Quoting j...@linux.vnet.ibm.com (j...@linux.vnet.ibm.com):
> From: Jian Xiao <j...@linux.vnet.ibm.com>
>
> Signed-off-by: Jian Xiao <j...@linux.vnet.ibm.com>
Two issues below.
> ---
> src/lxc/conf.c | 123
> +++++++++++++++++++++++++++++++++++++++++++++++++++++
> src/lxc/conf.h | 2 +
> src/lxc/confile.c | 32 ++++++++++++++
> 3 files changed, 157 insertions(+), 0 deletions(-)
>
> diff --git a/src/lxc/conf.c b/src/lxc/conf.c
> index e8088bb..d59731c 100644
> --- a/src/lxc/conf.c
> +++ b/src/lxc/conf.c
> @@ -1285,6 +1285,119 @@ static int setup_caps(struct lxc_list *caps)
> return 0;
> }
>
> +static int setup_shmmax(unsigned long shmmax)
setup_shmmax and setup_shmall are identical except for the shmmax/shmall
strings. Can you use one function for both and pass in the string to
use?
> +{
> + int rc, fd;
> + uid_t euid = geteuid();
> + char shmmax_str[64];
> +
> + if (!shmmax)
> + return 0;
> +
> + snprintf(shmmax_str, sizeof(shmmax_str), "%lu", shmmax);
> +
> + /* Process has all the capabilities set, but cannot open shmmax
> + * to write. Temporarily set euid to root to get around this.
> + * This is only done for non-root uid.
> + */
> + if (euid && seteuid(0)) {
> + SYSERROR("failed to change euid to 0\n");
> + return -1;
> + }
> +
> + fd = open("/proc/sys/kernel/shmmax", O_WRONLY);
> + if (fd < 0) {
> + SYSERROR("fail to open /proc/sys/kernel/shmmax");
> + return -1;
> + }
> +
> + rc = write(fd, shmmax_str, strlen(shmmax_str));
> + if (rc < 0) {
> + SYSERROR("fail to write /proc/sys/kernel/shmmax");
> + close(fd);
> + return -1;
> + }
> +
> + close(fd);
> +
> + /* set euid back */
> + if (euid) {
> + if (seteuid(euid)) {
> + ERROR("failed to change euid to '%d': %m", euid);
> + return -1;
> + }
> +
> + /* seteuid() to non-zero clears effective capabilities
> + * so we need to restore them
> + */
> + if (lxc_caps_up()) {
> + ERROR("failed to restore capabilities: %m");
> + return -1;
> + }
> + }
> +
> + DEBUG("shmmax has been setup to %lu\n", shmmax);
> +
> + return 0;
> +}
> +
> +static int setup_shmall(unsigned long shmall)
> +{
> + int rc, fd;
> + uid_t euid = geteuid();
> + char shmall_str[64];
> +
> + if (!shmall)
> + return 0;
> +
> + snprintf(shmall_str, sizeof(shmall_str), "%lu", shmall);
> +
> + /* Process has all the capabilities set, but cannot open shmall
> + * to write. Temporarily set euid to root to get around this.
> + * This is only done for non-root uid.
