Quoting Dwight Engen (dwight.en...@oracle.com): > This allows some special cgroup items such as memory.kmem.limit_in_bytes > to be successfully set, since they must be set before any task is put > into the cgroup. > > The devices cgroup is setup later giving the container a chance to mount > file systems before the device it might want to mount from becomes > unavailable. > > Signed-off-by: Dwight Engen <dwight.en...@oracle.com>
Acked-by: Serge E. Hallyn <serge.hal...@ubuntu.com> thanks, Dwight. -serge > --- > src/lxc/conf.c | 25 +++++++++++++++++++------ > src/lxc/conf.h | 3 +-- > src/lxc/start.c | 10 +++++++--- > 3 files changed, 27 insertions(+), 11 deletions(-) > > diff --git a/src/lxc/conf.c b/src/lxc/conf.c > index 746a2db..9877cc3 100644 > --- a/src/lxc/conf.c > +++ b/src/lxc/conf.c > @@ -1401,7 +1401,8 @@ static int setup_kmsg(const struct lxc_rootfs *rootfs, > return 0; > } > > -int setup_cgroup(const char *cgpath, struct lxc_list *cgroups) > +static int _setup_cgroup(const char *cgpath, struct lxc_list *cgroups, > + int devices) > { > struct lxc_list *iterator; > struct lxc_cgroup *cg; > @@ -1411,13 +1412,15 @@ int setup_cgroup(const char *cgpath, struct lxc_list > *cgroups) > return 0; > > lxc_list_for_each(iterator, cgroups) { > - > cg = iterator->elem; > > - if (lxc_cgroup_set_bypath(cgpath, cg->subsystem, cg->value)) { > - ERROR("Error setting %s to %s for %s\n", cg->subsystem, > - cg->value, cgpath); > - goto out; > + if (devices == !strncmp("devices", cg->subsystem, 7)) { > + if (lxc_cgroup_set_bypath(cgpath, cg->subsystem, > + cg->value)) { > + ERROR("Error setting %s to %s for %s\n", > + cg->subsystem, cg->value, cgpath); > + goto out; > + } > } > > DEBUG("cgroup '%s' set to '%s'", cg->subsystem, cg->value); > @@ -1429,6 +1432,16 @@ out: > return ret; > } > > +int setup_cgroup_devices(const char *cgpath, struct lxc_list *cgroups) > +{ > + return _setup_cgroup(cgpath, cgroups, 1); > +} > + > +int setup_cgroup(const char *cgpath, struct lxc_list *cgroups) > +{ > + return _setup_cgroup(cgpath, cgroups, 0); > +} > + > static void parse_mntopt(char *opt, unsigned long *flags, char **data) > { > struct mount_opt *mo; > diff --git a/src/lxc/conf.h b/src/lxc/conf.h > index 465b1ec..8180e18 100644 > --- a/src/lxc/conf.h > +++ b/src/lxc/conf.h 
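Review bot: `_setup_cgroup` takes a reserved identifier: in C, names beginning with an underscore are reserved for the implementation at file scope, so the new static helper should not start with one; something like `static int setup_cgroup_by_kind(const char *cgpath, struct lxc_list *cgroups, int devices)` keeps the intent without the reservation. The `devices` parameter is an int used purely as a selector, and nothing at the definition says which entries each value applies; a one-line comment on the helper stating that non-zero applies only the `devices.*` entries and zero applies all the others would make the two wrappers' contract visible where the logic lives. The helper's body continues in the following hunk.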
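Review bot: The `DEBUG("cgroup '%s' set to '%s'", cg->subsystem, cg->value);` line remains outside the new `if (devices == !strncmp("devices", cg->subsystem, 7))` block, so every entry is reported as set on both passes, including the ones this pass deliberately skips; move the DEBUG call inside the inner block, after the successful `lxc_cgroup_set_bypath`, so the log matches what was actually written. The 7-character prefix match selects every `devices.*` key (`devices.allow`, `devices.deny`), which appears to be the intent, but the bare 7 should be tied to the literal, e.g. `strncmp("devices", cg->subsystem, sizeof("devices") - 1)`. The `out:` label and `ret` that the loop relies on are outside this hunk.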
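Review bot: The split changes the contract of `setup_cgroup`, which now silently skips every `devices.*` entry, yet neither wrapper documents this; a caller that invokes only `setup_cgroup` would end up with no device restrictions applied and no error. Add above the two wrappers a comment such as `/* setup_cgroup applies every non-devices.* entry; setup_cgroup_devices applies only the devices.* entries. Both must be called, in that order, for the full cgroup configuration to take effect. */`, and mirror a shorter form of it on the declarations in conf.h.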
> @@ -287,6 +287,7 @@ struct lxc_conf { > int run_lxc_hooks(const char *name, char *hook, struct lxc_conf *conf); > > extern int setup_cgroup(const char *cgpath, struct lxc_list *cgroups); > +extern int setup_cgroup_devices(const char *cgpath, struct lxc_list > *cgroups); > extern int detect_shared_rootfs(void); > > /* > @@ -313,8 +314,6 @@ extern int lxc_clear_cgroups(struct lxc_conf *c, const > char *key); > extern int lxc_clear_mount_entries(struct lxc_conf *c); > extern int lxc_clear_hooks(struct lxc_conf *c, const char *key); > > -extern int setup_cgroup(const char *name, struct lxc_list *cgroups); > - > extern int uid_shift_ttys(int pid, struct lxc_conf *conf); > > /* > diff --git a/src/lxc/start.c b/src/lxc/start.c > index fd96d4f..cf5f9bd 100644 > --- a/src/lxc/start.c > +++ b/src/lxc/start.c > @@ -809,6 +809,11 @@ int lxc_spawn(struct lxc_handler *handler) > if ((handler->cgroup = lxc_cgroup_path_create(NULL, name)) == NULL) > goto out_delete_net; > > + if (setup_cgroup(handler->cgroup, &handler->conf->cgroup)) { > + ERROR("failed to setup the cgroups for '%s'", name); > + goto out_delete_net; > + } > + > if (lxc_cgroup_enter(handler->cgroup, handler->pid) < 0) > goto out_delete_net; 
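Review bot: The `setup_cgroup` call is moved between `lxc_cgroup_path_create` and `lxc_cgroup_enter` with no comment explaining why it can no longer stay at its old position, and the reason lives only in the commit message. Add above the call `/* Apply the non-device cgroup items before any task joins the cgroup; keys such as memory.kmem.limit_in_bytes can only be set while it is empty. */` so the ordering survives future refactors. On failure it jumps to `out_delete_net`, the same label the neighbouring `lxc_cgroup_enter` failure uses, so whether the freshly created cgroup path is removed on that path cannot be judged from this hunk. lxc_spawn continues beyond this hunk.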
> > @@ -839,12 +844,11 @@ int lxc_spawn(struct lxc_handler *handler) > if (lxc_sync_barrier_child(handler, LXC_SYNC_POST_CONFIGURE)) > goto out_delete_net; > > - if (setup_cgroup(handler->cgroup, &handler->conf->cgroup)) { > - ERROR("failed to setup the cgroups for '%s'", name); > + if (setup_cgroup_devices(handler->cgroup, &handler->conf->cgroup)) { > + ERROR("failed to setup the devices cgroup for '%s'", name); > goto out_delete_net; > } > > - > /* Tell the child to complete its initialization and wait for > * it to exec or return an error. (the child will never > * return LXC_SYNC_POST_CGROUP+1. It will either close the > -- > 1.8.1.4 > ------------------------------------------------------------------------------ AlienVault Unified Security Management (USM) platform delivers complete security visibility with the essential security capabilities. Easily and efficiently configure, manage, and operate all of your security controls from a single console and one unified framework. Download a free trial. http://p.sf.net/sfu/alienvault_d2d _______________________________________________ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
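Review bot: Between `lxc_cgroup_enter` in the earlier hunk and `setup_cgroup_devices` here the child runs under whatever device policy the new cgroup inherited, which is exactly what lets it mount from devices the configuration later denies; that window is intentional but reads like a bug without a comment. Add above the call `/* Device restrictions are applied only after the child's post-configure setup, so it can still mount from devices the config later denies; they are in place before the child is told to exec. */`. That the child's mount setup is complete at LXC_SYNC_POST_CONFIGURE is inferred from the barrier name and should be confirmed against the child side. lxc_spawn continues outside this hunk.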