Sisyphus repository
Last updated: 1 October 2023 | Packages: 18631 | Visits: 37390929

Group :: System/Configuration/Other
Package: pve-lxc


Patch: 0005-api-extensions-add-and-document-cgroup_advanced_isol.patch


From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner@ubuntu.com>
Date: Sat, 4 Apr 2020 12:07:43 +0200
Subject: [PATCH lxc] api-extensions: add and document
 cgroup_advanced_isolation
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
---
 doc/api-extensions.md    | 4 ++++
 src/lxc/api_extensions.h | 1 +
 2 files changed, 5 insertions(+)
diff --git a/doc/api-extensions.md b/doc/api-extensions.md
index cdf82f937..6f9e1621d 100644
--- a/doc/api-extensions.md
+++ b/doc/api-extensions.md
@@ -136,6 +136,10 @@ Retrieve the seccomp notifier fd from a running container.
 
 Whether the seccomp notify proxy sends a long a notify fd file descriptor.
 
+## cgroup\_advanced\_isolation
+
+Privileged containers will usually be able to override the cgroup limits given to them. This introduces three new configuration keys `lxc.cgroup.dir.monitor`, `lxc.cgroup.dir.container`, and `lxc.cgroup.dir.container.inner`. The `lxc.cgroup.dir.monitor` and `lxc.cgroup.dir.container` keys can be used to set to place the `monitor` and the `container` into different cgroups. The `lxc.cgroup.dir.container.inner` key can be set to a cgroup that is concatenated with `lxc.cgroup.dir.container`. When `lxc.cgroup.dir.container.inner` is set the container will be placed into the `lxc.cgroup.dir.container.inner` cgroup but the limits will be set in the `lxc.cgroup.dir.container` cgroup. This way privileged containers cannot escape their cgroup limits.
+
 ## idmapped\_mounts
 
 Whether this LXC instance can handle idmapped mounts for the rootfs.
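Review bot: the added `cgroup_advanced_isolation` section ends with "This way privileged containers cannot escape their cgroup limits" but never says why, so a reader cannot judge whether the isolation actually holds. State the mechanism in the doc: the limits are written to the `lxc.cgroup.dir.container` cgroup while the container's processes are placed in its child `lxc.cgroup.dir.container.inner`, so a privileged container that rewrites the cgroup files it can see only changes the inner cgroup and the limits in the parent still apply. Two wording fixes in the same paragraph: "can be used to set to place the `monitor` and the `container` into different cgroups" should read "place the monitor and the container in different cgroups", and "a cgroup that is concatenated with `lxc.cgroup.dir.container`" is clearer as "a path interpreted relative to `lxc.cgroup.dir.container`". The unchanged context line "sends a long a notify fd" carries a pre-existing typo ("along") that is worth a separate cleanup rather than a change in this hunk.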
diff --git a/src/lxc/api_extensions.h b/src/lxc/api_extensions.h
index c2509207d..ae71ff18e 100644
--- a/src/lxc/api_extensions.h
+++ b/src/lxc/api_extensions.h
@@ -41,6 +41,7 @@ static char *api_extensions[] = {
 	"devpts_fd",
 	"seccomp_notify_fd_active",
 	"seccomp_proxy_send_notify_fd",
+	"cgroup_advanced_isolation",
 	"idmapped_mounts",
 	"idmapped_mounts_v2",
 	"core_scheduling",
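Review bot: advertising `cgroup_advanced_isolation` through the api_extensions table is only correct if the three `lxc.cgroup.dir.*` keys described in doc/api-extensions.md are parsed and honoured by the same build; the diffstat shows this patch touches only the doc and this string table, so a tree that carries this patch without the patch that implements the keys would claim an isolation feature it does not provide. Either squash this with the implementation or record the dependency in the commit message. The placement before `idmapped_mounts` matches the ordering of the new doc section, so that part is consistent.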
 
design and development: Vladimir Lettiev aka crux © 2004-2005, Andrew Avramenko aka liks © 2007-2008
current maintainer: Michael Shigorin