On Tue, Dec 09, 2014 at 10:47:24AM +0100, Cédric Bosdonnat wrote:
Some programs want to change some values for the network interfaces
configuration in /proc/sys/net/ipv[46] folders. Giving RW access on them
allows wicked to work on openSUSE 13.2+.
In order to mount those folders RW but keep the rest of /proc/sys RO,
we add temporary mounts for these folders before bind-mounting
/proc/sys. Those mounts will be skipped if the container doesn't have
its own network namespace.
It may happen that one of the temporary mounts in the /proc filesystem
isn't available due to a missing kernel feature. We need not fail
in that case.
---
Diffs to v1:
* Only mount the /proc/sys/net/ipv[46] if the container has its own netns
* Don't test for the existence of files in /proc before mounting them: they
may not be ready when checking. Instead try to mount them and skip them if
the source doesn't exist.
* Use existing lxcNeedNetworkNamespace to tell lxcContainerMountBasicFS if we
have our own netns: at least we now have the proper value.
src/lxc/lxc_container.c | 153 ++++++++++++++++++++++++++++++++++++++----------
1 file changed, 121 insertions(+), 32 deletions(-)
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index 3b08b86..140d54f 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -800,15 +800,21 @@ typedef struct {
int mflags;
bool skipUserNS;
bool skipUnmounted;
+ bool skipNoPrivNet;
+ bool temporary;
} virLXCBasicMountInfo;
static const virLXCBasicMountInfo lxcBasicMounts[] = {
- { "proc", "/proc", "proc",
MS_NOSUID|MS_NOEXEC|MS_NODEV, false, false },
- { "/proc/sys", "/proc/sys", NULL, MS_BIND|MS_RDONLY, false,
false },
- { "sysfs", "/sys", "sysfs",
MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, false, false },
- { "securityfs", "/sys/kernel/security", "securityfs",
MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, true, true },
+ { "proc", "/proc", "proc",
MS_NOSUID|MS_NOEXEC|MS_NODEV, false, false, false, false },
+ { "/proc/sys/net/ipv4", "TMP1", NULL, MS_BIND, false, false,
true, true },
+ { "/proc/sys/net/ipv6", "TMP2", NULL, MS_BIND, false, false,
true, true },
+ { "/proc/sys", "/proc/sys", NULL, MS_BIND|MS_RDONLY, false,
false, false, false },
+ { "TMP1", "/proc/sys/net/ipv4", NULL, MS_BIND, false, false,
true, false },
+ { "TMP2", "/proc/sys/net/ipv6", NULL, MS_BIND, false, false,
true, false },
+ { "sysfs", "/sys", "sysfs",
MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, false, false, false, false },
+ { "securityfs", "/sys/kernel/security", "securityfs",
MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, true, true, false, false },
I'm wondering if we can avoid the use of temporary mounts here.
You are trying to get this sequence
mount --bind /proc/sys/net/ipv6 /tmp/foo
mount --bind /proc/sys /proc/sys -o ro
mount --bind /tmp/foo /proc/sys/net/ipv6
So the latter ends up read-write still.
IIUC, we still have /.oldroot available though, so is it possible
for us to make use of that to avoid the temp dir, e.g.
mount --bind /proc/sys /proc/sys -o ro
mount --bind /.oldroot/proc/sys/net/ipv6 /proc/sys/net/ipv6
Regards,
Daniel
--
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
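The mount ordering the patch and the reply discuss, modelled as an added simulation that is neither libvirt's code nor the patch itself: it replays the v2 table (temporary rows bound into a scratch directory before the read-only bind of /proc/sys, then rebound over it) with the cover letter's skip rules, and checks which paths end up writable. The table flags, the scratch directory path and the `present_sources` input are constructed; no real mount(2) calls are made.

```python
from dataclasses import dataclass

# Constructed flag values; the names mirror those used in lxcBasicMounts.
MS_BIND, MS_RDONLY = 1 << 12, 1
TMPDIR = "/tmp/lxc-proc-sys"  # assumed scratch dir standing in for TMP1/TMP2

@dataclass(frozen=True)
class MountInfo:
    src: str
    dst: str
    flags: int
    skip_no_priv_net: bool   # row dropped when the container shares the host netns
    temporary: bool          # row mounts into the scratch dir under its placeholder

TABLE = [  # same order as the patched table, proc/sysfs/securityfs rows omitted
    MountInfo("/proc/sys/net/ipv4", "TMP1", MS_BIND, True, True),
    MountInfo("/proc/sys/net/ipv6", "TMP2", MS_BIND, True, True),
    MountInfo("/proc/sys", "/proc/sys", MS_BIND | MS_RDONLY, False, False),
    MountInfo("TMP1", "/proc/sys/net/ipv4", MS_BIND, True, False),
    MountInfo("TMP2", "/proc/sys/net/ipv6", MS_BIND, True, False),
]

def plan_mounts(own_netns, present_sources):
    """Return the (src, dst, flags) mounts that would actually be performed.
    present_sources: /proc paths that exist at mount time (a missing kernel
    feature, e.g. no IPv6, means /proc/sys/net/ipv6 is absent)."""
    skipped_tmp = set()
    plan = []
    for m in TABLE:
        if m.skip_no_priv_net and not own_netns:
            continue
        src, dst = m.src, m.dst
        if m.temporary:
            if src not in present_sources:
                skipped_tmp.add(dst)        # placeholder never filled: skip rebind too
                continue
            dst = f"{TMPDIR}/{dst}"
        elif src.startswith("TMP"):
            if src in skipped_tmp:
                continue
            src = f"{TMPDIR}/{src}"
        plan.append((src, dst, m.flags))
    return plan

def writable(plan, path):
    """Is `path` writable after applying `plan` in order? The last mount covering it wins."""
    state = True
    for _src, dst, flags in plan:
        if path == dst or path.startswith(dst + "/"):
            state = not (flags & MS_RDONLY)
    return state
```

With the same table, own netns and both IPv4 and IPv6 present, /proc/sys/kernel stays read-only while /proc/sys/net/ipv6 is writable; without an own netns only the read-only bind of /proc/sys remains.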