confile: add lxc.cgroup.keep
authorChristian Brauner <christian.brauner@ubuntu.com>
Fri, 18 May 2018 14:16:22 +0000 (16:16 +0200)
committerChristian Brauner <christian.brauner@ubuntu.com>
Mon, 27 Aug 2018 01:07:51 +0000 (03:07 +0200)
This adds the new lxc.cgroup.keep config key. The key can be used to instruct
LXC to never escape to the root cgroup. This makes it easy for
users to adhere to restrictions enforced by cgroup2 and systemd. Specifically,
this makes it possible to run LXC containers as systemd services.

Note that cgroup v1 is considered legacy and will not see additional
controllers being added to it. This means that it is safe to use
lxc.cgroup.keep as config key since there is no "keep" controller. The only way
a conflict can be introduced is if the user is creating a named controller. I
think this case can be safely ignored since it is super rare and also the users
problem.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Cc: Felix Abecassis <fabecassis@nvidia.com>
Cc: Jonathan Calmels <jcalmels@nvidia.com>
src/lxc/conf.h
src/lxc/confile.c

index c68108d83766aae18c24a7d2be75ce817a6594b8..070dd22921c957d4f1b7146b55d0e796f3326c42 100644 (file)
@@ -76,6 +76,7 @@ struct lxc_cgroup {
                struct /* meta */ {
                        char *controllers;
                        char *dir;
+                       bool keep;
                };
        };
 };
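Review bot: The new `keep` member is undocumented, and nothing else in this commit reads it, so the only place a reader can learn what it means is the commit message. A one-line comment on the field would carry that intent into the header: `bool keep; /* lxc.cgroup.keep: do not escape to the root cgroup */`. The enclosing `struct lxc_cgroup` starts before this hunk; from the visible lines the member sits in the anonymous `meta` struct next to `controllers` and `dir`, and the setter/clearer in confile.c only ever assign it, so presumably a later change in the cgroup driver consumes it.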
index 326782eac343204b9e832cd0b020787e51a3f0ca..b94703084fca596f76336dde9ccfadbe420da511 100644 (file)
@@ -92,6 +92,7 @@ lxc_config_define(cap_keep);
 lxc_config_define(cgroup_controller);
 lxc_config_define(cgroup2_controller);
 lxc_config_define(cgroup_dir);
+lxc_config_define(cgroup_keep);
 lxc_config_define(console_buffer_size);
 lxc_config_define(console_logfile);
 lxc_config_define(console_path);
@@ -167,6 +168,7 @@ static struct lxc_config_t config[] = {
        { "lxc.cap.keep",                  set_config_cap_keep,                    get_config_cap_keep,                    clr_config_cap_keep,                  },
        { "lxc.cgroup2",                   set_config_cgroup2_controller,          get_config_cgroup2_controller,          clr_config_cgroup2_controller,        },
        { "lxc.cgroup.dir",                set_config_cgroup_dir,                  get_config_cgroup_dir,                  clr_config_cgroup_dir,                },
+       { "lxc.cgroup.keep",               set_config_cgroup_keep,                 get_config_cgroup_keep,                 clr_config_cgroup_keep,               },
        { "lxc.cgroup",                    set_config_cgroup_controller,           get_config_cgroup_controller,           clr_config_cgroup_controller,         },
        { "lxc.console.buffer.size",       set_config_console_buffer_size,         get_config_console_buffer_size,         clr_config_console_buffer_size,       },
        { "lxc.console.logfile",           set_config_console_logfile,             get_config_console_logfile,             clr_config_console_logfile,           },
@@ -1395,6 +1397,32 @@ static int set_config_cgroup_dir(const char *key, const char *value,
        return set_config_string_item(&lxc_conf->cgroup_meta.dir, value);
 }
 
+static int set_config_cgroup_keep(const char *key, const char *value,
+                                 struct lxc_conf *lxc_conf, void *data)
+{
+       unsigned int converted;
+       int ret;
+
+       if (lxc_config_value_empty(value))
+               return clr_config_cgroup_keep(key, lxc_conf, NULL);
+
+       ret = lxc_safe_uint(value, &converted);
+       if (ret < 0)
+               return -ret;
+
+       if (converted == 1) {
+               lxc_conf->cgroup_meta.keep = true;
+               return 0;
+       }
+
+       if (converted == 0) {
+               lxc_conf->cgroup_meta.keep = false;
+               return 0;
+       }
+
+       return -EINVAL;
+}
+
 static int set_config_prlimit(const char *key, const char *value,
                            struct lxc_conf *lxc_conf, void *data)
 {
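Review bot: The two error paths in set_config_cgroup_keep return values of opposite sign: a parse failure returns `-ret` on the line after the lxc_safe_uint() call, which is positive given the `ret < 0` guard, while a value other than 0 or 1 falls through to `return -EINVAL`. If the caller distinguishes success from failure with a `ret < 0` test, as the `-EINVAL` path assumes, a malformed value such as `lxc.cgroup.keep = abc` would be accepted silently and leave `keep` unchanged; I would make both paths agree, `if (ret < 0) return ret;`. The 0/1 handling could then collapse to `if (converted > 1) return -EINVAL;` followed by `lxc_conf->cgroup_meta.keep = (converted == 1); return 0;`. set_config_prlimit's body continues outside the hunk.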
@@ -3187,6 +3215,13 @@ static int get_config_cgroup_dir(const char *key, char *retv, int inlen,
        return fulllen;
 }
 
+static inline int get_config_cgroup_keep(const char *key, char *retv, int inlen,
+                                        struct lxc_conf *lxc_conf, void *data)
+{
+       return lxc_get_conf_int(lxc_conf, retv, inlen,
+                               lxc_conf->cgroup_meta.keep);
+}
+
 static int get_config_idmaps(const char *key, char *retv, int inlen,
                             struct lxc_conf *c, void *data)
 {
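Review bot: get_config_cgroup_keep is declared `static inline` while the neighbouring get_config_cgroup_dir in the hunk header is plain `static int`, and the function's address is stored in the config[] table anyway, so the `inline` hint buys nothing and only breaks the local pattern; I would write `static int get_config_cgroup_keep(const char *key, char *retv, int inlen,` to match. Passing the `bool` field to lxc_get_conf_int relies on integer promotion to 0/1, which is fine but worth a short comment, e.g. `/* bool promotes to 0/1 for the int getter */`. get_config_idmaps's body continues outside the hunk.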
@@ -3927,6 +3962,13 @@ static int clr_config_cgroup_dir(const char *key, struct lxc_conf *lxc_conf,
        return 0;
 }
 
+static inline int clr_config_cgroup_keep(const char *key,
+                                        struct lxc_conf *lxc_conf, void *data)
+{
+       lxc_conf->cgroup_meta.keep = false;
+       return 0;
+}
+
 static inline int clr_config_idmaps(const char *key, struct lxc_conf *c,
                                    void *data)
 {