[lxc.git] / debian / patches / 0006-start-initutils-make-cgroupns-separation-level-confi.patch

From 2b4c8a851ae299a840af3e5e0cdf128ea205b5a4 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Wed, 16 Nov 2016 09:53:42 +0100
Subject: [PATCH 6/8] start/initutils: make cgroupns separation level
 configurable

Adds a new global config variable `lxc.cgroup.separate`
which controls whether a separation directory for cgroup
namespaces should be used.
Can be empty, "privileged", "unprivileged" or "both".

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
 src/lxc/initutils.c | 17 +++++++++--------
 src/lxc/initutils.h |  1 +
 src/lxc/start.c     | 28 ++++++++++++++++------------
 3 files changed, 26 insertions(+), 20 deletions(-)

diff --git a/src/lxc/initutils.c b/src/lxc/initutils.c
index 8d9016cd..06302935 100644
--- a/src/lxc/initutils.c
+++ b/src/lxc/initutils.c
@@ -88,14 +88,15 @@ static char *copy_global_config_value(char *p)
 const char *lxc_global_config_value(const char *option_name)
 {
 	static const char * const options[][2] = {
-		{ "lxc.bdev.lvm.vg",        DEFAULT_VG      },
-		{ "lxc.bdev.lvm.thin_pool", DEFAULT_THIN_POOL },
-		{ "lxc.bdev.zfs.root",      DEFAULT_ZFSROOT },
-		{ "lxc.bdev.rbd.rbdpool",   DEFAULT_RBDPOOL },
-		{ "lxc.lxcpath",            NULL            },
-		{ "lxc.default_config",     NULL            },
-		{ "lxc.cgroup.pattern",     NULL            },
-		{ "lxc.cgroup.use",         NULL            },
+		{ "lxc.bdev.lvm.vg",           DEFAULT_VG      },
+		{ "lxc.bdev.lvm.thin_pool",    DEFAULT_THIN_POOL },
+		{ "lxc.bdev.zfs.root",         DEFAULT_ZFSROOT },
+		{ "lxc.bdev.rbd.rbdpool",      DEFAULT_RBDPOOL },
+		{ "lxc.lxcpath",               NULL            },
+		{ "lxc.default_config",        NULL            },
+		{ "lxc.cgroup.pattern",        NULL            },
+		{ "lxc.cgroup.use",            NULL            },
+		{ "lxc.cgroup.protect_limits", DEFAULT_CGPROTECT },
 		{ NULL, NULL },
 	};
 
diff --git a/src/lxc/initutils.h b/src/lxc/initutils.h
index c021fd61..443ad026 100644
--- a/src/lxc/initutils.h
+++ b/src/lxc/initutils.h
@@ -43,6 +43,7 @@
 #define DEFAULT_THIN_POOL "lxc"
 #define DEFAULT_ZFSROOT "lxc"
 #define DEFAULT_RBDPOOL "lxc"
+#define DEFAULT_CGPROTECT "privileged"
 
 extern void lxc_setup_fs(void);
 extern const char *lxc_global_config_value(const char *option_name);
diff --git a/src/lxc/start.c b/src/lxc/start.c
index 2d7df0e7..a909c631 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -1061,6 +1061,7 @@ static int lxc_spawn(struct lxc_handler *handler)
 	int saved_ns_fd[LXC_NS_MAX];
 	int preserve_mask = 0, i, flags;
 	int netpipepair[2], nveths;
+	bool privileged = lxc_list_empty(&handler->conf->id_map);
 
 	netpipe = -1;
 
@@ -1124,7 +1125,7 @@ static int lxc_spawn(struct lxc_handler *handler)
 	 * it readonly.
 	 * If the container is unprivileged then skip rootfs pinning.
 	 */
-	if (lxc_list_empty(&handler->conf->id_map)) {
+	if (privileged) {
 		handler->pinfd = pin_rootfs(handler->conf->rootfs.path);
 		if (handler->pinfd == -1)
 			INFO("Failed to pin the rootfs for container \"%s\".", handler->name);
@@ -1249,17 +1250,20 @@ static int lxc_spawn(struct lxc_handler *handler)
 	}
 
 	if (cgns_supported()) {
-		if (!cgroup_create(handler, true)) {
-			ERROR("failed to create inner cgroup separation layer");
-			goto out_delete_net;
-		}
-		if (!cgroup_enter(handler, true)) {
-			ERROR("failed to enter inner cgroup separation layer");
-			goto out_delete_net;
-		}
-		if (!cgroup_chown(handler, true)) {
-			ERROR("failed chown inner cgroup separation layer");
-			goto out_delete_net;
+		const char *tmp = lxc_global_config_value("lxc.cgroup.protect_limits");
+		if (!strcmp(tmp, "both") || !strcmp(tmp, privileged ? "privileged" : "unprivileged")) {
+			if (!cgroup_create(handler, true)) {
+				ERROR("failed to create inner cgroup separation layer");
+				goto out_delete_net;
+			}
+			if (!cgroup_enter(handler, true)) {
+				ERROR("failed to enter inner cgroup separation layer");
+				goto out_delete_net;
+			}
+			if (!cgroup_chown(handler, true)) {
+				ERROR("failed chown inner cgroup separation layer");
+				goto out_delete_net;
+			}
 		}
 	}
 
