proxmox-mirrors/mirror_lxc
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_lxc synced 2025-06-10 20:09:23 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
1aad9e44d6
mirror_lxc/hooks/mountcgroups
Serge Hallyn 283678ed2c Accomodate stricter devices cgroup rules 
3.10 kernel comes with proper hierarchical enforcement of devices
cgroup.  To keep that code somewhat sane, certain things are not
allowed.  Switching from default-allow to default-deny and vice versa
are not allowed when there are children cgroups.  (This *could* be
simplified in the kernel by checking that all child cgroups are
unpopulated, but that has not yet been done and may be rejected)

The mountcgroup hook causes lxc-start to break with 3.10 kernels, because
you cannot write 'a' to devices.deny once you have a child cgroup.  With
this patch, (a) lxcpath is passed to hooks, (b) the cgroup mount hook sets
the container's devices cgroup, and (c) setup_cgroup() during lxc startup
ignores failures to write to devices subsystem if we are already in a
child of the container's new cgroup.

((a) is not really related to this bug, but is definately needed.
The followup work of making the other hooks use the passed-in lxcpath
is still to be done)

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2013-07-11 10:26:33 -05:00

67 lines
2.2 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# (C) Copyright Canonical 2011,2012
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# This is an example hook to mount all mounted cgroups in the
# container. Only the container's own cgroup (not parents) will be
# accessible to the container. You can enable this by adding
# lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups
# to your container's configuration file.
set -e
c=$1
d=/sys/fs/cgroup
d2=$LXC_ROOTFS_MOUNT/${d}
# name lxc hook lxcpath
lxcpath=$4
if [ ! -d "$d" ]; then
exit 0
fi
mount -n -t tmpfs tmpfs ${d2}
do_devices_setup() {
local devdir="$1"
local c="$2"
local line
local w # which (allow or deny)
local v # value
egrep "^lxc.cgroup.devices.(allow|deny)[ \t]*=" ${lxcpath}/${c}/config | while read line; do
w=`echo $line | awk -F. '{ print $4 }' | awk '{ print $1 }'`
v=`echo $line | awk -F= '{ print $2 }'`
echo "$v" >> "$devdir"/devices.$w
done
}
# XXX TODO - we'll need to account for other cgroup groups beside 'lxc',
# i.e. 'build' or 'users/joe'.
for dir in `/bin/ls $d`; do
if [ "$dir" = "devices" ]; then
devicesdir="${d}/${dir}/lxc/${c}"
mkdir -p "$devicesdir"
# set the devices cgroup perms now - we can't change from blacklist to
# whitelist, or add perms, once we have children.
do_devices_setup "$devicesdir" "${c}"
fi
mkdir -p "${d}/${dir}/lxc/${c}/${c}.real"
echo 1 > "${d}/${dir}/lxc/${c}/${c}.real/tasks"
mkdir -p ${d2}/${dir}
mount -n --bind "${d}/${dir}/lxc/${c}/${c}.real" "${d2}/${dir}"
done
Reference in New Issue View Git Blame Copy Permalink