From 5a8ff0e61dd8094b2b5d0b35df2ca13b489e0dfa Mon Sep 17 00:00:00 2001 From: Christian Brauner Date: Tue, 26 Jul 2016 16:49:15 +0200 Subject: nspawn: add SYSTEMD_NSPAWN_USE_CGNS env variable (#3809) SYSTEMD_NSPAWN_USE_CGNS allows to disable the use of cgroup namespaces. --- src/nspawn/nspawn-mount.c | 5 +++-- src/nspawn/nspawn-mount.h | 2 +- src/nspawn/nspawn.c | 17 +++++++++++++---- 3 files changed, 17 insertions(+), 7 deletions(-) (limited to 'src/nspawn') diff --git a/src/nspawn/nspawn-mount.c b/src/nspawn/nspawn-mount.c index ac93357ef4..803caef3dd 100644 --- a/src/nspawn/nspawn-mount.c +++ b/src/nspawn/nspawn-mount.c @@ -916,11 +916,12 @@ int mount_cgroups( const char *dest, bool unified_requested, bool userns, uid_t uid_shift, uid_t uid_range, - const char *selinux_apifs_context) { + const char *selinux_apifs_context, + bool use_cgns) { if (unified_requested) return mount_unified_cgroups(dest); - else if (cg_ns_supported()) + else if (use_cgns && cg_ns_supported()) return mount_legacy_cgns_supported(userns, uid_shift, uid_range, selinux_apifs_context); return mount_legacy_cgns_unsupported(dest, userns, uid_shift, uid_range, selinux_apifs_context); diff --git a/src/nspawn/nspawn-mount.h b/src/nspawn/nspawn-mount.h index 0daf145412..0eff8e1006 100644 --- a/src/nspawn/nspawn-mount.h +++ b/src/nspawn/nspawn-mount.h @@ -58,7 +58,7 @@ int custom_mount_compare(const void *a, const void *b); int mount_all(const char *dest, bool use_userns, bool in_userns, bool use_netns, uid_t uid_shift, uid_t uid_range, const char *selinux_apifs_context); int mount_sysfs(const char *dest); -int mount_cgroups(const char *dest, bool unified_requested, bool userns, uid_t uid_shift, uid_t uid_range, const char *selinux_apifs_context); +int mount_cgroups(const char *dest, bool unified_requested, bool userns, uid_t uid_shift, uid_t uid_range, const char *selinux_apifs_context, bool use_cgns); int mount_systemd_cgroup_writable(const char *dest, bool unified_requested); int mount_custom(const char *dest, CustomMount *mounts, unsigned n, bool userns, uid_t uid_shift, uid_t uid_range, const char *selinux_apifs_context); diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c index f8a43d89a2..6cc1b9177d 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c @@ -194,6 +194,7 @@ static int arg_settings_trusted = -1; static char **arg_parameters = NULL; static const char *arg_container_service_name = "systemd-nspawn"; static bool arg_notify_ready = false; +static bool arg_use_cgns = true; static void help(void) { printf("%s [OPTIONS...] [PATH] [ARGUMENTS...]\n\n" @@ -1104,6 +1105,12 @@ static int parse_argv(int argc, char *argv[]) { if (e) arg_container_service_name = e; + r = getenv_bool("SYSTEMD_NSPAWN_USE_CGNS"); + if (r < 0) + arg_use_cgns = cg_ns_supported(); + else + arg_use_cgns = r; + return 1; } @@ -2628,7 +2635,7 @@ static int inner_child( return -ESRCH; } - if (cg_ns_supported()) { + if (arg_use_cgns && cg_ns_supported()) { r = unshare(CLONE_NEWCGROUP); if (r < 0) return log_error_errno(errno, "Failed to unshare cgroup namespace"); @@ -2638,7 +2645,8 @@ static int inner_child( arg_userns_mode != USER_NAMESPACE_NO, arg_uid_shift, arg_uid_range, - arg_selinux_apifs_context); + arg_selinux_apifs_context, + arg_use_cgns); if (r < 0) return r; } else { @@ -3029,14 +3037,15 @@ static int outer_child( if (r < 0) return r; - if (!cg_ns_supported()) { + if (!arg_use_cgns || !cg_ns_supported()) { r = mount_cgroups( directory, arg_unified_cgroup_hierarchy, arg_userns_mode != USER_NAMESPACE_NO, arg_uid_shift, arg_uid_range, - arg_selinux_apifs_context); + arg_selinux_apifs_context, + arg_use_cgns); if (r < 0) return r; } -- cgit v1.2.3-54-g00ecf