Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

libcontainer: improve "kernel.{domainname,hostname}" sysctl handling #1827

Merged
merged 1 commit into from
Jun 25, 2018
Merged

libcontainer: improve "kernel.{domainname,hostname}" sysctl handling #1827

merged 1 commit into from
Jun 25, 2018

Conversation

cyphar
Copy link
Member

@cyphar cyphar commented Jun 18, 2018

These sysctls are namespaced by CLONE_NEWUTS, and we need to use
"kernel.domainname" if we want users to be able to set an NIS domainname
on Linux. However we disallow "kernel.hostname" because it would
conflict with the "hostname" field and cause confusion (but we include a
helpful message to make it clearer to the user).

Signed-off-by: Aleksa Sarai asarai@suse.de

@cyphar
libcontainer: improve "kernel.{domainname,hostname}" sysctl handling
823c06e 
These sysctls are namespaced by CLONE_NEWUTS, and we need to use
"kernel.domainname" if we want users to be able to set an NIS domainname
on Linux. However we disallow "kernel.hostname" because it would
conflict with the "hostname" field and cause confusion (but we include a
helpful message to make it clearer to the user).

Signed-off-by: Aleksa Sarai <asarai@suse.de>
This was referenced Jun 18, 2018
Merged
Closed
Closed
@cyphar
Copy link
Member Author

cyphar commented Jun 18, 2018

This is a part of moby/moby#37302.

dqminh
dqminh reviewed Jun 19, 2018
View reviewed changes
libcontainer/configs/validate/validator.go
switch s {
case "kernel.domainname":
// This is namespaced and there's no explicit OCI field for it.
continue
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i dont think we need to explicitly single out kernel.domainname here since its not a TODO for OCI either right ?

Copy link
Member Author

@cyphar cyphar Jun 19, 2018
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This code is allowing kernel.domainname -- which is why it needs to be singled out (the comment explains why it's allowed and kernel.hostname isn't). If you try to use kernel.domainname without this patch it will fail because runc thinks its not namespaced and fails container creation.

We also can't enable everything under kernel..

@dqminh
Copy link
Contributor

dqminh commented Jun 19, 2018
edited by caniszczyk
Loading

LGTM

Approved with PullApprove

@cyphar
Copy link
Member Author

cyphar commented Jun 24, 2018

/cc @opencontainers/runc-maintainers

@hqhq
Copy link
Contributor

hqhq commented Jun 25, 2018
edited by caniszczyk
Loading

LGTM

Approved with PullApprove

@hqhq hqhq merged commit 3ccfa2f into opencontainers:master Jun 25, 2018
@cyphar cyphar deleted the domainname-sysctl-validator branch June 25, 2018 23:57
@thaJeztah thaJeztah mentioned this pull request Aug 23, 2018
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dqminh dqminh dqminh left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@cyphar @dqminh @hqhq