[lxc.git] / debian / patches / 0005-start-initutils-make-cgroupns-separation-level-confi.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Wed, 28 Mar 2018 13:41:46 +0200
Subject: [PATCH] start/initutils: make cgroupns separation level configurable

Adds a new global config variable `lxc.cgroup.separate`
which controls whether a separation directory for cgroup
namespaces should be used.
Can be empty, "privileged", "unprivileged" or "both".

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
 src/lxc/initutils.c | 17 +++++++++--------
 src/lxc/initutils.h |  1 +
 src/lxc/start.c     | 25 ++++++++++++++-----------
 3 files changed, 24 insertions(+), 19 deletions(-)

diff --git a/src/lxc/initutils.c b/src/lxc/initutils.c
index 56926fb5..c5f19ca8 100644
--- a/src/lxc/initutils.c
+++ b/src/lxc/initutils.c
@@ -49,14 +49,15 @@ static char *copy_global_config_value(char *p)
 const char *lxc_global_config_value(const char *option_name)
 {
 	static const char * const options[][2] = {
-		{ "lxc.bdev.lvm.vg",        DEFAULT_VG      },
-		{ "lxc.bdev.lvm.thin_pool", DEFAULT_THIN_POOL },
-		{ "lxc.bdev.zfs.root",      DEFAULT_ZFSROOT },
-		{ "lxc.bdev.rbd.rbdpool",   DEFAULT_RBDPOOL },
-		{ "lxc.lxcpath",            NULL            },
-		{ "lxc.default_config",     NULL            },
-		{ "lxc.cgroup.pattern",     NULL            },
-		{ "lxc.cgroup.use",         NULL            },
+		{ "lxc.bdev.lvm.vg",           DEFAULT_VG      },
+		{ "lxc.bdev.lvm.thin_pool",    DEFAULT_THIN_POOL },
+		{ "lxc.bdev.zfs.root",         DEFAULT_ZFSROOT },
+		{ "lxc.bdev.rbd.rbdpool",      DEFAULT_RBDPOOL },
+		{ "lxc.lxcpath",               NULL            },
+		{ "lxc.default_config",        NULL            },
+		{ "lxc.cgroup.pattern",        NULL            },
+		{ "lxc.cgroup.use",            NULL            },
+		{ "lxc.cgroup.protect_limits", DEFAULT_CGPROTECT },
 		{ NULL, NULL },
 	};
 
diff --git a/src/lxc/initutils.h b/src/lxc/initutils.h
index ec44554e..6532f301 100644
--- a/src/lxc/initutils.h
+++ b/src/lxc/initutils.h
@@ -42,6 +42,7 @@
 #define DEFAULT_THIN_POOL "lxc"
 #define DEFAULT_ZFSROOT "lxc"
 #define DEFAULT_RBDPOOL "lxc"
+#define DEFAULT_CGPROTECT "privileged"
 
 #ifndef PR_SET_MM
 #define PR_SET_MM 35
diff --git a/src/lxc/start.c b/src/lxc/start.c
index 772eacc2..ae13aae9 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -1721,17 +1721,20 @@ static int lxc_spawn(struct lxc_handler *handler)
 	TRACE("Set up legacy device cgroup controller limits");
 
 	if (cgns_supported()) {
-		if (!cgroup_create(handler, true)) {
-			ERROR("failed to create inner cgroup separation layer");
-			goto out_delete_net;
-		}
-		if (!cgroup_enter(handler, true)) {
-			ERROR("failed to enter inner cgroup separation layer");
-			goto out_delete_net;
-		}
-		if (!cgroup_chown(handler, true)) {
-			ERROR("failed chown inner cgroup separation layer");
-			goto out_delete_net;
+		const char *tmp = lxc_global_config_value("lxc.cgroup.protect_limits");
+		if (!strcmp(tmp, "both") || !strcmp(tmp, wants_to_map_ids ? "unprivileged" : "privileged")) {
+			if (!cgroup_create(handler, true)) {
+				ERROR("failed to create inner cgroup separation layer");
+				goto out_delete_net;
+			}
+			if (!cgroup_enter(handler, true)) {
+				ERROR("failed to enter inner cgroup separation layer");
+				goto out_delete_net;
+			}
+			if (!cgroup_chown(handler, true)) {
+				ERROR("failed chown inner cgroup separation layer");
+				goto out_delete_net;
+			}
 		}
 	}
 
