File System Mount Points on Linux
You can create and mount a file system on an IDT GuardPoint. CTE imposes one restriction on the mount point pathname selected for a device. Once you mount the device on a pathname, you cannot change the mount point to a different pathname. This restriction is enforced to allow the file system mount point to be guarded using a separate policy to enforce access control rules on the mounted file system namespace. For a use case involving a directory GuardPoint guarded over a mounted IDT GuardPoint, see Use Case 3: Directory-Level GuardPoints.
The following example shows the mount point of the IDT GuardPoint as the /xfs directory. The example also shows a failed attempt to mount the file system on a different directory pathname.
Auto Mount Options for File System Devices on Linux
IDT GuardPoints containing file systems can also be added to the /etc/fstab configuration file so that they are mounted automatically at startup and unmounted at shutdown. An entry can be for an IDT GuardPoint configured for Auto Guard or Manual Guard. For more information about the Auto Guard and Manual Guard options, see Guard the Linux Device with an IDT GuardPoint.
Use the device path of the IDT GuardPoint device when writing fstab entries, for example /dev/secvm/dev/sdh. Do not use the native device pathname (such as /dev/sdh) or a device-mapper name: a mount through the native path bypasses the GuardPoint, so data would be read and written without the CTE policy being applied. Each fstab entry for an IDT GuardPoint must also include the mount options listed in the following table:
| Option | Description |
|---|---|
| x-systemd.requires=secvm-barrier.service | Ensures that the IDT GuardPoint is enabled before the device is mounted at startup and is disabled only after the device is unmounted at shutdown. The secvm-barrier.service unit is a proxy for all the services that make up CTE. |
| nofail | The system boot proceeds without waiting for the IDT GuardPoint device if it cannot be mounted successfully. |
| x-systemd.wanted-by=<IDT device>.device | Required for Linux distributions running systemd 242 or later. Instructs systemd to add a Wants= dependency on the IDT device unit so that, when the device becomes available, this mount operation is executed. <IDT device>.device is the device path specified in fstab with the leading '/' dropped and each remaining '/' replaced by '-'. For example, /dev/secvm/dev/sdb becomes dev-secvm-dev-sdb.device. |
This is an example of an entry in /etc/fstab for an IDT GuardPoint with an xfs file system that is mounted on /xfs. The entry must be written on a single line: fstab fields are whitespace-separated, so the options field cannot contain spaces or a backslash line continuation.

```
/dev/secvm/dev/sdh /xfs xfs x-systemd.requires=secvm-barrier.service,x-systemd.wanted-by=dev-secvm-dev-sdh.device,nofail 0 0
```
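The following POSIX shell script is an added example, not part of the CTE documentation or product, that checks fstab entries against the rules above: it derives the systemd .device unit name from a /dev/secvm device path, verifies that the three required options are present, and flags entries that reference secvm-barrier.service but use a native device path. The function names, the sample fstab text and the device names in it are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: lint /etc/fstab entries for IDT GuardPoint devices.
# Assumes the /dev/secvm/... naming and the option set documented above;
# it is not CTE's own tooling.

# Derive the systemd .device unit name for a device path using the rule
# from the table: drop the leading '/', replace remaining '/' with '-',
# append ".device". Any other character would need systemd's full escaping
# (systemd-escape -p --suffix=device), so such paths are rejected here.
secvm_device_unit() {
    path=$1
    case "$path" in
        /dev/secvm/*) ;;
        *) return 1 ;;
    esac
    rest=$(printf '%s' "$path" | tr -d 'A-Za-z0-9/_')
    [ -z "$rest" ] || return 1
    printf '%s.device\n' "$(printf '%s' "${path#/}" | tr '/' '-')"
}

# Check one fstab line (device mountpoint fstype options dump pass).
# Returns 0 when the entry follows the documented rules, 1 otherwise,
# printing the reason on stderr.
check_idt_fstab_entry() {
    line=$1
    set -- $line
    [ $# -ge 4 ] || { echo "malformed entry: $line" >&2; return 1; }
    dev=$1 opts=$4
    unit=$(secvm_device_unit "$dev") || {
        echo "$dev: not a /dev/secvm device path (native or device-mapper names are not allowed)" >&2
        return 1
    }
    for want in "x-systemd.requires=secvm-barrier.service" "nofail" "x-systemd.wanted-by=$unit"; do
        case ",$opts," in
            *",$want,"*) ;;
            *) echo "$dev: missing option $want" >&2; return 1 ;;
        esac
    done
    return 0
}

# Read fstab text on stdin and print the device field of every IDT-related
# entry that fails the check. An entry counts as IDT-related when its device
# is under /dev/secvm or its options mention secvm-barrier.service (the
# latter catches entries written against the native device by mistake).
bad_idt_entries() {
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        set -- $line
        case "$1 $4" in
            /dev/secvm/*|*secvm-barrier.service*) ;;
            *) continue ;;
        esac
        check_idt_fstab_entry "$line" 2>/dev/null || printf '%s\n' "$1"
    done
}

# Constructed sample fstab for the demonstration (not captured from a host).
# Entry 2 is correct; entry 3 lacks the required options; entry 4 uses the
# native device path instead of the IDT GuardPoint device.
SAMPLE_FSTAB='# <device> <mount> <type> <options> <dump> <pass>
/dev/mapper/rootvg-root / ext4 defaults 0 1
/dev/secvm/dev/sdh /xfs xfs x-systemd.requires=secvm-barrier.service,x-systemd.wanted-by=dev-secvm-dev-sdh.device,nofail 0 0
/dev/secvm/dev/sdi /data xfs defaults,nofail 0 0
/dev/sdj /native xfs x-systemd.requires=secvm-barrier.service,nofail 0 0'

# Usage: print the devices whose entries need fixing.
printf '%s\n' "$SAMPLE_FSTAB" | bad_idt_entries
```

On a real host, replace the constructed sample with `bad_idt_entries </etc/fstab`. The unit-name rule is only the simple case the documentation gives; device paths containing characters such as '-' require the full systemd escaping, which is why the helper refuses them rather than guessing.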
For information about configuring systemd for CTE, see CTE and systemd.