Make tmpfs size configurable
authorJT Olds <hello@jtolds.com>
Tue, 7 Jul 2015 20:17:44 +0000 (14:17 -0600)
committerJT Olds <hello@jtolds.com>
Tue, 7 Jul 2015 21:42:25 +0000 (15:42 -0600)
README.md
cmdline.c
common.h
contain.c

index 646f611fc02d75a54a9e21e84d86ef7194a30781..9aa11345f6d6091548af7a757403fb7eb9f490d5 100644 (file)
--- a/README.md
+++ b/README.md
@@ -109,8 +109,8 @@ Options:
  --log|-l [val]
        Log file (default: stderr)
  --time_limit|-t [val]
+       Maximum time that a jail can exist, in seconds (default: 600)
  --daemon|-d
-       Daemonize after start? (default: false)
  --verbose|-v
        Verbose output (default: false)
  --keep_env|-e
@@ -167,4 +167,6 @@ Options:
        List of mountpoints to be mounted as RW/tmpfs inside the container. Can be specified multiple times. Supports 'dest' syntax. (default: none)
  --iface|-I [val]
        Interface which will be cloned (MACVTAP) and put inside the subprocess' namespace
+ --tmpfs_size [val]
+       Number of bytes to allocate for tmpfsmounts in bytes (default: 4194304)
 ```
index 85c77d43f370b6330f3fc9a3da50b62e76582083..92ce5a0f7d7110e49effd5bc479ca2c6dd3c7f0a 100644 (file)
--- a/cmdline.c
+++ b/cmdline.c
@@ -86,13 +86,15 @@ void cmdlineLogParams(struct nsjconf_t *nsjconf)
            ("Jail parameters: hostname:'%s', chroot:'%s', process:'%s', port:%d, "
             "max_conns_per_ip:%u, uid:%u, gid:%u, time_limit:%ld, personality:%#lx, daemonize:%s, "
             "clone_newnet:%s, clone_newuser:%s, clone_newns:%s, clone_newpid:%s, "
-            "clone_newipc:%s, clonew_newuts:%s, apply_sandbox:%s, keep_caps:%s",
+            "clone_newipc:%s, clonew_newuts:%s, apply_sandbox:%s, keep_caps:%s, "
+            "tmpfs_size:%u",
             nsjconf->hostname, nsjconf->chroot, nsjconf->argv[0], nsjconf->port,
             nsjconf->max_conns_per_ip, nsjconf->uid, nsjconf->gid, nsjconf->tlimit,
             nsjconf->personality, logYesNo(nsjconf->daemonize), logYesNo(nsjconf->clone_newnet),
             logYesNo(nsjconf->clone_newuser), logYesNo(nsjconf->clone_newns),
             logYesNo(nsjconf->clone_newpid), logYesNo(nsjconf->clone_newipc),
-            logYesNo(nsjconf->clone_newuts), logYesNo(nsjconf->apply_sandbox), logYesNo(nsjconf->keep_caps));
+            logYesNo(nsjconf->clone_newuts), logYesNo(nsjconf->apply_sandbox),
+            logYesNo(nsjconf->keep_caps), nsjconf->tmpfs_size);
 
        struct constchar_t *p;
        LIST_FOREACH(p, &nsjconf->robindmountpts, pointers) {
@@ -180,6 +182,7 @@ bool cmdlineParse(int argc, char *argv[], struct nsjconf_t * nsjconf)
                .initial_uid = getuid(),
                .initial_gid = getgid(),
                .max_conns_per_ip = 0,
+               .tmpfs_size = 4*1024*1024,
        };
        /*  *INDENT-OFF* */
 
@@ -236,6 +239,7 @@ bool cmdlineParse(int argc, char *argv[], struct nsjconf_t * nsjconf)
                {{"bindmount", required_argument, NULL, 'B'}, "List of mountpoints to be mounted --bind (rw) inside the container. Can be specified multiple times. Supports 'source' syntax, or 'source:dest'. (default: none)"},
                {{"tmpfsmount", required_argument, NULL, 'T'}, "List of mountpoints to be mounted as RW/tmpfs inside the container. Can be specified multiple times. Supports 'dest' syntax. (default: none)"},
                {{"iface", required_argument, NULL, 'I'}, "Interface which will be cloned (MACVTAP) and put inside the subprocess' namespace"},
+               {{"tmpfs_size", required_argument, NULL, 0x0506}, "Number of bytes to allocate for tmpfsmounts in bytes (default: 4194304)"},
                {{0, 0, 0, 0}, NULL},
        };
         /*  *INDENT-ON* */
@@ -264,6 +268,9 @@ bool cmdlineParse(int argc, char *argv[], struct nsjconf_t * nsjconf)
                case 'i':
                        nsjconf->max_conns_per_ip = strtoul(optarg, NULL, 0);
                        break;
+               case 0x0506:
+                       nsjconf->tmpfs_size = strtoul(optarg, NULL, 0);
+                       break;
                case 'u':
                        user = optarg;
                        break;
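Review bot: The new `case 0x0506` stores the result of `strtoul(optarg, NULL, 0)` straight into the `unsigned int` field with no validation. A non-numeric argument therefore becomes 0, and where `unsigned long` is 64-bit a value such as 4294967296 wraps to 0 as well. tmpfs treats `size=0` as "no limit", so a typo on the command line silently removes the memory cap the jail had when the size was hard-coded. The case should parse with an end pointer and `errno`, reject trailing characters, zero and anything above `UINT_MAX`, and make cmdlineParse return false on failure. cmdlineParse starts and ends outside this hunk.

```c
case 0x0506: {
	char *end = NULL;
	errno = 0;
	unsigned long v = strtoul(optarg, &end, 0);
	/* 0 would mean "unlimited" to tmpfs; values above UINT_MAX would wrap in the field */
	if (errno != 0 || end == optarg || *end != '\0' || v == 0 || v > UINT_MAX) {
		LOG_E("Invalid --tmpfs_size value: '%s'", optarg);
		return false;
	}
	nsjconf->tmpfs_size = (unsigned int)v;
	break;
}
/* … unchanged: case 'u' and the remaining options … */
```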
index facbba5299625d2e172af39179ab697c47d039d5..49235371beb8f59f1f8e50418a7e6cf19401dbbf 100644 (file)
--- a/common.h
+++ b/common.h
@@ -83,6 +83,7 @@ struct nsjconf_t {
        uid_t initial_uid;
        gid_t initial_gid;
        unsigned int max_conns_per_ip;
+       unsigned int tmpfs_size;
         LIST_HEAD(pidslist, pids_t) pids;
         LIST_HEAD(rwbindmountptslist, constchar_t) rwbindmountpts;
         LIST_HEAD(robindmountptslist, constchar_t) robindmountpts;
index 0719214044bd9cf7adcab21dd065e7af632bfb97..b2231f2f5faf91c0e2e7092361ba3fa6136a1bfb 100644 (file)
--- a/contain.c
+++ b/contain.c
@@ -297,6 +297,8 @@ bool containMountFS(struct nsjconf_t * nsjconf)
        /* It only makes sense with "--chroot /", so don't worry about errors */
        umount2(destdir, MNT_DETACH);
 
+       char tmpfs_size[11+5];
+       snprintf(tmpfs_size, sizeof(tmpfs_size), "size=%u", nsjconf->tmpfs_size);
        LIST_FOREACH(p, &nsjconf->tmpfsmountpts, pointers) {
                if (strchr(p->value, ':') != NULL) {
                        PLOG_E("invalid tmpfs mount spec. source:dest format unsupported.");
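Review bot: The `char tmpfs_size[11+5]` buffer is sized by unexplained arithmetic that only holds while `nsjconf->tmpfs_size` is a 32-bit `unsigned int`. If the field is ever widened, snprintf will silently truncate the digits and the mount will get a different size than the one requested. A comment such as `/* "size=" (5) + up to 10 decimal digits + NUL */` would document the bound, and comparing the snprintf return value against `sizeof(tmpfs_size)` would catch truncation. The local also shares its name with the struct field it formats, so a name like `tmpfs_opts` would read more clearly. containMountFS starts and ends outside this hunk.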
@@ -308,7 +310,7 @@ bool containMountFS(struct nsjconf_t * nsjconf)
                        return false;
                }
                LOG_D("Mounting (tmpfs) '%s'", p->value);
-               if (mount(NULL, p->value, "tmpfs", 0, "size=4194304") == -1) {
+               if (mount(NULL, p->value, "tmpfs", 0, tmpfs_size) == -1) {
                        PLOG_E("mount('%s', 'tmpfs')", p->value);
                        return false;
                }
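Review bot: The limit is applied to each mount separately, not to the jail as a whole. The `mount(NULL, p->value, "tmpfs", 0, tmpfs_size)` call appears to sit inside the LIST_FOREACH over `tmpfsmountpts` opened in the previous hunk, so a jail with N `--tmpfsmount` entries can consume N × tmpfs_size of memory. The help text added in cmdline.c and README.md ("Number of bytes to allocate for tmpfsmounts in bytes") reads as a total and repeats "bytes". Wording such as `"Size limit in bytes for each tmpfs mount (default: 4194304)"` would state the actual bound. The loop body continues outside this hunk.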