[lxc.git] / debian / patches / pve / 0005-PVE-Up-start-initutils-make-cgroupns-separation-leve.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Wed, 28 Mar 2018 13:41:46 +0200
Subject: [PATCH] PVE: [Up] start/initutils: make cgroupns separation level
 configurable

Adds a new global config variable `lxc.cgroup.separate`
which controls whether a separation directory for cgroup
namespaces should be used.
Can be empty, "privileged", "unprivileged" or "both".

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
 src/lxc/initutils.c | 17 +++++++++--------
 src/lxc/initutils.h |  1 +
 src/lxc/start.c     | 25 ++++++++++++++-----------
 3 files changed, 24 insertions(+), 19 deletions(-)

diff --git a/src/lxc/initutils.c b/src/lxc/initutils.c
index 11c808662..8b5e2542a 100644
--- a/src/lxc/initutils.c
+++ b/src/lxc/initutils.c
@@ -63,14 +63,15 @@ static char *copy_global_config_value(char *p)
 const char *lxc_global_config_value(const char *option_name)
 {
 	static const char * const options[][2] = {
-		{ "lxc.bdev.lvm.vg",        DEFAULT_VG      },
-		{ "lxc.bdev.lvm.thin_pool", DEFAULT_THIN_POOL },
-		{ "lxc.bdev.zfs.root",      DEFAULT_ZFSROOT },
-		{ "lxc.bdev.rbd.rbdpool",   DEFAULT_RBDPOOL },
-		{ "lxc.lxcpath",            NULL            },
-		{ "lxc.default_config",     NULL            },
-		{ "lxc.cgroup.pattern",     NULL            },
-		{ "lxc.cgroup.use",         NULL            },
+		{ "lxc.bdev.lvm.vg",           DEFAULT_VG      },
+		{ "lxc.bdev.lvm.thin_pool",    DEFAULT_THIN_POOL },
+		{ "lxc.bdev.zfs.root",         DEFAULT_ZFSROOT },
+		{ "lxc.bdev.rbd.rbdpool",      DEFAULT_RBDPOOL },
+		{ "lxc.lxcpath",               NULL            },
+		{ "lxc.default_config",        NULL            },
+		{ "lxc.cgroup.pattern",        NULL            },
+		{ "lxc.cgroup.use",            NULL            },
+		{ "lxc.cgroup.protect_limits", DEFAULT_CGPROTECT },
 		{ NULL, NULL },
 	};
 
diff --git a/src/lxc/initutils.h b/src/lxc/initutils.h
index 6bf23a706..b542e6015 100644
--- a/src/lxc/initutils.h
+++ b/src/lxc/initutils.h
@@ -42,6 +42,7 @@
 #define DEFAULT_THIN_POOL "lxc"
 #define DEFAULT_ZFSROOT "lxc"
 #define DEFAULT_RBDPOOL "lxc"
+#define DEFAULT_CGPROTECT "privileged"
 
 #ifndef PR_SET_MM
 #define PR_SET_MM 35
diff --git a/src/lxc/start.c b/src/lxc/start.c
index f3b29d6cd..1cf792aa2 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -1820,17 +1820,20 @@ static int lxc_spawn(struct lxc_handler *handler)
 	TRACE("Set up legacy device cgroup controller limits");
 
 	if (cgns_supported()) {
-		if (!cgroup_ops->payload_create(cgroup_ops, handler, true)) {
-			ERROR("failed to create inner cgroup separation layer");
-			goto out_delete_net;
-		}
-		if (!cgroup_ops->payload_enter(cgroup_ops, handler->pid, true)) {
-			ERROR("failed to enter inner cgroup separation layer");
-			goto out_delete_net;
-		}
-		if (!cgroup_ops->chown(cgroup_ops, handler->conf, true)) {
-			ERROR("failed chown inner cgroup separation layer");
-			goto out_delete_net;
+		const char *tmp = lxc_global_config_value("lxc.cgroup.protect_limits");
+		if (!strcmp(tmp, "both") || !strcmp(tmp, wants_to_map_ids ? "unprivileged" : "privileged")) {
+			if (!cgroup_ops->payload_create(cgroup_ops, handler, true)) {
+				ERROR("failed to create inner cgroup separation layer");
+				goto out_delete_net;
+			}
+			if (!cgroup_ops->payload_enter(cgroup_ops, handler->pid, true)) {
+				ERROR("failed to enter inner cgroup separation layer");
+				goto out_delete_net;
+			}
+			if (!cgroup_ops->chown(cgroup_ops, handler->conf, true)) {
+				ERROR("failed chown inner cgroup separation layer");
+				goto out_delete_net;
+			}
 		}
 	}
 
