Proxmox/lxc
5
0
Fork 0
mirror of git://git.proxmox.com/git/lxc.git synced 2025-03-23 10:50:23 +03:00
Code Releases Activity

update cgroup namespace separation patches

Browse Source
This commit is contained in:
Wolfgang Bumiller 2016-12-22 12:23:39 +01:00
parent 91b2548e8e
commit 07288e64fa
2 changed files with 331 additions and 58 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

343
debian/patches/0001-separate-the-limiting-from-the-namespaced-cgroup-roo.patch vendored
View File

@ -1,4 +1,4 @@
From a3743ab2816d54fbe9854a5a9f31cc62b01b5339 Mon Sep 17 00:00:00 2001
From ae0e051a843f17ab721fc43ee5ce72a1052080e0 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Tue, 15 Nov 2016 09:20:24 +0100
Subject: [PATCH 1/2] separate the limiting from the namespaced cgroup root
@ -14,17 +14,19 @@ being used in order to combat this.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
src/lxc/cgroups/cgfs.c | 15 +++++++--
src/lxc/cgroups/cgfsng.c | 76 ++++++++++++++++++++++++++++++++++++---------
src/lxc/cgroups/cgmanager.c | 15 +++++++--
src/lxc/cgroups/cgroup.c | 12 +++----
src/lxc/cgroups/cgroup.h | 12 +++----
src/lxc/criu.c | 2 +-
src/lxc/start.c | 21 +++++++++++--
7 files changed, 116 insertions(+), 37 deletions(-)
src/lxc/cgroups/cgfs.c | 19 ++++++--
src/lxc/cgroups/cgfsng.c | 80 ++++++++++++++++++++++++++++------
src/lxc/cgroups/cgmanager.c | 19 ++++++--
src/lxc/cgroups/cgroup.c | 16 +++----
src/lxc/cgroups/cgroup.h | 16 +++----
src/lxc/commands.c | 103 +++++++++++++++++++++++++++++++++++---------
src/lxc/commands.h | 3 ++
src/lxc/criu.c | 4 +-
src/lxc/start.c | 21 +++++++--
9 files changed, 219 insertions(+), 62 deletions(-)
diff --git a/src/lxc/cgroups/cgfs.c b/src/lxc/cgroups/cgfs.c
index 8499200..0152477 100644
index 8499200..b78b78d 100644
--- a/src/lxc/cgroups/cgfs.c
+++ b/src/lxc/cgroups/cgfs.c
@@ -2383,12 +2383,15 @@ static void cgfs_destroy(void *hdata, struct lxc_conf *conf)
@ -61,7 +63,21 @@ index 8499200..0152477 100644
if (!d)
return false;
i = d->info;
@@ -2646,13 +2652,16 @@ static bool do_cgfs_chown(char *cgroup_path, struct lxc_conf *conf)
@@ -2428,10 +2434,12 @@ static inline bool cgfs_create_legacy(void *hdata, pid_t pid)
return true;
}
-static const char *cgfs_get_cgroup(void *hdata, const char *subsystem)
+static const char *cgfs_get_cgroup(void *hdata, const char *subsystem, bool inner)
{
struct cgfs_data *d = hdata;
+ (void)inner;
+
if (!d)
return NULL;
return lxc_cgroup_get_hierarchy_path_data(subsystem, d);
@@ -2646,13 +2654,16 @@ static bool do_cgfs_chown(char *cgroup_path, struct lxc_conf *conf)
return true;
}
@ -80,10 +96,35 @@ index 8499200..0152477 100644
return false;
diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
index d3215d7..123c67c 100644
index 2b772e2..c1cc3ad 100644
--- a/src/lxc/cgroups/cgfsng.c
+++ b/src/lxc/cgroups/cgfsng.c
@@ -1303,18 +1303,24 @@ struct cgroup_ops *cgfsng_ops_init(void)
@@ -72,6 +72,7 @@ struct hierarchy {
char *mountpoint;
char *base_cgroup;
char *fullcgpath;
+ char *innercgpath;
};
/*
@@ -814,6 +815,7 @@ static void add_controller(char **clist, char *mountpoint, char *base_cgroup)
