External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-01-22 04:25:18 +00:00
Code Issues Packages Projects Releases Wiki Activity

lxc: give RW access to /proc/sys/net/ipv[46] to containers

Browse Source 
Some programs want to change some values for the network interfaces
configuration in /proc/sys/net/ipv[46] folders. Giving RW access on them
allows wicked to work on openSUSE 13.2+.

Reusing the lxcNeedNetworkNamespace function to tell
lxcContainerMountBasicFS if the netns is disabled. When no netns is
set up, then we don't mount the /proc/sys/net/ipv[46] folder RW as
these would provide full access to the host NICs config.
This commit is contained in:
Cédric Bosdonnat 2014-12-10 10:22:28 +01:00
parent 729251692f
commit ba9b7252ea
1 changed files with 41 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

64
src/lxc/lxc_container.c
View File

@ -800,15 +800,18 @@ typedef struct {
int mflags; int mflags;
bool skipUserNS; bool skipUserNS;
bool skipUnmounted; bool skipUnmounted;
bool skipNoNetns;
} virLXCBasicMountInfo; } virLXCBasicMountInfo;
static const virLXCBasicMountInfo lxcBasicMounts[] = { static const virLXCBasicMountInfo lxcBasicMounts[] = {
{ "proc", "/proc", "proc", MS_NOSUID|MS_NOEXEC|MS_NODEV, false, false }, { "proc", "/proc", "proc", MS_NOSUID|MS_NOEXEC|MS_NODEV, false, false, false },
{ "/proc/sys", "/proc/sys", NULL, MS_BIND|MS_RDONLY, false, false }, { "/proc/sys", "/proc/sys", NULL, MS_BIND|MS_RDONLY, false, false, false },
{ "sysfs", "/sys", "sysfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, false, false }, { "/.oldroot/proc/sys/net/ipv4", "/proc/sys/net/ipv4", NULL, MS_BIND, false, false, true },
{ "securityfs", "/sys/kernel/security", "securityfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, true, true }, { "/.oldroot/proc/sys/net/ipv6", "/proc/sys/net/ipv6", NULL, MS_BIND, false, false, true },
{ "sysfs", "/sys", "sysfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, false, false, false },
{ "securityfs", "/sys/kernel/security", "securityfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, true, true, false },
#if WITH_SELINUX #if WITH_SELINUX
{ SELINUX_MOUNT, SELINUX_MOUNT, "selinuxfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, true, true }, { SELINUX_MOUNT, SELINUX_MOUNT, "selinuxfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, true, true, false },
#endif #endif
}; };
@ -940,10 +943,24 @@ static int lxcContainerMountBasicFS(bool userns_enabled,
continue; continue;
} }
/* Skip mounts with missing source without shouting: it may be a
* missing folder in /proc due to the absence of a kernel feature */
if (STRPREFIX(mnt_src, "/") && !virFileExists(mnt_src)) {
VIR_DEBUG("Skipping due to missing source: %s", mnt_src);
VIR_FREE(mnt_src);
continue;
}
if (mnt->skipNoNetns && netns_disabled) {
VIR_DEBUG("Skipping due to absence of network namespace");
VIR_FREE(mnt_src);
continue;
}
if (virFileMakePath(mnt->dst) < 0) { if (virFileMakePath(mnt->dst) < 0) {
virReportSystemError(errno, virReportSystemError(errno,
_("Failed to mkdir %s"), _("Failed to mkdir %s"),
mnt_src); mnt->dst);
goto cleanup; goto cleanup;
} }
@ -1697,6 +1714,23 @@ static int lxcContainerUnmountForSharedRoot(const char *stateDir,
} }
static bool
lxcNeedNetworkNamespace(virDomainDefPtr def)
{
size_t i;
if (def->nets != NULL)
return true;
if (def->features[VIR_DOMAIN_FEATURE_PRIVNET] == VIR_TRISTATE_SWITCH_ON)
return true;
for (i = 0; i < def->nhostdevs; i++) {
if (def->hostdevs[i]->mode == VIR_DOMAIN_HOSTDEV_MODE_CAPABILITIES &&
def->hostdevs[i]->source.caps.type == VIR_DOMAIN_HOSTDEV_CAPS_TYPE_NET)
return true;
}
return false;
}
/* Got a FS mapped to /, we're going the pivot_root /* Got a FS mapped to /, we're going the pivot_root
* approach to do a better-chroot-than-chroot * approach to do a better-chroot-than-chroot
* this is based on this thread http://lkml.org/lkml/2008/3/5/29 * this is based on this thread http://lkml.org/lkml/2008/3/5/29
@ -1741,7 +1775,7 @@ static int lxcContainerSetupPivotRoot(virDomainDefPtr vmDef,
/* Mounts the core /proc, /sys, etc filesystems */ /* Mounts the core /proc, /sys, etc filesystems */
if (lxcContainerMountBasicFS(vmDef->idmap.nuidmap, if (lxcContainerMountBasicFS(vmDef->idmap.nuidmap,
!vmDef->nnets) < 0) !lxcNeedNetworkNamespace(vmDef)) < 0)
goto cleanup; goto cleanup;
/* Ensure entire root filesystem (except /.oldroot) is readonly */ /* Ensure entire root filesystem (except /.oldroot) is readonly */
@ -2240,22 +2274,6 @@ virArch lxcContainerGetAlt32bitArch(virArch arch)
} }
static bool
lxcNeedNetworkNamespace(virDomainDefPtr def)
{
size_t i;
if (def->nets != NULL)
return true;
if (def->features[VIR_DOMAIN_FEATURE_PRIVNET] == VIR_TRISTATE_SWITCH_ON)
return true;
for (i = 0; i < def->nhostdevs; i++) {
if (def->hostdevs[i]->mode == VIR_DOMAIN_HOSTDEV_MODE_CAPABILITIES &&
def->hostdevs[i]->source.caps.type == VIR_DOMAIN_HOSTDEV_CAPS_TYPE_NET)
return true;
}
return false;
}
/** /**
* lxcContainerStart: * lxcContainerStart:
* @def: pointer to virtual machine structure * @def: pointer to virtual machine structure