1 From 1623287e7370989d554149a1e2ac28afcde96dbb Mon Sep 17 00:00:00 2001
2 From: Wolfgang Bumiller <w.bumiller@proxmox.com>
3 Date: Wed, 16 Nov 2016 09:53:42 +0100
4 Subject: [PATCH 2/2] start/initutils: make cgroupns separation level
7 Adds a new global config variable `lxc.cgroup.separate`
8 which controls whether a separation directory for cgroup
9 namespaces should be used.
10 It can be empty, "privileged", "unprivileged" or "both".
12 Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
14 src/lxc/initutils.c | 1 +
15 src/lxc/initutils.h | 1 +
16 src/lxc/start.c | 28 ++++++++++++++++------------
17 3 files changed, 18 insertions(+), 12 deletions(-)
19 diff --git a/src/lxc/initutils.c b/src/lxc/initutils.c
20 index b611b5e..cc22991 100644
21 --- a/src/lxc/initutils.c
22 +++ b/src/lxc/initutils.c
23 @@ -96,6 +96,7 @@ const char *lxc_global_config_value(const char *option_name)
24 { "lxc.default_config", NULL },
25 { "lxc.cgroup.pattern", NULL },
26 { "lxc.cgroup.use", NULL },
27 + { "lxc.cgroup.separate", DEFAULT_CGSEPARATE },
31 diff --git a/src/lxc/initutils.h b/src/lxc/initutils.h
32 index c021fd6..55fb8d9 100644
33 --- a/src/lxc/initutils.h
34 +++ b/src/lxc/initutils.h
36 #define DEFAULT_THIN_POOL "lxc"
37 #define DEFAULT_ZFSROOT "lxc"
38 #define DEFAULT_RBDPOOL "lxc"
39 +#define DEFAULT_CGSEPARATE "privileged"
41 extern void lxc_setup_fs(void);
42 extern const char *lxc_global_config_value(const char *option_name);
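Review bot: The new `DEFAULT_CGSEPARATE` has no comment saying what the key controls or which values are accepted, and this header is where the next maintainer will look for the default. Add above it `/* lxc.cgroup.separate: "", "privileged", "unprivileged" or "both" — which containers get an inner cgroup separation layer */`. The hunk header for this file is not visible, so the surrounding context is partly inferred.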
43 diff --git a/src/lxc/start.c b/src/lxc/start.c
44 index c9d78b7..d4603f7 100644
47 @@ -1067,6 +1067,7 @@ static int lxc_spawn(struct lxc_handler *handler)
48 int saved_ns_fd[LXC_NS_MAX];
49 int preserve_mask = 0, i, flags;
50 int netpipepair[2], nveths;
51 + bool privileged = !!lxc_list_empty(&handler->conf->id_map);
55 @@ -1130,7 +1131,7 @@ static int lxc_spawn(struct lxc_handler *handler)
57 * If the container is unprivileged then skip rootfs pinning.
59 - if (lxc_list_empty(&handler->conf->id_map)) {
61 handler->pinfd = pin_rootfs(handler->conf->rootfs.path);
62 if (handler->pinfd == -1)
63 INFO("Failed to pin the rootfs for container \"%s\".", handler->name);
64 @@ -1255,17 +1256,20 @@ static int lxc_spawn(struct lxc_handler *handler)
67 if (cgns_supported()) {
68 - if (!cgroup_create(handler, true)) {
69 - ERROR("failed to create inner cgroup separation layer");
70 - goto out_delete_net;
72 - if (!cgroup_enter(handler, true)) {
73 - ERROR("failed to enter inner cgroup separation layer");
74 - goto out_delete_net;
76 - if (!cgroup_chown(handler, true)) {
77 - ERROR("failed chown inner cgroup separation layer");
78 - goto out_delete_net;
79 + const char *tmp = lxc_global_config_value("lxc.cgroup.separate");
80 + if (!strcmp(tmp, "both") || !strcmp(tmp, privileged ? "privileged" : "unprivileged")) {
81 + if (!cgroup_create(handler, true)) {
82 + ERROR("failed to create inner cgroup separation layer");
83 + goto out_delete_net;
85 + if (!cgroup_enter(handler, true)) {
86 + ERROR("failed to enter inner cgroup separation layer");
87 + goto out_delete_net;
89 + if (!cgroup_chown(handler, true)) {
90 + ERROR("failed chown inner cgroup separation layer");
91 + goto out_delete_net;
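Review bot: `strcmp(tmp, ...)` on the new line 80 dereferences `tmp` with no NULL check, while the commit message says the value may be empty; if `lxc_global_config_value()` can return NULL for an unset or empty key (I cannot confirm from this hunk), `lxc_spawn()` crashes before the container starts. Any value outside the four accepted ones also silently skips `cgroup_create`/`cgroup_enter`/`cgroup_chown`, so a typo in lxc.conf drops the separation layer without any log line, and that layer is what keeps the container from seeing and chowning its parent's cgroup. Parse the setting once into a bool, treat NULL/empty as "no separation", and warn on unknown values so the misconfiguration is visible. `lxc_spawn()` starts and ends outside this hunk.
```c
const char *tmp = lxc_global_config_value("lxc.cgroup.separate");
bool separate = false;
if (!tmp || !*tmp) {
	separate = false;
} else if (!strcmp(tmp, "both")) {
	separate = true;
} else if (!strcmp(tmp, "privileged") || !strcmp(tmp, "unprivileged")) {
	separate = !strcmp(tmp, privileged ? "privileged" : "unprivileged");
} else {
	WARN("unknown value \"%s\" for lxc.cgroup.separate, not using a cgroup separation layer", tmp);
}
if (separate) {
	/* … unchanged: cgroup_create / cgroup_enter / cgroup_chown with goto out_delete_net … */
```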