[pve-devel] [PATCH container] close #1785: whitelist namespaced lxc.sysfs.* entries

Wolfgang Bumiller w.bumiller at proxmox.com
Fri Jan 4 11:47:21 CET 2019


Actually, this is wrong. (Should be lxc.sysctl.* not lxc.sysfs.*)
sorry

> On January 4, 2019 at 11:29 AM Wolfgang Bumiller <w.bumiller at proxmox.com> wrote:
> 
> 
> According to namespaces(7) these should be namespaced (iow.
> changing these values on the host, they are not propagated to
> running containers), so it makes sense to whitelist them.
> 
> Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
> Link: https://github.com/lxc/lxc/issues/989
> ---
>  src/PVE/LXC/Config.pm | 11 +++++++++++
>  1 file changed, 11 insertions(+)
> 
> diff --git a/src/PVE/LXC/Config.pm b/src/PVE/LXC/Config.pm
> index 56082dd..610adf3 100644
> --- a/src/PVE/LXC/Config.pm
> +++ b/src/PVE/LXC/Config.pm
> @@ -509,6 +509,17 @@ my $valid_lxc_conf_keys = {
>      'lxc.start.order' => 1,
>      'lxc.group' => 1,
>      'lxc.environment' => 1,
> +
> +    # All these are namespaced via CLONE_NEWIPC (see namespaces(7)).
> +    'lxc.sysfs.fs.mqueue' => 1,
> +    'lxc.sysfs.kernel.msgmax' => 1,
> +    'lxc.sysfs.kernel.msgmnb' => 1,
> +    'lxc.sysfs.kernel.msgmni' => 1,
> +    'lxc.sysfs.kernel.sem' => 1,
> +    'lxc.sysfs.kernel.shmall' => 1,
> +    'lxc.sysfs.kernel.shmmax' => 1,
> +    'lxc.sysfs.kernel.shmmni' => 1,
> +    'lxc.sysfs.kernel.shm_rmid_forced' => 1,
>  };
>  
>  my $deprecated_lxc_conf_keys = {
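Review bot: the added keys use the prefix `lxc.sysfs.`, but the LXC configuration key family for sysctl values is `lxc.sysctl.*` (the sender's own follow-up confirms this), so as written none of these entries would match a real container config key and the whitelist change is a no-op. Rename each entry, e.g. `'lxc.sysctl.kernel.shmmax' => 1,`, and update the subject line to match. Since `$valid_lxc_conf_keys` is the gate that decides which raw LXC settings a container owner may inject, the comment `# All these are namespaced via CLONE_NEWIPC (see namespaces(7)).` is the right justification to keep next to the block: only keys whose effect stays inside the container's IPC namespace belong here, and any future addition to this list should state the namespace that confines it.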
> -- 
> 2.11.0
> 
> 