close #1785: whitelist namespaced lxc.sysfs.* entries

According do namespaces(7) these should be namespaced (iow.
changing these values on the host they are not propagated to
running containers), so it makes sense to whitelist them.

Note that these only work when also using
'lxc.mount.auto: proc:rw'

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Link: https://github.com/lxc/lxc/issues/989

diff --git a/src/PVE/LXC/Config.pm b/src/PVE/LXC/Config.pm
index 56082dd319a4e793d8428682c79bc6485ee4b51e..061ec8e0702ff983d6002eca72c8387b1c2af7d1 100644 (file)
--- a/src/PVE/LXC/Config.pm
+++ b/src/PVE/LXC/Config.pm
@@ -509,6 +509,17 @@ my $valid_lxc_conf_keys = {
     'lxc.start.order' => 1,
     'lxc.group' => 1,
     'lxc.environment' => 1,
+
+    # All these are namespaced via CLONE_NEWIPC (see namespaces(7)).
+    'lxc.sysctl.fs.mqueue' => 1,
+    'lxc.sysctl.kernel.msgmax' => 1,
+    'lxc.sysctl.kernel.msgmnb' => 1,
+    'lxc.sysctl.kernel.msgmni' => 1,
+    'lxc.sysctl.kernel.sem' => 1,
+    'lxc.sysctl.kernel.shmall' => 1,
+    'lxc.sysctl.kernel.shmmax' => 1,
+    'lxc.sysctl.kernel.shmmni' => 1,
+    'lxc.sysctl.kernel.shm_rmid_forced' => 1,
 };
 
 my $deprecated_lxc_conf_keys = {