On Tue, Dec 09, 2014 at 10:47:24AM +0100, Cédric Bosdonnat wrote:
> Some programs want to change some values for the network interfaces
> configuration in /proc/sys/net/ipv[46] folders. Giving RW access on them
> allows wicked to work on openSUSE 13.2+.
>
> In order to mount those folders RW but keep the rest of /proc/sys RO,
> we add temporary mounts for these folders before bind-mounting
> /proc/sys. Those mounts will be skipped if the container doesn't have
> its own network namespace.
>
> It may happen that one of the temporary mounts in /proc/ filesystem
> isn't available due to a missing kernel feature. We need not to fail
> in that case.
> ---
>
> Diffs to v1:
>
> * Only mount the /proc/sys/net/ipv[46] if the container has its own netns
> * Don't test for the existence of files in /proc before mounting them: they
>   may not be ready when checking. Instead try to mount them and skip them if
>   the source doesn't exist.
> * Use existing lxcNeedNetworkNamespace to tell lxcContainerMountBasicFS if we
>   have our own netns: at least we now have the proper value.
>
> src/lxc/lxc_container.c | 153 ++++++++++++++++++++++++++++++++++++++----------
> 1 file changed, 121 insertions(+), 32 deletions(-)
>
> diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
> index 3b08b86..140d54f 100644
> --- a/src/lxc/lxc_container.c
> +++ b/src/lxc/lxc_container.c
> @@ -800,15 +800,21 @@ typedef struct { > int mflags; > bool skipUserNS; > bool skipUnmounted; > + bool skipNoPrivNet; > + bool temporary; > } virLXCBasicMountInfo; > > static const virLXCBasicMountInfo lxcBasicMounts[] = { > - { "proc", "/proc", "proc", MS_NOSUID|MS_NOEXEC|MS_NODEV, false, false }, > - { "/proc/sys", "/proc/sys", NULL, MS_BIND|MS_RDONLY, false, false }, > - { "sysfs", "/sys", "sysfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, false, false }, > - { "securityfs", "/sys/kernel/security", "securityfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, true, true }, > + { "proc", "/proc", "proc", MS_NOSUID|MS_NOEXEC|MS_NODEV, false, false, false, false }, > + { "/proc/sys/net/ipv4", "TMP1", NULL, MS_BIND, false, false, true, true }, > + { "/proc/sys/net/ipv6", "TMP2", NULL, MS_BIND, false, false, true, true }, > + { "/proc/sys", "/proc/sys", NULL, MS_BIND|MS_RDONLY, false, false, false, false }, > + { "TMP1", "/proc/sys/net/ipv4", NULL, MS_BIND, false, false, true, false }, > + { "TMP2", "/proc/sys/net/ipv6", NULL, MS_BIND, false, false, true, false }, > + { "sysfs", "/sys", "sysfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, false, false, false, false }, > + { "securityfs", "/sys/kernel/security", "securityfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, true, true, false, false }, I'm wondering if we can avoid the use of temporary mounts here. 
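Review bot: the two new virLXCBasicMountInfo fields, skipNoPrivNet and temporary, and the "TMP1"/"TMP2" strings used as dst in the new "/proc/sys/net/ipv4" and "/proc/sys/net/ipv6" entries and as src in the two re-bind entries are not explained anywhere in this hunk; a reader of lxcBasicMounts cannot tell that TMPn is a placeholder for a scratch directory or which flag controls the skip. Add a one-line comment on each new struct field and a comment above the table stating that it is order-sensitive: the TMPn stage-in entries must precede the MS_BIND|MS_RDONLY "/proc/sys" entry and the plain MS_BIND re-bind entries must follow it, otherwise the ipv[46] subtrees do not end up writable as intended.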
You are trying to get this sequence

  mount --bind /proc/sys/net/ipv6 /tmp/foo
  mount --bind /proc/sys /proc/sys -o ro
  mount --bind /tmp/foo /proc/sys/net/ipv6

So the latter ends up read-write still, IIUC. We still have /.oldroot available though, so is it possible for us to make use of that to avoid the temp dir, eg

  mount --bind /proc/sys /proc/sys -o ro
  mount --bind /.oldroot/proc/sys/net/ipv6 /proc/sys/net/ipv6

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
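Whichever of the two mount sequences above is used, the invariant the thread cares about is the same: /proc/sys read-only, only /proc/sys/net/ipv4 and /proc/sys/net/ipv6 writable, and both still backed by procfs. The audit below, an added example that is not part of the thread or of libvirt, checks that invariant from inside a container by parsing /proc/self/mountinfo; the mountinfo text it runs on is constructed to match the layout the patch describes.

```python
"""Audit /proc/self/mountinfo for the /proc/sys layout the patch aims at:
/proc/sys read-only, only /proc/sys/net/ipv4 and /proc/sys/net/ipv6
writable, and those two still backed by procfs."""

# Constructed sample in /proc/self/mountinfo format, modelled on the layout
# the patch produces; it is not captured from a real container.
SAMPLE_MOUNTINFO = """\
101 100 0:4 / /proc rw,nosuid,nodev,noexec - proc proc rw
102 101 0:4 /sys /proc/sys ro,nosuid,nodev,noexec - proc proc rw
103 102 0:4 /sys/net/ipv4 /proc/sys/net/ipv4 rw,nosuid,nodev,noexec - proc proc rw
104 102 0:4 /sys/net/ipv6 /proc/sys/net/ipv6 rw,nosuid,nodev,noexec - proc proc rw
105 100 0:15 / /sys ro,nosuid,nodev,noexec - sysfs sysfs rw
"""

# Mount points allowed to be writable below the read-only /proc/sys.
WRITABLE_ALLOWED = frozenset({"/proc/sys/net/ipv4", "/proc/sys/net/ipv6"})


def parse_mountinfo(text):
    """Yield (mount point, per-mount option set, fs type) for each line.

    Layout: id parent maj:min root mountpoint opts [optional...] - fstype ...
    The per-mount 'ro' flag lives in opts, not in the super options.
    """
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        sep = fields.index("-")  # separates optional fields from fstype
        mount_point = fields[4].replace("\\040", " ")  # mountinfo escapes spaces
        yield mount_point, set(fields[5].split(",")), fields[sep + 1]


def audit_proc_sys(text, writable_allowed=WRITABLE_ALLOWED):
    """Return a list of findings; an empty list means the layout is as intended."""
    mounts = list(parse_mountinfo(text))
    by_path = {mp: (opts, fstype) for mp, opts, fstype in mounts}
    findings = []
    if "/proc/sys" not in by_path:
        findings.append("/proc/sys is not a separate mount, so it inherits /proc's rw flag")
    elif "ro" not in by_path["/proc/sys"][0]:
        findings.append("/proc/sys is mounted read-write")
    for mp, opts, fstype in mounts:
        if not mp.startswith("/proc/sys/") or "ro" in opts:
            continue  # outside the tree, or read-only: nothing to report
        if mp not in writable_allowed:
            findings.append(f"{mp} is writable under /proc/sys")
        elif fstype != "proc":
            findings.append(f"{mp} is writable but backed by {fstype}, not procfs")
    return findings


if __name__ == "__main__":
    for finding in audit_proc_sys(SAMPLE_MOUNTINFO) or ["layout OK"]:
        print(finding)
```

To run it against a live container, feed it `open("/proc/self/mountinfo").read()` instead of the constructed sample.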