git.ipfire.org Git - thirdparty/lxc.git/commit
author    Serge Hallyn <serge@hallyn.com>
          Tue, 21 Jun 2022 12:50:53 +0000 (14:50 +0200)
committer Stéphane Graber <stgraber@ubuntu.com>
          Mon, 25 Jul 2022 22:12:19 +0000 (18:12 -0400)
commit    cfcbdb75f061108021cb233d221e8496ac40c30e
tree      3ee6525108049261962fd7af7bd89a448d84d460
parent    28726f215084391c398873125e29512ec5b21a2b
use systemd dbus StartTransientUnit for unpriv cgroup2

If, when init'ing cgroups for a container start, we detect that we
are an unprivileged user on a unified-hierarchy-only system, then we
try to request systemd, through the dbus API, to create a new scope for
us with delegation.  Call the cgroup it creates for us P1.  We then
create P1/init and move ourselves into there, so we can enable the
controllers for delegation to P1's children through P1/cgroup.subtree_control.

On attach, we try to request systemd attach us to the container's
scope.  We can't do that ourselves in the normal case, as root owns
our login cgroups.

Create a new command API for the lxc monitor to tell lxc-attach the
systemd scope to which to attach.

Changelog:
 * free cgroup_meta.systemd_scope in lxc_conf_free (Thanks Tycho)
 * fix some indent
 * address some (not all) of brauner's feedback

Signed-off-by: Serge Hallyn <serge@hallyn.com>
12 files changed:
.github/workflows/build.yml
.github/workflows/coverity.yml
.github/workflows/sanitizers.sh
.github/workflows/sanitizers.yml
meson.build
meson_options.txt
src/lxc/cgroups/cgfsng.c
src/lxc/commands.c
src/lxc/commands.h
src/lxc/conf.c
src/lxc/conf.h
src/tests/oss-fuzz.sh