The commit is pushed to "branch-rh7-3.10.0-123.1.2-ovz" and will appear at 
https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-123.1.2.vz7.5.24
------>
commit 7faab5defae09da23fd3b18410dd47f7b48fe61f
Author: Pavel Tikhomirov <ptikhomi...@virtuozzo.com>
Date:   Mon Jul 6 17:27:44 2015 +0400

    ve/rtnl: allow move network devices into network namespace in CT
    
    Patchset description:
    
    capability fixes for docker
    
    Allow what docker wants; we need it to run integration-cli tests
    when we prohibit CAP_SYS_ADMIN and CAP_NET_ADMIN in CT.
    
    * after switching to user namespaces we won't need those patches
      which is planned in the scope of
      https://jira.sw.ru/browse/PSBM-33304
    
    to test without CAP_SYS_ADMIN and CAP_NET_ADMIN:
    vzctl set 206 --capability net_admin:off \
        --capability sys_admin:off --save
    
    Pavel Tikhomirov (3):
      vfs: allow mount/umount, pivot_root with CAP_VE_SYS_ADMIN
      rtnl: allow move network devices into network namespace in CT
      vfs: allow mount proc and mqueue inside container
    
    ################################################################
    This patch description:
    
    We need this for docker bridged networking, as we will not allow
    CAP_SYS_ADMIN in the container.
    
    * after switching to user namespaces we won't need this patch
    
    fixes error:
    ip link add veth0 type veth peer name veth1
    ip netns add ns1
    ip link set veth1 netns ns1
    RTNETLINK answers: Operation not permitted
    
    https://jira.sw.ru/browse/PSBM-34523
    Signed-off-by: Pavel Tikhomirov <ptikhomi...@virtuozzo.com>
---
 net/core/rtnetlink.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index c50ea72..61facec 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -1354,7 +1354,8 @@ static int do_setlink(struct net_device *dev, struct 
ifinfomsg *ifm,
                        err = PTR_ERR(net);
                        goto errout;
                }
-               if (!ns_capable(net->user_ns, CAP_NET_ADMIN)) {
+               if (!ns_capable(net->user_ns, CAP_NET_ADMIN) &&
+                   !ns_capable(net->user_ns, CAP_VE_NET_ADMIN)) {
                        err = -EPERM;
                        goto errout;
                }
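Review bot: the relaxed condition in do_setlink now lets a caller holding only CAP_VE_NET_ADMIN move a device into whatever target `net` was resolved just above, because `ns_capable()` is evaluated against that target's `net->user_ns` and nothing in this hunk ties `net` to the caller's own container. The commit message itself calls this a stopgap until user namespaces land (PSBM-33304); please add a short comment above the `if` saying so and referencing PSBM-34523, so the extra capability check is not silently kept once user namespaces make it unnecessary, and consider narrowing the VE case to targets that belong to the calling container if such a check is available in this tree.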
_______________________________________________
Devel mailing list
Devel@openvz.org
https://lists.openvz.org/mailman/listinfo/devel