update cgroup namespace separation patches

2025-03-17 14:50:29 +03:00 · 2017-09-19 10:04:57 +02:00 · 2017-09-19 10:04:57 +02:00 · f81e43ae79
commit f81e43ae79
parent 10490c1476
11 changed files with 56 additions and 9 deletions
--- a/debian/patches/0001-lxc.service-start-after-a-potential-syslog.service.patch
+++ b/debian/patches/0001-lxc.service-start-after-a-potential-syslog.service.patch
@ -1,7 +1,7 @@
 From 674c54165393b3ad0059f4a5c5d1e1505eea9114 Mon Sep 17 00:00:00 2001
 From: Wolfgang Bumiller <w.bumiller@proxmox.com>
 Date: Fri, 10 Feb 2017 09:13:40 +0100
-Subject: [PATCH 1/9] lxc.service: start after a potential syslog.service
+Subject: [PATCH 01/10] lxc.service: start after a potential syslog.service

 Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
 ---
--- a/debian/patches/0002-jessie-systemd-remove-Delegate-flag-to-silence-warni.patch
+++ b/debian/patches/0002-jessie-systemd-remove-Delegate-flag-to-silence-warni.patch
@ -1,7 +1,8 @@
 From a5ee14df834c008294b790d96982a1fea36c807a Mon Sep 17 00:00:00 2001
 From: Wolfgang Bumiller <w.bumiller@proxmox.com>
 Date: Fri, 10 Feb 2017 09:14:55 +0100
-Subject: [PATCH 2/9] jessie/systemd: remove Delegate flag to silence warnings
+Subject: [PATCH 02/10] jessie/systemd: remove Delegate flag to silence
+ warnings

 Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
 ---
--- a/debian/patches/0003-pve-run-lxcnetaddbr-when-instantiating-veths.patch
+++ b/debian/patches/0003-pve-run-lxcnetaddbr-when-instantiating-veths.patch
@ -1,7 +1,7 @@
 From 84da55875d3a9468957fe0f0012ea2b39b9f7785 Mon Sep 17 00:00:00 2001
 From: Wolfgang Bumiller <w.bumiller@proxmox.com>
 Date: Fri, 10 Feb 2017 09:15:37 +0100
-Subject: [PATCH 3/9] pve: run lxcnetaddbr when instantiating veths
+Subject: [PATCH 03/10] pve: run lxcnetaddbr when instantiating veths

 FIXME: Why aren't we using regular up-scripts?

--- a/debian/patches/0004-deny-rw-mounting-of-sys-and-proc.patch
+++ b/debian/patches/0004-deny-rw-mounting-of-sys-and-proc.patch
@ -1,7 +1,7 @@
 From 2d651f876f4afa97ddd6081d996776c10355732a Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= <f.gruenbichler@proxmox.com>
 Date: Wed, 9 Nov 2016 09:14:26 +0100
-Subject: [PATCH 4/9] deny rw mounting of /sys and /proc
+Subject: [PATCH 04/10] deny rw mounting of /sys and /proc

 this would allow root in a privileged container to change
 the permissions of /sys on the host, which could lock out
--- a/debian/patches/0005-separate-the-limiting-from-the-namespaced-cgroup-roo.patch
+++ b/debian/patches/0005-separate-the-limiting-from-the-namespaced-cgroup-roo.patch
@ -1,7 +1,7 @@
 From 9152a996a7413e1dc7dc3cb6c64af20cdf0389be Mon Sep 17 00:00:00 2001
 From: Wolfgang Bumiller <w.bumiller@proxmox.com>
 Date: Tue, 15 Nov 2016 09:20:24 +0100
-Subject: [PATCH 5/9] separate the limiting from the namespaced cgroup root
+Subject: [PATCH 05/10] separate the limiting from the namespaced cgroup root

 When cgroup namespaces are enabled a privileged container
 with mixed cgroups has full write access to its own root
--- a/debian/patches/0006-start-initutils-make-cgroupns-separation-level-confi.patch
+++ b/debian/patches/0006-start-initutils-make-cgroupns-separation-level-confi.patch
@ -1,7 +1,7 @@
 From 3ec7cf35c1ca98f976a2c39cd58287d8137d0269 Mon Sep 17 00:00:00 2001
 From: Wolfgang Bumiller <w.bumiller@proxmox.com>
 Date: Wed, 16 Nov 2016 09:53:42 +0100
-Subject: [PATCH 6/9] start/initutils: make cgroupns separation level
+Subject: [PATCH 06/10] start/initutils: make cgroupns separation level
 configurable

