1 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
2 From: Wolfgang Bumiller <w.bumiller@proxmox.com>
3 Date: Wed, 28 Mar 2018 13:41:46 +0200
4 Subject: [PATCH] start/initutils: make cgroupns separation level configurable
5
6 Adds a new global config variable `lxc.cgroup.separate`
7 which controls whether a separation directory for cgroup
8 namespaces should be used.
9 Can be empty, "privileged", "unprivileged" or "both".
10
11 Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
12 ---
13 src/lxc/initutils.c | 17 +++++++++--------
14 src/lxc/initutils.h | 1 +
15 src/lxc/start.c | 25 ++++++++++++++-----------
16 3 files changed, 24 insertions(+), 19 deletions(-)
17
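diff --git a/src/lxc/initutils.c b/src/lxc/initutils.c
index 56926fb5..c5f19ca8 100644
--- a/src/lxc/initutils.c
+++ b/src/lxc/initutils.c
@@ -49,14 +49,15 @@ static char *copy_global_config_value(char *p)
 const char *lxc_global_config_value(const char *option_name)
 {
 static const char * const options[][2] = {
-{ "lxc.bdev.lvm.vg", DEFAULT_VG },
-{ "lxc.bdev.lvm.thin_pool", DEFAULT_THIN_POOL },
-{ "lxc.bdev.zfs.root", DEFAULT_ZFSROOT },
-{ "lxc.bdev.rbd.rbdpool", DEFAULT_RBDPOOL },
-{ "lxc.lxcpath", NULL },
-{ "lxc.default_config", NULL },
-{ "lxc.cgroup.pattern", NULL },
-{ "lxc.cgroup.use", NULL },
+{ "lxc.bdev.lvm.vg", DEFAULT_VG },
+{ "lxc.bdev.lvm.thin_pool", DEFAULT_THIN_POOL },
+{ "lxc.bdev.zfs.root", DEFAULT_ZFSROOT },
+{ "lxc.bdev.rbd.rbdpool", DEFAULT_RBDPOOL },
+{ "lxc.lxcpath", NULL },
+{ "lxc.default_config", NULL },
+{ "lxc.cgroup.pattern", NULL },
+{ "lxc.cgroup.use", NULL },
+{ "lxc.cgroup.protect_limits", DEFAULT_CGPROTECT },
 { NULL, NULL },
 };
 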
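Review bot: The commit message introduces the option as `lxc.cgroup.separate`, but the table entry added here registers `lxc.cgroup.protect_limits`, so a user following the message would set a key that is never read; either the message should name `lxc.cgroup.protect_limits` or the key should match the message. The seven existing entries are removed and re-added with no change other than indentation, which buries the single functional line in what looks like a table rewrite; leaving them untouched reduces the hunk to one `+` line. The diffstat touches no documentation file, so the accepted values and the default live only in the message; a comment on the new entry such as `/* inner cgroup separation layer: "", "privileged", "unprivileged" or "both" */` would keep that next to the code.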
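diff --git a/src/lxc/initutils.h b/src/lxc/initutils.h
index ec44554e..6532f301 100644
--- a/src/lxc/initutils.h
+++ b/src/lxc/initutils.h
@@ -42,6 +42,7 @@
 #define DEFAULT_THIN_POOL "lxc"
 #define DEFAULT_ZFSROOT "lxc"
 #define DEFAULT_RBDPOOL "lxc"
+#define DEFAULT_CGPROTECT "privileged"
 
 #ifndef PR_SET_MM
 #define PR_SET_MM 35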
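diff --git a/src/lxc/start.c b/src/lxc/start.c
index 772eacc2..ae13aae9 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -1721,17 +1721,20 @@ static int lxc_spawn(struct lxc_handler *handler)
 TRACE("Set up legacy device cgroup controller limits");
 
 if (cgns_supported()) {
-if (!cgroup_create(handler, true)) {
-ERROR("failed to create inner cgroup separation layer");
-goto out_delete_net;
-}
-if (!cgroup_enter(handler, true)) {
-ERROR("failed to enter inner cgroup separation layer");
-goto out_delete_net;
-}
-if (!cgroup_chown(handler, true)) {
-ERROR("failed chown inner cgroup separation layer");
-goto out_delete_net;
+const char *tmp = lxc_global_config_value("lxc.cgroup.protect_limits");
+if (!strcmp(tmp, "both") || !strcmp(tmp, wants_to_map_ids ? "unprivileged" : "privileged")) {
+if (!cgroup_create(handler, true)) {
+ERROR("failed to create inner cgroup separation layer");
+goto out_delete_net;
+}
+if (!cgroup_enter(handler, true)) {
+ERROR("failed to enter inner cgroup separation layer");
+goto out_delete_net;
+}
+if (!cgroup_chown(handler, true)) {
+ERROR("failed chown inner cgroup separation layer");
+goto out_delete_net;
+}
 }
 }
 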
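Review bot: The pointer returned by `lxc_global_config_value()` on the first added line goes straight into `strcmp()` with no NULL check; the table in initutils.c shows several keys whose default is NULL, so the function evidently can return NULL for some keys, and whether it can for this key (non-NULL default, but a config file may override it) is not visible here. Guarding the condition as `if (tmp && (!strcmp(tmp, "both") || !strcmp(tmp, wants_to_map_ids ? "unprivileged" : "privileged")))` costs nothing and removes the undefined behaviour. A misspelled value also falls silently through the condition and disables the separation layer with no diagnostic, so an `else if (tmp && tmp[0] && strcmp(tmp, "privileged") && strcmp(tmp, "unprivileged")) WARN("Unknown lxc.cgroup.protect_limits value: %s", tmp);` branch would make that misconfiguration visible in the log. With `DEFAULT_CGPROTECT` being `"privileged"`, an unset option now skips the layer for unprivileged containers, which previously always got it whenever `cgns_supported()` held — if that change in default is intended, the message should say so. `lxc_spawn()` begins and ends outside the hunk, and `wants_to_map_ids` is defined outside it.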
94 --
95 2.11.0
96