new->mountpoint = mountpoint;
new->base_cgroup = base_cgroup;
new->fullcgpath = NULL;
+ new->innercgpath = false;
newentry = append_null_to_list((void ***)&hierarchies);
hierarchies[newentry] = new;
@@ -1286,6 +1288,8 @@ static void cgfsng_destroy(void *hdata, struct lxc_conf *conf)
free(h->fullcgpath);
h->fullcgpath = NULL;
}
+ free(h->innercgpath);
+ h->innercgpath = NULL;
}
}
@@ -1299,18 +1303,25 @@ struct cgroup_ops *cgfsng_ops_init(void)
return &cgfsng_ops;
}
@ -93,32 +134,29 @@ index d3215d7..123c67c 100644
- h->fullcgpath = must_make_path(h->mountpoint, h->base_cgroup, cgname, NULL);
- if (dir_exists(h->fullcgpath)) { // it must not already exist
- ERROR("Path \"%s\" already existed.", h->fullcgpath);
- return false;
- }
- if (!handle_cpuset_hierarchy(h, cgname)) {
- ERROR("Failed to handle cgroupfs v1 cpuset controller.");
- return false;
+ char *path;
+ if (inner) {
+ path = must_make_path(h->fullcgpath, "ns", NULL);
+ h->innercgpath = path;
+ } else {
+ path = must_make_path(h->mountpoint, h->base_cgroup, cgname, NULL);
+ h->fullcgpath = path;
+ if (dir_exists(h->fullcgpath)) { // it must not already exist
+ ERROR("Path \"%s\" already existed.", h->fullcgpath);
+ return false;
+ }
+ if (!handle_cpuset_hierarchy(h, cgname)) {
+ ERROR("Failed to handle cgroupfs v1 cpuset controller.");
+ return false;
+ }
+ }
+ if (dir_exists(path)) { // it must not already exist
+ ERROR("Path \"%s\" already existed.", path);
return false;
}
- if (!handle_cpuset_hierarchy(h, cgname)) {
+ if (!inner && !handle_cpuset_hierarchy(h, cgname)) {
ERROR("Failed to handle cgroupfs v1 cpuset controller.");
return false;
}
- return mkdir_p(h->fullcgpath, 0755) == 0;
+ return mkdir_p(path, 0755) == 0;
}
static void remove_path_for_hierarchy(struct hierarchy *h, char *cgname)
@@ -1329,7 +1335,8 @@ static void remove_path_for_hierarchy(struct hierarchy *h, char *cgname)
@@ -1325,7 +1336,8 @@ static void remove_path_for_hierarchy(struct hierarchy *h, char *cgname)
* Try to create the same cgroup in all hierarchies.
* Start with cgroup_pattern; next cgroup_pattern-1, -2, ..., -999
*/
@ -128,7 +166,7 @@ index d3215d7..123c67c 100644
{
struct cgfsng_handler_data *d = hdata;
char *tmp, *cgname, *offset;
@@ -1339,9 +1346,15 @@ static inline bool cgfsng_create(void *hdata)
@@ -1335,9 +1347,15 @@ static inline bool cgfsng_create(void *hdata)
if (!d)
return false;
if (d->container_cgroup) {
@ -144,7 +182,7 @@ index d3215d7..123c67c 100644
tmp = lxc_string_replace("%n", d->name, d->cgroup_pattern);
if (!tmp) {
@@ -1362,7 +1375,7 @@ again:
@@ -1358,7 +1376,7 @@ again:
if (idx)
snprintf(offset, 5, "-%d", idx);
for (i = 0; hierarchies[i]; i++) {
@ -153,7 +191,7 @@ index d3215d7..123c67c 100644
int j;
SYSERROR("Failed to create %s: %s", hierarchies[i]->fullcgpath, strerror(errno));
free(hierarchies[i]->fullcgpath);
@@ -1382,7 +1395,24 @@ out_free:
@@ -1378,7 +1396,24 @@ out_free:
return false;
}
@ -179,7 +217,7 @@ index d3215d7..123c67c 100644
{
char pidstr[25];
int i, len;
@@ -1392,7 +1422,12 @@ static bool cgfsng_enter(void *hdata, pid_t pid)
