openkylin
/
libvirt
mirror of https://gitee.com/openkylin/libvirt.git
9
0
Fork 0
Code Issues Projects Releases Wiki Activity

LXC: create a bind mount for sysfs when enable userns but disable netns 

kernel commit 7dc5dbc879bd0779924b5132a48b731a0bc04a1e
forbid us doing a fresh mount for sysfs
when enable userns but disable netns.
This patch will create a bind mount in this senario.

Signed-off-by: Chen Hanxiao <chenhanxiao@cn.fujitsu.com>
This commit is contained in:
Chen Hanxiao 2014-07-14 18:01:51 +08:00 committed by Gao feng
parent 692016f790
commit a86b6215a7
1 changed files with 33 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
src/lxc/lxc_container.c
View File

@ -837,10 +837,13 @@ static int lxcContainerSetReadOnly(void)
}
static int lxcContainerMountBasicFS(bool userns_enabled)
static int lxcContainerMountBasicFS(bool userns_enabled,
bool netns_disabled)
{
size_t i;
int rc = -1;
char* mnt_src = NULL;
int mnt_mflags;
VIR_DEBUG("Mounting basic filesystems");
@ -848,8 +851,25 @@ static int lxcContainerMountBasicFS(bool userns_enabled)
bool bindOverReadonly;
virLXCBasicMountInfo const *mnt = &lxcBasicMounts[i];
/* When enable userns but disable netns, kernel will
* forbid us doing a new fresh mount for sysfs.
* So we had to do a bind mount for sysfs instead.
*/
if (userns_enabled && netns_disabled &&
STREQ(mnt->src, "sysfs")) {
if (VIR_STRDUP(mnt_src, "/sys") < 0) {
goto cleanup;
}
mnt_mflags = MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY|MS_BIND;
} else {
if (VIR_STRDUP(mnt_src, mnt->src) < 0) {
goto cleanup;
}
mnt_mflags = mnt->mflags;
}
VIR_DEBUG("Processing %s -> %s",
mnt->src, mnt->dst);
mnt_src, mnt->dst);
if (mnt->skipUnmounted) {
char *hostdir;
@ -878,7 +898,7 @@ static int lxcContainerMountBasicFS(bool userns_enabled)
if (virFileMakePath(mnt->dst) < 0) {
virReportSystemError(errno,
_("Failed to mkdir %s"),
mnt->src);
mnt_src);
goto cleanup;
}
@ -889,24 +909,24 @@ static int lxcContainerMountBasicFS(bool userns_enabled)
* we mount the filesystem in read-write mode initially, and then do a
* separate read-only bind mount on top of that.
*/
bindOverReadonly = !!(mnt->mflags & MS_RDONLY);
bindOverReadonly = !!(mnt_mflags & MS_RDONLY);
VIR_DEBUG("Mount %s on %s type=%s flags=%x",
mnt->src, mnt->dst, mnt->type, mnt->mflags & ~MS_RDONLY);
if (mount(mnt->src, mnt->dst, mnt->type, mnt->mflags & ~MS_RDONLY, NULL) < 0) {
mnt_src, mnt->dst, mnt->type, mnt_mflags & ~MS_RDONLY);
if (mount(mnt_src, mnt->dst, mnt->type, mnt_mflags & ~MS_RDONLY, NULL) < 0) {
virReportSystemError(errno,
_("Failed to mount %s on %s type %s flags=%x"),
mnt->src, mnt->dst, NULLSTR(mnt->type),
mnt->mflags & ~MS_RDONLY);
mnt_src, mnt->dst, NULLSTR(mnt->type),
mnt_mflags & ~MS_RDONLY);
goto cleanup;
}
if (bindOverReadonly &&
mount(mnt->src, mnt->dst, NULL,
mount(mnt_src, mnt->dst, NULL,
MS_BIND|MS_REMOUNT|MS_RDONLY, NULL) < 0) {
virReportSystemError(errno,
_("Failed to re-mount %s on %s flags=%x"),
mnt->src, mnt->dst,
mnt_src, mnt->dst,
MS_BIND|MS_REMOUNT|MS_RDONLY);
goto cleanup;
}
@ -915,6 +935,7 @@ static int lxcContainerMountBasicFS(bool userns_enabled)
rc = 0;
cleanup:
VIR_FREE(mnt_src);
VIR_DEBUG("rc=%d", rc);
return rc;
}
@ -1665,7 +1686,8 @@ static int lxcContainerSetupPivotRoot(virDomainDefPtr vmDef,
goto cleanup;
/* Mounts the core /proc, /sys, etc filesystems */
if (lxcContainerMountBasicFS(vmDef->idmap.nuidmap) < 0)
if (lxcContainerMountBasicFS(vmDef->idmap.nuidmap,
!vmDef->nnets) < 0)
goto cleanup;
/* Ensure entire root filesystem (except /.oldroot) is readonly */