
On Tue, Dec 09, 2014 at 10:47:24AM +0100, Cédric Bosdonnat wrote:
Some programs want to change some values in the network interface configuration under the /proc/sys/net/ipv[46] folders. Giving RW access to them allows wicked to work on openSUSE 13.2+.
In order to mount those folders RW but keep the rest of /proc/sys RO, we add temporary mounts for these folders before bind-mounting /proc/sys. Those mounts will be skipped if the container doesn't have its own network namespace.
It may happen that one of the temporary mounts in the /proc filesystem isn't available due to a missing kernel feature. We must not fail in that case.
---
Diffs to v1:
* Only mount the /proc/sys/net/ipv[46] if the container has its own netns
* Don't test for the existence of files in /proc before mounting them: they may not be ready when checking. Instead try to mount them and skip them if the source doesn't exist.
* Use existing lxcNeedNetworkNamespace to tell lxcContainerMountBasicFS if we have our own netns: at least we now have the proper value.
src/lxc/lxc_container.c | 153 ++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 121 insertions(+), 32 deletions(-)
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c index 3b08b86..140d54f 100644 --- a/src/lxc/lxc_container.c +++ b/src/lxc/lxc_container.c @@ -800,15 +800,21 @@ typedef struct { int mflags; bool skipUserNS; bool skipUnmounted; + bool skipNoPrivNet; + bool temporary; } virLXCBasicMountInfo;
static const virLXCBasicMountInfo lxcBasicMounts[] = { - { "proc", "/proc", "proc", MS_NOSUID|MS_NOEXEC|MS_NODEV, false, false }, - { "/proc/sys", "/proc/sys", NULL, MS_BIND|MS_RDONLY, false, false }, - { "sysfs", "/sys", "sysfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, false, false }, - { "securityfs", "/sys/kernel/security", "securityfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, true, true }, + { "proc", "/proc", "proc", MS_NOSUID|MS_NOEXEC|MS_NODEV, false, false, false, false }, + { "/proc/sys/net/ipv4", "TMP1", NULL, MS_BIND, false, false, true, true }, + { "/proc/sys/net/ipv6", "TMP2", NULL, MS_BIND, false, false, true, true }, + { "/proc/sys", "/proc/sys", NULL, MS_BIND|MS_RDONLY, false, false, false, false }, + { "TMP1", "/proc/sys/net/ipv4", NULL, MS_BIND, false, false, true, false }, + { "TMP2", "/proc/sys/net/ipv6", NULL, MS_BIND, false, false, true, false }, + { "sysfs", "/sys", "sysfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, false, false, false, false }, + { "securityfs", "/sys/kernel/security", "securityfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, true, true, false, false },
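Review bot: the new `skipNoPrivNet` and `temporary` fields in `virLXCBasicMountInfo` and the `TMP1`/`TMP2` placeholder strings in `lxcBasicMounts` are undocumented, and the table is now order-dependent in a way nothing in the hunk states: each `temporary` entry that parks `/proc/sys/net/ipv4` or `/proc/sys/net/ipv6` on `TMP1`/`TMP2` must precede the `MS_BIND|MS_RDONLY` entry for `/proc/sys`, and its counterpart that binds `TMP1`/`TMP2` back must follow it, otherwise the whole subtree is either writable or read-only. Suggest a comment on the two fields and above the table spelling out that pairing, what `TMP1`/`TMP2` are substituted with, and that the bind-back entries deliberately carry `MS_BIND` without `MS_RDONLY` so that exactly these two subtrees stay writable, and only when `skipNoPrivNet` lets them through in a container with its own network namespace.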
I'm wondering if we can avoid the use of temporary mounts here. You are trying to get this sequence:

  mount --bind /proc/sys/net/ipv6 /tmp/foo
  mount --bind /proc/sys /proc/sys -o ro
  mount --bind /tmp/foo /proc/sys/net/ipv6

So the latter ends up read-write still, IIUC. We still have /.oldroot available though, so is it possible for us to make use of that to avoid the temp dir, e.g.

  mount --bind /proc/sys /proc/sys -o ro
  mount --bind /.oldroot/proc/sys/net/ipv6 /proc/sys/net/ipv6

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
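To make the mount sequence from the patch description and the reply above concrete and checkable, here is an added shell example (not libvirt's code, nor Cédric's or Daniel's): it builds the tmp-dir layout the patch describes (read-only /proc/sys with read-write /proc/sys/net/ipv[46], skipping a family whose sysctl tree is missing) and then verifies the resulting split from /proc/self/mountinfo. The function names, the mktemp-based parking directory and the mountinfo sample lines are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not libvirt's code: build the /proc/sys layout discussed in
# the thread (read-only /proc/sys with read-write /proc/sys/net/ipv[46]) and
# verify it from /proc/self/mountinfo. mount_sysctl_layout needs root and a
# private mount namespace (e.g. "unshare -m sh script.sh"); the checker
# works on the live mountinfo or on a captured copy of it.

mount_sysctl_layout() {
    tmp=$(mktemp -d) || return 1
    parked=""
    for fam in ipv4 ipv6; do
        mkdir -p "$tmp/$fam"
        # Park a read-write view of each sysctl subtree first. As in the
        # patch, a failing mount (e.g. no ipv6 tree) is skipped, not fatal.
        if mount --bind "/proc/sys/net/$fam" "$tmp/$fam" 2>/dev/null; then
            parked="$parked $fam"
        fi
    done
    # Bind /proc/sys over itself, then remount that bind read-only: the
    # kernel ignores MS_RDONLY on a plain bind, so the remount is what
    # actually makes the tree ro.
    mount --bind /proc/sys /proc/sys || return 1
    mount -o remount,bind,ro /proc/sys || return 1
    # Put the parked read-write views back on top of the read-only tree.
    for fam in $parked; do
        mount --bind "$tmp/$fam" "/proc/sys/net/$fam" || return 1
        umount "$tmp/$fam" 2>/dev/null   # the parking mount has done its job
    done
}

# Verify the result: exit 0 when /proc/sys is ro and both ipv4/ipv6 subtrees
# carry their own rw mount; print each mismatch and exit 1 otherwise.
# $1: mountinfo file to inspect (defaults to the live one).
check_proc_sys_layout() {
    awk '
    # mountinfo fields: ID parent maj:min root mountpoint opts ... - fstype src superopts
    { mp = $5; state[mp] = ($6 ~ /(^|,)ro(,|$)/) ? "ro" : "rw" }  # later mount on a path wins
    END {
        bad = 0
        if (!("/proc/sys" in state)) { print "/proc/sys: no own mount"; bad = 1 }
        else if (state["/proc/sys"] != "ro") { print "/proc/sys: rw, expected ro"; bad = 1 }
        n = split("/proc/sys/net/ipv4 /proc/sys/net/ipv6", want, " ")
        for (i = 1; i <= n; i++) {
            if (!(want[i] in state)) { print want[i] ": no own mount, inherits ro"; bad = 1 }
            else if (state[want[i]] != "rw") { print want[i] ": ro, expected rw"; bad = 1 }
        }
        exit bad
    }' "${1:-/proc/self/mountinfo}"
}
```

Running check_proc_sys_layout inside the container after it starts is a cheap way to confirm that only the two network subtrees are writable and that nothing else under /proc/sys lost its read-only bind.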