<filename>/sys</filename> as read-write
</para>
</listitem>
+
<listitem>
<para>
<option>cgroup:mixed</option>:
- mount a tmpfs to <filename>/sys/fs/cgroup</filename>,
- create directories for all hierarchies to which
- the container is added, create subdirectories
- there with the name of the cgroup, and bind-mount
- the container's own cgroup into that directory.
- The container will be able to write to its own
- cgroup directory, but not the parents, since they
- will be remounted read-only.
+ Mount a tmpfs to <filename>/sys/fs/cgroup</filename>,
+ create directories for all hierarchies to which the container
+ is added, create subdirectories in those hierarchies with the
+ name of the cgroup, and bind-mount the container's own cgroup
+ into that directory. The container will be able to write to
+ its own cgroup directory, but not the parents, since they will
+ be remounted read-only.
</para>
</listitem>
+
<listitem>
<para>
- <option>cgroup:ro</option>: similar to
- <option>cgroup:mixed</option>, but everything will
- be mounted read-only.
+ <option>cgroup:mixed:force</option>:
+ The <option>force</option> option will cause LXC to perform
+ the cgroup mounts for the container under all circumstances.
+ Otherwise it is similar to <option>cgroup:mixed</option>.
+ This is mainly useful when the cgroup namespaces are enabled
+ where LXC will normally leave mounting cgroups to the init
+ binary of the container since it is perfectly safe to do so.
</para>
</listitem>
+
+ <listitem>
+ <para>
+ <option>cgroup:ro</option>:
+ similar to <option>cgroup:mixed</option>, but everything will
+ be mounted read-only.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <option>cgroup:ro:force</option>:
+ The <option>force</option> option will cause LXC to perform
+ the cgroup mounts for the container under all circumstances.
+ Otherwise it is similar to <option>cgroup:ro</option>.
+ This is mainly useful when the cgroup namespaces are enabled
+ where LXC will normally leave mounting cgroups to the init
+ binary of the container since it is perfectly safe to do so.
+ </para>
+ </listitem>
+
<listitem>
<para>
<option>cgroup:rw</option>: similar to
- <option>cgroup:mixed</option>, but everything will
- be mounted read-write. Note that the paths leading
- up to the container's own cgroup will be writable,
- but will not be a cgroup filesystem but just part
- of the tmpfs of <filename>/sys/fs/cgroup</filename>
+ <option>cgroup:mixed</option>, but everything will be mounted
+ read-write. Note that the paths leading up to the container's
+ own cgroup will be writable, but will not be a cgroup
+ filesystem but just part of the tmpfs of
+ <filename>/sys/fs/cgroup</filename>
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <option>cgroup:rw:force</option>:
+ The <option>force</option> option will cause LXC to perform
+ the cgroup mounts for the container under all circumstances.
+ Otherwise it is similar to <option>cgroup:rw</option>.
+ This is mainly useful when the cgroup namespaces are enabled
+ where LXC will normally leave mounting cgroups to the init
+ binary of the container since it is perfectly safe to do so.