-- 
2.20.1
Commit	Line	Data
1513a0b5	1	From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
308c8a3e	2	From: Wolfgang Bumiller <w.bumiller@proxmox.com>
1513a0b5	3	Date: Wed, 28 Mar 2018 13:41:46 +0200
2d8021b3 WB	4	Subject: [PATCH] PVE: [Up] start/initutils: make cgroupns separation level
2d8021b3 WB	5	configurable
308c8a3e WB	6
	7	Adds a new global config variable `lxc.cgroup.separate`
	8	which controls whether a separation directory for cgroup
	9	namespaces should be used.
	10	Can be empty, "privileged", "unprivileged" or "both".
	11
	12	Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
	13	---
07288e64	14	src/lxc/initutils.c \| 17 +++++++++--------
308c8a3e	15	src/lxc/initutils.h \| 1 +
f39a178a WB	16	src/lxc/start.c \| 25 ++++++++++++++-----------
f39a178a WB	17	3 files changed, 24 insertions(+), 19 deletions(-)
308c8a3e WB	18
308c8a3e WB	19	diff --git a/src/lxc/initutils.c b/src/lxc/initutils.c
8a25e884	20	index 11c808662..8b5e2542a 100644
308c8a3e WB	21	--- a/src/lxc/initutils.c
308c8a3e WB	22	+++ b/src/lxc/initutils.c
834bb4d7	23	@@ -63,14 +63,15 @@ static char copy_global_config_value(char p)
07288e64 WB	24	const char lxc_global_config_value(const char option_name)
	25	{
	26	static const char * const options[][2] = {
	27	- { "lxc.bdev.lvm.vg", DEFAULT_VG },
	28	- { "lxc.bdev.lvm.thin_pool", DEFAULT_THIN_POOL },
	29	- { "lxc.bdev.zfs.root", DEFAULT_ZFSROOT },
	30	- { "lxc.bdev.rbd.rbdpool", DEFAULT_RBDPOOL },
	31	- { "lxc.lxcpath", NULL },
	32	- { "lxc.default_config", NULL },
	33	- { "lxc.cgroup.pattern", NULL },
	34	- { "lxc.cgroup.use", NULL },
	35	+ { "lxc.bdev.lvm.vg", DEFAULT_VG },
	36	+ { "lxc.bdev.lvm.thin_pool", DEFAULT_THIN_POOL },
	37	+ { "lxc.bdev.zfs.root", DEFAULT_ZFSROOT },
	38	+ { "lxc.bdev.rbd.rbdpool", DEFAULT_RBDPOOL },
	39	+ { "lxc.lxcpath", NULL },
	40	+ { "lxc.default_config", NULL },
	41	+ { "lxc.cgroup.pattern", NULL },
	42	+ { "lxc.cgroup.use", NULL },
	43	+ { "lxc.cgroup.protect_limits", DEFAULT_CGPROTECT },
308c8a3e WB	44	{ NULL, NULL },
	45	};
	46
	47	diff --git a/src/lxc/initutils.h b/src/lxc/initutils.h
8a25e884	48	index 6bf23a706..b542e6015 100644
308c8a3e WB	49	--- a/src/lxc/initutils.h
308c8a3e WB	50	+++ b/src/lxc/initutils.h
1513a0b5	51	@@ -42,6 +42,7 @@
308c8a3e WB	52	#define DEFAULT_THIN_POOL "lxc"
	53	#define DEFAULT_ZFSROOT "lxc"
	54	#define DEFAULT_RBDPOOL "lxc"
07288e64	55	+#define DEFAULT_CGPROTECT "privileged"
308c8a3e	56
1513a0b5 WB	57	#ifndef PR_SET_MM
1513a0b5 WB	58	#define PR_SET_MM 35
308c8a3e	59	diff --git a/src/lxc/start.c b/src/lxc/start.c
8a25e884	60	index f3b29d6cd..1cf792aa2 100644
308c8a3e WB	61	--- a/src/lxc/start.c
308c8a3e WB	62	+++ b/src/lxc/start.c
834bb4d7	63	@@ -1820,17 +1820,20 @@ static int lxc_spawn(struct lxc_handler *handler)
1513a0b5	64	TRACE("Set up legacy device cgroup controller limits");
308c8a3e WB	65
308c8a3e WB	66	if (cgns_supported()) {
834bb4d7	67	- if (!cgroup_ops->payload_create(cgroup_ops, handler, true)) {
308c8a3e WB	68	- ERROR("failed to create inner cgroup separation layer");
	69	- goto out_delete_net;
	70	- }
834bb4d7	71	- if (!cgroup_ops->payload_enter(cgroup_ops, handler->pid, true)) {
308c8a3e WB	72	- ERROR("failed to enter inner cgroup separation layer");
	73	- goto out_delete_net;
	74	- }
2d8021b3	75	- if (!cgroup_ops->chown(cgroup_ops, handler->conf, true)) {
308c8a3e WB	76	- ERROR("failed chown inner cgroup separation layer");
308c8a3e WB	77	- goto out_delete_net;
07288e64	78	+ const char *tmp = lxc_global_config_value("lxc.cgroup.protect_limits");
f39a178a	79	+ if (!strcmp(tmp, "both") \|\| !strcmp(tmp, wants_to_map_ids ? "unprivileged" : "privileged")) {
834bb4d7	80	+ if (!cgroup_ops->payload_create(cgroup_ops, handler, true)) {
308c8a3e WB	81	+ ERROR("failed to create inner cgroup separation layer");
	82	+ goto out_delete_net;
	83	+ }
834bb4d7	84	+ if (!cgroup_ops->payload_enter(cgroup_ops, handler->pid, true)) {
308c8a3e WB	85	+ ERROR("failed to enter inner cgroup separation layer");
	86	+ goto out_delete_net;
	87	+ }
2d8021b3	88	+ if (!cgroup_ops->chown(cgroup_ops, handler->conf, true)) {
308c8a3e WB	89	+ ERROR("failed chown inner cgroup separation layer");
	90	+ goto out_delete_net;
	91	+ }
	92	}
	93	}
	94
	95	--
8a25e884	96	2.20.1
308c8a3e	97