1 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
2 From: Wolfgang Bumiller <w.bumiller@proxmox.com>
3 Date: Thu, 2 Apr 2020 10:01:37 +0200
4 Subject: [PATCH lxc] introduce
5 lxc.cgroup.dir.{monitor,container,container.inner}
6
7 This is a new approach to #1302 with a container-side
8 configuration instead of a global boolean flag.
9
10 Contrary to the previous PR using an optional additional
11 parameter for the get-cgroup command, this introduces two
12 new additional commands to get the limiting cgroup path and
13 cgroup2 file descriptor. If the limiting option is not in
14 use, these behave identical to their full-path counterparts.
15
16 If these variables are used the payload will end up in the
17 concatenation of lxc.cgroup.dir.container and
18 lxc.cgroup.dir.container.inner (which may be empty), and the
19 monitor will end up in lxc.cgroup.dir.monitor. The
20 directories are fixed, no retry count logic is applied,
21 failing to create these directories will simply be a hard
22 error.
23
24 Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
25 Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
26 ---
27 doc/lxc.container.conf.sgml.in | 47 +++++++++++++
28 src/lxc/confile.c | 124 +++++++++++++++++++++++++++++++++
29 2 files changed, 171 insertions(+)
30
31 diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
32 index c1054ddbc..0fda37b5e 100644
33 --- a/doc/lxc.container.conf.sgml.in
34 +++ b/doc/lxc.container.conf.sgml.in
35 @@ -1801,6 +1801,53 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
36 </para>
37 </listitem>
38 </varlistentry>
39 + <varlistentry>
40 + <term>
41 + <option>lxc.cgroup.dir.container</option>
42 + </term>
43 + <listitem>
44 + <para>
45 + This is similar to <option>lxc.cgroup.dir</option>, but must be
46 + used together with <option>lxc.cgroup.dir.monitor</option> and
47 + affects only the container's cgroup path. This option is mutually
48 + exclusive with <option>lxc.cgroup.dir</option>.
49 + Note that the final path the container attaches to may be
50 + extended further by the
51 + <option>lxc.cgroup.dir.container.namespace</option> option.
52 + </para>
53 + </listitem>
54 + </varlistentry>
55 + <varlistentry>
56 + <term>
57 + <option>lxc.cgroup.dir.monitor</option>
58 + </term>
59 + <listitem>
60 + <para>
61 + This is the monitor process counterpart to
62 + <option>lxc.cgroup.dir.container</option>.
63 + </para>
64 + </listitem>
65 + </varlistentry>
66 + <varlistentry>
67 + <term>
68 + <option>lxc.cgroup.dir.container.namespace</option>
69 + </term>
70 + <listitem>
71 + <para>
72 + Specify an additional subdirectory where the cgroup namespace
73 + will be created. With this option, the cgroup limits will be
74 + applied to the outer path specified in
75 + <option>lxc.cgroup.dir.container</option>, which is not accessible
76 + from within the container, making it possible to better enforce
77 + limits for privileged containers in a way they cannot override
78 + them.
79 + This only works in conjunction with the
80 + <option>lxc.cgroup.dir.container</option> and
81 + <option>lxc.cgroup.dir.monitor</option> options and has otherwise
82 + no effect.
83 + </para>
84 + </listitem>
85 + </varlistentry>
86 <varlistentry>
87 <term>
88 <option>lxc.cgroup.relative</option>
89 diff --git a/src/lxc/confile.c b/src/lxc/confile.c
90 index 5cb3ecfac..0929ba165 100644
91 --- a/src/lxc/confile.c
92 +++ b/src/lxc/confile.c
93 @@ -67,6 +67,9 @@ lxc_config_define(cap_keep);
94 lxc_config_define(cgroup_controller);
95 lxc_config_define(cgroup2_controller);
96 lxc_config_define(cgroup_dir);
97 +lxc_config_define(cgroup_monitor_dir);
98 +lxc_config_define(cgroup_container_dir);
99 +lxc_config_define(cgroup_container_inner_dir);
100 lxc_config_define(cgroup_relative);
101 lxc_config_define(console_buffer_size);
102 lxc_config_define(console_logfile);
103 @@ -187,6 +190,9 @@ static struct lxc_config_t config_jump_table[] = {
104 { "lxc.cap.drop", true, set_config_cap_drop, get_config_cap_drop, clr_config_cap_drop, },
105 { "lxc.cap.keep", true, set_config_cap_keep, get_config_cap_keep, clr_config_cap_keep, },
106 { "lxc.cgroup2", false, set_config_cgroup2_controller, get_config_cgroup2_controller, clr_config_cgroup2_controller, },
107 + { "lxc.cgroup.dir.monitor", true, set_config_cgroup_monitor_dir, get_config_cgroup_monitor_dir, clr_config_cgroup_monitor_dir, },
108 + { "lxc.cgroup.dir.container.inner", true, set_config_cgroup_container_inner_dir, get_config_cgroup_container_inner_dir, clr_config_cgroup_container_inner_dir, },
109 + { "lxc.cgroup.dir.container", true, set_config_cgroup_container_dir, get_config_cgroup_container_dir, clr_config_cgroup_container_dir, },
110 { "lxc.cgroup.dir", true, set_config_cgroup_dir, get_config_cgroup_dir, clr_config_cgroup_dir, },
111 { "lxc.cgroup.relative", true, set_config_cgroup_relative, get_config_cgroup_relative, clr_config_cgroup_relative, },
112 { "lxc.cgroup", false, set_config_cgroup_controller, get_config_cgroup_controller, clr_config_cgroup_controller, },
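Review bot: The key registered here is `lxc.cgroup.dir.container.inner`, but the documentation hunk above (and the `namespace_dir` field the setter writes) uses `lxc.cgroup.dir.container.namespace`, so the documented option name does not exist in the jump table and a config using it would be rejected as an unknown key. Either the row should be renamed or the two sgml entries referencing `lxc.cgroup.dir.container.namespace` should say `lxc.cgroup.dir.container.inner`, matching the patch subject. The three new rows are marked strict (`true`), so their order relative to each other presumably does not matter, but they appear to depend on staying ahead of the non-strict `lxc.cgroup` prefix entry two lines below; a one-line comment above the new rows, `/* keep ahead of the non-strict "lxc.cgroup" prefix entry */`, would protect that against a future reorder.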
113 @@ -1840,6 +1846,48 @@ static int set_config_cgroup_dir(const char *key, const char *value,
114 return set_config_path_item(&lxc_conf->cgroup_meta.dir, value);
115 }
116
117 +static int set_config_cgroup_monitor_dir(const char *key, const char *value,
118 + struct lxc_conf *lxc_conf, void *data)
119 +{
120 + if (lxc_config_value_empty(value))
121 + return clr_config_cgroup_monitor_dir(key, lxc_conf, NULL);
122 +
123 + return set_config_string_item(&lxc_conf->cgroup_meta.monitor_dir,
124 + value);
125 +}
126 +
127 +static int set_config_cgroup_container_dir(const char *key, const char *value,
128 + struct lxc_conf *lxc_conf,
129 + void *data)
130 +{
131 + if (lxc_config_value_empty(value))
132 + return clr_config_cgroup_container_dir(key, lxc_conf, NULL);
133 +
134 + return set_config_string_item(&lxc_conf->cgroup_meta.container_dir,
135 + value);
136 +}
137 +
138 +static int set_config_cgroup_container_inner_dir(const char *key,
139 + const char *value,
140 + struct lxc_conf *lxc_conf,
141 + void *data)
142 +{
143 + if (lxc_config_value_empty(value))
144 + return clr_config_cgroup_container_inner_dir(key, lxc_conf,
145 + NULL);
146 +
147 + if (strchr(value, '/') ||
148 + strcmp(value, ".") == 0 ||
149 + strcmp(value, "..") == 0)
150 + {
151 + ERROR("lxc.cgroup.dir.container.inner must be a single directory name");
152 + return -1;
153 + }
154 +
155 + return set_config_string_item(&lxc_conf->cgroup_meta.namespace_dir,
156 + value);
157 +}
158 +
159 static int set_config_cgroup_relative(const char *key, const char *value,
160 struct lxc_conf *lxc_conf, void *data)
161 {
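Review bot: None of the new setters enforce the constraints the documentation states: `lxc.cgroup.dir.container` is described as mutually exclusive with `lxc.cgroup.dir` and as requiring `lxc.cgroup.dir.monitor`, yet `set_config_cgroup_container_dir` and `set_config_cgroup_monitor_dir` accept their value unconditionally, so a config setting both `lxc.cgroup.dir` and `lxc.cgroup.dir.container` parses without complaint. Unless a later patch rejects that combination where the directories are consumed, a check such as `if (lxc_conf->cgroup_meta.dir) { ERROR("lxc.cgroup.dir.container is mutually exclusive with lxc.cgroup.dir"); return -1; }` belongs in the container setter (with the mirror check in `set_config_cgroup_dir`). Separately, the sibling `set_config_cgroup_dir` just above stores through `set_config_path_item`, whereas the two new directory setters use `set_config_string_item`; using `set_config_path_item` for `monitor_dir` and `container_dir` keeps all three path options under the same handling. The single-component check in `set_config_cgroup_container_inner_dir` is the right shape, since that value is appended to a path reachable from inside the container; a comment stating that intent, e.g. `/* must be one path component: it is appended below the limiting cgroup */`, would make the reason for rejecting `/`, `.` and `..` explicit.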
162 @@ -3711,6 +3759,58 @@ static int get_config_cgroup_dir(const char *key, char *retv, int inlen,
163 return fulllen;
164 }
165
166 +static int get_config_cgroup_monitor_dir(const char *key, char *retv, int inlen,
167 + struct lxc_conf *lxc_conf, void *data)
168 +{
169 + int len;
170 + int fulllen = 0;
171 +
172 + if (!retv)
173 + inlen = 0;
174 + else
175 + memset(retv, 0, inlen);
176 +
177 + strprint(retv, inlen, "%s", lxc_conf->cgroup_meta.monitor_dir);
178 +
179 + return fulllen;
180 +}
181 +
182 +static int get_config_cgroup_container_dir(const char *key, char *retv,
183 + int inlen,
184 + struct lxc_conf *lxc_conf,
185 + void *data)
186 +{
187 + int len;
188 + int fulllen = 0;
189 +
190 + if (!retv)
191 + inlen = 0;
192 + else
193 + memset(retv, 0, inlen);
194 +
195 + strprint(retv, inlen, "%s", lxc_conf->cgroup_meta.container_dir);
196 +
197 + return fulllen;
198 +}
199 +
200 +static int get_config_cgroup_container_inner_dir(const char *key, char *retv,
201 + int inlen,
202 + struct lxc_conf *lxc_conf,
203 + void *data)
204 +{
205 + int len;
206 + int fulllen = 0;
207 +
208 + if (!retv)
209 + inlen = 0;
210 + else
211 + memset(retv, 0, inlen);
212 +
213 + strprint(retv, inlen, "%s", lxc_conf->cgroup_meta.namespace_dir);
214 +
215 + return fulllen;
216 +}
217 +
218 static inline int get_config_cgroup_relative(const char *key, char *retv,
219 int inlen, struct lxc_conf *lxc_conf,
220 void *data)
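Review bot: `get_config_cgroup_monitor_dir` passes `lxc_conf->cgroup_meta.monitor_dir` straight to `strprint` with `"%s"`, and that field is NULL whenever the option was never set or was cleared by `clr_config_cgroup_monitor_dir`; formatting a NULL pointer through `%s` is undefined behaviour even though glibc happens to emit `(null)`, so reading an unset option back through the get-item path yields a bogus string at best. `get_config_cgroup_container_dir` and `get_config_cgroup_container_inner_dir` have the same problem; a guard such as `const char *dir = lxc_conf->cgroup_meta.monitor_dir;` followed by `strprint(retv, inlen, "%s", dir ? dir : "");` in each makes an unset option read back as empty. The three getters differ only in the field they read, so a small static helper taking the string would remove the triplicated `retv`/`inlen` handling. The existing `get_config_cgroup_dir` these were modelled on starts outside the hunk, so I cannot tell from here whether it already guards against NULL.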
221 @@ -4572,6 +4672,30 @@ static int clr_config_cgroup_dir(const char *key, struct lxc_conf *lxc_conf,
222 return 0;
223 }
224
225 +static int clr_config_cgroup_monitor_dir(const char *key,
226 + struct lxc_conf *lxc_conf,
227 + void *data)
228 +{
229 + free_disarm(lxc_conf->cgroup_meta.monitor_dir);
230 + return 0;
231 +}
232 +
233 +static int clr_config_cgroup_container_dir(const char *key,
234 + struct lxc_conf *lxc_conf,
235 + void *data)
236 +{
237 + free_disarm(lxc_conf->cgroup_meta.container_dir);
238 + return 0;
239 +}
240 +
241 +static int clr_config_cgroup_container_inner_dir(const char *key,
242 + struct lxc_conf *lxc_conf,
243 + void *data)
244 +{
245 + free_disarm(lxc_conf->cgroup_meta.namespace_dir);
246 + return 0;
247 +}
248 +
249 static inline int clr_config_cgroup_relative(const char *key,
250 struct lxc_conf *lxc_conf,
251 void *data)