proxmox-mirrors/mirror_lxc
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_lxc synced 2025-08-16 05:47:31 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

conf: handle partially functional device nodes

Browse Source 
This improves handling kernels which allow userspace to create partially
functional devices nodes.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
This commit is contained in:
Christian Brauner 2018-07-12 12:43:34 +02:00
parent f2c0c2bf9a
commit 5067e4dd85
No known key found for this signature in database
GPG Key ID: 8EB056D53EECB12D
1 changed files with 47 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

68
src/lxc/conf.c
View File

@ -1260,12 +1260,20 @@ static const struct lxc_device_node lxc_devices[] = {
{ "zero", S_IFCHR | S_IRWXU | S_IRWXG | S_IRWXO, 1, 5 }, { "zero", S_IFCHR | S_IRWXU | S_IRWXG | S_IRWXO, 1, 5 },
}; };
enum {
LXC_DEVNODE_BIND,
LXC_DEVNODE_MKNOD,
LXC_DEVNODE_PARTIAL,
LXC_DEVNODE_OPEN,
};
static int lxc_fill_autodev(const struct lxc_rootfs *rootfs) static int lxc_fill_autodev(const struct lxc_rootfs *rootfs)
{ {
int i, ret; int i, ret;
char path[MAXPATHLEN]; char path[MAXPATHLEN];
mode_t cmask; mode_t cmask;
int can_mknod = 1; int use_mknod = LXC_DEVNODE_MKNOD;
ret = snprintf(path, MAXPATHLEN, "%s/dev", ret = snprintf(path, MAXPATHLEN, "%s/dev",
rootfs->path ? rootfs->mount : ""); rootfs->path ? rootfs->mount : "");
@ -1288,34 +1296,52 @@ static int lxc_fill_autodev(const struct lxc_rootfs *rootfs)
if (ret < 0 || ret >= MAXPATHLEN) if (ret < 0 || ret >= MAXPATHLEN)
return -1; return -1;
/* See if (use_mknod >= LXC_DEVNODE_MKNOD) {
* - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=55956b59df336f6738da916dbb520b6e37df9fbd
* - https://lists.linuxfoundation.org/pipermail/containers/2018-June/039176.html
*/
if (can_mknod == 2 || (can_mknod == 1 && !am_host_unpriv())) {
ret = mknod(path, device->mode, makedev(device->maj, device->min)); ret = mknod(path, device->mode, makedev(device->maj, device->min));
if (ret == 0 || (ret < 0 && errno == EEXIST)) { if (ret == 0 || (ret < 0 && errno == EEXIST)) {
DEBUG("Created device node \"%s\"", path); DEBUG("Created device node \"%s\"", path);
} else if (ret < 0) {
if (errno != EPERM) {
SYSERROR("Failed to create device node \"%s\"", path);
return -1;
}
use_mknod = LXC_DEVNODE_BIND;
}
/* Device nodes are fully useable. */
if (use_mknod == LXC_DEVNODE_OPEN)
continue; continue;
}
if (errno != EPERM) { if (use_mknod == LXC_DEVNODE_MKNOD) {
SYSERROR("Failed to create device node \"%s\"", path); /* See
return -1; * - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=55956b59df336f6738da916dbb520b6e37df9fbd
} * - https://lists.linuxfoundation.org/pipermail/containers/2018-June/039176.html
*/
ret = open(path, O_RDONLY | O_CLOEXEC);
if (ret >= 0) {
close(ret);
/* Device nodes are fully useable. */
use_mknod = LXC_DEVNODE_OPEN;
continue;
}
/* This can e.g. happen when the container is SYSTRACE("Failed to open \"%s\" device", path);
* unprivileged or CAP_MKNOD has been dropped. /* Device nodes are only partially useable. */
*/ use_mknod = LXC_DEVNODE_PARTIAL;
can_mknod = 2; }
} else {
can_mknod = 0;
} }
ret = mknod(path, S_IFREG | 0000, 0); if (use_mknod != LXC_DEVNODE_PARTIAL) {
if (ret < 0 && errno != EEXIST) { /* If we are dealing with partially functional device
SYSERROR("Failed to create file \"%s\"", path); * nodes the prio mknod() call will have created the
return -1; * device node so we can use it as a bind-mount target.
*/
ret = mknod(path, S_IFREG | 0000, 0);
if (ret < 0 && errno != EEXIST) {
SYSERROR("Failed to create file \"%s\"", path);
return -1;
}
} }
/* Fallback to bind-mounting the device from the host. */ /* Fallback to bind-mounting the device from the host. */