The commit is pushed to "branch-rh7-3.10.0-327.18.2.vz7.14.x-ovz" and will 
appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-327.18.2.vz7.14.24
------>
commit af1bf9e1a067c1186501ef5415acdb62a33e8c22
Author: Maxim Patlasov <mpatla...@virtuozzo.com>
Date:   Wed Jul 13 20:52:37 2016 +0400

    fs: make overlayfs disabled in CT by default
    
    Overlayfs is in "TECH PREVIEW" state right now. If we let CT users freely
    mount and exercise overlayfs, we risk crashing the whole node.
    
    Let's disable it for CT users by default. Customers who need it (e.g. to
    run Docker in CT) may enable it like this:
    
    # echo 1 > /proc/sys/fs/experimental_fs_enable
    
    The patch is a temporary (awkward) workaround until we make overlayfs
    production-ready. Then we'll roll back the patch.
    
    https://jira.sw.ru/browse/PSBM-49629
    
    Signed-off-by: Maxim Patlasov <mpatla...@virtuozzo.com>
    Reviewed-by: Vladimir Davydov <vdavy...@virtuozzo.com>
---
 fs/filesystems.c     | 8 +++++++-
 fs/overlayfs/super.c | 2 +-
 include/linux/fs.h   | 4 ++++
 kernel/sysctl.c      | 7 +++++++
 4 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/fs/filesystems.c b/fs/filesystems.c
index beaba560979f..670d228e9c56 100644
--- a/fs/filesystems.c
+++ b/fs/filesystems.c
@@ -16,6 +16,9 @@
 #include <linux/slab.h>
 #include <asm/uaccess.h>
 
+/* Affects ability of CT users to mount fs marked as FS_EXPERIMENTAL */
+int sysctl_experimental_fs_enable;
+
 /*
  * Handling of filesystem drivers list.
  * Rules:
@@ -219,7 +222,10 @@ int __init get_filesystem_list(char *buf)
 
 static inline bool filesystem_permitted(const struct file_system_type *fs)
 {
-       return ve_is_super(get_exec_env()) || (fs->fs_flags & FS_VIRTUALIZED);
+       return ve_is_super(get_exec_env()) ||
+               (fs->fs_flags & FS_VIRTUALIZED) ||
+               ((fs->fs_flags & FS_EXPERIMENTAL) &&
+                sysctl_experimental_fs_enable);
 }
 
 #ifdef CONFIG_PROC_FS
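Review bot: The new `FS_EXPERIMENTAL` branch in `filesystem_permitted()` tests a single node-wide integer, so enabling it for one customer who wants Docker lets every container on the node mount overlayfs, which the commit message says can crash the whole node. If per-container control is out of scope for this temporary workaround, the trade-off should at least be stated where the check lives, for example `/* sysctl_experimental_fs_enable is node-wide: once set, every CT may mount FS_EXPERIMENTAL filesystems */` above the function. The comment at the declaration earlier in this file says only that the flag "affects" CT users and could carry the same wording.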
diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
index c20cfe977cdf..d5c57b4b5983 100644
--- a/fs/overlayfs/super.c
+++ b/fs/overlayfs/super.c
@@ -1129,7 +1129,7 @@ static struct file_system_type ovl_fs_type = {
        .name           = "overlay",
        .mount          = ovl_mount,
        .kill_sb        = kill_anon_super,
-       .fs_flags       = FS_VIRTUALIZED,
+       .fs_flags       = FS_EXPERIMENTAL,
 };
 MODULE_ALIAS_FS("overlay");
 
diff --git a/include/linux/fs.h b/include/linux/fs.h
index 7203dbadbbf9..f1c3d5be60d8 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -59,6 +59,8 @@ extern struct inodes_stat_t inodes_stat;
 extern int leases_enable, lease_break_time;
 extern int sysctl_protected_symlinks;
 extern int sysctl_protected_hardlinks;
+extern int sysctl_experimental_fs_enable;
+
 
 struct buffer_head;
 typedef int (get_block_t)(struct inode *inode, sector_t iblock,
@@ -2108,6 +2110,8 @@ struct file_system_type {
 #define FS_USERNS_MOUNT                8       /* Can be mounted by userns 
root */
 #define FS_USERNS_DEV_MOUNT    16 /* A userns mount does not imply MNT_NODEV */
 #define FS_VIRTUALIZED         64      /* Can mount this fstype inside ve */
+#define FS_EXPERIMENTAL                128     /* Ability to mount this fstype 
inside ve
+                                        * is governed by 
experimental_fs_enable */
 #define FS_HAS_RM_XQUOTA       256     /* KABI: fs has the rm_xquota quota op 
*/
 #define FS_HAS_INVALIDATE_RANGE        512     /* FS has new ->invalidatepage 
with length arg */
 #define FS_RENAME_DOES_D_MOVE  32768   /* FS will handle d_move() during 
rename() internally. */
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index c8f7bc34c590..e59dd3be92dd 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -1781,6 +1781,13 @@ static struct ctl_table fs_table[] = {
                .proc_handler   = &pipe_proc_fn,
                .extra1         = &pipe_min_size,
        },
+       {
+               .procname       = "experimental_fs_enable",
+               .data           = &sysctl_experimental_fs_enable,
+               .maxlen         = sizeof(int),
+               .mode           = 0644,
+               .proc_handler   = proc_dointvec,
+       },
        { }
 };
 
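Review bot: The new `experimental_fs_enable` entry uses `proc_dointvec` with no bounds, so any integer, including a negative one, is stored and counts as "enabled" in the truth test in `filesystem_permitted()`. A switch that widens what containers may mount is safer as a strict 0/1: `.proc_handler = proc_dointvec_minmax,` with `.extra1 = &zero,` and `.extra2 = &one,`, assuming the `zero`/`one` helpers used by other entries in kernel/sysctl.c are in scope here. It is also worth confirming that root inside a CT cannot write this file under /proc/sys/fs; mode 0644 alone does not establish that, the hunk does not show how VE write access to `fs_table` is restricted, and the default-off policy would otherwise be bypassable from the container. `fs_table[]` begins outside the hunk.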