-- 
2.11.0
Commit	Line	Data
1513a0b5	1	From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
308c8a3e	2	From: Wolfgang Bumiller <w.bumiller@proxmox.com>
1513a0b5 WB	3	Date: Wed, 28 Mar 2018 13:41:46 +0200
1513a0b5 WB	4	Subject: [PATCH] start/initutils: make cgroupns separation level configurable
308c8a3e WB	5
	6	Adds a new global config variable `lxc.cgroup.separate`
	7	which controls whether a separation directory for cgroup
	8	namespaces should be used.
	9	Can be empty, "privileged", "unprivileged" or "both".
	10
	11	Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
	12	---
07288e64	13	src/lxc/initutils.c \| 17 +++++++++--------
308c8a3e	14	src/lxc/initutils.h \| 1 +
f39a178a WB	15	src/lxc/start.c \| 25 ++++++++++++++-----------
f39a178a WB	16	3 files changed, 24 insertions(+), 19 deletions(-)
308c8a3e WB	17
308c8a3e WB	18	diff --git a/src/lxc/initutils.c b/src/lxc/initutils.c
1513a0b5	19	index 56926fb5..c5f19ca8 100644
308c8a3e WB	20	--- a/src/lxc/initutils.c
308c8a3e WB	21	+++ b/src/lxc/initutils.c
1513a0b5	22	@@ -49,14 +49,15 @@ static char copy_global_config_value(char p)
07288e64 WB	23	const char lxc_global_config_value(const char option_name)
	24	{
	25	static const char * const options[][2] = {
	26	- { "lxc.bdev.lvm.vg", DEFAULT_VG },
	27	- { "lxc.bdev.lvm.thin_pool", DEFAULT_THIN_POOL },
	28	- { "lxc.bdev.zfs.root", DEFAULT_ZFSROOT },
	29	- { "lxc.bdev.rbd.rbdpool", DEFAULT_RBDPOOL },
	30	- { "lxc.lxcpath", NULL },
	31	- { "lxc.default_config", NULL },
	32	- { "lxc.cgroup.pattern", NULL },
	33	- { "lxc.cgroup.use", NULL },
	34	+ { "lxc.bdev.lvm.vg", DEFAULT_VG },
	35	+ { "lxc.bdev.lvm.thin_pool", DEFAULT_THIN_POOL },
	36	+ { "lxc.bdev.zfs.root", DEFAULT_ZFSROOT },
	37	+ { "lxc.bdev.rbd.rbdpool", DEFAULT_RBDPOOL },
	38	+ { "lxc.lxcpath", NULL },
	39	+ { "lxc.default_config", NULL },
	40	+ { "lxc.cgroup.pattern", NULL },
	41	+ { "lxc.cgroup.use", NULL },
	42	+ { "lxc.cgroup.protect_limits", DEFAULT_CGPROTECT },
308c8a3e WB	43	{ NULL, NULL },
	44	};
	45
	46	diff --git a/src/lxc/initutils.h b/src/lxc/initutils.h
1513a0b5	47	index ec44554e..6532f301 100644
308c8a3e WB	48	--- a/src/lxc/initutils.h
308c8a3e WB	49	+++ b/src/lxc/initutils.h
1513a0b5	50	@@ -42,6 +42,7 @@
308c8a3e WB	51	#define DEFAULT_THIN_POOL "lxc"
	52	#define DEFAULT_ZFSROOT "lxc"
	53	#define DEFAULT_RBDPOOL "lxc"
07288e64	54	+#define DEFAULT_CGPROTECT "privileged"
308c8a3e	55
1513a0b5 WB	56	#ifndef PR_SET_MM
1513a0b5 WB	57	#define PR_SET_MM 35
308c8a3e	58	diff --git a/src/lxc/start.c b/src/lxc/start.c
1513a0b5	59	index 772eacc2..ae13aae9 100644
308c8a3e WB	60	--- a/src/lxc/start.c
308c8a3e WB	61	+++ b/src/lxc/start.c
1513a0b5 WB	62	@@ -1721,17 +1721,20 @@ static int lxc_spawn(struct lxc_handler *handler)
1513a0b5 WB	63	TRACE("Set up legacy device cgroup controller limits");
308c8a3e WB	64
	65	if (cgns_supported()) {
	66	- if (!cgroup_create(handler, true)) {
	67	- ERROR("failed to create inner cgroup separation layer");
	68	- goto out_delete_net;
	69	- }
	70	- if (!cgroup_enter(handler, true)) {
	71	- ERROR("failed to enter inner cgroup separation layer");
	72	- goto out_delete_net;
	73	- }
	74	- if (!cgroup_chown(handler, true)) {
	75	- ERROR("failed chown inner cgroup separation layer");
	76	- goto out_delete_net;
07288e64	77	+ const char *tmp = lxc_global_config_value("lxc.cgroup.protect_limits");
f39a178a	78	+ if (!strcmp(tmp, "both") \|\| !strcmp(tmp, wants_to_map_ids ? "unprivileged" : "privileged")) {
308c8a3e WB	79	+ if (!cgroup_create(handler, true)) {
	80	+ ERROR("failed to create inner cgroup separation layer");
	81	+ goto out_delete_net;
	82	+ }
	83	+ if (!cgroup_enter(handler, true)) {
	84	+ ERROR("failed to enter inner cgroup separation layer");
	85	+ goto out_delete_net;
	86	+ }
	87	+ if (!cgroup_chown(handler, true)) {
	88	+ ERROR("failed chown inner cgroup separation layer");
	89	+ goto out_delete_net;
	90	+ }
	91	}
	92	}
	93
	94	--
7395ab25	95	2.11.0
308c8a3e	96