 Adds a new global config variable `lxc.cgroup.separate`
--- a/debian/patches/0007-rename-cgroup-namespace-directory-to-ns.patch
+++ b/debian/patches/0007-rename-cgroup-namespace-directory-to-ns.patch
@ -1,7 +1,7 @@
 From d80258c750c52470389056c212a0eb5f0901dd7b Mon Sep 17 00:00:00 2001
 From: Wolfgang Bumiller <w.bumiller@proxmox.com>
 Date: Fri, 23 Dec 2016 15:57:24 +0100
-Subject: [PATCH 7/9] rename cgroup namespace directory to ns
+Subject: [PATCH 07/10] rename cgroup namespace directory to ns

 Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
 ---
--- a/debian/patches/0008-possibility-to-run-lxc-monitord-as-a-regular-daemon.patch
+++ b/debian/patches/0008-possibility-to-run-lxc-monitord-as-a-regular-daemon.patch
@ -1,7 +1,7 @@
 From 9f5dc10171f3546530a326b8d427683109fd2818 Mon Sep 17 00:00:00 2001
 From: Wolfgang Bumiller <w.bumiller@proxmox.com>
 Date: Fri, 10 Feb 2017 10:23:36 +0100
-Subject: [PATCH 8/9] possibility to run lxc-monitord as a regular daemon
+Subject: [PATCH 08/10] possibility to run lxc-monitord as a regular daemon

 This includes an lxc-monitord.service, required by
 lxc@.service which is now of Type=forking.
--- a/debian/patches/0009-network-add-missing-checks-for-empty-links.patch
+++ b/debian/patches/0009-network-add-missing-checks-for-empty-links.patch
@ -1,7 +1,7 @@
 From c1c1e55305a06786ee3dd938e421ca413db73dd1 Mon Sep 17 00:00:00 2001
 From: Wolfgang Bumiller <w.bumiller@proxmox.com>
 Date: Wed, 6 Sep 2017 11:51:03 +0200
-Subject: [PATCH 9/9] network: add missing checks for empty links
+Subject: [PATCH 09/10] network: add missing checks for empty links

 Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
 ---
--- a/debian/patches/0010-start-unshare-cgroup-after-setting-up-device-limits.patch
+++ b/debian/patches/0010-start-unshare-cgroup-after-setting-up-device-limits.patch
@ -0,0 +1,45 @@
+From 7f3ecf9291a8bca0e60f6611206608d0644e73bf Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Tue, 19 Sep 2017 10:00:43 +0200
+Subject: [PATCH 10/10] start: unshare cgroup after setting up device limits
+
+Commit f4152036dd29 ("start: lxc_setup() after unshare(CLONE_NEWCGROUP)"
+introduced another sync step before the cgroup device
+limits, but in order for cgroup namespace separation to work
+these limits must be setup before creating the separation
+directory, which means we need to move the unshare to after
+setting up the limits.
+
+Fixup-for: separate the limiting from the namespaced cgroup root
+Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
+---
+ src/lxc/start.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/lxc/start.c b/src/lxc/start.c
+index 4fec27b9..7715f64f 100644
+--- a/src/lxc/start.c
+++ b/src/lxc/start.c
+@@ -1324,9 +1324,6 @@ static int lxc_spawn(struct lxc_handler *handler)
+ 		goto out_delete_net;
+ 	}
+ 
+-	if (lxc_sync_barrier_child(handler, LXC_SYNC_CGROUP_UNSHARE))
+-		goto out_delete_net;
+-
+ 	if (!cgroup_setup_limits(handler, true)) {
+ 		ERROR("Failed to setup the devices cgroup for container \"%s\".", name);
+ 		goto out_delete_net;
+@@ -1351,6 +1348,9 @@ static int lxc_spawn(struct lxc_handler *handler)
+ 		}
+ 	}
+ 
+	if (lxc_sync_barrier_child(handler, LXC_SYNC_CGROUP_UNSHARE))
+		goto out_delete_net;
+
+ 	cgroup_disconnect();
+ 	cgroups_connected = false;
+ 
+-- 
+2.11.0
+
--- a/debian/patches/series
+++ b/debian/patches/series
@ -7,3 +7,4 @@
 0007-rename-cgroup-namespace-directory-to-ns.patch
 0008-possibility-to-run-lxc-monitord-as-a-regular-daemon.patch
 0009-network-add-missing-checks-for-empty-links.patch
+0010-start-unshare-cgroup-after-setting-up-device-limits.patch