Currently we allow setting up new VE features and the iptables mask even when the container is already running, which brings some vague meaning into the container state -- from the user's point of view it's unclear whether the @features or @iptables belong to the running container or were modified afterwards and don't really apply to the running instance.
Thus, when user space tools modify these members, make sure the container is offline. Reported-by: Kirill Tkhai <[email protected]> Signed-off-by: Cyrill Gorcunov <[email protected]> CC: Vladimir Davydov <[email protected]> CC: Konstantin Khorenko <[email protected]> CC: Pavel Emelyanov <[email protected]> CC: Andrey Vagin <[email protected]> --- kernel/ve/ve.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) Index: linux-pcs7.git/kernel/ve/ve.c =================================================================== --- linux-pcs7.git.orig/kernel/ve/ve.c +++ linux-pcs7.git/kernel/ve/ve.c @@ -1108,11 +1108,19 @@ static u64 ve_read_u64(struct cgroup *cg static int ve_write_u64(struct cgroup *cg, struct cftype *cft, u64 value) { + struct ve_struct *ve = cgroup_ve(cg); + if (!ve_is_super(get_exec_env())) return -EPERM; + down_write(&ve->op_sem); + if (ve->is_running || ve->ve_ns) { + up_write(&ve->op_sem); + return -EBUSY; + } + if (cft->private == VE_CF_FEATURES) - cgroup_ve(cg)->features = value; + ve->features = value; else if (cft->private == VE_CF_IPTABLES_MASK) { value &= ~VE_IP_IPTABLES6; value &= ~VE_IP_FILTER6; @@ -1131,9 +1139,10 @@ static int ve_write_u64(struct cgroup *c if (mask_ipt_allow(value, VE_IP_CONNTRACK)) value |= VE_NF_CONNTRACK; - cgroup_ve(cg)->ipt_mask = value; + ve->ipt_mask = value; } + up_write(&ve->op_sem); return 0; } _______________________________________________ Devel mailing list [email protected] https://lists.openvz.org/mailman/listinfo/devel
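Review bot: the new -EBUSY check in the first hunk gates on `ve->is_running || ve->ve_ns`, but the commit message only talks about a running container; please spell out in the message why a VE with ve_ns set but is_running clear (for example one that is still starting or stopping) must also refuse the write, and document the new -EBUSY return for the features and iptables_mask cgroup files so user space tools know they have to set them before starting the container. The check is also only meaningful if the code that sets is_running and ve_ns takes op_sem for write as well; that is not visible in this hunk, so one sentence in the commit message confirming it would help reviewers.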
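Review bot: with down_write(&ve->op_sem) now held across the whole VE_CF_IPTABLES_MASK branch, every return between the two hunks has to go through up_write(); the lines between the hunks (old 1127-1130 of the mask handling) are not shown here, so please confirm none of them returns early. Better still, replace the duplicated `up_write(&ve->op_sem); return -EBUSY;` in the first hunk and the final `up_write(&ve->op_sem); return 0;` in the second with a single `out:` label that unlocks and returns ret, so a future early return added to the mask handling cannot leak the semaphore.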
