[Devel] [PATCH rh7] cgroup: ve -- Guard @features and @iptables with test if VE is inactive
Kirill Tkhai
ktkhai at odin.com
Thu May 28 02:40:07 PDT 2015
On Thu, 28/05/2015 at 12:26 +0300, Cyrill Gorcunov wrote:
> Currently we allow to set up new VE features and iptables mask even
> when the container is already running, which brings some vague meaning
> into container state -- from the user's point of view it's unclear if
> the @features or @iptables belong to the running container or they
> were modified afterwards and don't really apply to the running
> instance.
>
> Thus when user space tools modify these members, make sure
> the container is offline.
>
> Reported-by: Kirill Tkhai <ktkhai at odin.com>
> Signed-off-by: Cyrill Gorcunov <gorcunov at odin.com>
> CC: Vladimir Davydov <vdavydov at odin.com>
> CC: Konstantin Khorenko <khorenko at odin.com>
> CC: Pavel Emelyanov <xemul at odin.com>
> CC: Andrey Vagin <avagin at odin.com>
Acked-by: Kirill Tkhai <ktkhai at odin.com>
> ---
> kernel/ve/ve.c | 13 +++++++++++--
> 1 file changed, 11 insertions(+), 2 deletions(-)
>
> Index: linux-pcs7.git/kernel/ve/ve.c
> ===================================================================
> --- linux-pcs7.git.orig/kernel/ve/ve.c
> +++ linux-pcs7.git/kernel/ve/ve.c
> @@ -1108,11 +1108,19 @@ static u64 ve_read_u64(struct cgroup *cg
>
> static int ve_write_u64(struct cgroup *cg, struct cftype *cft, u64 value)
> {
> + struct ve_struct *ve = cgroup_ve(cg);
> +
> if (!ve_is_super(get_exec_env()))
> return -EPERM;
>
> + down_write(&ve->op_sem);
> + if (ve->is_running || ve->ve_ns) {
> + up_write(&ve->op_sem);
> + return -EBUSY;
> + }
> +
> if (cft->private == VE_CF_FEATURES)
> - cgroup_ve(cg)->features = value;
> + ve->features = value;
> else if (cft->private == VE_CF_IPTABLES_MASK) {
> value &= ~VE_IP_IPTABLES6;
> value &= ~VE_IP_FILTER6;
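Review bot: the new `if (ve->is_running || ve->ve_ns)` test only closes the race if the code paths that set `is_running` and attach `ve_ns` also take `ve->op_sem` for write; if any of them change those fields under a different lock (or none), a start racing with this write could still observe the old state and the -EBUSY guard becomes a best-effort check. Please confirm that in the commit message, and add a one-line comment above the test explaining why `ve_ns` being non-NULL counts as "not offline" (the message only talks about the container running), e.g. `/* ns still attached: container not fully stopped yet */`.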
> @@ -1131,9 +1139,10 @@ static int ve_write_u64(struct cgroup *c
> if (mask_ipt_allow(value, VE_IP_CONNTRACK))
> value |= VE_NF_CONNTRACK;
>
> - cgroup_ve(cg)->ipt_mask = value;
> + ve->ipt_mask = value;
> }
>
> + up_write(&ve->op_sem);
> return 0;
> }
>
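Review bot: with `up_write(&ve->op_sem)` placed only before the final `return 0`, every other exit between the `down_write` in the first hunk and this point must be covered, and the lines elided between the two hunks (old 1119-1131, the rest of the VE_CF_IPTABLES_MASK branch) are not visible here; if any of them contains a `return`, the semaphore leaks. Either state in the message that the branch has no early returns, or use a single `out:` label that does the `up_write` so a future return cannot miss it.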