lxc/debian/patches/pve/0005-PVE-Up-start-initutils-make-cgroupns-separation-leve.patch
Wolfgang Bumiller 39994e5496 fix issues with shell detection on attach
Merge: attach: always use getent

Commit message:
In debian buster, some libnss plugins (if installed) can
cause getpwent to segfault instead of erroring out cleanly.
To avoid this, stick to always using getent.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2019-08-13 14:41:05 +02:00


From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Wed, 28 Mar 2018 13:41:46 +0200
Subject: [PATCH] PVE: [Up] start/initutils: make cgroupns separation level
configurable
Adds a new global config variable `lxc.cgroup.separate`
which controls whether a separation directory for cgroup
namespaces should be used.
Can be empty, "privileged", "unprivileged" or "both".
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
src/lxc/initutils.c | 17 +++++++++--------
src/lxc/initutils.h | 1 +
src/lxc/start.c | 25 ++++++++++++++-----------
3 files changed, 24 insertions(+), 19 deletions(-)
diff --git a/src/lxc/initutils.c b/src/lxc/initutils.c
index 11c808662..8b5e2542a 100644
--- a/src/lxc/initutils.c
+++ b/src/lxc/initutils.c
@@ -63,14 +63,15 @@ static char *copy_global_config_value(char *p)
const char *lxc_global_config_value(const char *option_name)
{
static const char * const options[][2] = {
- { "lxc.bdev.lvm.vg", DEFAULT_VG },
- { "lxc.bdev.lvm.thin_pool", DEFAULT_THIN_POOL },
- { "lxc.bdev.zfs.root", DEFAULT_ZFSROOT },
- { "lxc.bdev.rbd.rbdpool", DEFAULT_RBDPOOL },
- { "lxc.lxcpath", NULL },
- { "lxc.default_config", NULL },
- { "lxc.cgroup.pattern", NULL },
- { "lxc.cgroup.use", NULL },
+ { "lxc.bdev.lvm.vg", DEFAULT_VG },
+ { "lxc.bdev.lvm.thin_pool", DEFAULT_THIN_POOL },
+ { "lxc.bdev.zfs.root", DEFAULT_ZFSROOT },
+ { "lxc.bdev.rbd.rbdpool", DEFAULT_RBDPOOL },
+ { "lxc.lxcpath", NULL },
+ { "lxc.default_config", NULL },
+ { "lxc.cgroup.pattern", NULL },
+ { "lxc.cgroup.use", NULL },
+ { "lxc.cgroup.protect_limits", DEFAULT_CGPROTECT },
{ NULL, NULL },
};
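Review bot: The key registered in the added table entry, `lxc.cgroup.protect_limits`, does not match the `lxc.cgroup.separate` name announced in the patch description, so an operator who follows the description sets a key that this lookup never sees and gets the compiled-in default without any notice. Either the entry or the description should be corrected, and the accepted values belong next to the entry, since nothing in initutils.c or initutils.h states them; a comment such as `/* cgroup separation level: "", "privileged", "unprivileged" or "both"; default DEFAULT_CGPROTECT */` would do. The description also says the value "can be empty" while DEFAULT_CGPROTECT is "privileged", which is worth stating explicitly so readers do not take the empty string for the default.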
diff --git a/src/lxc/initutils.h b/src/lxc/initutils.h
index 6bf23a706..b542e6015 100644
--- a/src/lxc/initutils.h
+++ b/src/lxc/initutils.h
@@ -42,6 +42,7 @@
#define DEFAULT_THIN_POOL "lxc"
#define DEFAULT_ZFSROOT "lxc"
#define DEFAULT_RBDPOOL "lxc"
+#define DEFAULT_CGPROTECT "privileged"
#ifndef PR_SET_MM
#define PR_SET_MM 35
diff --git a/src/lxc/start.c b/src/lxc/start.c
index f3b29d6cd..1cf792aa2 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -1820,17 +1820,20 @@ static int lxc_spawn(struct lxc_handler *handler)
TRACE("Set up legacy device cgroup controller limits");
if (cgns_supported()) {
- if (!cgroup_ops->payload_create(cgroup_ops, handler, true)) {
- ERROR("failed to create inner cgroup separation layer");
- goto out_delete_net;
- }
- if (!cgroup_ops->payload_enter(cgroup_ops, handler->pid, true)) {
- ERROR("failed to enter inner cgroup separation layer");
- goto out_delete_net;
- }
- if (!cgroup_ops->chown(cgroup_ops, handler->conf, true)) {
- ERROR("failed chown inner cgroup separation layer");
- goto out_delete_net;
+ const char *tmp = lxc_global_config_value("lxc.cgroup.protect_limits");
+ if (!strcmp(tmp, "both") || !strcmp(tmp, wants_to_map_ids ? "unprivileged" : "privileged")) {
+ if (!cgroup_ops->payload_create(cgroup_ops, handler, true)) {
+ ERROR("failed to create inner cgroup separation layer");
+ goto out_delete_net;
+ }
+ if (!cgroup_ops->payload_enter(cgroup_ops, handler->pid, true)) {
+ ERROR("failed to enter inner cgroup separation layer");
+ goto out_delete_net;
+ }
+ if (!cgroup_ops->chown(cgroup_ops, handler->conf, true)) {
+ ERROR("failed chown inner cgroup separation layer");
+ goto out_delete_net;
+ }
}
}
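Review bot: An unrecognized `lxc.cgroup.protect_limits` value (a misspelling of "privileged", say) makes the condition on the `if (!strcmp(tmp, "both") || ...)` line false and silently skips the inner cgroup separation layer for every container on the host, which is a fail-open for a protective setting; the value should be validated against the four documented strings and a WARN emitted otherwise. The same line passes `tmp` to `strcmp` unchecked, and as far as I can tell from initutils.c (outside this hunk) `lxc_global_config_value` can return NULL when copying a configured value fails, so a NULL guard that fails closed in the style of the surrounding error paths seems warranted. `wants_to_map_ids` is a local of lxc_spawn, whose body starts and ends outside the hunk, so the guard assumes that variable is already set at this point.
```c
const char *tmp = lxc_global_config_value("lxc.cgroup.protect_limits");
const char *level = wants_to_map_ids ? "unprivileged" : "privileged";
if (!tmp) {
	ERROR("failed to read lxc.cgroup.protect_limits");
	goto out_delete_net;
}
if (strcmp(tmp, "") && strcmp(tmp, "both") &&
    strcmp(tmp, "privileged") && strcmp(tmp, "unprivileged"))
	WARN("unknown lxc.cgroup.protect_limits value \"%s\", skipping cgroup separation layer", tmp);
if (!strcmp(tmp, "both") || !strcmp(tmp, level)) {
	/* … unchanged: payload_create / payload_enter / chown … */
}
```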
--
2.20.1