Re: [lxc-devel] [PATCH] set non device cgroup items before the cgroup is entered

Serge Hallyn Wed, 15 May 2013 19:13:09 -0700

Quoting Dwight Engen (dwight.en...@oracle.com):
> This allows some special cgroup items such as memory.kmem.limit_in_bytes
> to be successfully set, since they must be set before any task is put
> into the cgroup.
> 
> The devices cgroup is setup later giving the container a chance to mount
> file systems before the device it might want to mount from becomes
> unavailable.
> 
> Signed-off-by: Dwight Engen <dwight.en...@oracle.com>


Acked-by: Serge E. Hallyn <serge.hal...@ubuntu.com>

thanks, Dwight.

-serge

> ---
>  src/lxc/conf.c  | 25 +++++++++++++++++++------
>  src/lxc/conf.h  |  3 +--
>  src/lxc/start.c | 10 +++++++---
>  3 files changed, 27 insertions(+), 11 deletions(-)
> 
> diff --git a/src/lxc/conf.c b/src/lxc/conf.c
> index 746a2db..9877cc3 100644
> --- a/src/lxc/conf.c
> +++ b/src/lxc/conf.c
> @@ -1401,7 +1401,8 @@ static int setup_kmsg(const struct lxc_rootfs *rootfs,
>       return 0;
>  }
>  
> -int setup_cgroup(const char *cgpath, struct lxc_list *cgroups)
> +static int _setup_cgroup(const char *cgpath, struct lxc_list *cgroups,
> +                       int devices)
>  {
>       struct lxc_list *iterator;
>       struct lxc_cgroup *cg;
> @@ -1411,13 +1412,15 @@ int setup_cgroup(const char *cgpath, struct lxc_list 
> *cgroups)
>               return 0;
>  
>       lxc_list_for_each(iterator, cgroups) {
> -
>               cg = iterator->elem;
>  
> -             if (lxc_cgroup_set_bypath(cgpath, cg->subsystem, cg->value)) {
> -                     ERROR("Error setting %s to %s for %s\n", cg->subsystem,
> -                             cg->value, cgpath);
> -                     goto out;
> +             if (devices == !strncmp("devices", cg->subsystem, 7)) {
> +                     if (lxc_cgroup_set_bypath(cgpath, cg->subsystem,
> +                         cg->value)) {
> +                             ERROR("Error setting %s to %s for %s\n",
> +                                   cg->subsystem, cg->value, cgpath);
> +                             goto out;
> +                     }
>               }
>  
>               DEBUG("cgroup '%s' set to '%s'", cg->subsystem, cg->value);
> @@ -1429,6 +1432,16 @@ out:
>       return ret;
>  }
>  
> +int setup_cgroup_devices(const char *cgpath, struct lxc_list *cgroups)
> +{
> +     return _setup_cgroup(cgpath, cgroups, 1);
> +}
> +
> +int setup_cgroup(const char *cgpath, struct lxc_list *cgroups)
> +{
> +     return _setup_cgroup(cgpath, cgroups, 0);
> +}
> +
>  static void parse_mntopt(char *opt, unsigned long *flags, char **data)
>  {
>       struct mount_opt *mo;
> diff --git a/src/lxc/conf.h b/src/lxc/conf.h
> index 465b1ec..8180e18 100644
> --- a/src/lxc/conf.h
> +++ b/src/lxc/conf.h
> @@ -287,6 +287,7 @@ struct lxc_conf {
>  int run_lxc_hooks(const char *name, char *hook, struct lxc_conf *conf);
>  
>  extern int setup_cgroup(const char *cgpath, struct lxc_list *cgroups);
> +extern int setup_cgroup_devices(const char *cgpath, struct lxc_list 
> *cgroups);
>  extern int detect_shared_rootfs(void);
>  
>  /*
> @@ -313,8 +314,6 @@ extern int lxc_clear_cgroups(struct lxc_conf *c, const 
> char *key);
>  extern int lxc_clear_mount_entries(struct lxc_conf *c);
>  extern int lxc_clear_hooks(struct lxc_conf *c, const char *key);
>  
> -extern int setup_cgroup(const char *name, struct lxc_list *cgroups);
> -
>  extern int uid_shift_ttys(int pid, struct lxc_conf *conf);
>  
>  /*
> diff --git a/src/lxc/start.c b/src/lxc/start.c
> index fd96d4f..cf5f9bd 100644
> --- a/src/lxc/start.c
> +++ b/src/lxc/start.c
> @@ -809,6 +809,11 @@ int lxc_spawn(struct lxc_handler *handler)
>       if ((handler->cgroup = lxc_cgroup_path_create(NULL, name)) == NULL)
>               goto out_delete_net;
>  
> +     if (setup_cgroup(handler->cgroup, &handler->conf->cgroup)) {
> +             ERROR("failed to setup the cgroups for '%s'", name);
> +             goto out_delete_net;
> +     }
> +
>       if (lxc_cgroup_enter(handler->cgroup, handler->pid) < 0)
>               goto out_delete_net;
>  
> @@ -839,12 +844,11 @@ int lxc_spawn(struct lxc_handler *handler)
>       if (lxc_sync_barrier_child(handler, LXC_SYNC_POST_CONFIGURE))
>               goto out_delete_net;
>  
> -     if (setup_cgroup(handler->cgroup, &handler->conf->cgroup)) {
> -             ERROR("failed to setup the cgroups for '%s'", name);
> +     if (setup_cgroup_devices(handler->cgroup, &handler->conf->cgroup)) {
> +             ERROR("failed to setup the devices cgroup for '%s'", name);
>               goto out_delete_net;
>       }
>  
> -
>       /* Tell the child to complete its initialization and wait for
>        * it to exec or return an error.  (the child will never
>        * return LXC_SYNC_POST_CGROUP+1.  It will either close the
> -- 
> 1.8.1.4
> 

------------------------------------------------------------------------------
AlienVault Unified Security Management (USM) platform delivers complete
security visibility with the essential security capabilities. Easily and
efficiently configure, manage, and operate all of your security controls
from a single console and one unified framework. Download a free trial.
http://p.sf.net/sfu/alienvault_d2d
_______________________________________________
Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel

Re: [lxc-devel] [PATCH] set non device cgroup items before the cgroup is entered

Reply via email to