[pve-devel] [PATCH v2 container] close #1785: whitelist namespaced lxc.sysfs.* entries

Wolfgang Bumiller w.bumiller at proxmox.com
Fri Jan 4 12:35:27 CET 2019


According to namespaces(7) these should be namespaced (iow.
changes to these values on the host are not propagated to
running containers), so it makes sense to whitelist them.

Note that these only work when also using
'lxc.mount.auto: proc:rw'

Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
Link: https://github.com/lxc/lxc/issues/989
---
Changes to v2:
    * lxc.sysfs -> lxc.sysctl
    * Added a note about the required lxc.mount.auto entry to the commit
      message

 src/PVE/LXC/Config.pm | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/PVE/LXC/Config.pm b/src/PVE/LXC/Config.pm
index 56082dd..061ec8e 100644
--- a/src/PVE/LXC/Config.pm
+++ b/src/PVE/LXC/Config.pm
@@ -509,6 +509,17 @@ my $valid_lxc_conf_keys = {
     'lxc.start.order' => 1,
     'lxc.group' => 1,
     'lxc.environment' => 1,
+
+    # All these are namespaced via CLONE_NEWIPC (see namespaces(7)).
+    'lxc.sysctl.fs.mqueue' => 1,
+    'lxc.sysctl.kernel.msgmax' => 1,
+    'lxc.sysctl.kernel.msgmnb' => 1,
+    'lxc.sysctl.kernel.msgmni' => 1,
+    'lxc.sysctl.kernel.sem' => 1,
+    'lxc.sysctl.kernel.shmall' => 1,
+    'lxc.sysctl.kernel.shmmax' => 1,
+    'lxc.sysctl.kernel.shmmni' => 1,
+    'lxc.sysctl.kernel.shm_rmid_forced' => 1,
 };
 
 my $deprecated_lxc_conf_keys = {
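Review bot: 'lxc.sysctl.fs.mqueue' is a sysctl directory, not a leaf (fs.mqueue holds msg_max, msgsize_max and queues_max), whereas every other key added in this hunk is a leaf sysctl; if $valid_lxc_conf_keys is consulted by exact key lookup, a user entry such as 'lxc.sysctl.fs.mqueue.msg_max' will never match and will be rejected like any unknown key. Either list the individual fs.mqueue keys or give this one entry prefix matching in the lookup, and since the commit message says these keys only take effect together with 'lxc.mount.auto: proc:rw', consider emitting a warning when any lxc.sysctl.* key is present without it so the silently ignored setting is visible to the user.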
-- 
2.11.0