cgroups: do not fail if setting devices cgroup fails due to EPERM
authorSerge Hallyn <serge.hallyn@ubuntu.com>
Fri, 19 Feb 2016 22:12:47 +0000 (14:12 -0800)
committerStéphane Graber <stgraber@ubuntu.com>
Thu, 17 Nov 2016 22:55:21 +0000 (17:55 -0500)
If we're trying to allow a device which was denied to our parent
container, just continue.

Cgmanager does not help us to distinguish between eperm and other
errors, so just always continue.

We may want to consider actually computing the range of devices
to which the container monitor has access, but OTOH that introduces
a whole new set of complexity to compute access sets.

Closes #827

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
src/lxc/cgfs.c
src/lxc/cgmanager.c

index 9caa40bf68ddad414d30e352c9fe4e5b8b1ca7d2..1bb9b9750e71885a1d0985503fb286686d377ea2 100644 (file)
@@ -1284,10 +1284,13 @@ static int lxc_cgroup_set_data(const char *filename, const char *value, struct c
        if ((p = strchr(subsystem, '.')) != NULL)
                *p = '\0';
 
+       errno = ENOENT;
        path = lxc_cgroup_get_hierarchy_abs_path_data(subsystem, d);
        if (path) {
                ret = do_cgroup_set(path, filename, value);
+               int saved_errno = errno;
                free(path);
+               errno = saved_errno;
        }
        return ret;
 }
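Review bot: The `errno = ENOENT;` preset before `lxc_cgroup_get_hierarchy_abs_path_data()` is only reliable if that helper never changes errno when it returns NULL. Its body is not visible here, and if it allocates or touches the filesystem it could leave another value, possibly EPERM, which the new `errno == EPERM` test in do_setup_cgroup_limits would then treat as a device-permission failure. Setting the value at the failure site avoids that: drop the preset and close the block with `} else { errno = ENOENT; }`. The save and restore around `free(path)` likewise assumes do_cgroup_set leaves the errno of the failing write intact, which is worth confirming. The function starts outside the hunk.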
@@ -1914,6 +1917,11 @@ static int do_setup_cgroup_limits(struct cgfs_data *d,
                                        cgroup_devices_has_allow_or_deny(d, cg->value, true))
                                continue;
                        if (lxc_cgroup_set_data(cg->subsystem, cg->value, d)) {
+                               if (do_devices && errno == EPERM) {
+                                       WARN("Error setting %s to %s for %s",
+                                             cg->subsystem, cg->value, d->name);
+                                       continue;
+                               }
                                ERROR("Error setting %s to %s for %s",
                                      cg->subsystem, cg->value, d->name);
                                goto out;
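Review bot: The new `do_devices && errno == EPERM` branch skips any failed devices write, not only a `devices.allow` for a device the parent denied, so a `devices.deny` entry that fails with EPERM would also be dropped and the container would start with wider device access than its config asks for. Narrowing the test to the case the commit message describes keeps deny failures fatal: `if (do_devices && errno == EPERM && strcmp(cg->subsystem, "devices.allow") == 0) {`. The same applies to the `if (do_devices)` branch added to cgm_setup_limits in src/lxc/cgmanager.c, which continues on every failure. The WARN text is identical to the ERROR below it, so a message saying the entry was skipped because of EPERM would make the log easier to audit. The loop body starts and ends outside the hunk.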
index 8ccadaa0eea6ac034b0514e4c26982b2fd7fc661..9f8eaf867af287f7bd5cfe00a8d01977a262d25e 100644 (file)
@@ -1375,6 +1375,14 @@ static bool cgm_setup_limits(void *hdata, struct lxc_list *cgroup_settings, bool
                                         d->cgroup_path, cg->subsystem, cg->value) != 0) {
                        NihError *nerr;
                        nerr = nih_error_get();
+                       if (do_devices) {
+                               WARN("call to cgmanager_set_value_sync failed: %s", nerr->message);
+                               nih_free(nerr);
+                               WARN("Error setting cgroup %s:%s limit type %s", controller,
+                                       d->cgroup_path, cg->subsystem);
+                               continue;
+                       }
+
                        ERROR("call to cgmanager_set_value_sync failed: %s", nerr->message);
                        nih_free(nerr);
                        ERROR("Error setting cgroup %s:%s limit type %s", controller,
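Review bot: Nothing at the `if (do_devices)` branch explains why every cgmanager failure is ignored for devices entries rather than only permission errors; that reasoning exists only in the commit message. A comment above the branch would keep it next to the code, for example `/* cgmanager does not tell us whether this was EPERM, so all devices cgroup failures are treated as non-fatal */`. Because a container can now start with its device limits only partly applied, adding `cg->value` to the second WARN would let an operator identify the skipped entry from the log. The ERROR statement on the last line of the hunk continues outside it.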