[Devel] [PATCH RHEL COMMIT] ve/sysctl/net: allow net.ipv4.vs.* in CT init userns

Tue Sep 28 19:31:09 MSK 2021

The commit is pushed to "branch-rh9-5.14.vz9.1.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after ark-5.14
------>
commit 7fdd3a7b529513bb93cd5fc65f42e4992ed816f2
Author: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Date:   Tue Sep 28 19:31:08 2021 +0300

    ve/sysctl/net: allow net.ipv4.vs.* in CT init userns
    
    Patchset description:
    net/ipvs: allow IPVS in CT
    
    Allowing IPVS to CT root may be unsafe, we still need to check it,
    it is about 20k lines of code. If ip_vs module is not loaded on host
    ipvs will not work in CT as all other modules depend on it. So in
    default situation this changes nothing.
    
    We need it for docker-swarm for cluster network balansing to work.
    
    https://jira.sw.ru/browse/PSBM-63883
    
    Pavel Tikhomirov (3):
      ve/sysctl/net: allow net.ipv4.vs.* in CT init userns
      netlink: allow IPVS netlink messages to CT init userns
      net/ipvs: allow IPVS modules autoload in CT
    
    =============================================
    This patch description:
    
    Swarm uses ipvs to route and balance external traffic to cluster nodes.
    Swarm wants to enable /proc/sys/net/ipv4/vs/conntrack in CT for it's
    packets being SNATed by ipvs.
    
    https://jira.sw.ru/browse/PSBM-63883
    Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
    
    Reviewed-by: Andrew Vagin <avagin at virtuozzo.com>
    
    (cherry picked from commit d204aa680e3d15cccc1edde8852eba0c576f971f)
    Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
    
    +++
    ve/sysctl/net: Include ve.h header in net/netfilter/ipvs/ip_vs_ctl.c
    
    It's needed for ve_net_hide_sysctl() declaration.
    
    Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
    
    (cherry picked from vz8 commit 2448ea28a99953f55e0830d99883840bf5ba0fc0)
    Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
 net/netfilter/ipvs/ip_vs_ctl.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 21e6d704ebbc..93d1c5ff5562 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -31,6 +31,7 @@
 #include <linux/netfilter.h>
 #include <linux/netfilter_ipv4.h>
 #include <linux/mutex.h>
+#include <linux/ve.h>
 
 #include <net/net_namespace.h>
 #include <linux/nsproxy.h>
@@ -4038,7 +4039,7 @@ static int __net_init ip_vs_control_net_init_sysctl(struct netns_ipvs *ipvs)
 			return -ENOMEM;
 
 		/* Don't export sysctls to unprivileged users */
-		if (net->user_ns != &init_user_ns)
+		if (ve_net_hide_sysctl(net))
 			tbl[0].procname = NULL;
 	} else
 		tbl = vs_vars;