-- 
2.11.0
Commit	Line	Data
7395ab25	1	From 2b4c8a851ae299a840af3e5e0cdf128ea205b5a4 Mon Sep 17 00:00:00 2001
308c8a3e WB	2	From: Wolfgang Bumiller <w.bumiller@proxmox.com>
308c8a3e WB	3	Date: Wed, 16 Nov 2016 09:53:42 +0100
7395ab25	4	Subject: [PATCH 6/8] start/initutils: make cgroupns separation level
308c8a3e WB	5	configurable
	6
	7	Adds a new global config variable `lxc.cgroup.separate`
	8	which controls whether a separation directory for cgroup
	9	namespaces should be used.
	10	Can be empty, "privileged", "unprivileged" or "both".
	11
	12	Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
	13	---
07288e64	14	src/lxc/initutils.c \| 17 +++++++++--------
308c8a3e WB	15	src/lxc/initutils.h \| 1 +
308c8a3e WB	16	src/lxc/start.c \| 28 ++++++++++++++++------------
07288e64	17	3 files changed, 26 insertions(+), 20 deletions(-)
308c8a3e WB	18
308c8a3e WB	19	diff --git a/src/lxc/initutils.c b/src/lxc/initutils.c
7395ab25	20	index 8d9016cd..06302935 100644
308c8a3e WB	21	--- a/src/lxc/initutils.c
308c8a3e WB	22	+++ b/src/lxc/initutils.c
07288e64 WB	23	@@ -88,14 +88,15 @@ static char copy_global_config_value(char p)
	24	const char lxc_global_config_value(const char option_name)
	25	{
	26	static const char * const options[][2] = {
	27	- { "lxc.bdev.lvm.vg", DEFAULT_VG },
	28	- { "lxc.bdev.lvm.thin_pool", DEFAULT_THIN_POOL },
	29	- { "lxc.bdev.zfs.root", DEFAULT_ZFSROOT },
	30	- { "lxc.bdev.rbd.rbdpool", DEFAULT_RBDPOOL },
	31	- { "lxc.lxcpath", NULL },
	32	- { "lxc.default_config", NULL },
	33	- { "lxc.cgroup.pattern", NULL },
	34	- { "lxc.cgroup.use", NULL },
	35	+ { "lxc.bdev.lvm.vg", DEFAULT_VG },
	36	+ { "lxc.bdev.lvm.thin_pool", DEFAULT_THIN_POOL },
	37	+ { "lxc.bdev.zfs.root", DEFAULT_ZFSROOT },
	38	+ { "lxc.bdev.rbd.rbdpool", DEFAULT_RBDPOOL },
	39	+ { "lxc.lxcpath", NULL },
	40	+ { "lxc.default_config", NULL },
	41	+ { "lxc.cgroup.pattern", NULL },
	42	+ { "lxc.cgroup.use", NULL },
	43	+ { "lxc.cgroup.protect_limits", DEFAULT_CGPROTECT },
308c8a3e WB	44	{ NULL, NULL },
	45	};
	46
	47	diff --git a/src/lxc/initutils.h b/src/lxc/initutils.h
7395ab25	48	index c021fd61..443ad026 100644
308c8a3e WB	49	--- a/src/lxc/initutils.h
	50	+++ b/src/lxc/initutils.h
	51	@@ -43,6 +43,7 @@
	52	#define DEFAULT_THIN_POOL "lxc"
	53	#define DEFAULT_ZFSROOT "lxc"
	54	#define DEFAULT_RBDPOOL "lxc"
07288e64	55	+#define DEFAULT_CGPROTECT "privileged"
308c8a3e WB	56
	57	extern void lxc_setup_fs(void);
	58	extern const char lxc_global_config_value(const char option_name);
	59	diff --git a/src/lxc/start.c b/src/lxc/start.c
7395ab25	60	index 2d7df0e7..a909c631 100644
308c8a3e WB	61	--- a/src/lxc/start.c
308c8a3e WB	62	+++ b/src/lxc/start.c
7395ab25	63	@@ -1061,6 +1061,7 @@ static int lxc_spawn(struct lxc_handler *handler)
308c8a3e WB	64	int saved_ns_fd[LXC_NS_MAX];
	65	int preserve_mask = 0, i, flags;
	66	int netpipepair[2], nveths;
07288e64	67	+ bool privileged = lxc_list_empty(&handler->conf->id_map);
308c8a3e WB	68
	69	netpipe = -1;
	70
7395ab25	71	@@ -1124,7 +1125,7 @@ static int lxc_spawn(struct lxc_handler *handler)
da73bbc6 WB	72	* it readonly.
da73bbc6 WB	73	* If the container is unprivileged then skip rootfs pinning.
308c8a3e WB	74	*/
308c8a3e WB	75	- if (lxc_list_empty(&handler->conf->id_map)) {
07288e64	76	+ if (privileged) {
308c8a3e WB	77	handler->pinfd = pin_rootfs(handler->conf->rootfs.path);
308c8a3e WB	78	if (handler->pinfd == -1)
da73bbc6	79	INFO("Failed to pin the rootfs for container \"%s\".", handler->name);
7395ab25	80	@@ -1249,17 +1250,20 @@ static int lxc_spawn(struct lxc_handler *handler)
308c8a3e WB	81	}
	82
	83	if (cgns_supported()) {
	84	- if (!cgroup_create(handler, true)) {
	85	- ERROR("failed to create inner cgroup separation layer");
	86	- goto out_delete_net;
	87	- }
	88	- if (!cgroup_enter(handler, true)) {
	89	- ERROR("failed to enter inner cgroup separation layer");
	90	- goto out_delete_net;
	91	- }
	92	- if (!cgroup_chown(handler, true)) {
	93	- ERROR("failed chown inner cgroup separation layer");
	94	- goto out_delete_net;
07288e64	95	+ const char *tmp = lxc_global_config_value("lxc.cgroup.protect_limits");
308c8a3e WB	96	+ if (!strcmp(tmp, "both") \|\| !strcmp(tmp, privileged ? "privileged" : "unprivileged")) {
	97	+ if (!cgroup_create(handler, true)) {
	98	+ ERROR("failed to create inner cgroup separation layer");
	99	+ goto out_delete_net;
	100	+ }
	101	+ if (!cgroup_enter(handler, true)) {
	102	+ ERROR("failed to enter inner cgroup separation layer");
	103	+ goto out_delete_net;
	104	+ }
	105	+ if (!cgroup_chown(handler, true)) {
	106	+ ERROR("failed chown inner cgroup separation layer");
	107	+ goto out_delete_net;
	108	+ }
	109	}
	110	}
	111
	112	--
7395ab25	113	2.11.0
308c8a3e	114