From: Serge Hallyn Date: Thu, 17 Jul 2014 22:20:34 +0000 (-0500) Subject: remove mountcgroup hook entirely X-Git-Tag: lxc-1.1.0.alpha2~128 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cd6b3e37a6d9ceffb76c4b552e0cc55fe623f8d2;p=thirdparty%2Flxc.git remove mountcgroup hook entirely Also fix the comment in lxc-cirros template (which I overlooked last time). Signed-off-by: Serge Hallyn Acked-by: Stéphane Graber
---
diff --git a/hooks/Makefile.am b/hooks/Makefile.am
index 64bb26b36..be55601e0 100644
--- a/hooks/Makefile.am
+++ b/hooks/Makefile.am
@@ -2,7 +2,6 @@ hooksdir=@LXCHOOKDIR@
 hooks_SCRIPTS = \
 clonehostname \
- mountcgroups \
 mountecryptfsroot \
 ubuntu-cloud-prep \
 squid-deb-proxy-client
diff --git a/hooks/mountcgroups b/hooks/mountcgroups
deleted file mode 100755
index 073929c60..000000000
--- a/hooks/mountcgroups
+++ /dev/null
@@ -1,69 +0,0 @@
-#!/bin/bash
-
-# (C) Copyright Canonical 2011,2012
-
-# This library is free software; you can redistribute it and/or
-# modify it under the terms of the GNU Lesser General Public
-# License as published by the Free Software Foundation; either
-# version 2.1 of the License, or (at your option) any later version.
-
-# This library is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-# Lesser General Public License for more details.
-
-# You should have received a copy of the GNU Lesser General Public
-# License along with this library; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
-
-#
-# This is an example hook to mount all mounted cgroups in the
-# container. Only the container's own cgroup (not parents) will be
-# accessible to the container. You can enable this by adding
-# lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups
-# to your container's configuration file.
-
-set -e
-
-c=$1
-configfile=$LXC_CONFIG_FILE
-d=/sys/fs/cgroup
-d2=$LXC_ROOTFS_MOUNT/${d}
-# name lxc hook lxcpath
-lxcpath=$4
-if [ ! -d "$d" ]; then
- exit 0
-fi
-
-mount -n -t tmpfs tmpfs ${d2}
-
-do_devices_setup() {
- local devdir="$1"
- local c="$2"
- local line
- local w # which (allow or deny)
- local v # value
- # lxc.include provides common configuration options
- local commonconfigfile=$(egrep "^lxc.include[ \t]*=" ${configfile} | awk -F= '{ print $2 }')
- cat ${configfile} ${commonconfigfile} | egrep "^lxc.cgroup.devices.(allow|deny)[ \t]*=" | while read line; do
- w=`echo $line | awk -F. '{ print $4 }' | awk '{ print $1 }'`
- v=`echo $line | awk -F= '{ print $2 }'`
- echo "$v" >> "$devdir"/devices.$w
- done
-}
-
-# XXX TODO - we'll need to account for other cgroup groups beside 'lxc',
-# i.e. 'build' or 'users/joe'.
-for dir in `/bin/ls $d`; do
- if [ "$dir" = "devices" ]; then
- devicesdir="${d}/${dir}/lxc/${c}"
- mkdir -p "$devicesdir"
- # set the devices cgroup perms now - we can't change from blacklist to
- # whitelist, or add perms, once we have children.
- do_devices_setup "$devicesdir" "${c}"
- fi
- mkdir -p "${d}/${dir}/lxc/${c}/${c}.real"
- echo 1 > "${d}/${dir}/lxc/${c}/${c}.real/tasks"
- mkdir -p ${d2}/${dir}
- mount -n --bind "${d}/${dir}/lxc/${c}/${c}.real" "${d2}/${dir}"
-done
diff --git a/templates/lxc-cirros.in b/templates/lxc-cirros.in
index 986b2b129..24b9210aa 100644
--- a/templates/lxc-cirros.in
+++ b/templates/lxc-cirros.in
@@ -121,7 +121,7 @@ lxc.cap.drop = sys_module mac_admin mac_override sys_time
 #lxc.aa_profile = unconfined
 # To support container nesting on an Ubuntu host, uncomment next two lines:
 #lxc.aa_profile = lxc-container-default-with-nesting
-#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups
+#lxc.mount.auto = cgroup
 lxc.cgroup.devices.deny = a
 # Allow any mknod (but not using the node)
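Review bot: The replacement comment line `#lxc.mount.auto = cgroup` in templates/lxc-cirros.in leaves the cgroup mount mode implicit, so a user who uncomments it for nesting cannot tell from the template how much of the cgroup hierarchy is writable inside the container. The removed hook stated its scope in its header (only the container's own cgroup, not the parents); to keep that visible I would spell the mode out, e.g. `#lxc.mount.auto = cgroup:mixed`, assuming nesting works with it on the targeted hosts. As far as I recall, what the bare value resolves to has differed between LXC releases and can depend on whether CAP_SYS_ADMIN is retained, which the `lxc.cap.drop` line shown in the hunk header does not drop, so this is worth confirming against lxc.container.conf(5) for the release this ships in. The hunk header announces seven lines and six are visible here, so the trailing context is not fully shown.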