update to lxc-2.0.6
1 From 1623287e7370989d554149a1e2ac28afcde96dbb Mon Sep 17 00:00:00 2001
2 From: Wolfgang Bumiller <w.bumiller@proxmox.com>
3 Date: Wed, 16 Nov 2016 09:53:42 +0100
4 Subject: [PATCH 2/2] start/initutils: make cgroupns separation level
5 configurable
6
7 Adds a new global config variable `lxc.cgroup.separate`
8 which controls whether a separation directory for cgroup
9 namespaces should be used.
10 Can be empty, "privileged", "unprivileged" or "both".
11
12 Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
13 ---
14 src/lxc/initutils.c | 1 +
15 src/lxc/initutils.h | 1 +
16 src/lxc/start.c | 28 ++++++++++++++++------------
17 3 files changed, 18 insertions(+), 12 deletions(-)
18
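diff --git a/src/lxc/initutils.c b/src/lxc/initutils.c
index b611b5e..cc22991 100644
--- a/src/lxc/initutils.c
+++ b/src/lxc/initutils.c
@@ -96,6 +96,7 @@ const char *lxc_global_config_value(const char *option_name)
 { "lxc.default_config", NULL },
 { "lxc.cgroup.pattern", NULL },
 { "lxc.cgroup.use", NULL },
+ { "lxc.cgroup.separate", DEFAULT_CGSEPARATE },
 { NULL, NULL },
 };
 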
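diff --git a/src/lxc/initutils.h b/src/lxc/initutils.h
index c021fd6..55fb8d9 100644
--- a/src/lxc/initutils.h
+++ b/src/lxc/initutils.h
@@ -43,6 +43,7 @@
 #define DEFAULT_THIN_POOL "lxc"
 #define DEFAULT_ZFSROOT "lxc"
 #define DEFAULT_RBDPOOL "lxc"
+#define DEFAULT_CGSEPARATE "privileged"
 
 extern void lxc_setup_fs(void);
 extern const char *lxc_global_config_value(const char *option_name);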
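diff --git a/src/lxc/start.c b/src/lxc/start.c
index c9d78b7..d4603f7 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -1067,6 +1067,7 @@ static int lxc_spawn(struct lxc_handler *handler)
 int saved_ns_fd[LXC_NS_MAX];
 int preserve_mask = 0, i, flags;
 int netpipepair[2], nveths;
+ bool privileged = !!lxc_list_empty(&handler->conf->id_map);
 
 netpipe = -1;
 
@@ -1130,7 +1131,7 @@ static int lxc_spawn(struct lxc_handler *handler)
 * it readonly.
 * If the container is unprivileged then skip rootfs pinning.
 */
- if (lxc_list_empty(&handler->conf->id_map)) {
+ if (!privileged) {
 handler->pinfd = pin_rootfs(handler->conf->rootfs.path);
 if (handler->pinfd == -1)
 INFO("Failed to pin the rootfs for container \"%s\".", handler->name);
@@ -1255,17 +1256,20 @@ static int lxc_spawn(struct lxc_handler *handler)
 }
 
 if (cgns_supported()) {
- if (!cgroup_create(handler, true)) {
- ERROR("failed to create inner cgroup separation layer");
- goto out_delete_net;
- }
- if (!cgroup_enter(handler, true)) {
- ERROR("failed to enter inner cgroup separation layer");
- goto out_delete_net;
- }
- if (!cgroup_chown(handler, true)) {
- ERROR("failed chown inner cgroup separation layer");
- goto out_delete_net;
+ const char *tmp = lxc_global_config_value("lxc.cgroup.separate");
+ if (!strcmp(tmp, "both") || !strcmp(tmp, privileged ? "privileged" : "unprivileged")) {
+ if (!cgroup_create(handler, true)) {
+ ERROR("failed to create inner cgroup separation layer");
+ goto out_delete_net;
+ }
+ if (!cgroup_enter(handler, true)) {
+ ERROR("failed to enter inner cgroup separation layer");
+ goto out_delete_net;
+ }
+ if (!cgroup_chown(handler, true)) {
+ ERROR("failed chown inner cgroup separation layer");
+ goto out_delete_net;
+ }
 }
 }
 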
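Review bot: The rootfs-pinning condition in the second start.c hunk is inverted: `privileged` is defined in the first hunk as `!!lxc_list_empty(&handler->conf->id_map)`, the removed line pinned the rootfs exactly when that list was empty, and the comment right above says unprivileged containers skip pinning, yet the replacement reads `if (!privileged) {`, so privileged containers now skip the pin and unprivileged ones attempt it. The line should be `if (privileged) {`. In the third hunk, `strcmp(tmp, ...)` assumes `lxc_global_config_value()` never returns NULL; the initutils.c entry carries DEFAULT_CGSEPARATE, but if the lookup can fail for any reason a guard such as `if (!tmp) tmp = DEFAULT_CGSEPARATE;` keeps this path from dereferencing NULL. A value outside the four documented ones (empty, "privileged", "unprivileged", "both") silently disables the separation layer, which is worth a `WARN()` so a misspelt setting is visible in the log. lxc_spawn() begins and ends outside these hunks.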
96 --
97 2.1.4
98