Subject: disable sys_reboot when not in init_pid_ns
From: Daniel Lezcano <dlezcano@xxxxxxxxxx>

This simple patch avoids shutting down the host within a container.

Without this patch, a call to 'halt' inside a container will switch to the right runlevel but finish with 'shutdown -f' in the last init script, with the effect of shutting down the real host.

This patch has been tested with the lxc tools and a Debian minimal container. The 'init' process running inside the container does correctly call the different shutdown services and the container exits gracefully.

I didn't try with the 'init' from the upstart package. It uses an abstract unix socket, which means this patch should work if the container is network isolated too.

Signed-off-by: Daniel Lezcano <dlezcano@xxxxxxxxxx>
--- kernel/sys.c | 3 +++ 1 file changed, 3 insertions(+) Index: net-next-2.6/kernel/sys.c =================================================================== --- net-next-2.6.orig/kernel/sys.c +++ net-next-2.6/kernel/sys.c @@ -355,6 +355,9 @@ asmlinkage long sys_reboot(int magic1, i if (!capable(CAP_SYS_BOOT)) return -EPERM; + if (current->nsproxy->pid_ns != &init_pid_ns) + return 0; + /* For safety, we require "magic" arguments. */ if (magic1 != LINUX_REBOOT_MAGIC1 || (magic2 != LINUX_REBOOT_MAGIC2 &&
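
Review bot: the added pid namespace test in sys_reboot() returns 0 before the "magic" argument validation that follows it, so a caller outside init_pid_ns gets a success code even when magic1/magic2 are wrong, and it cannot tell a suppressed reboot from one that was carried out. Consider moving the `if (current->nsproxy->pid_ns != &init_pid_ns)` test below the magic check so argument validation behaves the same in every namespace, and returning an error such as -EPERM instead of 0, or stating in the changelog why the init scripts need a success return. The new lines also carry no comment, unlike the "For safety, we require "magic" arguments" line directly beneath them; a one-line comment saying that reboot requests from a non-initial pid namespace are ignored to protect the host would make the intent clear to the next reader.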