authorChristian Brauner <cbrauner@suse.de>2016-07-26 16:49:15 +0200
committerLennart Poettering <lennart@poettering.net>2016-07-26 16:49:15 +0200
commit5a8ff0e61dd8094b2b5d0b35df2ca13b489e0dfa (patch)
tree367e18e5aea7ae38ea4fd0d811a16a62987cbce5 /src/nspawn
parent1d3c86c06fca8311923fcf81af0ab0bbb66e1edd (diff)
nspawn: add SYSTEMD_NSPAWN_USE_CGNS env variable (#3809)
SYSTEMD_NSPAWN_USE_CGNS allows disabling the use of cgroup namespaces.
Diffstat (limited to 'src/nspawn')
-rw-r--r--src/nspawn/nspawn-mount.c5
-rw-r--r--src/nspawn/nspawn-mount.h2
-rw-r--r--src/nspawn/nspawn.c17
3 files changed, 17 insertions, 7 deletions
diff --git a/src/nspawn/nspawn-mount.c b/src/nspawn/nspawn-mount.c
index ac93357ef4..803caef3dd 100644
--- a/src/nspawn/nspawn-mount.c
+++ b/src/nspawn/nspawn-mount.c
@@ -916,11 +916,12 @@ int mount_cgroups(
const char *dest,
bool unified_requested,
bool userns, uid_t uid_shift, uid_t uid_range,
- const char *selinux_apifs_context) {
+ const char *selinux_apifs_context,
+ bool use_cgns) {
if (unified_requested)
return mount_unified_cgroups(dest);
- else if (cg_ns_supported())
+ else if (use_cgns && cg_ns_supported())
return mount_legacy_cgns_supported(userns, uid_shift, uid_range, selinux_apifs_context);
return mount_legacy_cgns_unsupported(dest, userns, uid_shift, uid_range, selinux_apifs_context);
diff --git a/src/nspawn/nspawn-mount.h b/src/nspawn/nspawn-mount.h
index 0daf145412..0eff8e1006 100644
--- a/src/nspawn/nspawn-mount.h
+++ b/src/nspawn/nspawn-mount.h
@@ -58,7 +58,7 @@ int custom_mount_compare(const void *a, const void *b);
int mount_all(const char *dest, bool use_userns, bool in_userns, bool use_netns, uid_t uid_shift, uid_t uid_range, const char *selinux_apifs_context);
int mount_sysfs(const char *dest);
-int mount_cgroups(const char *dest, bool unified_requested, bool userns, uid_t uid_shift, uid_t uid_range, const char *selinux_apifs_context);
+int mount_cgroups(const char *dest, bool unified_requested, bool userns, uid_t uid_shift, uid_t uid_range, const char *selinux_apifs_context, bool use_cgns);
int mount_systemd_cgroup_writable(const char *dest, bool unified_requested);
int mount_custom(const char *dest, CustomMount *mounts, unsigned n, bool userns, uid_t uid_shift, uid_t uid_range, const char *selinux_apifs_context);
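Review bot: The new `use_cgns` parameter of mount_cgroups() is undocumented in the header, and its meaning is not obvious from the name alone: from the nspawn-mount.c hunk, false forces the legacy non-namespaced cgroup mount even on kernels where `cg_ns_supported()` is true, while `unified_requested` still takes precedence. A short comment above the declaration would spare callers a trip to the implementation, e.g. `/* use_cgns: if false, set up the legacy cgroup mounts without a cgroup namespace even when the kernel supports one; ignored when unified_requested is set */`.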
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index f8a43d89a2..6cc1b9177d 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -194,6 +194,7 @@ static int arg_settings_trusted = -1;
static char **arg_parameters = NULL;
static const char *arg_container_service_name = "systemd-nspawn";
static bool arg_notify_ready = false;
+static bool arg_use_cgns = true;
static void help(void) {
printf("%s [OPTIONS...] [PATH] [ARGUMENTS...]\n\n"
@@ -1104,6 +1105,12 @@ static int parse_argv(int argc, char *argv[]) {
if (e)
arg_container_service_name = e;
+ r = getenv_bool("SYSTEMD_NSPAWN_USE_CGNS");
+ if (r < 0)
+ arg_use_cgns = cg_ns_supported();
+ else
+ arg_use_cgns = r;
+
return 1;
}
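Review bot: An unparsable value of SYSTEMD_NSPAWN_USE_CGNS is silently treated like an unset variable, because the `r < 0` branch folds both cases into the `cg_ns_supported()` default; a typo such as `=ture` then leaves cgroup namespaces in whatever state the kernel default gives, with no diagnostic. If getenv_bool follows the systemd convention of returning -ENXIO for an unset variable and parse_boolean's negative error for a bad value, the two can be told apart and the bad value rejected like the other parse errors in parse_argv. It is also worth warning when the variable explicitly asks for cgroup namespaces on a kernel where `cg_ns_supported()` is false, since inner_child and outer_child then fall back to the non-namespaced setup without any message. parse_argv's body begins before this hunk.
```c
r = getenv_bool("SYSTEMD_NSPAWN_USE_CGNS");
if (r == -ENXIO)
        arg_use_cgns = cg_ns_supported();
else if (r < 0)
        return log_error_errno(r, "Failed to parse $SYSTEMD_NSPAWN_USE_CGNS: %m");
else {
        arg_use_cgns = r;
        if (arg_use_cgns && !cg_ns_supported())
                log_warning("$SYSTEMD_NSPAWN_USE_CGNS requests cgroup namespaces, but the kernel does not support them; continuing without.");
}
```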
@@ -2628,7 +2635,7 @@ static int inner_child(
return -ESRCH;
}
- if (cg_ns_supported()) {
+ if (arg_use_cgns && cg_ns_supported()) {
r = unshare(CLONE_NEWCGROUP);
if (r < 0)
return log_error_errno(errno, "Failed to unshare cgroup namespace");
@@ -2638,7 +2645,8 @@ static int inner_child(
arg_userns_mode != USER_NAMESPACE_NO,
arg_uid_shift,
arg_uid_range,
- arg_selinux_apifs_context);
+ arg_selinux_apifs_context,
+ arg_use_cgns);
if (r < 0)
return r;
} else {
@@ -3029,14 +3037,15 @@ static int outer_child(
if (r < 0)
return r;
- if (!cg_ns_supported()) {
+ if (!arg_use_cgns || !cg_ns_supported()) {
r = mount_cgroups(
directory,
arg_unified_cgroup_hierarchy,
arg_userns_mode != USER_NAMESPACE_NO,
arg_uid_shift,
arg_uid_range,
- arg_selinux_apifs_context);
+ arg_selinux_apifs_context,
+ arg_use_cgns);
if (r < 0)
return r;
}
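Review bot: At this call site `arg_use_cgns` is passed through even though the enclosing condition `!arg_use_cgns || !cg_ns_supported()` guarantees that mount_cgroups()'s own `use_cgns && cg_ns_supported()` test is false, so the argument carries no information here and the call always ends in the non-namespaced legacy path (or the unified one). That is correct, but the coupling between the two conditions is implicit; a one-line comment such as `/* cgns disabled or unsupported: mount_cgroups() takes the legacy non-cgns path here */` above the call would make the intent clear. outer_child continues outside the hunk.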