</para>
</listitem>
+
<listitem>
<para>
<option>cgroup</option> (without specifier):
static bool cgfsng_mount(void *hdata, const char *root, int type)
{
- int i;
+ int i, ret;
char *tmpfspath = NULL;
bool retval = false;
struct lxc_handler *handler = hdata;
struct cgfsng_handler_data *d = handler->cgroup_data;
- bool has_cgns = false, has_sys_admin = true;
+ bool has_cgns = false, wants_force_mount = false;
if ((type & LXC_AUTO_CGROUP_MASK) == 0)
return true;
- has_cgns = cgns_supported();
- if (!lxc_list_empty(&handler->conf->keepcaps))
- has_sys_admin = in_caplist(CAP_SYS_ADMIN, &handler->conf->keepcaps);
- else
- has_sys_admin = !in_caplist(CAP_SYS_ADMIN, &handler->conf->caps);
+ if (type & LXC_AUTO_CGROUP_FORCE) {
+ type &= ~LXC_AUTO_CGROUP_FORCE;
+ wants_force_mount = true;
+ }
- if (has_cgns && has_sys_admin)
- return true;
+ if (!wants_force_mount){
+ if (!lxc_list_empty(&handler->conf->keepcaps))
+ wants_force_mount = !in_caplist(CAP_SYS_ADMIN, &handler->conf->keepcaps);
+ else
+ wants_force_mount = in_caplist(CAP_SYS_ADMIN, &handler->conf->caps);
+ }
- tmpfspath = must_make_path(root, "/sys/fs/cgroup", NULL);
+ has_cgns = cgns_supported();
+ if (has_cgns && !wants_force_mount)
+ return true;
if (type == LXC_AUTO_CGROUP_NOSPEC)
type = LXC_AUTO_CGROUP_MIXED;
type = LXC_AUTO_CGROUP_FULL_MIXED;
/* Mount tmpfs */
- if (safe_mount("cgroup_root", tmpfspath, "tmpfs",
- MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_RELATIME,
- "size=10240k,mode=755",
- root) < 0)
- goto bad;
+ tmpfspath = must_make_path(root, "/sys/fs/cgroup", NULL);
+ ret = safe_mount("cgroup_root", tmpfspath, "tmpfs",
+ MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_RELATIME,
+ "size=10240k,mode=755", root);
+ if (ret < 0)
+ goto on_error;
for (i = 0; hierarchies[i]; i++) {
char *controllerpath, *path2;
struct hierarchy *h = hierarchies[i];
char *controller = strrchr(h->mountpoint, '/');
- int r;
if (!controller)
continue;
free(controllerpath);
continue;
}
- if (mkdir(controllerpath, 0755) < 0) {
+ ret = mkdir(controllerpath, 0755);
+ if (ret < 0) {
SYSERROR("Error creating cgroup path: %s", controllerpath);
free(controllerpath);
- goto bad;
+ goto on_error;
}
- if (has_cgns && !has_sys_admin) {
+ if (has_cgns && wants_force_mount) {
/* If cgroup namespaces are supported but the container
* will not have CAP_SYS_ADMIN after it has started we
* need to mount the cgroups manually.
*/
- r = cg_mount_in_cgroup_namespace(type, h, controllerpath);
+ ret = cg_mount_in_cgroup_namespace(type, h, controllerpath);
free(controllerpath);
- if (r < 0)
- goto bad;
+ if (ret < 0)
+ goto on_error;
+
continue;
}
- if (mount_cgroup_full(type, h, controllerpath, d->container_cgroup) < 0) {
+ ret = mount_cgroup_full(type, h, controllerpath, d->container_cgroup);
+ if (ret < 0) {
free(controllerpath);
- goto bad;
+ goto on_error;
}
+
if (!cg_mount_needs_subdirs(type)) {
free(controllerpath);
continue;
}
- path2 = must_make_path(controllerpath, h->base_cgroup, d->container_cgroup, NULL);
- if (mkdir_p(path2, 0755) < 0) {
+
+ path2 = must_make_path(controllerpath, h->base_cgroup,
+ d->container_cgroup, NULL);
+ ret = mkdir_p(path2, 0755);
+ if (ret < 0) {
free(controllerpath);
free(path2);
- goto bad;
+ goto on_error;
}
- r = do_secondstage_mounts_if_needed(type, h, controllerpath, path2,
- d->container_cgroup);
+ ret = do_secondstage_mounts_if_needed(
+ type, h, controllerpath, path2, d->container_cgroup);
free(controllerpath);
free(path2);
- if (r < 0)
- goto bad;
+ if (ret < 0)
+ goto on_error;
}
retval = true;
-bad:
+on_error:
free(tmpfspath);
return retval;
}
if (flags & LXC_AUTO_CGROUP_MASK) {
int cg_flags;
- cg_flags = flags & LXC_AUTO_CGROUP_MASK;
+ cg_flags = flags & (LXC_AUTO_CGROUP_MASK & ~LXC_AUTO_CGROUP_FORCE);
/* If the type of cgroup mount was not specified, it depends on the
* container's capabilities as to what makes sense: if we have
* CAP_SYS_ADMIN, the read-only part can be remounted read-write
else
cg_flags = has_sys_admin ? LXC_AUTO_CGROUP_FULL_RW : LXC_AUTO_CGROUP_FULL_MIXED;
}
-
+ if (flags & LXC_AUTO_CGROUP_FORCE)
+ cg_flags |= LXC_AUTO_CGROUP_FORCE;
if (!cgroup_mount(conf->rootfs.path ? conf->rootfs.mount : "", handler, cg_flags)) {
SYSERROR("error mounting /sys/fs/cgroup");
return -1;
