[Devel] [PATCH RH9 09/16] ve/sysctl/net: allow net.ipv4.vs.* in CT init userns
Pavel Tikhomirov
ptikhomirov at virtuozzo.com
Tue Sep 28 15:40:59 MSK 2021
Patchset description:
net/ipvs: allow IPVS in CT
Allowing IPVS to CT root may be unsafe, we still need to check it,
it is about 20k lines of code. If ip_vs module is not loaded on host
ipvs will not work in CT as all other modules depend on it. So in
default situation this changes nothing.
We need it for docker-swarm for cluster network balansing to work.
https://jira.sw.ru/browse/PSBM-63883
Pavel Tikhomirov (3):
ve/sysctl/net: allow net.ipv4.vs.* in CT init userns
netlink: allow IPVS netlink messages to CT init userns
net/ipvs: allow IPVS modules autoload in CT
=============================================
This patch description:
Swarm uses ipvs to route and balance external traffic to cluster nodes.
Swarm wants to enable /proc/sys/net/ipv4/vs/conntrack in CT for it's
packets being SNATed by ipvs.
https://jira.sw.ru/browse/PSBM-63883
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Reviewed-by: Andrew Vagin <avagin at virtuozzo.com>
(cherry picked from commit d204aa680e3d15cccc1edde8852eba0c576f971f)
Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
+++
ve/sysctl/net: Include ve.h header in net/netfilter/ipvs/ip_vs_ctl.c
It's needed for ve_net_hide_sysctl() declaration.
Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
(cherry picked from vz8 commit 2448ea28a99953f55e0830d99883840bf5ba0fc0)
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
net/netfilter/ipvs/ip_vs_ctl.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 21e6d704ebbc..93d1c5ff5562 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -31,6 +31,7 @@
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>
#include <linux/mutex.h>
+#include <linux/ve.h>
#include <net/net_namespace.h>
#include <linux/nsproxy.h>
@@ -4038,7 +4039,7 @@ static int __net_init ip_vs_control_net_init_sysctl(struct netns_ipvs *ipvs)
return -ENOMEM;
/* Don't export sysctls to unprivileged users */
- if (net->user_ns != &init_user_ns)
+ if (ve_net_hide_sysctl(net))
tbl[0].procname = NULL;
} else
tbl = vs_vars;
--
2.31.1
More information about the Devel
mailing list