提交 a86b6215 编写于 作者: C Chen Hanxiao 提交者: Gao feng

LXC: create a bind mount for sysfs when enable userns but disable netns

kernel commit 7dc5dbc879bd0779924b5132a48b731a0bc04a1e
forbids a fresh mount of sysfs
when userns is enabled but netns is disabled.
This patch creates a bind mount in this scenario instead.
Signed-off-by: NChen Hanxiao <chenhanxiao@cn.fujitsu.com>
上级 692016f7
...@@ -837,10 +837,13 @@ static int lxcContainerSetReadOnly(void) ...@@ -837,10 +837,13 @@ static int lxcContainerSetReadOnly(void)
} }
static int lxcContainerMountBasicFS(bool userns_enabled) static int lxcContainerMountBasicFS(bool userns_enabled,
bool netns_disabled)
{ {
size_t i; size_t i;
int rc = -1; int rc = -1;
char* mnt_src = NULL;
int mnt_mflags;
VIR_DEBUG("Mounting basic filesystems"); VIR_DEBUG("Mounting basic filesystems");
...@@ -848,8 +851,25 @@ static int lxcContainerMountBasicFS(bool userns_enabled) ...@@ -848,8 +851,25 @@ static int lxcContainerMountBasicFS(bool userns_enabled)
bool bindOverReadonly; bool bindOverReadonly;
virLXCBasicMountInfo const *mnt = &lxcBasicMounts[i]; virLXCBasicMountInfo const *mnt = &lxcBasicMounts[i];
/* When enable userns but disable netns, kernel will
* forbid us doing a new fresh mount for sysfs.
* So we had to do a bind mount for sysfs instead.
*/
if (userns_enabled && netns_disabled &&
STREQ(mnt->src, "sysfs")) {
if (VIR_STRDUP(mnt_src, "/sys") < 0) {
goto cleanup;
}
mnt_mflags = MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY|MS_BIND;
} else {
if (VIR_STRDUP(mnt_src, mnt->src) < 0) {
goto cleanup;
}
mnt_mflags = mnt->mflags;
}
VIR_DEBUG("Processing %s -> %s", VIR_DEBUG("Processing %s -> %s",
mnt->src, mnt->dst); mnt_src, mnt->dst);
if (mnt->skipUnmounted) { if (mnt->skipUnmounted) {
char *hostdir; char *hostdir;
...@@ -878,7 +898,7 @@ static int lxcContainerMountBasicFS(bool userns_enabled) ...@@ -878,7 +898,7 @@ static int lxcContainerMountBasicFS(bool userns_enabled)
if (virFileMakePath(mnt->dst) < 0) { if (virFileMakePath(mnt->dst) < 0) {
virReportSystemError(errno, virReportSystemError(errno,
_("Failed to mkdir %s"), _("Failed to mkdir %s"),
mnt->src); mnt_src);
goto cleanup; goto cleanup;
} }
...@@ -889,24 +909,24 @@ static int lxcContainerMountBasicFS(bool userns_enabled) ...@@ -889,24 +909,24 @@ static int lxcContainerMountBasicFS(bool userns_enabled)
* we mount the filesystem in read-write mode initially, and then do a * we mount the filesystem in read-write mode initially, and then do a
* separate read-only bind mount on top of that. * separate read-only bind mount on top of that.
*/ */
bindOverReadonly = !!(mnt->mflags & MS_RDONLY); bindOverReadonly = !!(mnt_mflags & MS_RDONLY);
VIR_DEBUG("Mount %s on %s type=%s flags=%x", VIR_DEBUG("Mount %s on %s type=%s flags=%x",
mnt->src, mnt->dst, mnt->type, mnt->mflags & ~MS_RDONLY); mnt_src, mnt->dst, mnt->type, mnt_mflags & ~MS_RDONLY);
if (mount(mnt->src, mnt->dst, mnt->type, mnt->mflags & ~MS_RDONLY, NULL) < 0) { if (mount(mnt_src, mnt->dst, mnt->type, mnt_mflags & ~MS_RDONLY, NULL) < 0) {
virReportSystemError(errno, virReportSystemError(errno,
_("Failed to mount %s on %s type %s flags=%x"), _("Failed to mount %s on %s type %s flags=%x"),
mnt->src, mnt->dst, NULLSTR(mnt->type), mnt_src, mnt->dst, NULLSTR(mnt->type),
mnt->mflags & ~MS_RDONLY); mnt_mflags & ~MS_RDONLY);
goto cleanup; goto cleanup;
} }
if (bindOverReadonly && if (bindOverReadonly &&
mount(mnt->src, mnt->dst, NULL, mount(mnt_src, mnt->dst, NULL,
MS_BIND|MS_REMOUNT|MS_RDONLY, NULL) < 0) { MS_BIND|MS_REMOUNT|MS_RDONLY, NULL) < 0) {
virReportSystemError(errno, virReportSystemError(errno,
_("Failed to re-mount %s on %s flags=%x"), _("Failed to re-mount %s on %s flags=%x"),
mnt->src, mnt->dst, mnt_src, mnt->dst,
MS_BIND|MS_REMOUNT|MS_RDONLY); MS_BIND|MS_REMOUNT|MS_RDONLY);
goto cleanup; goto cleanup;
} }
...@@ -915,6 +935,7 @@ static int lxcContainerMountBasicFS(bool userns_enabled) ...@@ -915,6 +935,7 @@ static int lxcContainerMountBasicFS(bool userns_enabled)
rc = 0; rc = 0;
cleanup: cleanup:
VIR_FREE(mnt_src);
VIR_DEBUG("rc=%d", rc); VIR_DEBUG("rc=%d", rc);
return rc; return rc;
} }
...@@ -1665,7 +1686,8 @@ static int lxcContainerSetupPivotRoot(virDomainDefPtr vmDef, ...@@ -1665,7 +1686,8 @@ static int lxcContainerSetupPivotRoot(virDomainDefPtr vmDef,
goto cleanup; goto cleanup;
/* Mounts the core /proc, /sys, etc filesystems */ /* Mounts the core /proc, /sys, etc filesystems */
if (lxcContainerMountBasicFS(vmDef->idmap.nuidmap) < 0) if (lxcContainerMountBasicFS(vmDef->idmap.nuidmap,
!vmDef->nnets) < 0)
goto cleanup; goto cleanup;
/* Ensure entire root filesystem (except /.oldroot) is readonly */ /* Ensure entire root filesystem (except /.oldroot) is readonly */
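Review bot: `mnt_src` is re-allocated with VIR_STRDUP on every iteration of the mount loop (second hunk) but freed only once at `cleanup:` (fourth hunk), so each iteration after the first leaks the previous string; either free it before each strdup, `VIR_FREE(mnt_src);` as the first statement of the loop body, or, since both sources are constant strings, avoid the allocation altogether with `const char *mnt_src = (userns_enabled && netns_disabled && STREQ(mnt->src, "sysfs")) ? "/sys" : mnt->src;` and drop the VIR_FREE. The loop body continues outside the hunk, so check for `continue` paths before deciding where the free goes. The mkdir failure report in the third hunk now prints `mnt_src`, but the path being created is `mnt->dst`, which would be the accurate operand. Separately, the nosuid/nodev/noexec bits requested for the sysfs bind are likely not carried by a MS_BIND mount and the later `MS_BIND|MS_REMOUNT|MS_RDONLY` remount appears to replace the mount's user-settable flags with read-only alone, which would leave the container's /sys without those restrictions; if that holds on the target kernel, passing `MS_BIND|MS_REMOUNT|mnt_mflags|MS_RDONLY` in the remount keeps them.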