From: Christian Brauner
Date: Mon, 15 Feb 2021 14:07:02 +0000 (+0100)
Subject: cgroupfs: rework cgroup2 mounting
X-Git-Tag: lxc-5.0.0~287^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a3e5ec2657e90319f375b2494dd3870a2b53ca46;p=thirdparty%2Flxc.git

cgroupfs: rework cgroup2 mounting

We now explicitly refuse to mount cgroups on pure unified layouts when the container is not running in a separate cgroup namespace. This is not a regression since we simply always failed before anyway. I will likely fix this very soon though. But there are bigger fish to fry currently.

Signed-off-by: Christian Brauner
---
diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
index c4a77dba7..30ccf8e37 100644
--- a/src/lxc/cgroups/cgfsng.c
+++ b/src/lxc/cgroups/cgfsng.c
@@ -1949,19 +1949,66 @@ __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops,
 * If cgroup namespaces are supported but the container will
 * not have CAP_SYS_ADMIN after it has started we need to mount
 * the cgroups manually.
+ *
+ * Note that here we know that wants_force_mount is true.
+ * Otherwise we would've returned early above.
 */
- if (in_cgroup_ns && wants_force_mount)
+ if (in_cgroup_ns) {
+ /*
+ * 1. cgroup:rw:force -> Mount the cgroup2 filesystem.
+ * 2. cgroup:ro:force -> Mount the cgroup2 filesystem read-only.
+ * 3. cgroup:mixed:force -> See comment above how this
+ * does not apply so
+ * cgroup:mixed is equal to
+ * cgroup:rw when cgroup
+ * namespaces are supported.
+ * 4. cgroup:rw -> No-op; init system responsible for mounting.
+ * 5. cgroup:ro -> No-op; init system responsible for mounting.
+ * 6. cgroup:mixed -> No-op; init system responsible for mounting.
+ *
+ * 7. cgroup-full:rw -> Not supported.
+ * 8. cgroup-full:ro -> Not supported.
+ * 9. cgroup-full:mixed -> Not supported.
+ * 10. cgroup-full:rw:force -> Not supported.
+ * 11. cgroup-full:ro:force -> Not supported.
+ * 12. cgroup-full:mixed:force -> Not supported.
+ */
 ret = cgroupfs_mount(cg_flags, ops->unified, rootfs, dfd_mnt_cgroupfs, "");
- else
- ret = cgroupfs_bind_mount(cg_flags, ops->unified, rootfs, dfd_mnt_cgroupfs, "");
- if (ret < 0)
- return syserrno(false, "Failed to%s mount cgroup filesystem%s",
- wants_force_mount ? " force mount" : "",
- in_cgroup_ns ? " in cgroup namespace" : "");
+ if (ret < 0)
+ return syserrno(false, "Failed to force mount cgroup filesystem in cgroup namespace");
+
+ return log_trace(true, "Force mounted cgroup filesystem in new cgroup namespace");
+ } else {
+ /*
+ * Either no cgroup namespace supported (highly
+ * unlikely unless we're dealing with a Frankenkernel.
+ * Or the user requested to keep the cgroup namespace
+ * of the host or another container.
+ */
+ if (wants_force_mount) {
+ /*
+ * 1. cgroup:rw:force -> Bind-mount the cgroup2 filesystem writable.
+ * 2. cgroup:ro:force -> Bind-mount the cgroup2 filesystem read-only.
+ * 3. cgroup:mixed:force -> bind-mount the cgroup2 filesystem and
+ * and make the parent directory of the
+ * container's cgroup read-only but the
+ * container's cgroup writable.
+ *
+ * 10. cgroup-full:rw:force ->
+ * 11. cgroup-full:ro:force ->
+ * 12. cgroup-full:mixed:force ->
+ */
+ errno = EOPNOTSUPP;
+ SYSWARN("Force-mounting the unified cgroup hierarchy without cgroup namespace support is currently not supported");
+ } else {
+ errno = EOPNOTSUPP;
+ SYSWARN("Mounting the unified cgroup hierarchy without cgroup namespace support is currently not supported");
+ }
+ }
- return log_trace(true, "%s cgroup filesystem%s",
- wants_force_mount ? "Force mounted" : "Mounted",
- in_cgroup_ns ? " in cgroup namespace" : "");
+ return syserrno(false, "Failed to mount cgroups");
 }
 /*
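Review bot: The new comment at the top of the hunk asserts that wants_force_mount is known to be true at this point, yet the non-namespace branch still tests `if (wants_force_mount)` and carries a separate "Mounting the unified cgroup hierarchy ..." warning for the false case; if the early return the comment cites exists, that inner else and its message are unreachable, and if it does not, the comment is wrong, so one of the two should be dropped. Separately, both arms set `errno = EOPNOTSUPP;`, log via SYSWARN() and then fall through to the shared `return syserrno(false, "Failed to mount cgroups");`, which reports the same refusal twice at two log levels and makes the final error text depend on nothing in the warning path having touched errno in between; returning from the arm directly, e.g. `return syserrno(false, "Force-mounting the unified cgroup hierarchy without cgroup namespace support is currently not supported");`, avoids both. The enclosing cgfsng_mount() begins before this hunk, so the early return the comment refers to could not be confirmed from here.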