> + */
> + if (euid && seteuid(0)) {
> + SYSERROR("failed to change euid to 0\n");
> + return -1;
> + }
> +
> + fd = open("/proc/sys/kernel/shmall", O_WRONLY);
> + if (fd < 0) {
> + SYSERROR("fail to open /proc/sys/kernel/shmall");
> + return -1;
> + }
> +
> + rc = write(fd, shmall_str, strlen(shmall_str));
> + if (rc < 0) {
> + SYSERROR("fail to write /proc/sys/kernel/shmall");
> + close(fd);
> + return -1;
> + }
> +
> + close(fd);
> +
> + /* set euid back */
> + if (euid) {
> + if (seteuid(euid)) {
> + ERROR("failed to change euid to '%d': %m", euid);
> + return -1;
> + }
> +
> + /* seteuid() to non-zero clears effective capabilities
> + * so we need to restore them
> + */
> + if (lxc_caps_up()) {
> + ERROR("failed to restore capabilities: %m");
> + return -1;
> + }
> + }
> +
> + DEBUG("shmall has been setup to %lu\n", shmall);
> +
> + return 0;
> +}
> +
> +
> static int setup_hw_addr(char *hwaddr, const char *ifname)
> {
> struct sockaddr sockaddr;
> @@ -2047,6 +2160,16 @@ int lxc_setup(const char *name, struct lxc_conf
> *lxc_conf)
> return -1;
> }
>
> + if (setup_shmmax(lxc_conf->shmmax)) {
> + ERROR("failed to set shmmax");
> + return -1;
> + }
> +
> + if (setup_shmall(lxc_conf->shmall)) {
> + ERROR("failed to set shmall");
> + return -1;
> + }
> +
You should move this up before the pivot_root(), as it's possible that
/proc won't yet be mounted in the container.
Other than that,
Acked-by: Serge Hallyn <serge.hal...@ubuntu.com>
> NOTICE("'%s' is setup.", name);
>
> return 0;
> diff --git a/src/lxc/conf.h b/src/lxc/conf.h
> index 09f55cb..347521e 100644
> --- a/src/lxc/conf.h
> +++ b/src/lxc/conf.h
> @@ -216,6 +216,8 @@ struct lxc_conf {
> struct lxc_rootfs rootfs;
> char *ttydir;
> int close_all_fds;
> + unsigned long shmmax;
> + unsigned long shmall;
> };
>
> /*
> diff --git a/src/lxc/confile.c b/src/lxc/confile.c
> index b305aef..f71f4c7 100644
> --- a/src/lxc/confile.c
> +++ b/src/lxc/confile.c
> @@ -71,6 +71,8 @@ static int config_network_ipv6(const char *, char *, struct
> lxc_conf *);
> static int config_network_ipv6_gateway(const char *, char *, struct lxc_conf
> *);
> static int config_cap_drop(const char *, char *, struct lxc_conf *);
> static int config_console(const char *, char *, struct lxc_conf *);
> +static int config_shmmax(const char *, char *, struct lxc_conf *);
> +static int config_shmall(const char *, char *, struct lxc_conf *);
>
> typedef int (*config_cb)(const char *, char *, struct lxc_conf *);
>
> @@ -107,6 +109,8 @@ static struct config config[] = {
> { "lxc.network.ipv6", config_network_ipv6 },
> { "lxc.cap.drop", config_cap_drop },
> { "lxc.console", config_console },
> + { "lxc.shmmax", config_shmmax },
> + { "lxc.shmall", config_shmall },
> };
>
> static const size_t config_size = sizeof(config)/sizeof(struct config);
> @@ -876,6 +880,34 @@ static int config_utsname(const char *key, char *value,
> struct lxc_conf *lxc_con
> return 0;
> }
>
> +static int config_shmmax(const char *key, char *value, struct lxc_conf
> *lxc_conf)
> +{
> + if (!strlen(value))
> + return -1;
> +
> + errno = 0;
> + lxc_conf->shmmax = strtoul(value, NULL, 0);
> + if (errno) {
> + SYSERROR("failed to strtoul '%s'", value);
> + return -1;
> + }
> + return 0;
> +}
> +
> +static int config_shmall(const char *key, char *value, struct lxc_conf
> *lxc_conf)
> +{
> + if (!strlen(value))
> + return -1;
> +
> + errno = 0;
> + lxc_conf->shmall = strtoul(value, NULL, 0);
> + if (errno) {
> + SYSERROR("failed to strtoul '%s'", value);
> + return -1;
> + }
> + return 0;
> +}
> +
> static int parse_line(char *buffer, void *data)
> {
> struct config *config;
> --
> 1.7.1
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Lxc-devel mailing list
> Lxc-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/lxc-devel
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel
