[pve-devel] [PATCH container] close #1785: whitelist namespaced lxc.sysfs.* entries
Wolfgang Bumiller
w.bumiller at proxmox.com
Fri Jan 4 11:29:20 CET 2019
According do namespaces(7) these should be namespaced (iow.
changing these values on the host they are not propagated to
running containers), so it makes sense to whitelist them.
Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
Link: https://github.com/lxc/lxc/issues/989
---
src/PVE/LXC/Config.pm | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/src/PVE/LXC/Config.pm b/src/PVE/LXC/Config.pm
index 56082dd..610adf3 100644
--- a/src/PVE/LXC/Config.pm
+++ b/src/PVE/LXC/Config.pm
@@ -509,6 +509,17 @@ my $valid_lxc_conf_keys = {
'lxc.start.order' => 1,
'lxc.group' => 1,
'lxc.environment' => 1,
+
+ # All these are namespaced via CLONE_NEWIPC (see namespaces(7)).
+ 'lxc.sysfs.fs.mqueue' => 1,
+ 'lxc.sysfs.kernel.msgmax' => 1,
+ 'lxc.sysfs.kernel.msgmnb' => 1,
+ 'lxc.sysfs.kernel.msgmni' => 1,
+ 'lxc.sysfs.kernel.sem' => 1,
+ 'lxc.sysfs.kernel.shmall' => 1,
+ 'lxc.sysfs.kernel.shmmax' => 1,
+ 'lxc.sysfs.kernel.shmmni' => 1,
+ 'lxc.sysfs.kernel.shm_rmid_forced' => 1,
};
my $deprecated_lxc_conf_keys = {
--
2.11.0
More information about the pve-devel
mailing list