@@ -1388,7 +1423,12 @@ static bool cgfsng_enter(void *hdata, pid_t pid)
return false;
for (i = 0; hierarchies[i]; i++) {
@ -193,7 +231,7 @@ index d3215d7..123c67c 100644
"cgroup.procs", NULL);
if (lxc_write_to_file(fullpath, pidstr, len, false) != 0) {
SYSERROR("Failed to enter %s", fullpath);
@@ -1408,6 +1443,7 @@ static bool cgfsng_enter(void *hdata, pid_t pid)
@@ -1404,6 +1444,7 @@ static bool cgfsng_enter(void *hdata, pid_t pid)
struct chown_data {
struct cgfsng_handler_data *d;
uid_t origuid; // target uid in parent namespace
@ -201,7 +239,7 @@ index d3215d7..123c67c 100644
};
/*
@@ -1436,13 +1472,20 @@ static int chown_cgroup_wrapper(void *data)
@@ -1432,13 +1473,20 @@ static int chown_cgroup_wrapper(void *data)
for (i = 0; hierarchies[i]; i++) {
char *fullpath, *path = hierarchies[i]->fullcgpath;
@ -222,7 +260,7 @@ index d3215d7..123c67c 100644
return -1;
}
@@ -1466,12 +1509,14 @@ static int chown_cgroup_wrapper(void *data)
@@ -1462,12 +1510,14 @@ static int chown_cgroup_wrapper(void *data)
if (chmod(fullpath, 0664) < 0)
WARN("Error chmoding %s: %m", path);
free(fullpath);
@ -238,7 +276,7 @@ index d3215d7..123c67c 100644
{
struct cgfsng_handler_data *d = hdata;
struct chown_data wrap;
@@ -1484,6 +1529,7 @@ static bool cgfsns_chown(void *hdata, struct lxc_conf *conf)
@@ -1480,6 +1530,7 @@ static bool cgfsns_chown(void *hdata, struct lxc_conf *conf)
wrap.d = d;
wrap.origuid = geteuid();
@ -246,8 +284,34 @@ index d3215d7..123c67c 100644
if (userns_exec_1(conf, chown_cgroup_wrapper, &wrap) < 0) {
ERROR("Error requesting cgroup chown in new namespace");
@@ -1774,12 +1825,15 @@ static bool cgfsng_unfreeze(void *hdata)
return true;
}
-static const char *cgfsng_get_cgroup(void *hdata, const char *subsystem)
+static const char *cgfsng_get_cgroup(void *hdata, const char *subsystem, bool inner)
{
struct hierarchy *h = get_hierarchy(subsystem);
if (!h)
return NULL;
+ if (inner && h->innercgpath)
+ return h->innercgpath + strlen(h->mountpoint);
+
return h->fullcgpath ? h->fullcgpath + strlen(h->mountpoint) : NULL;
}
@@ -1814,7 +1868,7 @@ static bool cgfsng_attach(const char *name, const char *lxcpath, pid_t pid)
char *path, *fullpath;
struct hierarchy *h = hierarchies[i];
- path = lxc_cmd_get_cgroup_path(name, lxcpath, h->controllers[0]);
+ path = lxc_cmd_get_attach_cgroup_path(name, lxcpath, h->controllers[0]);
if (!path) // not running
continue;
diff --git a/src/lxc/cgroups/cgmanager.c b/src/lxc/cgroups/cgmanager.c
index f2756b0..86a9a1f 100644
index f2756b0..ac966b6 100644
--- a/src/lxc/cgroups/cgmanager.c
+++ b/src/lxc/cgroups/cgmanager.c
@@ -609,7 +609,7 @@ static inline void cleanup_cgroups(char *path)
@ -287,7 +351,21 @@ index f2756b0..86a9a1f 100644
if (!d || !d->cgroup_path)
return false;
@@ -1541,10 +1547,13 @@ out:
@@ -737,10 +743,12 @@ out:
return ret;
}
-static const char *cgm_get_cgroup(void *hdata, const char *subsystem)
+static const char *cgm_get_cgroup(void *hdata, const char *subsystem, bool inner)
{
struct cgm_data *d = hdata;
+ (void)inner;
+
if (!d || !d->cgroup_path)
return NULL;
return d->cgroup_path;
@@ -1541,10 +1549,13 @@ out:
