[Devel] [PATCH rh8 00/28] ve/kmod: Kernel modules autoload from CT feature

Konstantin Khorenko khorenko at virtuozzo.com
Tue Apr 13 11:31:39 MSK 2021 

Applied in 4.18.0-240.1.1.vz8.5.12

--
Best regards,

Konstantin Khorenko,
Virtuozzo Linux Kernel Team

On 04/13/2021 11:25 AM, Konstantin Khorenko wrote:
> The patchset basically:
>
> 1. drops per-CT iptables mask functionality, including
>    ve::ve.iptables_mask interface.
>    "NETFILTER=" CT config option to be dropped as well.
>
>    Since now all iptables/nftables/netfilter modules
>    will be always available inside Containers.
>
> 2. introduces a whitelist of modules which are allowed to be autoload
>    upon request from inside a Container.
>
>    Note: modprobe's blacklist is HONORED on indirect modules autoload
>    upon requiest from inside a Container.
>    When a kernel module is indirectly loaded on Host, the blacklist is
>    omitted (generic behavior).
>
> 3. introduces a tweak to disable modules autoload from inside a CT:
>    "kernel.ve_allow_module_load" sysctl (enabled by default).
>
> List of modules for autoload from inside a CT:
> - iptables/nftables/netfilter modules.
>   i might miss some of them, but the intention is make them all in the
>   list.
>
> - subset of netlink modules (for CRIU)
>
> - vxlan, ipvs, nfs, ts_kmp
>
>
> https://jira.sw.ru/browse/PSBM-127525
> https://jira.sw.ru/browse/PSBM-127787
> https://jira.sw.ru/browse/PSBM-128388
>
> Andrey Ryabinin (2):
>   ve/kmod/whitelist: Allow ip6tables_raw modules autoload upon request
>     from CT
>   ve/kmod/whitelist: Allow nf_tables module autoloading on request from
>     CT
>
> Cyrill Gorcunov (1):
>   ve/kmod/whitelist: Add modules to whitelist for c/r sake
>
> Kirill Tkhai (2):
>   ve/kmod/whitelist: Allow conntrack nft-helper-* modules autoloading
>   ve/kmod/whitelist: Allow ts_kmp module autoloading
>
> Konstantin Khorenko (15):
>   Revert "ve/net: Track netfilter modules per net-namespace"
>   Revert "ve: Add support of iptables mask"
>   Revert "ve/netfilter: check per-ve netfilter status on actual
>     operation"
>   Revert "ve/net: Add ipt_mask checks into ip6table_nat"
>   ve/proc/netfilter: Get rid of per-CT iptables mask
>   Revert "ve/net: Add VE_NF_CONNTRACK check in resolve_normal_ct()"
>   ve/sysctl/netfilter: Include ve.h header into
>     net/netfilter/nf_conntrack_standalone.c
>   ve/sysctl/net: Include ve.h header in net/netfilter/ipvs/ip_vs_ctl.c
>   ve/sysctl/kmod: Introduce tweak to allow indirect modules load from CT
>   ve/kmod: Honor modprobe blacklist on indirect modules autoload from CT
>   ve/kmod/whitelist: Infrustructure for list of modules to autoload from
>     CT
>   ve/kmod/whitelist: Allow iptables/netfilter modules for autoload from
>     CT
>   ve/kmod/whitelist: List of allowed to autoload in CT modules
>     (non-netfilters)
>   ve/kmod/whitelist: Allow nfnetlink_queue module autoload from CT
>   ve/kmod/whitelist: Allow "nft_compat" module autoload from inside a
>     Container
>
> Pavel Tikhomirov (6):
>   ve/kmod/whitelist: Allow dummy module autoloading
>   ve/kmod/whitelist: Enable vxlan module autoload from inside a
>     Container
>   ve/kmod/whitelist: Allow IPVS modules autoload in CT
>   ve/kmod/whitelist: Allow netfilter/ipset modules autoload from inside
>     a CT
>   ve/kmod/whitelist: make nfnetlink_log autoloadable upon request from a
>     CT
>   ve/kmod/whitelist: Make fib modules autoloadable from CT
>
> Stanislav Kinsburskiy (1):
>   ve/kmod/whitelist: Allow NFS modules autoload in Containers
>
> Vasily Averin (1):
>   ve/kmod/whitelist: Enable autoload for iptables security tables from
>     inside CT
>
>  include/linux/kmod.h                    |   5 +
>  include/linux/netfilter.h               |  32 ----
>  include/linux/sysctl.h                  |   2 +
>  include/linux/ve.h                      |   4 -
>  include/linux/vziptable_defs.h          |  22 ---
>  include/net/net_namespace.h             |   3 -
>  include/uapi/linux/vziptable_defs.h     |  80 ----------
>  kernel/Kconfig.openvz                   |   8 -
>  kernel/kmod.c                           | 196 ++++++++++++++++++++++--
>  kernel/sysctl.c                         |  16 ++
>  kernel/ve/ve.c                          |  66 --------
>  net/core/net_namespace.c                |   4 -
>  net/ipv4/ip_sockglue.c                  |  10 +-
>  net/ipv6/netfilter/ip6table_nat.c       |   4 -
>  net/netfilter/ipvs/ip_vs_ctl.c          |   1 +
>  net/netfilter/nf_conntrack_core.c       |   3 -
>  net/netfilter/nf_conntrack_standalone.c |   1 +
>  net/netfilter/x_tables.c                |   5 +-
>  18 files changed, 213 insertions(+), 249 deletions(-)
>  delete mode 100644 include/linux/vziptable_defs.h
>  delete mode 100644 include/uapi/linux/vziptable_defs.h
>

More information about the Devel mailing list