From: Serge Hallyn Date: Mon, 9 Nov 2015 23:55:54 +0000 (-0600) Subject: container start: unshare cgns when possible X-Git-Tag: lxc-2.0.0.beta2~70^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=12983ba4581e73f18087b2bd471c2d0b8d581a66;p=thirdparty%2Flxc.git container start: unshare cgns when possible We'll probably want to make this configurable with a lxc.cgroupns = [1|0], but for now just always do it. Signed-off-by: Serge Hallyn
---
Changelog 20160104: only try to unshare if /proc/self/ns/cgroup exists.
---
diff --git a/src/lxc/namespace.h b/src/lxc/namespace.h
index 28f17e687..027c76588 100644
--- a/src/lxc/namespace.h
+++ b/src/lxc/namespace.h
@@ -34,6 +34,9 @@
 #ifndef CLONE_NEWNS
 # define CLONE_NEWNS 0x00020000
 #endif
+#ifndef CLONE_NEWCGROUP
+# define CLONE_NEWCGROUP 0x02000000
+#endif
 #ifndef CLONE_NEWUTS
 # define CLONE_NEWUTS 0x04000000
 #endif
diff --git a/src/lxc/start.c b/src/lxc/start.c
index 79dbe335d..6d4d2c211 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -842,6 +842,11 @@ static int do_start(void *data)
 	if (handler->backgrounded && null_stdfds() < 0)
 		goto out_warn_father;
 
+	if (cgns_supported() && unshare(CLONE_NEWCGROUP) != 0) {
+		SYSERROR("Failed to unshare cgroup namespace");
+		goto out_warn_father;
+	}
+
 	/* after this call, we are in error because this
 	 * ops should not return as it execs */
 	handler->ops->start(handler, handler->data);
diff --git a/src/lxc/utils.c b/src/lxc/utils.c
index ad9b0a294..ed8c4c42d 100644
--- a/src/lxc/utils.c
+++ b/src/lxc/utils.c
@@ -1185,6 +1185,11 @@ bool file_exists(const char *f)
 	return stat(f, &statbuf) == 0;
 }
 
+bool cgns_supported(void)
+{
+	return file_exists("/proc/self/ns/cgroup");
+}
+
 /* historically lxc-init has been under /usr/lib/lxc and under
  * /usr/lib/$ARCH/lxc. It now lives as $prefix/sbin/init.lxc.
  */
diff --git a/src/lxc/utils.h b/src/lxc/utils.h
index 059026f01..96ec45c20 100644
--- a/src/lxc/utils.h
+++ b/src/lxc/utils.h
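Review bot: The unshare(CLONE_NEWCGROUP) added just before handler->ops->start() only confines the container's cgroup view if the child has already been moved into its final cgroup, because a new cgroup namespace takes its root from the caller's cgroup at the moment of the unshare; that ordering is not visible in this hunk (do_start begins and ends outside it), so it should be confirmed and recorded at the call site. As far as I can tell, any cgroupfs mounts set up earlier in do_start are likewise unaffected by a later unshare and keep showing their pre-unshare paths, so the placement of this call relative to the mount setup matters too. I would document the dependency on the new check: `/* Must run after the child is in its final cgroup: the new cgroupns is rooted at the caller's current cgroup. */`. Note also that the failure is fatal even though cgns_supported() only tests that the kernel exposes the namespace, not that unshare is permitted from here; if aborting the start is intended, a short comment saying so would save the next reader from relaxing it.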
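Review bot: cgns_supported() carries no comment, and its name promises more than the check delivers: the presence of /proc/self/ns/cgroup shows only that the kernel was built with cgroup namespaces, not that the caller may unshare one or that doing so is meaningful in its current cgroup. Since the caller added in start.c treats a subsequent unshare failure as fatal, the contract should be spelled out at the definition: `/* True if the kernel exposes cgroup namespaces (/proc/self/ns/cgroup exists); says nothing about the privilege to unshare one. */`. The matching prototype in utils.h could carry the same one-line comment.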
@@ -273,6 +273,7 @@ int detect_shared_rootfs(void);
 int detect_ramfs_rootfs(void);
 char *on_path(char *cmd, const char *rootfs);
 bool file_exists(const char *f);
+bool cgns_supported(void);
 char *choose_init(const char *rootfs);
 int print_to_file(const char *file, const char *content);
 bool switch_to_ns(pid_t pid, const char *ns);