nspawn: add SYSTEMD_NSPAWN_USE_CGNS env variable (#3809)
authorChristian Brauner <cbrauner@suse.de>
Tue, 26 Jul 2016 14:49:15 +0000 (16:49 +0200)
committerLennart Poettering <lennart@poettering.net>
Tue, 26 Jul 2016 14:49:15 +0000 (16:49 +0200)
SYSTEMD_NSPAWN_USE_CGNS allows disabling the use of cgroup namespaces.

src/nspawn/nspawn-mount.c
src/nspawn/nspawn-mount.h
src/nspawn/nspawn.c

index ac93357ef46d96ada85e3e4276b3ed2967ec52e7..803caef3dd3396ba6700218b8a5d0ab69869a17c 100644 (file)
@@ -916,11 +916,12 @@ int mount_cgroups(
                 const char *dest,
                 bool unified_requested,
                 bool userns, uid_t uid_shift, uid_t uid_range,
-                const char *selinux_apifs_context) {
+                const char *selinux_apifs_context,
+                bool use_cgns) {
 
         if (unified_requested)
                 return mount_unified_cgroups(dest);
-        else if (cg_ns_supported())
+        else if (use_cgns && cg_ns_supported())
                 return mount_legacy_cgns_supported(userns, uid_shift, uid_range, selinux_apifs_context);
 
         return mount_legacy_cgns_unsupported(dest, userns, uid_shift, uid_range, selinux_apifs_context);
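Review bot: The new `use_cgns` parameter is only consulted on the legacy-hierarchy branch; when `unified_requested` is true it is ignored entirely, and nothing on the prototype in nspawn-mount.h (the second file section) tells a caller that. I would document the contract next to the declaration: `/* use_cgns: let the legacy hierarchy be mounted via a cgroup namespace (if the kernel supports it); ignored when unified_requested is set, where the caller's own namespace handling applies. */`. Note also that `use_cgns && cg_ns_supported()` re-checks kernel support that parse_argv already folded into arg_use_cgns when the environment variable is unset, which is harmless but worth a one-line comment saying the check is kept so that callers passing an explicit true still get a safe fallback. mount_cgroups begins before this hunk; only its signature tail and body are visible.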
index 0daf145412bf0fceb4f04e0fe5d32f3929203206..0eff8e10062173650aa4cf2d907c012285c421c1 100644 (file)
@@ -58,7 +58,7 @@ int custom_mount_compare(const void *a, const void *b);
 int mount_all(const char *dest, bool use_userns, bool in_userns, bool use_netns, uid_t uid_shift, uid_t uid_range, const char *selinux_apifs_context);
 int mount_sysfs(const char *dest);
 
-int mount_cgroups(const char *dest, bool unified_requested, bool userns, uid_t uid_shift, uid_t uid_range, const char *selinux_apifs_context);
+int mount_cgroups(const char *dest, bool unified_requested, bool userns, uid_t uid_shift, uid_t uid_range, const char *selinux_apifs_context, bool use_cgns);
 int mount_systemd_cgroup_writable(const char *dest, bool unified_requested);
 
 int mount_custom(const char *dest, CustomMount *mounts, unsigned n, bool userns, uid_t uid_shift, uid_t uid_range, const char *selinux_apifs_context);
index f8a43d89a23fc32f3513b4fcc6786b6ccb25da22..6cc1b9177d828fc53a3c6b9a7a632c3544c35f15 100644 (file)
@@ -194,6 +194,7 @@ static int arg_settings_trusted = -1;
 static char **arg_parameters = NULL;
 static const char *arg_container_service_name = "systemd-nspawn";
 static bool arg_notify_ready = false;
+static bool arg_use_cgns = true;
 
 static void help(void) {
         printf("%s [OPTIONS...] [PATH] [ARGUMENTS...]\n\n"
@@ -1104,6 +1105,12 @@ static int parse_argv(int argc, char *argv[]) {
         if (e)
                 arg_container_service_name = e;
 
+        r = getenv_bool("SYSTEMD_NSPAWN_USE_CGNS");
+        if (r < 0)
+                arg_use_cgns = cg_ns_supported();
+        else
+                arg_use_cgns = r;
+
         return 1;
 }
 
@@ -2628,7 +2635,7 @@ static int inner_child(
                 return -ESRCH;
         }
 
-        if (cg_ns_supported()) {
+        if (arg_use_cgns && cg_ns_supported()) {
                 r = unshare(CLONE_NEWCGROUP);
                 if (r < 0)
                         return log_error_errno(errno, "Failed to unshare cgroup namespace");
@@ -2638,7 +2645,8 @@ static int inner_child(
                                 arg_userns_mode != USER_NAMESPACE_NO,
                                 arg_uid_shift,
                                 arg_uid_range,
-                                arg_selinux_apifs_context);
+                                arg_selinux_apifs_context,
+                                arg_use_cgns);
                 if (r < 0)
                         return r;
         } else {
@@ -3029,14 +3037,15 @@ static int outer_child(
         if (r < 0)
                 return r;
 
-        if (!cg_ns_supported()) {
+        if (!arg_use_cgns || !cg_ns_supported()) {
                 r = mount_cgroups(
                                 directory,
                                 arg_unified_cgroup_hierarchy,
                                 arg_userns_mode != USER_NAMESPACE_NO,
                                 arg_uid_shift,
                                 arg_uid_range,
-                                arg_selinux_apifs_context);
+                                arg_selinux_apifs_context,
+                                arg_use_cgns);
                 if (r < 0)
                         return r;
         }
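Review bot: In the parse_argv hunk, `if (r < 0) arg_use_cgns = cg_ns_supported();` treats "variable unset" and "variable set to an unparseable value" identically, so a typo such as `SYSTEMD_NSPAWN_USE_CGNS=nope` silently re-enables cgroup namespaces instead of reporting the error; if I recall correctly getenv_bool returns -ENXIO for the unset case, which lets the two be told apart: `if (r < 0) { if (r != -ENXIO) log_warning_errno(r, "Failed to parse $SYSTEMD_NSPAWN_USE_CGNS, ignoring: %m"); arg_use_cgns = cg_ns_supported(); }`. The variable is also undocumented: the commit's file list names only the three source files, and help() (context at the top of this section) does not mention it, so a reader has no way to learn that a false value exposes the legacy cgroup tree to the container through mount_legacy_cgns_unsupported rather than a private namespace. The remaining hunks (inner_child and outer_child) are consistent with each other in gating on `arg_use_cgns && cg_ns_supported()` and its negation, so no separate point there. parse_argv, inner_child and outer_child all start outside their hunks.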