return ret;
}
@ -303,7 +381,7 @@ index f2756b0..86a9a1f 100644
return false;
if (!cgm_dbus_connect()) {
diff --git a/src/lxc/cgroups/cgroup.c b/src/lxc/cgroups/cgroup.c
index 78472d4..9f4e15f 100644
index 78472d4..4d26e72 100644
--- a/src/lxc/cgroups/cgroup.c
+++ b/src/lxc/cgroups/cgroup.c
@@ -80,10 +80,10 @@ void cgroup_destroy(struct lxc_handler *handler)
@ -332,6 +410,19 @@ index 78472d4..9f4e15f 100644
return false;
}
@@ -105,10 +105,10 @@ bool cgroup_create_legacy(struct lxc_handler *handler)
return true;
}
-const char *cgroup_get_cgroup(struct lxc_handler *handler, const char *subsystem)
+const char *cgroup_get_cgroup(struct lxc_handler *handler, const char *subsystem, bool inner)
{
if (ops)
- return ops->get_cgroup(handler->cgroup_data, subsystem);
+ return ops->get_cgroup(handler->cgroup_data, subsystem, inner);
return NULL;
}
@@ -150,10 +150,10 @@ bool cgroup_setup_limits(struct lxc_handler *handler, bool with_devices)
return false;
}
@ -346,10 +437,10 @@ index 78472d4..9f4e15f 100644
}
diff --git a/src/lxc/cgroups/cgroup.h b/src/lxc/cgroups/cgroup.h
index 11b251e..4a2b070 100644
index 11b251e..3b5cad9 100644
--- a/src/lxc/cgroups/cgroup.h
+++ b/src/lxc/cgroups/cgroup.h
@@ -43,8 +43,8 @@ struct cgroup_ops {
@@ -43,10 +43,10 @@ struct cgroup_ops {
void *(*init)(const char *name);
void (*destroy)(void *hdata, struct lxc_conf *conf);
@ -358,8 +449,11 @@ index 11b251e..4a2b070 100644
+ bool (*create)(void *hdata, bool inner);
+ bool (*enter)(void *hdata, pid_t pid, bool inner);
bool (*create_legacy)(void *hdata, pid_t pid);
const char *(*get_cgroup)(void *hdata, const char *subsystem);
- const char *(*get_cgroup)(void *hdata, const char *subsystem);
+ const char *(*get_cgroup)(void *hdata, const char *subsystem, bool inner);
bool (*escape)();
int (*num_hierarchies)();
bool (*get_hierarchies)(int n, char ***out);
@@ -54,7 +54,7 @@ struct cgroup_ops {
int (*get)(const char *filename, char *value, size_t len, const char *name, const char *lxcpath);
bool (*unfreeze)(void *hdata);
@ -369,7 +463,7 @@ index 11b251e..4a2b070 100644
bool (*attach)(const char *name, const char *lxcpath, pid_t pid);
bool (*mount_cgroup)(void *hdata, const char *root, int type);
int (*nrtasks)(void *hdata);
@@ -66,10 +66,10 @@ extern bool cgroup_attach(const char *name, const char *lxcpath, pid_t pid);
@@ -66,14 +66,14 @@ extern bool cgroup_attach(const char *name, const char *lxcpath, pid_t pid);
extern bool cgroup_mount(const char *root, struct lxc_handler *handler, int type);
extern void cgroup_destroy(struct lxc_handler *handler);
extern bool cgroup_init(struct lxc_handler *handler);
@ -383,10 +477,173 @@ index 11b251e..4a2b070 100644
extern void cgroup_cleanup(struct lxc_handler *handler);
extern bool cgroup_create_legacy(struct lxc_handler *handler);
extern int cgroup_nrtasks(struct lxc_handler *handler);
-extern const char *cgroup_get_cgroup(struct lxc_handler *handler, const char *subsystem);
+extern const char *cgroup_get_cgroup(struct lxc_handler *handler, const char *subsystem, bool inner);
extern bool cgroup_escape();
extern int cgroup_num_hierarchies();
