7395ab25 | 1 | From 2b4c8a851ae299a840af3e5e0cdf128ea205b5a4 Mon Sep 17 00:00:00 2001 |
2 | From: Wolfgang Bumiller <w.bumiller@proxmox.com> |
3 | Date: Wed, 16 Nov 2016 09:53:42 +0100 | |
7395ab25 | 4 | Subject: [PATCH 6/8] start/initutils: make cgroupns separation level |
5 | configurable |
6 | ||
7 | Adds a new global config variable `lxc.cgroup.separate` | |
8 | which controls whether a separation directory for cgroup | |
9 | namespaces should be used. | |
10 | Can be empty, "privileged", "unprivileged" or "both". | |
11 | ||
12 | Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> | |
13 | --- | |
07288e64 | 14 | src/lxc/initutils.c | 17 +++++++++-------- |
15 | src/lxc/initutils.h | 1 + |
16 | src/lxc/start.c | 28 ++++++++++++++++------------ | |
07288e64 | 17 | 3 files changed, 26 insertions(+), 20 deletions(-) |
18 | |
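diff --git a/src/lxc/initutils.c b/src/lxc/initutils.c
index 8d9016cd..06302935 100644
--- a/src/lxc/initutils.c
+++ b/src/lxc/initutils.c
@@ -88,14 +88,15 @@ static char *copy_global_config_value(char *p)
 const char *lxc_global_config_value(const char *option_name)
 {
 	static const char * const options[][2] = {
-		{ "lxc.bdev.lvm.vg", DEFAULT_VG },
-		{ "lxc.bdev.lvm.thin_pool", DEFAULT_THIN_POOL },
-		{ "lxc.bdev.zfs.root", DEFAULT_ZFSROOT },
-		{ "lxc.bdev.rbd.rbdpool", DEFAULT_RBDPOOL },
-		{ "lxc.lxcpath", NULL },
-		{ "lxc.default_config", NULL },
-		{ "lxc.cgroup.pattern", NULL },
-		{ "lxc.cgroup.use", NULL },
+		{ "lxc.bdev.lvm.vg", DEFAULT_VG },
+		{ "lxc.bdev.lvm.thin_pool", DEFAULT_THIN_POOL },
+		{ "lxc.bdev.zfs.root", DEFAULT_ZFSROOT },
+		{ "lxc.bdev.rbd.rbdpool", DEFAULT_RBDPOOL },
+		{ "lxc.lxcpath", NULL },
+		{ "lxc.default_config", NULL },
+		{ "lxc.cgroup.pattern", NULL },
+		{ "lxc.cgroup.use", NULL },
+		{ "lxc.cgroup.protect_limits", DEFAULT_CGPROTECT },
 		{ NULL, NULL },
 	};
 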
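Review bot: The option key added to the table, `lxc.cgroup.protect_limits`, does not match the name the commit description documents, `lxc.cgroup.separate`; one of the two should be corrected before merge, since anyone following the description will set a key this table never matches and silently get the default. The eight `-`/`+` pairs above the new entry appear to differ only in alignment, which buries the single functional line of the hunk; the realignment would be easier to review as a separate whitespace-only commit. This table is the only place the new key is declared, so a short comment beside the entry would help the next reader, e.g. `/* "privileged", "unprivileged", "both" or empty; consulted in lxc_spawn() */`. The `DEFAULT_CGPROTECT` definition in initutils.h carries the same naming concern.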
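diff --git a/src/lxc/initutils.h b/src/lxc/initutils.h
index c021fd61..443ad026 100644
--- a/src/lxc/initutils.h
+++ b/src/lxc/initutils.h
@@ -43,6 +43,7 @@
 #define DEFAULT_THIN_POOL "lxc"
 #define DEFAULT_ZFSROOT "lxc"
 #define DEFAULT_RBDPOOL "lxc"
+#define DEFAULT_CGPROTECT "privileged"
 
 extern void lxc_setup_fs(void);
 extern const char *lxc_global_config_value(const char *option_name);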
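diff --git a/src/lxc/start.c b/src/lxc/start.c
index 2d7df0e7..a909c631 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -1061,6 +1061,7 @@ static int lxc_spawn(struct lxc_handler *handler)
 	int saved_ns_fd[LXC_NS_MAX];
 	int preserve_mask = 0, i, flags;
 	int netpipepair[2], nveths;
+	bool privileged = lxc_list_empty(&handler->conf->id_map);
 
 	netpipe = -1;
 
@@ -1124,7 +1125,7 @@ static int lxc_spawn(struct lxc_handler *handler)
 	 * it readonly.
 	 * If the container is unprivileged then skip rootfs pinning.
 	 */
-	if (lxc_list_empty(&handler->conf->id_map)) {
+	if (privileged) {
 		handler->pinfd = pin_rootfs(handler->conf->rootfs.path);
 		if (handler->pinfd == -1)
 			INFO("Failed to pin the rootfs for container \"%s\".", handler->name);
@@ -1249,17 +1250,20 @@ static int lxc_spawn(struct lxc_handler *handler)
 	}
 
 	if (cgns_supported()) {
-		if (!cgroup_create(handler, true)) {
-			ERROR("failed to create inner cgroup separation layer");
-			goto out_delete_net;
-		}
-		if (!cgroup_enter(handler, true)) {
-			ERROR("failed to enter inner cgroup separation layer");
-			goto out_delete_net;
-		}
-		if (!cgroup_chown(handler, true)) {
-			ERROR("failed chown inner cgroup separation layer");
-			goto out_delete_net;
+		const char *tmp = lxc_global_config_value("lxc.cgroup.protect_limits");
+		if (!strcmp(tmp, "both") || !strcmp(tmp, privileged ? "privileged" : "unprivileged")) {
+			if (!cgroup_create(handler, true)) {
+				ERROR("failed to create inner cgroup separation layer");
+				goto out_delete_net;
+			}
+			if (!cgroup_enter(handler, true)) {
+				ERROR("failed to enter inner cgroup separation layer");
+				goto out_delete_net;
+			}
+			if (!cgroup_chown(handler, true)) {
+				ERROR("failed chown inner cgroup separation layer");
+				goto out_delete_net;
+			}
 		}
 	}
 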
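Review bot: The value read from `lxc.cgroup.protect_limits` in the third hunk is only ever compared against `"both"` and the matching privilege string, so any other spelling (a typo, or a value like `"none"`) silently disables the inner cgroup separation layer with no log line; for a setting whose purpose is to keep the container from escaping its own limits, the unrecognised case should at least be reported before the block, e.g. `WARN("unknown lxc.cgroup.protect_limits value \"%s\", skipping separation layer", tmp);`, or rejected outright. Whether `lxc_global_config_value()` can return NULL for this key is not visible here (the table entry has a non-NULL default, but the config-file lookup path is outside the hunk); if it can, both `strcmp()` calls dereference NULL, so a `tmp &&` guard would be cheap insurance. Because `DEFAULT_CGPROTECT` is `"privileged"`, unprivileged containers no longer get the separation layer they received before this change unless the administrator opts in, which the commit description should state as a behaviour change rather than just "make configurable". `tmp` is a weak name for a value consulted twice; `cgprotect` would read better. lxc_spawn() begins and ends outside the hunk.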
112 | -- | |
7395ab25 | 113 | 2.11.0 |