cgroups: don't escape if lxc.cgroup.keep is true

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Cc: Felix Abecassis <fabecassis@nvidia.com>
Cc: Jonathan Calmels <jcalmels@nvidia.com>
Christian Brauner 2018-08-26 18:59:01 +02:00
parent 76f0e2e739
commit 5a087e056f
No known key found for this signature in database
GPG Key ID: 8EB056D53EECB12D
10 changed files with 40 additions and 40 deletions


@ -1261,7 +1261,7 @@ int lxc_attach(const char *name, const char *lxcpath,
if (options->attach_flags & LXC_ATTACH_MOVE_TO_CGROUP) { if (options->attach_flags & LXC_ATTACH_MOVE_TO_CGROUP) {
struct cgroup_ops *cgroup_ops; struct cgroup_ops *cgroup_ops;
cgroup_ops = cgroup_init(NULL); cgroup_ops = cgroup_init(conf);
if (!cgroup_ops) if (!cgroup_ops)
goto on_error; goto on_error;


@ -1742,11 +1742,11 @@ static int cgfsng_nrtasks(struct cgroup_ops *ops)
} }
/* Only root needs to escape to the cgroup of its init. */ /* Only root needs to escape to the cgroup of its init. */
static bool cgfsng_escape(const struct cgroup_ops *ops) static bool cgfsng_escape(const struct cgroup_ops *ops, struct lxc_conf *conf)
{ {
int i; int i;
if (geteuid()) if (conf->cgroup_meta.keep || geteuid())
return true; return true;
for (i = 0; ops->hierarchies[i]; i++) { for (i = 0; ops->hierarchies[i]; i++) {
@ -2278,11 +2278,10 @@ static bool cgroup_use_wants_controllers(const struct cgroup_ops *ops,
/* At startup, parse_hierarchies finds all the info we need about cgroup /* At startup, parse_hierarchies finds all the info we need about cgroup
* mountpoints and current cgroups, and stores it in @d. * mountpoints and current cgroups, and stores it in @d.
*/ */
static bool cg_hybrid_init(struct cgroup_ops *ops) static bool cg_hybrid_init(struct cgroup_ops *ops, bool keep)
{ {
int ret; int ret;
char *basecginfo; char *basecginfo;
bool will_escape;
FILE *f; FILE *f;
size_t len = 0; size_t len = 0;
char *line = NULL; char *line = NULL;
@ -2291,8 +2290,7 @@ static bool cg_hybrid_init(struct cgroup_ops *ops)
/* Root spawned containers escape the current cgroup, so use init's /* Root spawned containers escape the current cgroup, so use init's
* cgroups as our base in that case. * cgroups as our base in that case.
*/ */
will_escape = (geteuid() == 0); if (!keep && (geteuid() == 0))
if (will_escape)
basecginfo = read_file("/proc/1/cgroup"); basecginfo = read_file("/proc/1/cgroup");
else else
basecginfo = read_file("/proc/self/cgroup"); basecginfo = read_file("/proc/self/cgroup");
@ -2443,14 +2441,12 @@ static int cg_is_pure_unified(void)
} }
/* Get current cgroup from /proc/self/cgroup for the cgroupfs v2 hierarchy. */ /* Get current cgroup from /proc/self/cgroup for the cgroupfs v2 hierarchy. */
static char *cg_unified_get_current_cgroup(void) static char *cg_unified_get_current_cgroup(bool keep)
{ {
char *basecginfo, *base_cgroup; char *basecginfo, *base_cgroup;
bool will_escape;
char *copy = NULL; char *copy = NULL;
will_escape = (geteuid() == 0); if (!keep && (geteuid() == 0))
if (will_escape)
basecginfo = read_file("/proc/1/cgroup"); basecginfo = read_file("/proc/1/cgroup");
else else
basecginfo = read_file("/proc/self/cgroup"); basecginfo = read_file("/proc/self/cgroup");
@ -2474,7 +2470,7 @@ cleanup_on_err:
return copy; return copy;
} }
static int cg_unified_init(struct cgroup_ops *ops) static int cg_unified_init(struct cgroup_ops *ops, bool keep)
{ {
int ret; int ret;
char *mountpoint, *subtree_path; char *mountpoint, *subtree_path;
@ -2488,7 +2484,7 @@ static int cg_unified_init(struct cgroup_ops *ops)
if (ret != CGROUP2_SUPER_MAGIC) if (ret != CGROUP2_SUPER_MAGIC)
return 0; return 0;
base_cgroup = cg_unified_get_current_cgroup(); base_cgroup = cg_unified_get_current_cgroup(keep);
if (!base_cgroup) if (!base_cgroup)
return -EINVAL; return -EINVAL;
prune_init_scope(base_cgroup); prune_init_scope(base_cgroup);
@ -2520,10 +2516,11 @@ static int cg_unified_init(struct cgroup_ops *ops)
return CGROUP2_SUPER_MAGIC; return CGROUP2_SUPER_MAGIC;
} }
static bool cg_init(struct cgroup_ops *ops) static bool cg_init(struct cgroup_ops *ops, struct lxc_conf *conf)
{ {
int ret; int ret;
const char *tmp; const char *tmp;
bool keep = conf->cgroup_meta.keep;
tmp = lxc_global_config_value("lxc.cgroup.use"); tmp = lxc_global_config_value("lxc.cgroup.use");
if (tmp) { if (tmp) {
@ -2539,14 +2536,14 @@ static bool cg_init(struct cgroup_ops *ops)
free(pin); free(pin);
} }
ret = cg_unified_init(ops); ret = cg_unified_init(ops, keep);
if (ret < 0) if (ret < 0)
return false; return false;
if (ret == CGROUP2_SUPER_MAGIC) if (ret == CGROUP2_SUPER_MAGIC)
return true; return true;
return cg_hybrid_init(ops); return cg_hybrid_init(ops, keep);
} }
static bool cgfsng_data_init(struct cgroup_ops *ops) static bool cgfsng_data_init(struct cgroup_ops *ops)
@ -2565,7 +2562,7 @@ static bool cgfsng_data_init(struct cgroup_ops *ops)
return true; return true;
} }
struct cgroup_ops *cgfsng_ops_init(void) struct cgroup_ops *cgfsng_ops_init(struct lxc_conf *conf)
{ {
struct cgroup_ops *cgfsng_ops; struct cgroup_ops *cgfsng_ops;
@ -2576,7 +2573,7 @@ struct cgroup_ops *cgfsng_ops_init(void)
memset(cgfsng_ops, 0, sizeof(struct cgroup_ops)); memset(cgfsng_ops, 0, sizeof(struct cgroup_ops));
cgfsng_ops->cgroup_layout = CGROUP_LAYOUT_UNKNOWN; cgfsng_ops->cgroup_layout = CGROUP_LAYOUT_UNKNOWN;
if (!cg_init(cgfsng_ops)) { if (!cg_init(cgfsng_ops, conf)) {
free(cgfsng_ops); free(cgfsng_ops);
return NULL; return NULL;
} }
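Review bot: cg_init dereferences conf unconditionally in `bool keep = conf->cgroup_meta.keep;`, and cgfsng_escape does the same in its first check, while the replaced `cgroup_init(NULL)` call sites show that callers used to pass no context at all; any remaining caller that still passes NULL now crashes inside the cgroup driver instead of being ignored. A defensive `bool keep = conf ? conf->cgroup_meta.keep : false;` in cg_init (and `(conf && conf->cgroup_meta.keep) || geteuid()` in cgfsng_escape) would keep the old tolerance, or the non-NULL precondition should be documented on cgroup_init(). The comment above cgfsng_escape, `/* Only root needs to escape to the cgroup of its init. */`, no longer describes the function; consider `/* Only root needs to escape to the cgroup of its init, and not when lxc.cgroup.keep asks to stay in the caller's cgroup. */`. The bodies of cgfsng_escape, cg_hybrid_init and cg_unified_get_current_cgroup continue outside the hunks shown.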


@ -33,13 +33,13 @@
lxc_log_define(cgroup, lxc); lxc_log_define(cgroup, lxc);
extern struct cgroup_ops *cgfsng_ops_init(void); extern struct cgroup_ops *cgfsng_ops_init(struct lxc_conf *conf);
struct cgroup_ops *cgroup_init(struct lxc_handler *handler) struct cgroup_ops *cgroup_init(struct lxc_conf *conf)
{ {
struct cgroup_ops *cgroup_ops; struct cgroup_ops *cgroup_ops;
cgroup_ops = cgfsng_ops_init(); cgroup_ops = cgfsng_ops_init(conf);
if (!cgroup_ops) { if (!cgroup_ops) {
ERROR("Failed to initialize cgroup driver"); ERROR("Failed to initialize cgroup driver");
return NULL; return NULL;


@ -127,7 +127,7 @@ struct cgroup_ops {
bool (*create)(struct cgroup_ops *ops, struct lxc_handler *handler); bool (*create)(struct cgroup_ops *ops, struct lxc_handler *handler);
bool (*enter)(struct cgroup_ops *ops, pid_t pid); bool (*enter)(struct cgroup_ops *ops, pid_t pid);
const char *(*get_cgroup)(struct cgroup_ops *ops, const char *controller); const char *(*get_cgroup)(struct cgroup_ops *ops, const char *controller);
bool (*escape)(const struct cgroup_ops *ops); bool (*escape)(const struct cgroup_ops *ops, struct lxc_conf *conf);
int (*num_hierarchies)(struct cgroup_ops *ops); int (*num_hierarchies)(struct cgroup_ops *ops);
bool (*get_hierarchies)(struct cgroup_ops *ops, int n, char ***out); bool (*get_hierarchies)(struct cgroup_ops *ops, int n, char ***out);
int (*set)(struct cgroup_ops *ops, const char *filename, int (*set)(struct cgroup_ops *ops, const char *filename,
@ -145,7 +145,7 @@ struct cgroup_ops {
int (*nrtasks)(struct cgroup_ops *ops); int (*nrtasks)(struct cgroup_ops *ops);
}; };
extern struct cgroup_ops *cgroup_init(struct lxc_handler *handler); extern struct cgroup_ops *cgroup_init(struct lxc_conf *conf);
extern void cgroup_exit(struct cgroup_ops *ops); extern void cgroup_exit(struct cgroup_ops *ops);
extern void prune_init_scope(char *cg); extern void prune_init_scope(char *cg);


@ -190,7 +190,7 @@ static void exec_criu(struct cgroup_ops *cgroup_ops, struct criu_opts *opts)
* /actual/ root cgroup so that lxcfs thinks criu has enough rights to * /actual/ root cgroup so that lxcfs thinks criu has enough rights to
* see all cgroups. * see all cgroups.
*/ */
if (!cgroup_ops->escape(cgroup_ops)) { if (!cgroup_ops->escape(cgroup_ops, opts->handler->conf)) {
ERROR("failed to escape cgroups"); ERROR("failed to escape cgroups");
return; return;
} }
@ -967,7 +967,7 @@ static void do_restore(struct lxc_container *c, int status_pipe, struct migrate_
if (lxc_init(c->name, handler) < 0) if (lxc_init(c->name, handler) < 0)
goto out; goto out;
cgroup_ops = cgroup_init(NULL); cgroup_ops = cgroup_init(c->lxc_conf);
if (!cgroup_ops) if (!cgroup_ops)
goto out_fini_handler; goto out_fini_handler;
handler->cgroup_ops = cgroup_ops; handler->cgroup_ops = cgroup_ops;
@ -1272,7 +1272,7 @@ static bool do_dump(struct lxc_container *c, char *mode, struct migrate_opts *op
h.name = c->name; h.name = c->name;
cgroup_ops = cgroup_init(NULL); cgroup_ops = cgroup_init(c->lxc_conf);
if (!cgroup_ops) { if (!cgroup_ops) {
ERROR("failed to cgroup_init()"); ERROR("failed to cgroup_init()");
_exit(EXIT_FAILURE); _exit(EXIT_FAILURE);
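Review bot: With lxc.cgroup.keep set, `cgroup_ops->escape(cgroup_ops, opts->handler->conf)` returns true without moving criu anywhere, so the comment directly above it — that criu must be in the actual root cgroup for lxcfs to consider it privileged enough to see all cgroups — is no longer honoured on that path, and a checkpoint under lxcfs may then fail later with a less obvious error. Worth a comment at the call site, e.g. `/* With lxc.cgroup.keep the escape is a no-op; lxcfs may then deny criu visibility of the container's cgroups. */`, or a WARN() when the escape was skipped because of the option. exec_criu continues outside the hunk.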


@ -42,7 +42,8 @@
lxc_log_define(freezer, lxc); lxc_log_define(freezer, lxc);
static int do_freeze_thaw(bool freeze, const char *name, const char *lxcpath) static int do_freeze_thaw(bool freeze, struct lxc_conf *conf, const char *name,
const char *lxcpath)
{ {
int ret; int ret;
char v[100]; char v[100];
@ -51,7 +52,7 @@ static int do_freeze_thaw(bool freeze, const char *name, const char *lxcpath)
size_t state_len = 6; size_t state_len = 6;
lxc_state_t new_state = freeze ? FROZEN : THAWED; lxc_state_t new_state = freeze ? FROZEN : THAWED;
cgroup_ops = cgroup_init(NULL); cgroup_ops = cgroup_init(conf);
if (!cgroup_ops) if (!cgroup_ops)
return -1; return -1;
@ -85,14 +86,14 @@ static int do_freeze_thaw(bool freeze, const char *name, const char *lxcpath)
} }
} }
int lxc_freeze(const char *name, const char *lxcpath) int lxc_freeze(struct lxc_conf *conf, const char *name, const char *lxcpath)
{ {
lxc_cmd_serve_state_clients(name, lxcpath, FREEZING); lxc_cmd_serve_state_clients(name, lxcpath, FREEZING);
lxc_monitor_send_state(name, FREEZING, lxcpath); lxc_monitor_send_state(name, FREEZING, lxcpath);
return do_freeze_thaw(true, name, lxcpath); return do_freeze_thaw(true, conf, name, lxcpath);
} }
int lxc_unfreeze(const char *name, const char *lxcpath) int lxc_unfreeze(struct lxc_conf *conf, const char *name, const char *lxcpath)
{ {
return do_freeze_thaw(false, name, lxcpath); return do_freeze_thaw(false, conf, name, lxcpath);
} }


@ -81,14 +81,16 @@ extern int lxc_monitor_close(int fd);
* @name : the container name * @name : the container name
* Returns 0 on success, < 0 otherwise * Returns 0 on success, < 0 otherwise
*/ */
extern int lxc_freeze(const char *name, const char *lxcpath); extern int lxc_freeze(struct lxc_conf *conf, const char *name,
const char *lxcpath);
/* /*
* Unfreeze all previously frozen tasks. * Unfreeze all previously frozen tasks.
* @name : the name of the container * @name : the name of the container
* Return 0 on success, < 0 otherwise * Return 0 on success, < 0 otherwise
*/ */
extern int lxc_unfreeze(const char *name, const char *lxcpath); extern int lxc_unfreeze(struct lxc_conf *conf, const char *name,
const char *lxcpath);
/* /*
* Retrieve the container state * Retrieve the container state
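Review bot: The doc comments on lxc_freeze() and lxc_unfreeze() still list only @name while both now take a leading `struct lxc_conf *conf`; add `* @conf : the container configuration, handed to cgroup_init()` to each block (and @lxcpath, which was already undocumented). Stating whether conf may be NULL would help callers, since the cgroup driver reads `conf->cgroup_meta.keep` from it without a guard.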


@ -529,7 +529,7 @@ static bool do_lxcapi_freeze(struct lxc_container *c)
if (!c) if (!c)
return false; return false;
ret = lxc_freeze(c->name, c->config_path); ret = lxc_freeze(c->lxc_conf, c->name, c->config_path);
if (ret < 0) if (ret < 0)
return false; return false;
@ -545,7 +545,7 @@ static bool do_lxcapi_unfreeze(struct lxc_container *c)
if (!c) if (!c)
return false; return false;
ret = lxc_unfreeze(c->name, c->config_path); ret = lxc_unfreeze(c->lxc_conf, c->name, c->config_path);
if (ret < 0) if (ret < 0)
return false; return false;
@ -3263,7 +3263,7 @@ static bool do_lxcapi_set_cgroup_item(struct lxc_container *c, const char *subsy
if (is_stopped(c)) if (is_stopped(c))
return false; return false;
cgroup_ops = cgroup_init(NULL); cgroup_ops = cgroup_init(c->lxc_conf);
if (!cgroup_ops) if (!cgroup_ops)
return false; return false;
@ -3292,7 +3292,7 @@ static int do_lxcapi_get_cgroup_item(struct lxc_container *c, const char *subsys
if (is_stopped(c)) if (is_stopped(c))
return -1; return -1;
cgroup_ops = cgroup_init(NULL); cgroup_ops = cgroup_init(c->lxc_conf);
if (!cgroup_ops) if (!cgroup_ops)
return -1; return -1;
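Review bot: do_lxcapi_freeze and do_lxcapi_unfreeze guard only `if (!c)` before passing `c->lxc_conf` to lxc_freeze()/lxc_unfreeze(), which forward it to cgroup_init(); if lxc_conf can be NULL for a container whose config was never loaded, that pointer is now dereferenced inside the cgroup driver rather than ignored as the old `cgroup_init(NULL)` was. Extending the guard to `if (!c || !c->lxc_conf) return false;` in both functions, and the matching `return -1` / `return false` before the `cgroup_init(c->lxc_conf)` calls in do_lxcapi_get_cgroup_item / do_lxcapi_set_cgroup_item, keeps the previous NULL tolerance at the API boundary. Whether lxc_conf is guaranteed non-NULL at these points is not visible in this section.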


@ -856,7 +856,7 @@ int lxc_init(const char *name, struct lxc_handler *handler)
} }
TRACE("Chowned console"); TRACE("Chowned console");
handler->cgroup_ops = cgroup_init(handler); handler->cgroup_ops = cgroup_init(handler->conf);
if (!handler->cgroup_ops) { if (!handler->cgroup_ops) {
ERROR("Failed to initialize cgroup driver"); ERROR("Failed to initialize cgroup driver");
goto out_delete_terminal; goto out_delete_terminal;


@ -80,7 +80,7 @@ static int test_running_container(const char *lxcpath,
goto err3; goto err3;
} }
cgroup_ops = cgroup_init(NULL); cgroup_ops = cgroup_init(c->lxc_conf);
if (!cgroup_ops) if (!cgroup_ops)
goto err3; goto err3;