set non device cgroup items before the cgroup is entered

This allows some special cgroup items such as memory.kmem.limit_in_bytes
to be successfully set, since they must be set before any task is put
into the cgroup.

The devices cgroup is setup later giving the container a chance to mount
file systems before the device it might want to mount from becomes
unavailable.

Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 746a2dbd79fc34e4c99a47f92aba80dc410a83af..9877cc36238e3b8547cde4c543dd568d6b8938e9 100644 (file)
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -1401,7 +1401,8 @@ static int setup_kmsg(const struct lxc_rootfs *rootfs,
        return 0;
 }
 
-int setup_cgroup(const char *cgpath, struct lxc_list *cgroups)
+static int _setup_cgroup(const char *cgpath, struct lxc_list *cgroups,
+                         int devices)
 {
        struct lxc_list *iterator;
        struct lxc_cgroup *cg;
@@ -1411,13 +1412,15 @@ int setup_cgroup(const char *cgpath, struct lxc_list *cgroups)
                return 0;
 
        lxc_list_for_each(iterator, cgroups) {
-
                cg = iterator->elem;
 
-               if (lxc_cgroup_set_bypath(cgpath, cg->subsystem, cg->value)) {
-                       ERROR("Error setting %s to %s for %s\n", cg->subsystem,
-                               cg->value, cgpath);
-                       goto out;
+               if (devices == !strncmp("devices", cg->subsystem, 7)) {
+                       if (lxc_cgroup_set_bypath(cgpath, cg->subsystem,
+                           cg->value)) {
+                               ERROR("Error setting %s to %s for %s\n",
+                                     cg->subsystem, cg->value, cgpath);
+                               goto out;
+                       }
                }
 
                DEBUG("cgroup '%s' set to '%s'", cg->subsystem, cg->value);
@@ -1429,6 +1432,16 @@ out:
        return ret;
 }
 
+int setup_cgroup_devices(const char *cgpath, struct lxc_list *cgroups)
+{
+       return _setup_cgroup(cgpath, cgroups, 1);
+}
+
+int setup_cgroup(const char *cgpath, struct lxc_list *cgroups)
+{
+       return _setup_cgroup(cgpath, cgroups, 0);
+}
+
 static void parse_mntopt(char *opt, unsigned long *flags, char **data)
 {
        struct mount_opt *mo;

diff --git a/src/lxc/conf.h b/src/lxc/conf.h
index 465b1ece4cba4e5144bab89ea131eeb8bbaac415..8180e1870bc9fc6a747871ba7ebf0804f417a183 100644 (file)
--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
@@ -287,6 +287,7 @@ struct lxc_conf {
 int run_lxc_hooks(const char *name, char *hook, struct lxc_conf *conf);
 
 extern int setup_cgroup(const char *cgpath, struct lxc_list *cgroups);
+extern int setup_cgroup_devices(const char *cgpath, struct lxc_list *cgroups);
 extern int detect_shared_rootfs(void);
 
 /*
@@ -313,8 +314,6 @@ extern int lxc_clear_cgroups(struct lxc_conf *c, const char *key);
 extern int lxc_clear_mount_entries(struct lxc_conf *c);
 extern int lxc_clear_hooks(struct lxc_conf *c, const char *key);
 
-extern int setup_cgroup(const char *name, struct lxc_list *cgroups);
-
 extern int uid_shift_ttys(int pid, struct lxc_conf *conf);
 
 /*

diff --git a/src/lxc/start.c b/src/lxc/start.c
index fd96d4f609ed1183bb12f27fe3396042a47d638c..cf5f9bd12182b0f29bacb37c43f323893da373ce 100644 (file)
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -809,6 +809,11 @@ int lxc_spawn(struct lxc_handler *handler)
        if ((handler->cgroup = lxc_cgroup_path_create(NULL, name)) == NULL)
                goto out_delete_net;
 
+       if (setup_cgroup(handler->cgroup, &handler->conf->cgroup)) {
+               ERROR("failed to setup the cgroups for '%s'", name);
+               goto out_delete_net;
+       }
+
        if (lxc_cgroup_enter(handler->cgroup, handler->pid) < 0)
                goto out_delete_net;
 
@@ -839,12 +844,11 @@ int lxc_spawn(struct lxc_handler *handler)
        if (lxc_sync_barrier_child(handler, LXC_SYNC_POST_CONFIGURE))
                goto out_delete_net;
 
-       if (setup_cgroup(handler->cgroup, &handler->conf->cgroup)) {
-               ERROR("failed to setup the cgroups for '%s'", name);
+       if (setup_cgroup_devices(handler->cgroup, &handler->conf->cgroup)) {
+               ERROR("failed to setup the devices cgroup for '%s'", name);
                goto out_delete_net;
        }
 
-
        /* Tell the child to complete its initialization and wait for
         * it to exec or return an error.  (the child will never
         * return LXC_SYNC_POST_CGROUP+1.  It will either close the