extern bool cgroup_get_hierarchies(int i, char ***out);
diff --git a/src/lxc/commands.c b/src/lxc/commands.c
index b17879b..0bf786b 100644
--- a/src/lxc/commands.c
+++ b/src/lxc/commands.c
@@ -128,15 +128,16 @@ static int fill_sock_name(char *path, int len, const char *name,
static const char *lxc_cmd_str(lxc_cmd_t cmd)
{
static const char * const cmdname[LXC_CMD_MAX] = {
- [LXC_CMD_CONSOLE] = "console",
- [LXC_CMD_STOP] = "stop",
- [LXC_CMD_GET_STATE] = "get_state",
- [LXC_CMD_GET_INIT_PID] = "get_init_pid",
- [LXC_CMD_GET_CLONE_FLAGS] = "get_clone_flags",
- [LXC_CMD_GET_CGROUP] = "get_cgroup",
- [LXC_CMD_GET_CONFIG_ITEM] = "get_config_item",
- [LXC_CMD_GET_NAME] = "get_name",
- [LXC_CMD_GET_LXCPATH] = "get_lxcpath",
+ [LXC_CMD_CONSOLE] = "console",
+ [LXC_CMD_STOP] = "stop",
+ [LXC_CMD_GET_STATE] = "get_state",
+ [LXC_CMD_GET_INIT_PID] = "get_init_pid",
+ [LXC_CMD_GET_CLONE_FLAGS] = "get_clone_flags",
+ [LXC_CMD_GET_CGROUP] = "get_cgroup",
+ [LXC_CMD_GET_CONFIG_ITEM] = "get_config_item",
+ [LXC_CMD_GET_NAME] = "get_name",
+ [LXC_CMD_GET_LXCPATH] = "get_lxcpath",
+ [LXC_CMD_GET_ATTACH_CGROUP] = "get_attach_cgroup",
};
if (cmd >= LXC_CMD_MAX)
@@ -480,7 +481,68 @@ static int lxc_cmd_get_cgroup_callback(int fd, struct lxc_cmd_req *req,
if (req->datalen < 1)
return -1;
- path = cgroup_get_cgroup(handler, req->data);
+ path = cgroup_get_cgroup(handler, req->data, false);
+ if (!path)
+ return -1;
+ rsp.datalen = strlen(path) + 1,
+ rsp.data = (char *)path;
+ rsp.ret = 0;
+
+ return lxc_cmd_rsp_send(fd, &rsp);
+}
+
+/*
+ * lxc_cmd_get_attach_cgroup_path: Calculate a container's inner cgroup path
+ * for a particular subsystem. This is the cgroup path relative to the root
+ * of the cgroup filesystem.
+ *
+ * @name : name of container to connect to
+ * @lxcpath : the lxcpath in which the container is running
+ * @subsystem : the subsystem being asked about
+ *
+ * Returns the path on success, NULL on failure. The caller must free() the
+ * returned path.
+ */
+char *lxc_cmd_get_attach_cgroup_path(const char *name, const char *lxcpath,
+ const char *subsystem)
+{
+ int ret, stopped;
+ struct lxc_cmd_rr cmd = {
+ .req = {
+ .cmd = LXC_CMD_GET_ATTACH_CGROUP,
+ .datalen = strlen(subsystem)+1,
+ .data = subsystem,
+ },
+ };
+
+ ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL);
+ if (ret < 0)
+ return NULL;
+
+ if (!ret) {
+ WARN("Container \"%s\" has stopped before sending its state.", name);
+ return NULL;
+ }
+
+ if (cmd.rsp.ret < 0 || cmd.rsp.datalen < 0) {
+ ERROR("Command %s failed for container \"%s\": %s.",
+ lxc_cmd_str(cmd.req.cmd), name, strerror(-cmd.rsp.ret));
+ return NULL;
+ }
+
+ return cmd.rsp.data;
+}
+
+static int lxc_cmd_get_attach_cgroup_callback(int fd, struct lxc_cmd_req *req,
+ struct lxc_handler *handler)
+{
+ struct lxc_cmd_rsp rsp;
+ const char *path;
+
+ if (req->datalen < 1)
+ return -1;
+
+ path = cgroup_get_cgroup(handler, req->data, true);
if (!path)
return -1;
rsp.datalen = strlen(path) + 1,
@@ -841,16 +903,17 @@ static int lxc_cmd_process(int fd, struct lxc_cmd_req *req,
typedef int (*callback)(int, struct lxc_cmd_req *, struct lxc_handler *);
