Conversation
Execute the is-file check only for bind mounts; it might trigger e.g. for loop mounts too, which is unwanted. As src is located in the host filesystem, we can allow symlinks there. To prevent symlink attacks (which were possible with the previous dst-check too) we have to verify the mount destination. Although the patch allows races when executed for running guests, it is safe in the 'vserver start' case. Signed-off-by: Enrico Scholz <enrico.scholz@ensc.de>
Signed-off-by: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
Run the programs in the guest's netns (when enabled). Signed-off-by: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
Setting a default route is a very common task when working with netns. This patch adds a new 'gw' parameter, so that no extra pre-scripts are needed for vservers with simple networking. Signed-off-by: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
Some interface setup options must be run in netns context. This patch runs them through a new CMD_IP_NETNS command. Later patches will modify this variable. Signed-off-by: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
Record the network namespace for later patches. Signed-off-by: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
Required for later patches; noop atm. Signed-off-by: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
'ip netns' related commands require special mounts; skip them in _namespaceCleanup. Signed-off-by: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
Signed-off-by: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
Due to later patches, 'del' must remove macvlan interfaces in guest context so we need knowledge about device names. Unified add/del operations. Signed-off-by: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
Signed-off-by: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
Signed-off-by: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
'shift' seems to be more reliable than 'unset'. Use it. Signed-off-by: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
It is sometimes (e.g. for updating iptables setup) useful to have markers in the kernel log. Signed-off-by: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
Signed-off-by: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
Because entering the netns of a running vserver is not trivial, 'exec-netns' and 'reload-iptables' options were added. Signed-off-by: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
Patchset allows creating a netns-enabled vserver without extra scripts.
Example: