Make tmpfs size configurable
parent
d43c4975ae
commit
8841a08dd3
@ -109,8 +109,8 @@ Options:
|
|||||||
--log|-l [val]
|
--log|-l [val]
|
||||||
Log file (default: stderr)
|
Log file (default: stderr)
|
||||||
--time_limit|-t [val]
|
--time_limit|-t [val]
|
||||||
|
Maximum time that a jail can exist, in seconds (default: 600)
|
||||||
--daemon|-d
|
--daemon|-d
|
||||||
Daemonize after start? (default: false)
|
|
||||||
--verbose|-v
|
--verbose|-v
|
||||||
Verbose output (default: false)
|
Verbose output (default: false)
|
||||||
--keep_env|-e
|
--keep_env|-e
|
||||||
@ -167,4 +167,6 @@ Options:
|
|||||||
List of mountpoints to be mounted as RW/tmpfs inside the container. Can be specified multiple times. Supports 'dest' syntax. (default: none)
|
List of mountpoints to be mounted as RW/tmpfs inside the container. Can be specified multiple times. Supports 'dest' syntax. (default: none)
|
||||||
--iface|-I [val]
|
--iface|-I [val]
|
||||||
Interface which will be cloned (MACVTAP) and put inside the subprocess' namespace
|
Interface which will be cloned (MACVTAP) and put inside the subprocess' namespace
|
||||||
|
--tmpfs_size [val]
|
||||||
|
Number of bytes to allocate for tmpfsmounts in bytes (default: 4194304)
|
||||||
```
|
```
|
||||||
|
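--- a/cmdline.c
+++ b/cmdline.c
@@ -86,13 +86,15 @@ void cmdlineLogParams(struct nsjconf_t *nsjconf)
 ("Jail parameters: hostname:'%s', chroot:'%s', process:'%s', port:%d, "
 "max_conns_per_ip:%u, uid:%u, gid:%u, time_limit:%ld, personality:%#lx, daemonize:%s, "
 "clone_newnet:%s, clone_newuser:%s, clone_newns:%s, clone_newpid:%s, "
-"clone_newipc:%s, clonew_newuts:%s, apply_sandbox:%s, keep_caps:%s",
+"clone_newipc:%s, clonew_newuts:%s, apply_sandbox:%s, keep_caps:%s, "
+"tmpfs_size:%u",
 nsjconf->hostname, nsjconf->chroot, nsjconf->argv[0], nsjconf->port,
 nsjconf->max_conns_per_ip, nsjconf->uid, nsjconf->gid, nsjconf->tlimit,
 nsjconf->personality, logYesNo(nsjconf->daemonize), logYesNo(nsjconf->clone_newnet),
 logYesNo(nsjconf->clone_newuser), logYesNo(nsjconf->clone_newns),
 logYesNo(nsjconf->clone_newpid), logYesNo(nsjconf->clone_newipc),
-logYesNo(nsjconf->clone_newuts), logYesNo(nsjconf->apply_sandbox), logYesNo(nsjconf->keep_caps));
+logYesNo(nsjconf->clone_newuts), logYesNo(nsjconf->apply_sandbox),
+logYesNo(nsjconf->keep_caps), nsjconf->tmpfs_size);
 
 struct constchar_t *p;
 LIST_FOREACH(p, &nsjconf->robindmountpts, pointers) {
@@ -180,6 +182,7 @@ bool cmdlineParse(int argc, char *argv[], struct nsjconf_t * nsjconf)
 .initial_uid = getuid(),
 .initial_gid = getgid(),
 .max_conns_per_ip = 0,
+.tmpfs_size = 4*1024*1024,
 };
 /* *INDENT-OFF* */
 
@@ -236,6 +239,7 @@ bool cmdlineParse(int argc, char *argv[], struct nsjconf_t * nsjconf)
 {{"bindmount", required_argument, NULL, 'B'}, "List of mountpoints to be mounted --bind (rw) inside the container. Can be specified multiple times. Supports 'source' syntax, or 'source:dest'. (default: none)"},
 {{"tmpfsmount", required_argument, NULL, 'T'}, "List of mountpoints to be mounted as RW/tmpfs inside the container. Can be specified multiple times. Supports 'dest' syntax. (default: none)"},
 {{"iface", required_argument, NULL, 'I'}, "Interface which will be cloned (MACVTAP) and put inside the subprocess' namespace"},
+{{"tmpfs_size", required_argument, NULL, 0x0506}, "Number of bytes to allocate for tmpfsmounts in bytes (default: 4194304)"},
 {{0, 0, 0, 0}, NULL},
 };
 /* *INDENT-ON* */
@@ -264,6 +268,9 @@ bool cmdlineParse(int argc, char *argv[], struct nsjconf_t * nsjconf)
 case 'i':
 nsjconf->max_conns_per_ip = strtoul(optarg, NULL, 0);
 break;
+case 0x0506:
+nsjconf->tmpfs_size = strtoul(optarg, NULL, 0);
+break;
 case 'u':
 user = optarg;
 break;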
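Review bot: The new `case 0x0506:` stores `strtoul(optarg, NULL, 0)` straight into the `unsigned int` field without checking the conversion, so a non-numeric, negative or oversized `--tmpfs_size` argument silently becomes 0 or a truncated value and the jail is mounted with a limit the operator never asked for; this mirrors the existing `'i'` case, but a resource bound on the sandbox deserves validation. Parse with an end pointer and `errno`, reject `end == optarg || *end != '\0' || errno == ERANGE || v > UINT_MAX`, and decide explicitly whether 0 is acceptable, since the value is later handed to the kernel verbatim as `size=` and a zero there may be read as "no limit" (confirm against the tmpfs mount documentation before choosing). Separately, the option help text reads "Number of bytes to allocate for tmpfsmounts in bytes" — one of the two "bytes" can go. cmdlineParse continues outside the hunk, and the rewrite below needs `<errno.h>` and `<limits.h>` in scope.
```c
case 0x0506: {
    errno = 0;
    char *end = NULL;
    unsigned long v = strtoul(optarg, &end, 0);
    /* v == 0: reaches mount() as "size=0" — confirm kernel semantics before allowing it */
    if (end == optarg || *end != '\0' || errno == ERANGE || v == 0 || v > UINT_MAX) {
        /* report via the file's error-logging macro, then fail the parse */
        return false;
    }
    nsjconf->tmpfs_size = (unsigned int)v;
    break;
}
```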
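--- a/common.h
+++ b/common.h
@@ -83,6 +83,7 @@ struct nsjconf_t {
 uid_t initial_uid;
 gid_t initial_gid;
 unsigned int max_conns_per_ip;
+unsigned int tmpfs_size;
 LIST_HEAD(pidslist, pids_t) pids;
 LIST_HEAD(rwbindmountptslist, constchar_t) rwbindmountpts;
 LIST_HEAD(robindmountptslist, constchar_t) robindmountpts;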
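Review bot: The new `unsigned int tmpfs_size;` member says nothing about its unit or where it ends up, although the value is formatted verbatim into the `size=` mount option; its neighbours are undocumented too, but for a limit that shapes the sandbox a one-liner helps: `unsigned int tmpfs_size; /* per-mount tmpfs limit in bytes, emitted as the "size=" mount option */`. The 32-bit type also caps the option at 4 GiB on every platform and forces a narrowing of the `strtoul` result in the parser; if larger jails are a realistic configuration, `unsigned long` or `size_t` (with the `%u` formats in cmdline.c and the mount-option buffer adjusted together) avoids that truncation. struct nsjconf_t continues outside the hunk.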
@ -297,6 +297,8 @@ bool containMountFS(struct nsjconf_t * nsjconf)
|
|||||||
/* It only makes sense with "--chroot /", so don't worry about errors */
|
/* It only makes sense with "--chroot /", so don't worry about errors */
|
||||||
umount2(destdir, MNT_DETACH);
|
umount2(destdir, MNT_DETACH);
|
||||||
|
|
||||||
|
char tmpfs_size[11+5];
|
||||||
|
snprintf(tmpfs_size, sizeof(tmpfs_size), "size=%u", nsjconf->tmpfs_size);
|
||||||
LIST_FOREACH(p, &nsjconf->tmpfsmountpts, pointers) {
|
LIST_FOREACH(p, &nsjconf->tmpfsmountpts, pointers) {
|
||||||
if (strchr(p->value, ':') != NULL) {
|
if (strchr(p->value, ':') != NULL) {
|
||||||
PLOG_E("invalid tmpfs mount spec. source:dest format unsupported.");
|
PLOG_E("invalid tmpfs mount spec. source:dest format unsupported.");
|
||||||
@ -308,7 +310,7 @@ bool containMountFS(struct nsjconf_t * nsjconf)
|
|||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
LOG_D("Mounting (tmpfs) '%s'", p->value);
|
LOG_D("Mounting (tmpfs) '%s'", p->value);
|
||||||
if (mount(NULL, p->value, "tmpfs", 0, "size=4194304") == -1) {
|
if (mount(NULL, p->value, "tmpfs", 0, tmpfs_size) == -1) {
|
||||||
PLOG_E("mount('%s', 'tmpfs')", p->value);
|
PLOG_E("mount('%s', 'tmpfs')", p->value);
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
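Review bot: The buffer `char tmpfs_size[11+5];` in containMountFS carries an unexplained bound; it is exactly "size=" (5 bytes) plus the ten decimal digits a 32-bit `%u` can produce plus the NUL, so `char tmpfs_size[11 + 5]; /* "size=" + up to 10 digits of %u + NUL */` would make the sizing reviewable. The `snprintf` result is unchecked, which is fine while the bound is exact, but the array, the `%u` format and the field type in common.h now have to move together — a change of the field to a wider type without touching this line would truncate the option string silently. The local also reuses the struct member's name, which reads as if `nsjconf->tmpfs_size` were being shadowed; `tmpfs_opts` or similar would separate the number from the rendered option. containMountFS starts and ends outside the hunk.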