From af72260927efd412210ec85842e1ef70ccc0c5e8 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller
Date: Wed, 16 Nov 2016 09:53:42 +0100
Subject: [PATCH 6/9] start/initutils: make cgroupns separation level configurable

Adds a new global config variable `lxc.cgroup.separate` which controls whether a separation directory for cgroup namespaces should be used. Can be empty, "privileged", "unprivileged" or "both".

Signed-off-by: Wolfgang Bumiller
---
 src/lxc/initutils.c | 17 +++++++++--------
 src/lxc/initutils.h | 1 +
 src/lxc/start.c | 28 ++++++++++++++++------------
 3 files changed, 26 insertions(+), 20 deletions(-)

diff --git a/src/lxc/initutils.c b/src/lxc/initutils.c
index 8d9016c..0630293 100644
--- a/src/lxc/initutils.c
+++ b/src/lxc/initutils.c
@@ -88,14 +88,15 @@ static char *copy_global_config_value(char *p)
 const char *lxc_global_config_value(const char *option_name)
 {
 static const char * const options[][2] = {
- { "lxc.bdev.lvm.vg", DEFAULT_VG },
- { "lxc.bdev.lvm.thin_pool", DEFAULT_THIN_POOL },
- { "lxc.bdev.zfs.root", DEFAULT_ZFSROOT },
- { "lxc.bdev.rbd.rbdpool", DEFAULT_RBDPOOL },
- { "lxc.lxcpath", NULL },
- { "lxc.default_config", NULL },
- { "lxc.cgroup.pattern", NULL },
- { "lxc.cgroup.use", NULL },
+ { "lxc.bdev.lvm.vg", DEFAULT_VG },
+ { "lxc.bdev.lvm.thin_pool", DEFAULT_THIN_POOL },
+ { "lxc.bdev.zfs.root", DEFAULT_ZFSROOT },
+ { "lxc.bdev.rbd.rbdpool", DEFAULT_RBDPOOL },
+ { "lxc.lxcpath", NULL },
+ { "lxc.default_config", NULL },
+ { "lxc.cgroup.pattern", NULL },
+ { "lxc.cgroup.use", NULL },
+ { "lxc.cgroup.protect_limits", DEFAULT_CGPROTECT },
 { NULL, NULL },
 };
diff --git a/src/lxc/initutils.h b/src/lxc/initutils.h
index c021fd6..443ad02 100644
--- a/src/lxc/initutils.h
+++ b/src/lxc/initutils.h
@@ -43,6 +43,7 @@
 #define DEFAULT_THIN_POOL "lxc"
 #define DEFAULT_ZFSROOT "lxc"
 #define DEFAULT_RBDPOOL "lxc"
+#define DEFAULT_CGPROTECT "privileged"
 extern void lxc_setup_fs(void);
 extern const char *lxc_global_config_value(const char *option_name);
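Review bot: The key registered in this table is `lxc.cgroup.protect_limits`, but the commit subject and description describe the option as `lxc.cgroup.separate`; one of the two has to change before merge, because an administrator who copies the name from the changelog will set a key that is presumably not in this table and so is never consulted, leaving the protection at its default without any warning. The table row also gives a reader no hint of the accepted values, so I would add `/* lxc.cgroup.protect_limits: "", "privileged", "unprivileged" or "both" */` above the new entry. The eight surrounding rows appear to be re-aligned only, which makes the hunk look like a rewrite of the table rather than the one-line addition it is; a separate whitespace commit would keep the functional change reviewable. lxc_global_config_value's body continues outside the hunk.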
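Review bot: `#define DEFAULT_CGPROTECT "privileged"` changes the pre-patch behaviour for unprivileged containers, which until now always received the inner cgroup separation layer whenever cgns_supported() was true (see the start.c hunk in this series), and neither this define nor the commit message says so. A comment on the define should state the accepted values and the reason unprivileged containers are excluded by default, for example `/* Default for lxc.cgroup.protect_limits: keep the container's cgroupns root below the cgroup carrying its limits for privileged containers only. Other values: "", "unprivileged", "both". */`. If the rationale is that an unprivileged container's cgroup subtree is handed to the user anyway, write that down so the weaker default is not mistaken for an oversight by the next reader.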
diff --git a/src/lxc/start.c b/src/lxc/start.c
index e889421..4217c5d 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -1050,6 +1050,7 @@ static int lxc_spawn(struct lxc_handler *handler)
 int saved_ns_fd[LXC_NS_MAX];
 int preserve_mask = 0, i, flags;
 int netpipepair[2], nveths;
+ bool privileged = lxc_list_empty(&handler->conf->id_map);
 netpipe = -1;
@@ -1113,7 +1114,7 @@ static int lxc_spawn(struct lxc_handler *handler)
 * it readonly.
 * If the container is unprivileged then skip rootfs pinning.
 */
- if (lxc_list_empty(&handler->conf->id_map)) {
+ if (privileged) {
 handler->pinfd = pin_rootfs(handler->conf->rootfs.path);
 if (handler->pinfd == -1)
 INFO("Failed to pin the rootfs for container \"%s\".", handler->name);
@@ -1238,17 +1239,20 @@ static int lxc_spawn(struct lxc_handler *handler)
 }
 if (cgns_supported()) {
- if (!cgroup_create(handler, true)) {
- ERROR("failed to create inner cgroup separation layer");
- goto out_delete_net;
- }
- if (!cgroup_enter(handler, true)) {
- ERROR("failed to enter inner cgroup separation layer");
- goto out_delete_net;
- }
- if (!cgroup_chown(handler, true)) {
- ERROR("failed chown inner cgroup separation layer");
- goto out_delete_net;
+ const char *tmp = lxc_global_config_value("lxc.cgroup.protect_limits");
+ if (!strcmp(tmp, "both") || !strcmp(tmp, privileged ? "privileged" : "unprivileged")) {
+ if (!cgroup_create(handler, true)) {
+ ERROR("failed to create inner cgroup separation layer");
+ goto out_delete_net;
+ }
+ if (!cgroup_enter(handler, true)) {
+ ERROR("failed to enter inner cgroup separation layer");
+ goto out_delete_net;
+ }
+ if (!cgroup_chown(handler, true)) {
+ ERROR("failed chown inner cgroup separation layer");
+ goto out_delete_net;
+ }
 }
 }
-- 
2.1.4
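Review bot: The strcmp chain on the new `if` line fails open: any value of lxc.cgroup.protect_limits other than the four documented ones (a typo such as `privleged`, or a stray trailing character) silently skips cgroup_create/cgroup_enter/cgroup_chown, so the container's cgroupns root lands on the same cgroup that carries its limits, which is exactly what this layer exists to prevent. Validate the string explicitly and fail closed on anything unrecognised, as sketched below, or at minimum WARN and fall back to DEFAULT_CGPROTECT rather than to "off". I could not confirm from the visible part of lxc_global_config_value that it never returns NULL for a key that has a default, so the sketch substitutes DEFAULT_CGPROTECT (defined in initutils.h next to the declaration this hunk calls) defensively; drop that line if the helper guarantees a non-NULL result. `tmp` is also a poor name for a value that decides a security property; `mode` or `protect` reads better. lxc_spawn begins and ends outside this hunk.

```c
	if (cgns_supported()) {
		const char *mode = lxc_global_config_value("lxc.cgroup.protect_limits");
		bool separate;

		/* Defensive: only needed if the helper can return NULL for this key. */
		if (!mode)
			mode = DEFAULT_CGPROTECT;

		if (!strcmp(mode, "both"))
			separate = true;
		else if (!strcmp(mode, "privileged"))
			separate = privileged;
		else if (!strcmp(mode, "unprivileged"))
			separate = !privileged;
		else if (!*mode)
			separate = false;
		else {
			/* Fail closed: a typo must not silently disable the protection. */
			ERROR("invalid value \"%s\" for lxc.cgroup.protect_limits", mode);
			goto out_delete_net;
		}

		if (separate) {
			/* … unchanged: cgroup_create / cgroup_enter / cgroup_chown, each with goto out_delete_net on failure … */
		}
	}
```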