[libvirt] [PATCHv2] lxc: give RW access to /proc/sys/net/ipv[46] to containers
Daniel P. Berrange
berrange at redhat.com
Tue Dec 9 16:34:17 UTC 2014
On Tue, Dec 09, 2014 at 10:47:24AM +0100, Cédric Bosdonnat wrote:
> Some programs want to change some values for the network interfaces
> configuration in /proc/sys/net/ipv[46] folders. Giving RW access on them
> allows wicked to work on openSUSE 13.2+.
>
> In order to mount those folders RW but keep the rest of /proc/sys RO,
> we add temporary mounts for these folders before bind-mounting
> /proc/sys. Those mounts will be skipped if the container doesn't have
> its own network namespace.
>
> It may happen that one of the temporary mounts in /proc/ filesystem
> isn't available due to a missing kernel feature. We need not to fail
> in that case.
> ---
>
> Diffs to v1:
>
> * Only mount the /proc/sys/net/ipv[46] if the container has its own netns
> * Don't test for the existence of files in /proc before mounting them: they
> may not be ready when checking. Instead try to mount them and skip them if
> the source doesn't exist.
> * Use existing lxcNeedNetworkNamespace to tell lxcContainerMountBasicFS if we
> have our own netns: at least we now have the proper value.
>
> src/lxc/lxc_container.c | 153 ++++++++++++++++++++++++++++++++++++++----------
> 1 file changed, 121 insertions(+), 32 deletions(-)
>
> diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
> index 3b08b86..140d54f 100644
> --- a/src/lxc/lxc_container.c
> +++ b/src/lxc/lxc_container.c
> @@ -800,15 +800,21 @@ typedef struct {
> int mflags;
> bool skipUserNS;
> bool skipUnmounted;
> + bool skipNoPrivNet;
> + bool temporary;
> } virLXCBasicMountInfo;
>
> static const virLXCBasicMountInfo lxcBasicMounts[] = {
> - { "proc", "/proc", "proc", MS_NOSUID|MS_NOEXEC|MS_NODEV, false, false },
> - { "/proc/sys", "/proc/sys", NULL, MS_BIND|MS_RDONLY, false, false },
> - { "sysfs", "/sys", "sysfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, false, false },
> - { "securityfs", "/sys/kernel/security", "securityfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, true, true },
> + { "proc", "/proc", "proc", MS_NOSUID|MS_NOEXEC|MS_NODEV, false, false, false, false },
> + { "/proc/sys/net/ipv4", "TMP1", NULL, MS_BIND, false, false, true, true },
> + { "/proc/sys/net/ipv6", "TMP2", NULL, MS_BIND, false, false, true, true },
> + { "/proc/sys", "/proc/sys", NULL, MS_BIND|MS_RDONLY, false, false, false, false },
> + { "TMP1", "/proc/sys/net/ipv4", NULL, MS_BIND, false, false, true, false },
> + { "TMP2", "/proc/sys/net/ipv6", NULL, MS_BIND, false, false, true, false },
> + { "sysfs", "/sys", "sysfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, false, false, false, false },
> + { "securityfs", "/sys/kernel/security", "securityfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, true, true, false, false },
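Review bot: with `TMP1`/`TMP2` baked into a `static const` table, this hunk does not show where those placeholder targets are turned into real directories or where the `temporary` mounts are torn down again; a comment on the new `temporary` field naming the code that allocates and unmounts the directory would help the next reader. The rows now carry eight positional booleans (`false, false, true, true`), so what each column means is no longer obvious at a glance; designated initializers such as `.skipNoPrivNet = true, .temporary = true` would document them in place. The property the table relies on is ordering: `/proc/sys` is bound with `MS_BIND|MS_RDONLY` and only afterwards are `/proc/sys/net/ipv4` and `/proc/sys/net/ipv6` covered by plain `MS_BIND` entries, so those two directories are the only writable part of `/proc/sys`, and only when the container has its own network namespace (`skipNoPrivNet`). That invariant deserves a comment above `lxcBasicMounts`, so a later reorder cannot silently widen write access to the rest of `/proc/sys`.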
I'm wondering if we can avoid the use of temporary mounts here.
You are trying to get this sequence

    mount --bind /proc/sys/net/ipv6 /tmp/foo
    mount --bind /proc/sys /proc/sys -o ro
    mount --bind /tmp/foo /proc/sys/net/ipv6

So the latter ends up read-write still

IIUC, we still have /.oldroot available though, so is it possible
for us to make use of that to avoid the temp dir e.g.

    mount --bind /proc/sys /proc/sys -o ro
    mount --bind /.oldroot/proc/sys/net/ipv6 /proc/sys/net/ipv6
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
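The following script is an added example and is not part of the libvirt patch or of the reply above. It shows the bind-mount sequence proposed in the reply (read-only `/proc/sys`, then the still-writable `/proc/sys/net/ipv[46]` bound over it from the old root) as a shell function, and, more usefully for anyone auditing a container, a checker that reads `/proc/self/mountinfo` from inside the container and confirms that `/proc/sys` is read-only while only the two per-netns sysctl directories are writable. The function names, the `OLDROOT` variable and the two mountinfo samples are constructed for this example; the samples are hand-written and not captured from a real container.

```shell
#!/bin/sh
# Added example, not libvirt code: audit the /proc/sys mount layout of an
# LXC container from inside it, and apply the /.oldroot-based sequence
# from the reply (no temporary directory needed).

# Print "ro", "rw" or "none" for the topmost mount whose mount point is
# exactly $1, reading mountinfo lines from the file named in $2.
# mountinfo field 5 is the mount point and field 6 the per-mount options;
# the first option token is always rw or ro, and a later line with the
# same mount point shadows an earlier one, so the last match wins.
mount_state() {
    awk -v target="$1" '
        $5 == target { split($6, opts, ","); state = opts[1] }
        END { print (state == "" ? "none" : state) }
    ' "$2"
}

# Exit 0 only when /proc/sys is read-only while both per-netns sysctl
# directories are covered by writable mounts. Defaults to the caller's
# own mountinfo so it can be run as-is inside a container.
check_sysctl_layout() {
    mi="${1:-/proc/self/mountinfo}"
    [ "$(mount_state /proc/sys "$mi")" = ro ] || return 1
    [ "$(mount_state /proc/sys/net/ipv4 "$mi")" = rw ] || return 1
    [ "$(mount_state /proc/sys/net/ipv6 "$mi")" = rw ] || return 1
}

# Constructed sample: the layout the patch aims for (container with its
# own network namespace).
good_mountinfo() {
    cat <<'EOF'
30 1 0:21 / / rw,relatime - ext4 /dev/vda1 rw
31 30 0:4 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
32 31 0:4 /sys /proc/sys ro,nosuid,nodev,noexec,relatime - proc proc rw
33 32 0:4 /sys/net/ipv4 /proc/sys/net/ipv4 rw,nosuid,nodev,noexec,relatime - proc proc rw
34 32 0:4 /sys/net/ipv6 /proc/sys/net/ipv6 rw,nosuid,nodev,noexec,relatime - proc proc rw
EOF
}

# Constructed sample: container sharing the host netns, so the ipv[46]
# entries were skipped and those directories stay under read-only /proc/sys.
shared_netns_mountinfo() {
    cat <<'EOF'
30 1 0:21 / / rw,relatime - ext4 /dev/vda1 rw
31 30 0:4 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
32 31 0:4 /sys /proc/sys ro,nosuid,nodev,noexec,relatime - proc proc rw
EOF
}

# The sequence from the reply. mount(2) ignores MS_RDONLY when creating a
# bind mount, so the read-only flag is applied with an explicit remount
# instead of relying on the mount tool to do it. Needs root inside a
# private mount namespace, e.g.  unshare -m sh -c '. ./audit.sh; apply_layout'
# OLDROOT (assumed) is where the pre-pivot_root filesystem is still visible.
apply_layout() {
    oldroot="${OLDROOT:-/.oldroot}"
    mount --bind /proc/sys /proc/sys
    mount -o remount,bind,ro /proc/sys /proc/sys
    for fam in ipv4 ipv6; do
        # Like the patch, try the mount and skip it if the source is not
        # there (kernel built without that protocol family).
        mount --bind "$oldroot/proc/sys/net/$fam" "/proc/sys/net/$fam" 2>/dev/null \
            || echo "skipping $fam: source not available"
    done
}

# Stand-alone run: evaluate the two constructed samples.
for sample in good_mountinfo shared_netns_mountinfo; do
    f=$(mktemp)
    "$sample" >"$f"
    if check_sysctl_layout "$f"; then
        echo "$sample: /proc/sys read-only, ipv4/ipv6 sysctls writable"
    else
        echo "$sample: ipv4/ipv6 sysctls not writable, or /proc/sys not read-only"
    fi
    rm -f "$f"
done
```

Run `check_sysctl_layout` with no argument inside a container to audit the live layout; it fails on a container that shares the host's network namespace, which is the case the patch deliberately skips, because there the ipv4/ipv6 sysctls are global and must stay read-only.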