[pve-devel] applied: [PATCH v2 container] close #1785: whitelist namespaced lxc.sysfs.* entries
Thomas Lamprecht
t.lamprecht at proxmox.com
Mon Jan 7 14:11:32 CET 2019
On 1/4/19 12:35 PM, Wolfgang Bumiller wrote:
> According to namespaces(7) these should be namespaced (iow.
> changing these values on the host they are not propagated to
> running containers), so it makes sense to whitelist them.
>
> Note that these only work when also using
> 'lxc.mount.auto: proc:rw'
>
> Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
> Link: https://github.com/lxc/lxc/issues/989
> ---
> Changes to v2:
> * lxc.sysfs -> lxc.sysctl
> * Added a note about the required lxc.mount.auto entry to the commit
> message
>
> src/PVE/LXC/Config.pm | 11 +++++++++++
> 1 file changed, 11 insertions(+)
>
> diff --git a/src/PVE/LXC/Config.pm b/src/PVE/LXC/Config.pm
> index 56082dd..061ec8e 100644
> --- a/src/PVE/LXC/Config.pm
> +++ b/src/PVE/LXC/Config.pm
> @@ -509,6 +509,17 @@ my $valid_lxc_conf_keys = {
> 'lxc.start.order' => 1,
> 'lxc.group' => 1,
> 'lxc.environment' => 1,
> +
> + # All these are namespaced via CLONE_NEWIPC (see namespaces(7)).
> + 'lxc.sysctl.fs.mqueue' => 1,
> + 'lxc.sysctl.kernel.msgmax' => 1,
> + 'lxc.sysctl.kernel.msgmnb' => 1,
> + 'lxc.sysctl.kernel.msgmni' => 1,
> + 'lxc.sysctl.kernel.sem' => 1,
> + 'lxc.sysctl.kernel.shmall' => 1,
> + 'lxc.sysctl.kernel.shmmax' => 1,
> + 'lxc.sysctl.kernel.shmmni' => 1,
> + 'lxc.sysctl.kernel.shm_rmid_forced' => 1,
> };
>
> my $deprecated_lxc_conf_keys = {
>
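Review bot: `lxc.sysctl.fs.mqueue` is the one entry in this block that names a sysctl directory rather than a tunable; the settable keys under it are `fs.mqueue.msg_max`, `fs.mqueue.msgsize_max` and `fs.mqueue.queues_max`, so a config line such as `lxc.sysctl.fs.mqueue.msg_max: 64` only passes this whitelist if the lookup is a prefix match. If `$valid_lxc_conf_keys` is consulted by exact key, as the other entries (full sysctl names) suggest, either list the three concrete `fs.mqueue.*` keys or handle the prefix explicitly. Also, the requirement stated in the commit message that these only take effect together with `lxc.mount.auto: proc:rw` is worth repeating in the comment above the block, since that is where the next person extending the list will look.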
applied, thanks!