callback cb[LXC_CMD_MAX] = {
- [LXC_CMD_CONSOLE] = lxc_cmd_console_callback,
- [LXC_CMD_CONSOLE_WINCH] = lxc_cmd_console_winch_callback,
- [LXC_CMD_STOP] = lxc_cmd_stop_callback,
- [LXC_CMD_GET_STATE] = lxc_cmd_get_state_callback,
- [LXC_CMD_GET_INIT_PID] = lxc_cmd_get_init_pid_callback,
- [LXC_CMD_GET_CLONE_FLAGS] = lxc_cmd_get_clone_flags_callback,
- [LXC_CMD_GET_CGROUP] = lxc_cmd_get_cgroup_callback,
- [LXC_CMD_GET_CONFIG_ITEM] = lxc_cmd_get_config_item_callback,
- [LXC_CMD_GET_NAME] = lxc_cmd_get_name_callback,
- [LXC_CMD_GET_LXCPATH] = lxc_cmd_get_lxcpath_callback,
+ [LXC_CMD_CONSOLE] = lxc_cmd_console_callback,
+ [LXC_CMD_CONSOLE_WINCH] = lxc_cmd_console_winch_callback,
+ [LXC_CMD_STOP] = lxc_cmd_stop_callback,
+ [LXC_CMD_GET_STATE] = lxc_cmd_get_state_callback,
+ [LXC_CMD_GET_INIT_PID] = lxc_cmd_get_init_pid_callback,
+ [LXC_CMD_GET_CLONE_FLAGS] = lxc_cmd_get_clone_flags_callback,
+ [LXC_CMD_GET_CGROUP] = lxc_cmd_get_cgroup_callback,
+ [LXC_CMD_GET_CONFIG_ITEM] = lxc_cmd_get_config_item_callback,
+ [LXC_CMD_GET_NAME] = lxc_cmd_get_name_callback,
+ [LXC_CMD_GET_LXCPATH] = lxc_cmd_get_lxcpath_callback,
+ [LXC_CMD_GET_ATTACH_CGROUP] = lxc_cmd_get_attach_cgroup_callback,
};
if (req->cmd >= LXC_CMD_MAX) {
diff --git a/src/lxc/commands.h b/src/lxc/commands.h
index 184eefa..bb86e3d 100644
--- a/src/lxc/commands.h
+++ b/src/lxc/commands.h
@@ -43,6 +43,7 @@ typedef enum {
LXC_CMD_GET_CONFIG_ITEM,
LXC_CMD_GET_NAME,
LXC_CMD_GET_LXCPATH,
+ LXC_CMD_GET_ATTACH_CGROUP,
LXC_CMD_MAX,
} lxc_cmd_t;
@@ -77,6 +78,8 @@ extern int lxc_cmd_console(const char *name, int *ttynum, int *fd,
*/
extern char *lxc_cmd_get_cgroup_path(const char *name, const char *lxcpath,
const char *subsystem);
+extern char *lxc_cmd_get_attach_cgroup_path(const char *name,
+ const char *lxcpath, const char *subsystem);
extern int lxc_cmd_get_clone_flags(const char *name, const char *lxcpath);
extern char *lxc_cmd_get_config_item(const char *name, const char *item, const char *lxcpath);
extern char *lxc_cmd_get_name(const char *hashed_sock);
diff --git a/src/lxc/criu.c b/src/lxc/criu.c
index 50a7400..8933d9a 100644
index 125e674..5a9e36b 100644
--- a/src/lxc/criu.c
+++ b/src/lxc/criu.c
@@ -284,7 +284,7 @@ static void exec_criu(struct criu_opts *opts)
} else {
const char *p;
- p = cgroup_get_cgroup(opts->handler, controllers[0]);
+ p = cgroup_get_cgroup(opts->handler, controllers[0], false);
if (!p) {
ERROR("failed to get cgroup path for %s", controllers[0]);
goto err;
@@ -797,7 +797,7 @@ static void do_restore(struct lxc_container *c, int status_pipe, struct migrate_
goto out_fini_handler;
}

46
debian/patches/0002-start-initutils-make-cgroupns-separation-level-confi.patch vendored
View File

@ -1,4 +1,4 @@
From 1623287e7370989d554149a1e2ac28afcde96dbb Mon Sep 17 00:00:00 2001
From 2422b2caffe3710178dce779daddc2f16463e880 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Wed, 16 Nov 2016 09:53:42 +0100
Subject: [PATCH 2/2] start/initutils: make cgroupns separation level
@ -11,44 +11,60 @@ Can be empty, "privileged", "unprivileged" or "both".
