guestfs___cmd_add_arg (cmd3, g->hv);
guestfs___cmd_add_arg (cmd3, "-display");
guestfs___cmd_add_arg (cmd3, "none");
+#ifdef MACHINE_TYPE
+ guestfs___cmd_add_arg (cmd3, "-M");
+ guestfs___cmd_add_arg (cmd3, MACHINE_TYPE);
+#endif
guestfs___cmd_add_arg (cmd3, "-machine");
guestfs___cmd_add_arg (cmd3, "accel=kvm:tcg");
guestfs___cmd_add_arg (cmd3, "-device");
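Review bot: MACHINE_TYPE is tested with #ifdef but nothing in this patch defines it, so as posted the two new arguments are never compiled in; the configure-time detection (or per-architecture #define) that sets it has to be part of the change. Consider also folding the type into the -machine argument that immediately follows, e.g. `-machine type=MACHINE_TYPE,accel=kvm:tcg`, rather than relying on qemu merging a separate -M with a later -machine. And since the hunk only touches test_qemu (the probe), the command line used to launch the appliance itself will need the same machine type if it is built separately.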
10 years, 6 months
IRC question: Does using two handles to write cause disk corruption?
by Richard W.M. Jones
From IRC yesterday:
19:38 < sr_> i wanted to ask you , if i launch 2 handle writing to
the same disk images, does this cause disk corruption ?
The short answer is: yes, in many cases.
- - - -
The longer answer is a bit more nuanced ...
In the physical world you can wire up two computers to a single SCSI
disk which would look like this (although more often done using
FC/iSCSI):
+---------------+ +---------------+
| host A | | host B |
| | | |
+----------+----+ +----+----------+
| |
| +----------+ |
+----+ SCSI +----+
| |
+----------+
If both hosts write to the same filesystem on the SCSI LUN then with a
regular filesystem like ext4 you would get instant, massive disk
corruption.
However there are other filesystems which can handle this like
Clustered LVM / GFS2.
If the two hosts are writing to different LUNs, then everything is
fine.
- - - -
In terms of virtual machines:
+---------------+ +---------------+
| qemu A | | qemu B |
| | | |
+----------+----+ +----+----------+
| |
| +----------+ |
+----+ raw +----+
| file |
+----------+
If the libguestfs handles / virtual machines are talking to different
filesystems, *and the disk format is raw*, then it should work. Of
course any attempt to modify the partition table or other shared parts
of the disk image will cause corruption, because the qemu processes
won't see all changes made by each other.
If you are using the non-default libvirt backend it will probably
prevent you from doing this. Use the 'direct' backend instead.
It is *not* possible, in the libguestfs API, to set up CLVM or use
GFS2 in shared mode.
- - - -
This setup will definitely cause disk corruption:
+---------------+ +---------------+
| qemu A | | qemu B |
| | | |
+----------+----+ +----+----------+
| |
| +----------+ |
+----+ qcow2 +----+
| file |
+----------+
This is because qemu assumes it has exclusive access to the qcow2
metadata, and if two processes try to modify it at the same time they
will corrupt each other.
- - - -
A corollary is whether you can open two or more libguestfs handles
to the same appliance, ie:
+---------------+ +---------------+
| libguestfs --------- qemu |
| program --------- |
+---------------+ +-----+---------+
|
|
+---+-----+
| qcow2 |
| file |
+---------+
This lets you exploit more parallelism in qemu.
You cannot do this at the moment, but we intend to add this capability
in libguestfs 1.28 if time permits.
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-builder quickly builds VMs from scratch
http://libguestfs.org/virt-builder.1.html
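The rules in the post above as a runnable guard, added here as an example and not libguestfs code: it sniffs the image format from the header magic and takes an advisory flock() for each writer, exclusive unless the format is raw and the caller promises that the writers stay on disjoint filesystems. The format sniffing, the `disjoint_filesystems` flag and every function name are this example's own assumptions; the images it creates are throwaway stubs with only a header.

```python
import fcntl
import os
import struct
import tempfile
from contextlib import contextmanager

QCOW_MAGIC = b"QFI\xfb"  # first four bytes of a qcow/qcow2 header


class SharedWriteRefused(RuntimeError):
    """Raised when a second writer would race one that already holds the image."""


def disk_format(path: str) -> str:
    """Sniff the container format from the header.  Assumption for this example:
    anything without the qcow magic is raw, the only distinction the sharing
    rule needs."""
    with open(path, "rb") as f:
        hdr = f.read(8)
    if len(hdr) == 8 and hdr[:4] == QCOW_MAGIC:
        version = struct.unpack(">I", hdr[4:])[0]  # big-endian version field
        return "qcow2" if version >= 2 else "qcow"
    return "raw"


def second_writer_allowed(fmt: str, disjoint_filesystems: bool) -> bool:
    """The rule from the post: raw images may be shared only when each writer
    stays on its own filesystem (and nobody touches the partition table);
    qcow2 metadata is single-writer, so sharing it is never allowed."""
    return fmt == "raw" and disjoint_filesystems


@contextmanager
def writer_handle(path: str, disjoint_filesystems: bool = False):
    """Open an image for writing and hold an advisory flock() on it.

    Co-operating raw writers (disjoint_filesystems=True) take a shared lock so
    they can coexist; everything else takes an exclusive lock.  flock() locks
    belong to the open file description, so two opens in one process conflict
    just as two qemu processes would.  A conflict raises SharedWriteRefused
    immediately (LOCK_NB) instead of silently racing."""
    fmt = disk_format(path)
    kind = fcntl.LOCK_SH if second_writer_allowed(fmt, disjoint_filesystems) else fcntl.LOCK_EX
    fd = os.open(path, os.O_RDWR)
    try:
        try:
            fcntl.flock(fd, kind | fcntl.LOCK_NB)
        except BlockingIOError:
            raise SharedWriteRefused(f"{path}: {fmt} image already has a conflicting writer") from None
        yield fd
    finally:
        os.close(fd)  # closing the descriptor releases the lock


def make_image(path: str, fmt: str, size: int = 64 * 1024) -> None:
    """Write a throwaway image whose header is enough for disk_format(); the
    qcow2 one is only magic + version 3, not a valid image."""
    body = bytearray(size)
    if fmt == "qcow2":
        body[:8] = QCOW_MAGIC + struct.pack(">I", 3)
    with open(path, "wb") as f:
        f.write(body)


def demo() -> dict:
    """Try the three scenarios from the post on temporary images."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        qcow2, raw = os.path.join(d, "guest.qcow2"), os.path.join(d, "guest.img")
        make_image(qcow2, "qcow2")
        make_image(raw, "raw")
        out["formats"] = (disk_format(qcow2), disk_format(raw))

        with writer_handle(qcow2):                        # qemu A on a qcow2 file
            try:
                with writer_handle(qcow2):                # qemu B on the same qcow2
                    out["qcow2_two_writers"] = "allowed"
            except SharedWriteRefused:
                out["qcow2_two_writers"] = "refused"

        with writer_handle(raw, disjoint_filesystems=True), \
             writer_handle(raw, disjoint_filesystems=True):  # raw, separate filesystems
            out["raw_disjoint_writers"] = "allowed"

        with writer_handle(raw):                          # raw, but A made no promise
            try:
                with writer_handle(raw, disjoint_filesystems=True):
                    out["raw_mixed_writers"] = "allowed"
            except SharedWriteRefused:
                out["raw_mixed_writers"] = "refused"
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running it, the second qcow2 writer is refused while the two co-operating raw writers coexist, and a raw writer that made no promise excludes everyone. This is only a guard around the rule in the post: it does not make two qemu processes safe on shared metadata, and an exclusive lock is still the right default unless you know the writers touch different filesystems and never the partition table.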
10 years, 7 months
[PATCH WIP] Can't generate argv variant
by Maros Zatko
Hi everyone,
lately I've been getting familiar with the library and working on a slight
re-layering of it. It's about having the locking layer in the public API and
the tracing one layer below that (let's call it the __t_ layer. I'm not very good at
making up names, so this is temporary:) ). Then making sure that all generated
public stuff calls the __t_ layer and all other internal stuff doesn't use the public
API, since it would deadlock otherwise.
Now the problem - an example:
Generator creates guestfs_copy_device_to_device_argv, but not
guestfs_copy_device_to_device_argv version.
Other issue:
generated declaration for guestfs__internal_test in guestfs-internal-actions.h
looks like this:
extern int guestfs__internal_test (guestfs_h *g, const char *str,
const char *optstr, char *const *strlist, int b, int integer,
int64_t integer64, const char *filein, const char *fileout,
const char *bufferin, size_t bufferin_size, ...);
but its type in bindtests.c looks different:
int
guestfs__internal_test (guestfs_h *g,
const char *str,
const char *optstr,
char *const *strlist,
int b,
int integer,
int64_t integer64,
const char *filein,
const char *fileout,
const char *bufferin,
size_t bufferin_size,
const struct guestfs_internal_test_argv *optargs)
Any ideas, please? I'd be very grateful for any :)
- maros
n.b.: please ignore some rubbish in sources, it's still WIP
Maros Zatko (1):
WIP locking/tracing layer split
generator/c.ml | 165 +++++++++++++++++++++++++++++++++++++++++++------
src/fuse.c | 14 +++++
src/guestfs-internal.h | 3 +
src/handle.c | 29 +++++----
src/inspect-fs.c | 10 +--
src/inspect-icon.c | 7 +++
src/tmpdirs.c | 2 +-
7 files changed, 193 insertions(+), 37 deletions(-)
--
1.8.5.3
10 years, 7 months
[PATCH] The license metadata must be a list
by Petr Písař
CPAN::Meta::Spec defines that the license value must be an array reference.
However, the current Build.PL uses a simple scalar. This breaks generating
META.* files, which breaks tests with recent Module::Build 0.4205.
https://bugzilla.redhat.com/show_bug.cgi?id=1083430
Signed-off-by: Petr Písař <ppisar(a)redhat.com>
---
Build.PL | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Build.PL b/Build.PL
index 55cee55..0ccace3 100644
--- a/Build.PL
+++ b/Build.PL
@@ -316,7 +316,7 @@ my $build = $class->new (
script_files => [ 'v2v/virt-v2v.pl', 'p2v/server/virt-p2v-server.pl' ],
meta_add => {
resources => {
- license => "http://www.gnu.org/licenses/gpl.html",
+ license => [ "http://www.gnu.org/licenses/gpl.html" ],
homepage => "http://people.redhat.com/mbooth/virt-v2v/",
repository => "git://git.fedorahosted.org/virt-v2v.git",
MailingList => "http://www.redhat.com/mailman/listinfo/libguestfs",
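Review bot: the change is right for the `resources.license` slot of CPAN::Meta::Spec version 2, which is a list of URLs, but the commit message says "the license value" without qualification; it should say `resources.license`, because Module::Build's own top-level `license =>` property (not shown in this hunk) stays a plain string and must not be turned into a list by anyone following the message.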
--
1.9.3
10 years, 7 months
[PATCH] edit: add -m option
by Pino Toscano
Implement the -m/--mount option, as available in guestfish, to override the
automatic introspection and specify which partitions to mount instead.
---
edit/edit.c | 38 +++++++++++++++++++++++++++++++++-----
edit/virt-edit.pod | 36 ++++++++++++++++++++++++++++++++++++
2 files changed, 69 insertions(+), 5 deletions(-)
diff --git a/edit/edit.c b/edit/edit.c
index 07790be..7a2603c 100644
--- a/edit/edit.c
+++ b/edit/edit.c
@@ -53,6 +53,7 @@ static const char *backup_extension = NULL;
static const char *perl_expr = NULL;
static void edit_files (int argc, char *argv[]);
+static void edit_files_simple (int argc, char *argv[]);
static void edit (const char *filename, const char *root);
static char *edit_interactively (const char *tmpfile);
static char *edit_non_interactively (const char *tmpfile);
@@ -84,6 +85,8 @@ usage (int status)
" --format[=raw|..] Force disk format for -a option\n"
" --help Display brief help\n"
" --keys-from-stdin Read passphrases from stdin\n"
+ " -m|--mount dev[:mnt[:opts[:fstype]]]\n"
+ " Mount dev on mnt (if omitted, /)\n"
" -v|--verbose Verbose messages\n"
" -V|--version Display version and exit\n"
" -x Trace libguestfs API calls\n"
@@ -106,7 +109,7 @@ main (int argc, char *argv[])
enum { HELP_OPTION = CHAR_MAX + 1 };
- static const char *options = "a:b:c:d:e:vVx";
+ static const char *options = "a:b:c:d:e:m:vVx";
static const struct option long_options[] = {
{ "add", 1, 0, 'a' },
{ "backup", 1, 0, 'b' },
@@ -119,12 +122,16 @@ main (int argc, char *argv[])
{ "help", 0, 0, HELP_OPTION },
{ "keys-from-stdin", 0, 0, 0 },
{ "long-options", 0, 0, 0 },
+ { "mount", 1, 0, 'm' },
{ "verbose", 0, 0, 'v' },
{ "version", 0, 0, 'V' },
{ 0, 0, 0, 0 }
};
struct drv *drvs = NULL;
struct drv *drv;
+ struct mp *mps = NULL;
+ struct mp *mp;
+ char *p;
const char *format = NULL;
int c;
int option_index;
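Review bot: `mp` and `p` are declared here but nothing in this patch uses them directly, so they must be consumed by the OPTION_m macro; a short comment next to the declarations (e.g. `/* used by OPTION_m */`) would stop them reading as unused variables to the next person who touches main().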
@@ -189,6 +196,11 @@ main (int argc, char *argv[])
perl_expr = optarg;
break;
+ case 'm':
+ OPTION_m;
+ inspector = 0;
+ break;
+
case 'v':
OPTION_v;
break;
@@ -251,7 +263,7 @@ main (int argc, char *argv[])
* values.
*/
assert (read_only == 0);
- assert (inspector == 1);
+ assert (inspector == 1 || mps != NULL);
assert (live == 0);
/* User must specify at least one filename on the command line. */
@@ -268,12 +280,19 @@ main (int argc, char *argv[])
if (guestfs_launch (g) == -1)
exit (EXIT_FAILURE);
- inspect_mount ();
+ if (mps != NULL)
+ mount_mps (mps);
+ else
+ inspect_mount ();
/* Free up data structures, no longer needed after this point. */
free_drives (drvs);
+ free_mps (mps);
- edit_files (argc - optind, &argv[optind]);
+ if (inspector)
+ edit_files (argc - optind, &argv[optind]);
+ else
+ edit_files_simple (argc - optind, &argv[optind]);
/* Cleanly unmount the disks after editing. */
if (guestfs_shutdown (g) == -1)
@@ -304,6 +323,15 @@ edit_files (int argc, char *argv[])
}
static void
+edit_files_simple (int argc, char *argv[])
+{
+ int i;
+
+ for (i = 0; i < argc; ++i)
+ edit (argv[i], NULL);
+}
+
+static void
edit (const char *filename, const char *root)
{
CLEANUP_FREE char *filename_to_free = NULL;
@@ -318,7 +346,7 @@ edit (const char *filename, const char *root)
CLEANUP_FREE char *backupname = NULL;
/* Windows? Special handling is required. */
- if (is_windows (g, root))
+ if (root != NULL && is_windows (g, root))
filename = filename_to_free = windows_path (g, root, filename);
/* Download the file to a temporary. */
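Review bot: with `root == NULL` the Windows path translation is skipped entirely, so under -m a filename such as `C:\Windows\System32\drivers\etc\hosts` is handed to libguestfs verbatim and will not be found even if the user mounted the right partition. Either document in the -m section of virt-edit.pod that Windows-style paths are not translated in this mode and the full case-sensitive path on the mounted filesystem must be given, or keep a way to request the translation against the mounted root.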
diff --git a/edit/virt-edit.pod b/edit/virt-edit.pod
index 4c5ae71..ff72d71 100644
--- a/edit/virt-edit.pod
+++ b/edit/virt-edit.pod
@@ -164,6 +164,42 @@ security problem with malicious guests (CVE-2010-3851).
Read key or passphrase parameters from stdin. The default is
to try to read passphrases from the user by opening C</dev/tty>.
+=item B<-m dev[:mountpoint[:options[:fstype]]]>
+
+=item B<--mount dev[:mountpoint[:options[:fstype]]]>
+
+Mount the named partition or logical volume on the given mountpoint.
+
+If the mountpoint is omitted, it defaults to C</>.
+
+Specifying any mountpoint disables the inspection of the guest and
+the mount of its root and all of its mountpoints, so make sure
+to mount all the mountpoints needed to work with the filenames
+gives as arguments.
+
+If you don't know what filesystems a disk image contains, you can
+either run guestfish without this option, then list the partitions,
+filesystems and LVs available (see L</list-partitions>,
+L</list-filesystems> and L</lvs> commands), or you can use the
+L<virt-filesystems(1)> program.
+
+The third (and rarely used) part of the mount parameter is the list of
+mount options used to mount the underlying filesystem. If this is not
+given, then the mount options are either the empty string or C<ro>
+(the latter if the I<--ro> flag is used). By specifying the mount
+options, you override this default choice. Probably the only time you
+would use this is to enable ACLs and/or extended attributes if the
+filesystem can support them:
+
+ -m /dev/sda1:/:acl,user_xattr
+
+Using this flag is equivalent to using the C<mount-options> command.
+
+The fourth part of the parameter is the filesystem driver to use, such
+as C<ext3> or C<ntfs>. This is rarely needed, but can be useful if
+multiple drivers are valid for a filesystem (eg: C<ext2> and C<ext3>),
+or if libguestfs misidentifies a filesystem.
+
=item B<-v>
=item B<--verbose>
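Review bot: "the filenames gives as arguments" should read "the filenames given as arguments". Two sentences were lifted from the guestfish manual and do not fit this page: "run guestfish without this option" should say "run guestfish on the disk image", since the reader is in virt-edit, and "Using this flag is equivalent to using the C<mount-options> command" names a guestfish command that virt-edit does not have, so say "equivalent to guestfish's C<mount-options> command" or drop the sentence. The L</list-partitions>, L</list-filesystems> and L</lvs> links also point at sections of guestfish(1), not of this manpage, and should be L<guestfish(1)/list-partitions> style references. It would also help to state that with -m no inspection happens, so Windows drive-letter paths are not translated.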
--
1.9.3
10 years, 7 months
[PATCH] cat: add -m option
by Pino Toscano
Implement the -m/--mount option, as available in guestfish, to override the
automatic introspection and specify which partitions to mount instead.
---
cat/cat.c | 45 ++++++++++++++++++++++++++++++++++++++-------
cat/virt-cat.pod | 36 ++++++++++++++++++++++++++++++++++++
2 files changed, 74 insertions(+), 7 deletions(-)
diff --git a/cat/cat.c b/cat/cat.c
index e86ecf3..72bf81b 100644
--- a/cat/cat.c
+++ b/cat/cat.c
@@ -46,6 +46,7 @@ const char *libvirt_uri = NULL;
int inspector = 1;
static int do_cat (int argc, char *argv[]);
+static int do_cat_simple (int argc, char *argv[]);
static int is_windows (guestfs_h *g, const char *root);
static char *windows_path (guestfs_h *g, const char *root, const char *filename);
@@ -70,6 +71,8 @@ usage (int status)
" --format[=raw|..] Force disk format for -a option\n"
" --help Display brief help\n"
" --keys-from-stdin Read passphrases from stdin\n"
+ " -m|--mount dev[:mnt[:opts[:fstype]]]\n"
+ " Mount dev on mnt (if omitted, /)\n"
" -v|--verbose Verbose messages\n"
" -V|--version Display version and exit\n"
" -x Trace libguestfs API calls\n"
@@ -89,7 +92,7 @@ main (int argc, char *argv[])
enum { HELP_OPTION = CHAR_MAX + 1 };
- static const char *options = "a:c:d:vVx";
+ static const char *options = "a:c:d:m:vVx";
static const struct option long_options[] = {
{ "add", 1, 0, 'a' },
{ "connect", 1, 0, 'c' },
@@ -99,12 +102,16 @@ main (int argc, char *argv[])
{ "help", 0, 0, HELP_OPTION },
{ "keys-from-stdin", 0, 0, 0 },
{ "long-options", 0, 0, 0 },
+ { "mount", 1, 0, 'm' },
{ "verbose", 0, 0, 'v' },
{ "version", 0, 0, 'V' },
{ 0, 0, 0, 0 }
};
struct drv *drvs = NULL;
struct drv *drv;
+ struct mp *mps = NULL;
+ struct mp *mp;
+ char *p;
const char *format = NULL;
int c;
int r;
@@ -152,6 +159,11 @@ main (int argc, char *argv[])
OPTION_d;
break;
+ case 'm':
+ OPTION_m;
+ inspector = 0;
+ break;
+
case 'v':
OPTION_v;
break;
@@ -214,7 +226,7 @@ main (int argc, char *argv[])
* values.
*/
assert (read_only == 1);
- assert (inspector == 1);
+ assert (inspector == 1 || mps != NULL);
assert (live == 0);
/* User must specify at least one filename on the command line. */
@@ -225,20 +237,25 @@ main (int argc, char *argv[])
if (drvs == NULL)
usage (EXIT_FAILURE);
- /* Add drives, inspect and mount. Note that inspector is always true,
- * and there is no -m option.
- */
+ /* Add drives, inspect and mount. */
add_drives (drvs, 'a');
if (guestfs_launch (g) == -1)
exit (EXIT_FAILURE);
- inspect_mount ();
+ if (mps != NULL)
+ mount_mps (mps);
+ else
+ inspect_mount ();
/* Free up data structures, no longer needed after this point. */
free_drives (drvs);
+ free_mps (mps);
- r = do_cat (argc - optind, &argv[optind]);
+ if (inspector)
+ r = do_cat (argc - optind, &argv[optind]);
+ else
+ r = do_cat_simple (argc - optind, &argv[optind]);
guestfs_close (g);
@@ -283,6 +300,20 @@ do_cat (int argc, char *argv[])
}
static int
+do_cat_simple (int argc, char *argv[])
+{
+ unsigned errors = 0;
+ int i;
+
+ for (i = 0; i < argc; ++i) {
+ if (guestfs_download (g, argv[i], "/dev/stdout") == -1)
+ errors++;
+ }
+
+ return errors == 0 ? 0 : -1;
+}
+
+static int
is_windows (guestfs_h *g, const char *root)
{
char *type;
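Review bot: do_cat_simple bypasses is_windows()/windows_path() altogether, so with -m a Windows guest's files have to be named by their case-sensitive path on the mounted filesystem rather than a drive-letter path; that deserves a line in the -m documentation. Also, because each file is streamed to "/dev/stdout" as it goes, a failure on the second of three files leaves the first already emitted; the errors counter gives the right exit status, but the documentation should not imply that a non-zero exit means nothing was written.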
diff --git a/cat/virt-cat.pod b/cat/virt-cat.pod
index 9824a83..e06a961 100644
--- a/cat/virt-cat.pod
+++ b/cat/virt-cat.pod
@@ -126,6 +126,42 @@ security problem with malicious guests (CVE-2010-3851).
Read key or passphrase parameters from stdin. The default is
to try to read passphrases from the user by opening C</dev/tty>.
+=item B<-m dev[:mountpoint[:options[:fstype]]]>
+
+=item B<--mount dev[:mountpoint[:options[:fstype]]]>
+
+Mount the named partition or logical volume on the given mountpoint.
+
+If the mountpoint is omitted, it defaults to C</>.
+
+Specifying any mountpoint disables the inspection of the guest and
+the mount of its root and all of its mountpoints, so make sure
+to mount all the mountpoints needed to work with the filenames
+gives as arguments.
+
+If you don't know what filesystems a disk image contains, you can
+either run guestfish without this option, then list the partitions,
+filesystems and LVs available (see L</list-partitions>,
+L</list-filesystems> and L</lvs> commands), or you can use the
+L<virt-filesystems(1)> program.
+
+The third (and rarely used) part of the mount parameter is the list of
+mount options used to mount the underlying filesystem. If this is not
+given, then the mount options are either the empty string or C<ro>
+(the latter if the I<--ro> flag is used). By specifying the mount
+options, you override this default choice. Probably the only time you
+would use this is to enable ACLs and/or extended attributes if the
+filesystem can support them:
+
+ -m /dev/sda1:/:acl,user_xattr
+
+Using this flag is equivalent to using the C<mount-options> command.
+
+The fourth part of the parameter is the filesystem driver to use, such
+as C<ext3> or C<ntfs>. This is rarely needed, but can be useful if
+multiple drivers are valid for a filesystem (eg: C<ext2> and C<ext3>),
+or if libguestfs misidentifies a filesystem.
+
=item B<-v>
=item B<--verbose>
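Review bot: same text as the virt-edit.pod hunk, with the same problems: "the filenames gives as arguments" should be "given as arguments", "run guestfish without this option" should say "run guestfish on the disk image", the L</list-partitions>, L</list-filesystems> and L</lvs> links should point at guestfish(1) (e.g. L<guestfish(1)/list-partitions>), and "equivalent to using the C<mount-options> command" refers to a guestfish command that virt-cat does not have. Since the paragraph is duplicated verbatim between the two manpages, consider moving it to a shared POD fragment so the wording only has to be fixed once.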
--
1.9.3
10 years, 7 months