1 From 3ec7cf35c1ca98f976a2c39cd58287d8137d0269 Mon Sep 17 00:00:00 2001
2 From: Wolfgang Bumiller <w.bumiller@proxmox.com>
3 Date: Wed, 16 Nov 2016 09:53:42 +0100
4 Subject: [PATCH 6/9] start/initutils: make cgroupns separation level
5 configurable
6
7 Adds a new global config variable `lxc.cgroup.separate`
8 which controls whether a separation directory for cgroup
9 namespaces should be used.
10 Its value can be empty, "privileged", "unprivileged" or "both".
11
12 Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
13 ---
14 src/lxc/initutils.c | 17 +++++++++--------
15 src/lxc/initutils.h | 1 +
16 src/lxc/start.c | 25 ++++++++++++++-----------
17 3 files changed, 24 insertions(+), 19 deletions(-)
18
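--- a/src/lxc/initutils.c
+++ b/src/lxc/initutils.c
@@ -88,14 +88,15 @@ static char *copy_global_config_value(char *p)
 const char *lxc_global_config_value(const char *option_name)
 {
 static const char * const options[][2] = {
-{ "lxc.bdev.lvm.vg", DEFAULT_VG },
-{ "lxc.bdev.lvm.thin_pool", DEFAULT_THIN_POOL },
-{ "lxc.bdev.zfs.root", DEFAULT_ZFSROOT },
-{ "lxc.bdev.rbd.rbdpool", DEFAULT_RBDPOOL },
-{ "lxc.lxcpath", NULL },
-{ "lxc.default_config", NULL },
-{ "lxc.cgroup.pattern", NULL },
-{ "lxc.cgroup.use", NULL },
+{ "lxc.bdev.lvm.vg", DEFAULT_VG },
+{ "lxc.bdev.lvm.thin_pool", DEFAULT_THIN_POOL },
+{ "lxc.bdev.zfs.root", DEFAULT_ZFSROOT },
+{ "lxc.bdev.rbd.rbdpool", DEFAULT_RBDPOOL },
+{ "lxc.lxcpath", NULL },
+{ "lxc.default_config", NULL },
+{ "lxc.cgroup.pattern", NULL },
+{ "lxc.cgroup.use", NULL },
+{ "lxc.cgroup.protect_limits", DEFAULT_CGPROTECT },
 { NULL, NULL },
 };
 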
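Review bot: The key added in the `{ "lxc.cgroup.protect_limits", DEFAULT_CGPROTECT }` row does not match the name the commit message documents, `lxc.cgroup.separate`; one of the two must be corrected, because an operator who follows the description will set a key that this table never looks up and that presumably is dropped by the global-config parser without any warning. The eight rows above it are re-indented with no content change, which buries the one real addition in whitespace noise; leave them as they were or split the reformat into its own commit. A one-line comment on the new row naming the accepted values would also spare readers a trip to start.c, e.g. `/* "", "privileged", "unprivileged" or "both"; consumed in lxc_spawn() */`.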
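--- a/src/lxc/initutils.h
+++ b/src/lxc/initutils.h
@@ -43,6 +43,7 @@
 #define DEFAULT_THIN_POOL "lxc"
 #define DEFAULT_ZFSROOT "lxc"
 #define DEFAULT_RBDPOOL "lxc"
+#define DEFAULT_CGPROTECT "privileged"
 
 extern void lxc_setup_fs(void);
 extern const char *lxc_global_config_value(const char *option_name);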
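--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -1334,17 +1334,20 @@ static int lxc_spawn(struct lxc_handler *handler)
 TRACE("Set up cgroup device limits");
 
 if (cgns_supported()) {
-if (!cgroup_create(handler, true)) {
-ERROR("failed to create inner cgroup separation layer");
-goto out_delete_net;
-}
-if (!cgroup_enter(handler, true)) {
-ERROR("failed to enter inner cgroup separation layer");
-goto out_delete_net;
-}
-if (!cgroup_chown(handler, true)) {
-ERROR("failed chown inner cgroup separation layer");
-goto out_delete_net;
+const char *tmp = lxc_global_config_value("lxc.cgroup.protect_limits");
+if (!strcmp(tmp, "both") || !strcmp(tmp, wants_to_map_ids ? "unprivileged" : "privileged")) {
+if (!cgroup_create(handler, true)) {
+ERROR("failed to create inner cgroup separation layer");
+goto out_delete_net;
+}
+if (!cgroup_enter(handler, true)) {
+ERROR("failed to enter inner cgroup separation layer");
+goto out_delete_net;
+}
+if (!cgroup_chown(handler, true)) {
+ERROR("failed chown inner cgroup separation layer");
+goto out_delete_net;
+}
 }
 }
 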
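Review bot: `tmp` is handed to strcmp with no NULL check right after the `const char *tmp = lxc_global_config_value("lxc.cgroup.protect_limits");` line; the hunk does not show that function's failure path, but if it can return NULL (for an unknown key or an allocation failure, say) this is undefined behaviour at container start, so guard it: `if (tmp && (!strcmp(tmp, "both") || !strcmp(tmp, wants_to_map_ids ? "unprivileged" : "privileged"))) {`. With DEFAULT_CGPROTECT being "privileged", unprivileged containers no longer get the inner separation cgroup unless the admin opts in, whereas the removed lines created it unconditionally; that change of default is security-relevant and belongs in the commit message and in a comment at the site, e.g. `/* Inner separation layer is opt-in per privilege level via lxc.cgroup.protect_limits; the default covers privileged containers only. */`. Whether `wants_to_map_ids` is set before this point cannot be confirmed from the hunk, since lxc_spawn() starts and ends outside it.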
95 --
96 2.11.0
97