The commit is pushed to "branch-rh7-3.10.0-229.7.2.vz7.8.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git after rh7-3.10.0-229.7.2.vz7.8.8

commit 855b8c1c6ed83b8e491d8534277f2441dd658aa9
Author: Pavel Tikhomirov <ptikhomi...@virtuozzo.com>
Date:   Tue Oct 20 15:44:20 2015 +0400
    ve/device_cgroup: fake allowing all devices for docker inside VZCT

    This is a port from pcs6, patch diff-device_cgroup-fake-allowing-all-devices-for-docker-inside-VZCT
    https://jira.sw.ru/browse/PSBM-34529

    ===========

    Docker from 1.7.0 tries to add "a" to devices.allow for the newly created privileged container device_cgroup, and thus to allow all devices in the docker container. Docker fails to do so because not all devices are allowed in the parent VZ6CT cgroup. To support docker we must allow writing "a" to devices.allow in CT. With this patch, if we get "a", we silently exit without EPERM.

    https://jira.sw.ru/browse/PSBM-38691

    v2: fix bug link, fix comment style

    Signed-off-by: Pavel Tikhomirov <ptikhomi...@virtuozzo.com>

--- security/device_cgroup.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/security/device_cgroup.c b/security/device_cgroup.c index 531e40c..0a6d9c4 100644 --- a/security/device_cgroup.c +++ b/security/device_cgroup.c @@ -689,8 +689,13 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup, if (has_children(devcgroup)) return -EINVAL; - if (!may_allow_all(parent)) - return -EPERM; + if (!may_allow_all(parent)) { + if (ve_is_super(get_exec_env())) + return -EPERM; + else + /* Fooling docker in CT - silently exit */ + return 0; + } dev_exception_clean(devcgroup); devcgroup->behavior = DEVCG_DEFAULT_ALLOW; if (!parent)
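Review bot: the new `return 0;` in the non-super VE branch of devcgroup_update_access() reports success without changing the cgroup at all, so a write of "a" to devices.allow inside a container appears to succeed while devices.list still reflects the parent's restrictions and device access in the CT stays limited by the parent; that mismatch is the intent, but the comment only says "Fooling docker", and the commit message should state explicitly that access is not widened and that every writer in the CT, not only docker, receives this silent success, since a silently accepted but ignored policy write is hard to diagnose from userspace. Also a style point: the `else` after `return -EPERM;` is redundant and the hunk reads cleaner as `if (ve_is_super(get_exec_env())) return -EPERM;` followed by the comment and `return 0;` at the same indentation.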