cgfsng: cgfsng_monitor_enter()
authorChristian Brauner <christian.brauner@ubuntu.com>
Mon, 10 Sep 2018 14:40:18 +0000 (16:40 +0200)
committerChristian Brauner <christian.brauner@ubuntu.com>
Fri, 21 Sep 2018 14:52:25 +0000 (16:52 +0200)
brauner@wittgenstein|~
> sudo systemctl status lxc@c1
● lxc@c1.service - LXC Container: c1
   Loaded: loaded (/lib/systemd/system/lxc@.service; disabled; vendor preset: enabled)
   Active: active (running) since Tue 2018-09-11 10:42:22 CEST; 38s ago
     Docs: man:lxc-start
           man:lxc
  Process: 29855 ExecStart=/usr/bin/lxc-start -n c1 -p /run/lxc/c1.pid (code=exited, status=0/SUCCESS)
    Tasks: 18 (limit: 4915)
   Memory: 32.1M
   CGroup: /system.slice/system-lxc.slice/lxc@c1.service
           ├─lxc.monitor
           │ └─c1
           │   └─29870 [lxc monitor] /var/lib/lxc c1
           └─lxc.payload
             └─c1
               ├─init.scope
               │ └─29878 /sbin/init
               └─system.slice
                 ├─console-getty.service
                 │ └─30028 /sbin/agetty -o -p -- \u --noclear --keep-baud console 115200,38400,9600 linux
                 ├─cron.service
                 │ └─30019 /usr/sbin/cron -f
                 ├─dbus.service
                 │ └─30020 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
                 ├─networkd-dispatcher.service
                 │ └─30016 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
                 ├─rsyslog.service
                 │ └─30017 /usr/sbin/rsyslogd -n
                 ├─system-container\x2dgetty.slice
                 │ ├─container-getty@0.service
                 │ │ └─30027 /sbin/agetty -o -p -- \u --noclear --keep-baud pts/0 115200,38400,9600 vt220
                 │ ├─container-getty@1.service
                 │ │ └─30030 /sbin/agetty -o -p -- \u --noclear --keep-baud pts/1 115200,38400,9600 vt220
                 │ ├─container-getty@2.service
                 │ │ └─30026 /sbin/agetty -o -p -- \u --noclear --keep-baud pts/2 115200,38400,9600 vt220
                 │ └─container-getty@3.service
                 │   └─30029 /sbin/agetty -o -p -- \u --noclear --keep-baud pts/3 115200,38400,9600 vt220
                 ├─systemd-journald.service
                 │ └─29976 /lib/systemd/systemd-journald
                 ├─systemd-logind.service
                 │ └─30018 /lib/systemd/systemd-logind
                 ├─systemd-networkd.service
                 │ └─29996 /lib/systemd/systemd-networkd
                 ├─systemd-resolved.service
                 │ └─30014 /lib/systemd/systemd-resolved
                 └─systemd-udevd.service
                   └─29986 /lib/systemd/systemd-udevd

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
src/lxc/cgroups/cgfsng.c
src/lxc/start.c

index b67655471421e64ee89645dc511b848b42078af7..a0bde6c03d1a0d7b8a78255fff1085cf2ab79e99 100644 (file)
@@ -1370,33 +1370,48 @@ out_free:
        return false;
 }
 
-__cgfsng_ops__ static bool cgfsng_enter(struct cgroup_ops *ops, pid_t pid)
+__cgfsng_ops__ static bool __do_cgroup_enter(struct cgroup_ops *ops, pid_t pid,
+                                            bool monitor)
 {
-       int i, len;
+       int len;
        char pidstr[25];
 
        len = snprintf(pidstr, 25, "%d", pid);
        if (len < 0 || len >= 25)
                return false;
 
-       for (i = 0; ops->hierarchies[i]; i++) {
+       for (int i = 0; ops->hierarchies[i]; i++) {
                int ret;
-               char *fullpath;
+               char *path;
 
-               fullpath = must_make_path(ops->hierarchies[i]->container_full_path,
-                                         "cgroup.procs", NULL);
-               ret = lxc_write_to_file(fullpath, pidstr, len, false, 0666);
+               if (monitor)
+                       path = must_make_path(ops->hierarchies[i]->monitor_full_path,
+                                             "cgroup.procs", NULL);
+               else
+                       path = must_make_path(ops->hierarchies[i]->container_full_path,
+                                             "cgroup.procs", NULL);
+               ret = lxc_write_to_file(path, pidstr, len, false, 0666);
                if (ret != 0) {
-                       SYSERROR("Failed to enter cgroup \"%s\"", fullpath);
-                       free(fullpath);
+                       SYSERROR("Failed to enter cgroup \"%s\"", path);
+                       free(path);
                        return false;
                }
-               free(fullpath);
+               free(path);
        }
 
        return true;
 }
 
+static bool cgfsng_monitor_enter(struct cgroup_ops *ops, pid_t pid)
+{
+       return __do_cgroup_enter(ops, pid, true);
+}
+
+static bool cgfsng_payload_enter(struct cgroup_ops *ops, pid_t pid)
+{
+       return __do_cgroup_enter(ops, pid, false);
+}
+
 static int chowmod(char *path, uid_t chown_uid, gid_t chown_gid,
                   mode_t chmod_mode)
 {
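Review bot: The `__cgfsng_ops__` marker ends up on the internal helper `__do_cgroup_enter()`, while the two functions actually installed in the ops table, `cgfsng_monitor_enter()` and `cgfsng_payload_enter()`, are declared without it. If the marker is meant to tag cgroup_ops callbacks (its definition is not visible here), it belongs on the wrappers, e.g. `__cgfsng_ops__ static bool cgfsng_monitor_enter(struct cgroup_ops *ops, pid_t pid)` and the same for the payload variant, leaving the helper a plain `static bool`. The helper would also benefit from a one-line comment such as `/* Write pid to cgroup.procs of every hierarchy; monitor selects monitor_full_path instead of container_full_path. */`, because a bare `true`/`false` at the call sites does not say which cgroup is targeted.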
@@ -2656,6 +2671,7 @@ struct cgroup_ops *cgfsng_ops_init(struct lxc_conf *conf)
        cgfsng_ops->data_init = cgfsng_data_init;
        cgfsng_ops->destroy = cgfsng_destroy;
        cgfsng_ops->monitor_create = cgfsng_monitor_create;
+       cgfsng_ops->monitor_enter = cgfsng_monitor_enter;
        cgfsng_ops->payload_create = cgfsng_payload_create;
        cgfsng_ops->payload_enter = cgfsng_payload_enter;
        cgfsng_ops->escape = cgfsng_escape;
index 55eee070f3a208203b28e32f6c320fc66e705eb6..0629e90c4271a7eea0c0b1b1a08b7538f3bde1ec 100644 (file)
@@ -1971,6 +1971,11 @@ int __lxc_start(const char *name, struct lxc_handler *handler,
                goto out_fini_nonet;
        }
 
+       if (!cgroup_ops->monitor_enter(cgroup_ops, lxc_raw_getpid())) {
+               ERROR("Failed to enter monitor cgroup");
+               goto out_fini_nonet;
+       }
+
        if (geteuid() == 0 && !lxc_list_empty(&conf->id_map)) {
                /* If the backing store is a device, mount it here and now. */
                if (rootfs_is_blockdev(conf)) {
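Review bot: A failed `monitor_enter()` can leave the monitor half-moved, because the helper in cgfsng.c returns at the first hierarchy whose `cgroup.procs` write fails, after the pid has already been written to the earlier ones. The jump to `out_fini_nonet` then runs cleanup with the monitor possibly still inside the monitor cgroup of some hierarchies. Whether that cleanup path copes with a cgroup that is still populated is not visible in this hunk and should be checked. At minimum a comment above the call, e.g. `/* On failure the monitor may already sit in some hierarchies' monitor cgroup. */`, would record the state the error path has to handle. `__lxc_start()` begins and ends outside the hunk.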