Overlayfs is in "TECH PREVIEW" state right now. If we let CT users freely
mount and exercise overlayfs, we risk crashing the whole node.

Let's disable it for CT users by default. Customers who need it (e.g. to
run Docker in CT) may enable it like this:

# echo 1 > /proc/sys/fs/experimental_fs_enable

The patch is a temporary (awkward) workaround until we make overlayfs
production-ready. Then we'll roll back the patch.

https://jira.sw.ru/browse/PSBM-47981

Signed-off-by: Maxim Patlasov <mpatla...@virtuozzo.com>
---
 fs/filesystems.c     |    7 ++++++-
 fs/overlayfs/super.c |    2 +-
 include/linux/fs.h   |    2 ++
 include/linux/ve.h   |    1 +
 kernel/sysctl.c      |    7 +++++++
 kernel/ve/ve.c       |    1 +
 6 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/fs/filesystems.c b/fs/filesystems.c
index beaba56..38fe4e0 100644
--- a/fs/filesystems.c
+++ b/fs/filesystems.c
@@ -15,6 +15,7 @@
 #include <linux/module.h>
 #include <linux/slab.h>
 #include <asm/uaccess.h>
+#include <linux/ve.h>
 
 /*
  * Handling of filesystem drivers list.
@@ -219,7 +220,11 @@ int __init get_filesystem_list(char *buf)
 
 static inline bool filesystem_permitted(const struct file_system_type *fs)
 {
-       return ve_is_super(get_exec_env()) || (fs->fs_flags & FS_VIRTUALIZED);
+       return ve_is_super(get_exec_env()) ||
+               (fs->fs_flags & FS_VIRTUALIZED) ||
+               ((fs->fs_flags & FS_EXPERIMENTAL) &&
+                get_exec_env()->experimental_fs_enable &&
+                get_ve0()->experimental_fs_enable);
 }
 
 #ifdef CONFIG_PROC_FS
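Review bot: `get_exec_env()` is evaluated twice in the new condition (once as the `ve_is_super()` argument, once for `->experimental_fs_enable`); hoisting it into a local, `struct ve_struct *ve = get_exec_env();`, and then testing `ve->experimental_fs_enable && get_ve0()->experimental_fs_enable` reads better and makes the two-level gate explicit. That gate is the security property the patch relies on: the container's knob alone is not enough, the host (ve0) knob must also be non-zero, so a container root cannot grant itself an experimental filesystem. A one-line comment stating this would keep a later refactor from collapsing the two checks, e.g. `/* FS_EXPERIMENTAL: both the CT's and ve0's experimental_fs_enable must be set; a CT cannot enable it on its own */`. Note that any non-zero value counts as enabled, including the default of 2 that ve_create() assigns in kernel/ve/ve.c, which the comment should also mention.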
diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
index c20cfe9..d5c57b4 100644
--- a/fs/overlayfs/super.c
+++ b/fs/overlayfs/super.c
@@ -1129,7 +1129,7 @@ static struct file_system_type ovl_fs_type = {
        .name           = "overlay",
        .mount          = ovl_mount,
        .kill_sb        = kill_anon_super,
-       .fs_flags       = FS_VIRTUALIZED,
+       .fs_flags       = FS_EXPERIMENTAL,
 };
 MODULE_ALIAS_FS("overlay");
 
diff --git a/include/linux/fs.h b/include/linux/fs.h
index 7203dba..6c91e4b 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -2108,6 +2108,8 @@ struct file_system_type {
 #define FS_USERNS_MOUNT                8       /* Can be mounted by userns 
root */
 #define FS_USERNS_DEV_MOUNT    16 /* A userns mount does not imply MNT_NODEV */
 #define FS_VIRTUALIZED         64      /* Can mount this fstype inside ve */
+#define FS_EXPERIMENTAL                128     /* Ability to mount this fstype 
inside ve
+                                        * is governed by 
experimental_fs_enable */
 #define FS_HAS_RM_XQUOTA       256     /* KABI: fs has the rm_xquota quota op 
*/
 #define FS_HAS_INVALIDATE_RANGE        512     /* FS has new ->invalidatepage 
with length arg */
 #define FS_RENAME_DOES_D_MOVE  32768   /* FS will handle d_move() during 
rename() internally. */
diff --git a/include/linux/ve.h b/include/linux/ve.h
index 247cadb..1fc6eb5 100644
--- a/include/linux/ve.h
+++ b/include/linux/ve.h
@@ -101,6 +101,7 @@ struct ve_struct {
 
        int                     odirect_enable;
        int                     fsync_enable;
+       int                     experimental_fs_enable;
 
        u64                     _uevent_seqnum;
        struct nsproxy __rcu    *ve_ns;
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index c8f7bc3..c1c410f 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -1774,6 +1774,13 @@ static struct ctl_table fs_table[] = {
                .proc_handler   = proc_dointvec_virtual,
        },
        {
+               .procname       = "experimental_fs_enable",
+               .data           = &ve0.experimental_fs_enable,
+               .maxlen         = sizeof(int),
+               .mode           = 0644 | S_ISVTX,
+               .proc_handler   = proc_dointvec_virtual,
+       },
+       {
                .procname       = "pipe-max-size",
                .data           = &pipe_max_size,
                .maxlen         = sizeof(int),
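Review bot: The new entry uses `proc_dointvec_virtual`, which, judging by its name and the neighbouring entry, accepts any integer, so writing any non-zero value (not only the `echo 1` the commit message documents) enables experimental filesystems; if 0/1/2 is the intended domain, a bounded handler with `.extra1`/`.extra2` limits would pin it, provided a virtualized variant is available. The entry is root-writable (`0644`) and presumably visible inside a CT via the virtualized handler; that is only safe because filesystem_permitted() additionally requires ve0's knob, which is worth recording next to the entry: `/* CT-side knob; effective only while ve0's experimental_fs_enable is also set, see filesystem_permitted() */`. Documenting the value domain here would also explain the default of 2 assigned in ve_create().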
diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c
index d196e3e..0a2892f 100644
--- a/kernel/ve/ve.c
+++ b/kernel/ve/ve.c
@@ -643,6 +643,7 @@ static struct cgroup_subsys_state *ve_create(struct cgroup 
*cg)
 
        ve->odirect_enable = 2;
        ve->fsync_enable = 2;
+       ve->experimental_fs_enable = 2;
 
 #ifdef CONFIG_VE_IPTABLES
        ve->ipt_mask = ve_setup_iptables_mask(VE_IP_DEFAULT);
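Review bot: The magic default `2` on the new line has no stated meaning — the commit message tells admins to write 1, and filesystem_permitted() only tests for non-zero, so 2 reads as "CT-side gate open unless the container turns it off", but a reader has to guess that. If 2 carries the same meaning as for the neighbouring `odirect_enable`/`fsync_enable` defaults, say so; otherwise add a comment such as `/* 2: CT-side gate open by default; effective only while ve0's experimental_fs_enable is non-zero */`. ve_create() begins before this hunk, and whether ve0's own field stays zero (so the host side is off by default, as the commit message claims) is not visible here — worth confirming and stating in the comment.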
