[Devel] [PATCH RHEL7 COMMIT] ve/sysctl/net: allow net.ipv4.vs.* in CT init userns
Konstantin Khorenko
khorenko at virtuozzo.com
Fri May 5 08:03:42 PDT 2017
The commit is pushed to "branch-rh7-3.10.0-514.16.1.vz7.32.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-514.16.1.vz7.32.1
------>
commit 3177f8674e6cd3e3ab77cd43ba73347d82e0a38e
Author: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Date: Wed Apr 26 12:19:39 2017 +0400
ve/sysctl/net: allow net.ipv4.vs.* in CT init userns
Patchset description:
net/ipvs: allow IPVS in CT
Allowing IPVS to CT root may be unsafe, we still need to check it,
it is about 20k lines of code. If ip_vs module is not loaded on host
ipvs will not work in CT as all other modules depend on it. So in
default situation this changes nothing.
We need it for docker-swarm for cluster network balansing to work.
https://jira.sw.ru/browse/PSBM-63883
Pavel Tikhomirov (3):
ve/sysctl/net: allow net.ipv4.vs.* in CT init userns
netlink: allow IPVS netlink messages to CT init userns
net/ipvs: allow IPVS modules autoload in CT
=============================================
This patch description:
Swarm uses ipvs to route and balance external traffic to cluster nodes.
Swarm wants to enable /proc/sys/net/ipv4/vs/conntrack in CT for it's
packets being SNATed by ipvs.
https://jira.sw.ru/browse/PSBM-63883
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Reviewed-by: Andrew Vagin <avagin at virtuozzo.com>
---
net/netfilter/ipvs/ip_vs_ctl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 0d8330f..db4563d 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -3723,7 +3723,7 @@ static int __net_init ip_vs_control_net_init_sysctl(struct net *net)
return -ENOMEM;
/* Don't export sysctls to unprivileged users */
- if (net->user_ns != &init_user_ns)
+ if (ve_net_hide_sysctl(net))
tbl[0].procname = NULL;
} else
tbl = vs_vars;
More information about the Devel
mailing list