* before, /sys could not have been mounted
* (is either mounted automatically or via fstab entries)
*/
- if (lxc_mount_auto_mounts(lxc_conf, lxc_conf->auto_mounts & LXC_AUTO_CGROUP_MASK, handler) < 0) {
+ if (lxc_mount_auto_mounts(lxc_conf, lxc_conf->auto_mounts & (LXC_AUTO_CGROUP_MASK), handler) < 0) {
ERROR("failed to setup the automatic mounts for '%s'", name);
return -1;
}
* variants, which is safe. */
LXC_AUTO_CGROUP_NOSPEC = 0x0B0, /* /sys/fs/cgroup (partial mount, r/w or mixed, depending on caps) */
LXC_AUTO_CGROUP_FULL_NOSPEC = 0x0E0, /* /sys/fs/cgroup (full mount, r/w or mixed, depending on caps) */
- LXC_AUTO_CGROUP_MASK = 0x0F0,
-
- LXC_AUTO_ALL_MASK = 0x0FF, /* all known settings */
+ LXC_AUTO_CGROUP_FORCE = 0x100, /* mount cgroups even when cgroup namespaces are supported */
+ LXC_AUTO_CGROUP_MASK = 0x1F0, /* all known cgroup options, doe not contain LXC_AUTO_CGROUP_FORCE */
+ LXC_AUTO_ALL_MASK = 0x1FF, /* all known settings */
};
/*
int mask;
int flag;
} allowed_auto_mounts[] = {
- { "proc", LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED },
- { "proc:mixed", LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED },
- { "proc:rw", LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_RW },
- { "sys", LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED },
- { "sys:ro", LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RO },
- { "sys:mixed", LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED },
- { "sys:rw", LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RW },
- { "cgroup", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_NOSPEC },
- { "cgroup:mixed", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_MIXED },
- { "cgroup:ro", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_RO },
- { "cgroup:rw", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_RW },
- { "cgroup-full", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_FULL_NOSPEC },
- { "cgroup-full:mixed", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_FULL_MIXED },
- { "cgroup-full:ro", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_FULL_RO },
- { "cgroup-full:rw", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_FULL_RW },
- /* NB: For adding anything that is just a single on/off, but has
- * no options: keep mask and flag identical and just define the
- * enum value as an unused bit so far
+ { "proc", LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED },
+ { "proc:mixed", LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED },
+ { "proc:rw", LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_RW },
+ { "sys", LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED },
+ { "sys:ro", LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RO },
+ { "sys:mixed", LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED },
+ { "sys:rw", LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RW },
+ { "cgroup", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_NOSPEC },
+ { "cgroup:mixed", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_MIXED },
+ { "cgroup:ro", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_RO },
+ { "cgroup:rw", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_RW },
+ { "cgroup:force", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_NOSPEC | LXC_AUTO_CGROUP_FORCE },
+ { "cgroup:mixed:force", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_MIXED | LXC_AUTO_CGROUP_FORCE },
+ { "cgroup:ro:force", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_RO | LXC_AUTO_CGROUP_FORCE },
+ { "cgroup:rw:force", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_RW | LXC_AUTO_CGROUP_FORCE },
+ { "cgroup-full", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_FULL_NOSPEC },
+ { "cgroup-full:mixed", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_FULL_MIXED },
+ { "cgroup-full:ro", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_FULL_RO },
+ { "cgroup-full:rw", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_FULL_RW },
+ /* For adding anything that is just a single on/off, but has no
+ * options: keep mask and flag identical and just define the enum
+ * value as an unused bit so far
*/
- { NULL, 0, 0 }
+ { NULL, 0, 0 }
};
if (lxc_config_value_empty(value)) {
projects / thirdparty / lxc.git / commitdiff