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
src/lxc/initutils.c | 1 +
src/lxc/initutils.c | 17 +++++++++--------
src/lxc/initutils.h | 1 +
src/lxc/start.c | 28 ++++++++++++++++------------
3 files changed, 18 insertions(+), 12 deletions(-)
3 files changed, 26 insertions(+), 20 deletions(-)
diff --git a/src/lxc/initutils.c b/src/lxc/initutils.c
index b611b5e..cc22991 100644
index 3213bd3..d07fd10 100644
--- a/src/lxc/initutils.c
+++ b/src/lxc/initutils.c
@@ -96,6 +96,7 @@ const char *lxc_global_config_value(const char *option_name)
{ "lxc.default_config", NULL },
{ "lxc.cgroup.pattern", NULL },
{ "lxc.cgroup.use", NULL },
+ { "lxc.cgroup.separate", DEFAULT_CGSEPARATE },
@@ -88,14 +88,15 @@ static char *copy_global_config_value(char *p)
const char *lxc_global_config_value(const char *option_name)
{
static const char * const options[][2] = {
- { "lxc.bdev.lvm.vg", DEFAULT_VG },
- { "lxc.bdev.lvm.thin_pool", DEFAULT_THIN_POOL },
- { "lxc.bdev.zfs.root", DEFAULT_ZFSROOT },
- { "lxc.bdev.rbd.rbdpool", DEFAULT_RBDPOOL },
- { "lxc.lxcpath", NULL },
- { "lxc.default_config", NULL },
- { "lxc.cgroup.pattern", NULL },
- { "lxc.cgroup.use", NULL },
+ { "lxc.bdev.lvm.vg", DEFAULT_VG },
+ { "lxc.bdev.lvm.thin_pool", DEFAULT_THIN_POOL },
+ { "lxc.bdev.zfs.root", DEFAULT_ZFSROOT },
+ { "lxc.bdev.rbd.rbdpool", DEFAULT_RBDPOOL },
+ { "lxc.lxcpath", NULL },
+ { "lxc.default_config", NULL },
+ { "lxc.cgroup.pattern", NULL },
+ { "lxc.cgroup.use", NULL },
+ { "lxc.cgroup.protect_limits", DEFAULT_CGPROTECT },
{ NULL, NULL },
};
diff --git a/src/lxc/initutils.h b/src/lxc/initutils.h
index c021fd6..55fb8d9 100644
index c021fd6..443ad02 100644
--- a/src/lxc/initutils.h
+++ b/src/lxc/initutils.h
@@ -43,6 +43,7 @@
#define DEFAULT_THIN_POOL "lxc"
#define DEFAULT_ZFSROOT "lxc"
#define DEFAULT_RBDPOOL "lxc"
+#define DEFAULT_CGSEPARATE "privileged"
+#define DEFAULT_CGPROTECT "privileged"
extern void lxc_setup_fs(void);
extern const char *lxc_global_config_value(const char *option_name);
diff --git a/src/lxc/start.c b/src/lxc/start.c
index c9d78b7..d4603f7 100644
index c9d78b7..fe2e335 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -1067,6 +1067,7 @@ static int lxc_spawn(struct lxc_handler *handler)
int saved_ns_fd[LXC_NS_MAX];
int preserve_mask = 0, i, flags;
int netpipepair[2], nveths;
+ bool privileged = !!lxc_list_empty(&handler->conf->id_map);
+ bool privileged = lxc_list_empty(&handler->conf->id_map);
netpipe = -1;
@ -57,7 +73,7 @@ index c9d78b7..d4603f7 100644
* If the container is unprivileged then skip rootfs pinning.
*/
- if (lxc_list_empty(&handler->conf->id_map)) {
+ if (!privileged) {
+ if (privileged) {
handler->pinfd = pin_rootfs(handler->conf->rootfs.path);
if (handler->pinfd == -1)
INFO("Failed to pin the rootfs for container \"%s\".", handler->name);
@ -76,7 +92,7 @@ index c9d78b7..d4603f7 100644
- if (!cgroup_chown(handler, true)) {
- ERROR("failed chown inner cgroup separation layer");
- goto out_delete_net;
+ const char *tmp = lxc_global_config_value("lxc.cgroup.separate");
+ const char *tmp = lxc_global_config_value("lxc.cgroup.protect_limits");
+ if (!strcmp(tmp, "both") || !strcmp(tmp, privileged ? "privileged" : "unprivileged")) {
+ if (!cgroup_create(handler, true)) {
+ ERROR("failed to create inner cgroup separation layer");