From af72260927efd412210ec85842e1ef70ccc0c5e8 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Wed, 16 Nov 2016 09:53:42 +0100
Subject: [PATCH 6/9] start/initutils: make cgroupns separation level
configurable
Adds a new global config variable `lxc.cgroup.separate`
which controls whether a separation directory for cgroup
namespaces should be used.
Can be empty, "privileged", "unprivileged" or "both".
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
src/lxc/initutils.c | 17 +++++++++--------
src/lxc/initutils.h | 1 +
src/lxc/start.c | 28 ++++++++++++++++------------
3 files changed, 26 insertions(+), 20 deletions(-)
diff --git a/src/lxc/initutils.c b/src/lxc/initutils.c
index 8d9016c..0630293 100644
--- a/src/lxc/initutils.c
+++ b/src/lxc/initutils.c
@@ -88,14 +88,15 @@ static char *copy_global_config_value(char *p)
const char *lxc_global_config_value(const char *option_name)
{
static const char * const options[][2] = {
- { "lxc.bdev.lvm.vg", DEFAULT_VG },
- { "lxc.bdev.lvm.thin_pool", DEFAULT_THIN_POOL },
- { "lxc.bdev.zfs.root", DEFAULT_ZFSROOT },
- { "lxc.bdev.rbd.rbdpool", DEFAULT_RBDPOOL },
- { "lxc.lxcpath", NULL },
- { "lxc.default_config", NULL },
- { "lxc.cgroup.pattern", NULL },
- { "lxc.cgroup.use", NULL },
+ { "lxc.bdev.lvm.vg", DEFAULT_VG },
+ { "lxc.bdev.lvm.thin_pool", DEFAULT_THIN_POOL },
+ { "lxc.bdev.zfs.root", DEFAULT_ZFSROOT },
+ { "lxc.bdev.rbd.rbdpool", DEFAULT_RBDPOOL },
+ { "lxc.lxcpath", NULL },
+ { "lxc.default_config", NULL },
+ { "lxc.cgroup.pattern", NULL },
+ { "lxc.cgroup.use", NULL },
+ { "lxc.cgroup.protect_limits", DEFAULT_CGPROTECT },
{ NULL, NULL },
};
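Review bot: The key added on the `+ { "lxc.cgroup.protect_limits", DEFAULT_CGPROTECT }` line is not the name the commit message documents (`lxc.cgroup.separate`); one of the two should be corrected so that the option users read about is the one this table actually serves. The hunk also re-indents every pre-existing entry of `options[]`, which hides the single functional line inside a whitespace change — keep the old indentation here or split the reformat into its own commit. Since this table is the only place in the file the option appears, a short comment on the new entry naming the accepted values, `/* "", "privileged", "unprivileged" or "both" */`, would spare readers a trip to the commit message. lxc_global_config_value's body continues outside the hunk.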
diff --git a/src/lxc/initutils.h b/src/lxc/initutils.h
index c021fd6..443ad02 100644
--- a/src/lxc/initutils.h
+++ b/src/lxc/initutils.h
@@ -43,6 +43,7 @@
#define DEFAULT_THIN_POOL "lxc"
#define DEFAULT_ZFSROOT "lxc"
#define DEFAULT_RBDPOOL "lxc"
+#define DEFAULT_CGPROTECT "privileged"
extern void lxc_setup_fs(void);
extern const char *lxc_global_config_value(const char *option_name);
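Review bot: `DEFAULT_CGPROTECT` is added without saying what it is the default for or which values are legal, whereas its neighbours are self-explaining pool names; unlike them this macro is a mode switch, so an override that is not one of the known strings changes behaviour silently. A comment on the `+#define DEFAULT_CGPROTECT "privileged"` line, `/* default for lxc.cgroup.protect_limits: "", "privileged", "unprivileged" or "both" */`, documents the contract where a packager will look for it.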
diff --git a/src/lxc/start.c b/src/lxc/start.c
index e889421..4217c5d 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -1050,6 +1050,7 @@ static int lxc_spawn(struct lxc_handler *handler)
int saved_ns_fd[LXC_NS_MAX];
int preserve_mask = 0, i, flags;
int netpipepair[2], nveths;
+ bool privileged = lxc_list_empty(&handler->conf->id_map);
netpipe = -1;
@@ -1113,7 +1114,7 @@ static int lxc_spawn(struct lxc_handler *handler)
* it readonly.
* If the container is unprivileged then skip rootfs pinning.
*/
- if (lxc_list_empty(&handler->conf->id_map)) {
+ if (privileged) {
handler->pinfd = pin_rootfs(handler->conf->rootfs.path);
if (handler->pinfd == -1)
INFO("Failed to pin the rootfs for container \"%s\".", handler->name);
@@ -1238,17 +1239,20 @@ static int lxc_spawn(struct lxc_handler *handler)
}
if (cgns_supported()) {
- if (!cgroup_create(handler, true)) {
- ERROR("failed to create inner cgroup separation layer");
- goto out_delete_net;
- }
- if (!cgroup_enter(handler, true)) {
- ERROR("failed to enter inner cgroup separation layer");
- goto out_delete_net;
- }
- if (!cgroup_chown(handler, true)) {
- ERROR("failed chown inner cgroup separation layer");
- goto out_delete_net;
+ const char *tmp = lxc_global_config_value("lxc.cgroup.protect_limits");
+ if (!strcmp(tmp, "both") || !strcmp(tmp, privileged ? "privileged" : "unprivileged")) {
+ if (!cgroup_create(handler, true)) {
+ ERROR("failed to create inner cgroup separation layer");
+ goto out_delete_net;
+ }
+ if (!cgroup_enter(handler, true)) {
+ ERROR("failed to enter inner cgroup separation layer");
+ goto out_delete_net;
+ }
+ if (!cgroup_chown(handler, true)) {
+ ERROR("failed chown inner cgroup separation layer");
+ goto out_delete_net;
+ }
}
}
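Review bot: The `if (!strcmp(tmp, "both") || !strcmp(tmp, privileged ? "privileged" : "unprivileged"))` line accepts any string and treats everything that is not an exact match as "no separation layer", so a misspelt value in the global config silently skips cgroup_create/cgroup_enter/cgroup_chown — for an option named protect_limits that fail-open default deserves an explicit error instead. The commit message also allows the value to be empty; if lxc_global_config_value can hand back NULL rather than "" in that case (not visible here), the strcmp on that line dereferences it, so the value should be checked before it is compared. I would classify the value once, reject anything outside the four documented strings with an ERROR and the existing out_delete_net path, and keep the three cgroup calls under a single boolean. lxc_spawn starts and ends outside this hunk, so the out_delete_net label itself is not visible.
```c
		const char *tmp = lxc_global_config_value("lxc.cgroup.protect_limits");
		bool separate;
		if (!tmp || !*tmp) {
			separate = false;
		} else if (!strcmp(tmp, "both")) {
			separate = true;
		} else if (!strcmp(tmp, "privileged") || !strcmp(tmp, "unprivileged")) {
			separate = !strcmp(tmp, privileged ? "privileged" : "unprivileged");
		} else {
			ERROR("invalid lxc.cgroup.protect_limits value \"%s\"", tmp);
			goto out_delete_net;
		}
		if (separate) {
			/* … unchanged: cgroup_create / cgroup_enter / cgroup_chown with their error exits … */
		}
```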
--
2.1.4