From: Christian Brauner
Date: Thu, 3 Nov 2016 20:24:31 +0000 (+0100)
Subject: start: CLONE_NEWCGROUP after we have setup cgroups
X-Git-Tag: lxc-2.1.0~276^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1275%2Fhead;p=thirdparty%2Flxc.git
start: CLONE_NEWCGROUP after we have setup cgroups
If we do it earlier we end up with a wrong view of /proc/self/cgroup. For example, assume we unshare(CLONE_NEWCGROUP) first, and then create the cgroup for the container, say /sys/fs/cgroup/cpuset/lxc/c, then /proc/self/cgroup would show us: 8:cpuset:/lxc/c whereas it should actually show 8:cpuset:/
Signed-off-by: Christian Brauner
---
diff --git a/src/lxc/start.c b/src/lxc/start.c
index d9c65464d..451becb33 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -854,6 +854,26 @@ static int do_start(void *data)
 if (lxc_sync_barrier_parent(handler, LXC_SYNC_CGROUP))
 goto out_error;
+ /* Unshare cgroup namespace after we have setup our cgroups. If we do it
+ * earlier we end up with a wrong view of /proc/self/cgroup. For
+ * example, assume we unshare(CLONE_NEWCGROUP) first, and then create
+ * the cgroup for the container, say /sys/fs/cgroup/cpuset/lxc/c, then
+ * /proc/self/cgroup would show us:
+ *
+ * 8:cpuset:/lxc/c
+ *
+ * whereas it should actually show
+ *
+ * 8:cpuset:/
+ */
+ if (cgns_supported()) {
+ if (unshare(CLONE_NEWCGROUP) < 0) {
+ INFO("Failed to unshare CLONE_NEWCGROUP.");
+ goto out_warn_father;
+ }
+ INFO("Unshared CLONE_NEWCGROUP.");
+ }
+
 /* Set the label to change to when we exec(2) the container's init */
 if (lsm_process_label_set(NULL, handler->conf, 1, 1) < 0)
 goto out_warn_father;
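Review bot: The failure branch of the new unshare(CLONE_NEWCGROUP) call aborts the container start via out_warn_father but only logs at INFO and drops errno, so an EPERM or EINVAL from the kernel leaves no trace of why the start failed; use `SYSERROR("Failed to unshare CLONE_NEWCGROUP.");` there, matching the SYSERROR used on the lxc_clone failure path in the second hunk. Because that second hunk also stops setting CLONE_NEWCGROUP in handler->clone_flags, any later code that inspects those flags to decide whether the container has its own cgroup namespace (attach logic, for instance) would now see it unset — presumably nothing in this file relies on that, but it is worth confirming before merging. The correctness of the new placement also rests silently on the LXC_SYNC_CGROUP barrier just above, which appears to be where the parent finishes placing this process in its cgroups; a line appended to the new comment such as `* Must stay after the LXC_SYNC_CGROUP barrier: the new namespace roots at whatever cgroup we are in when unshare() runs.` would keep a future refactor from moving it back up. do_start begins and ends outside this hunk.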
@@ -1156,10 +1176,6 @@ static int lxc_spawn(struct lxc_handler *handler)
 flags = handler->clone_flags;
 if (handler->clone_flags & CLONE_NEWUSER)
 flags &= ~CLONE_NEWNET;
- if (cgns_supported()) {
- handler->clone_flags |= CLONE_NEWCGROUP;
- flags |= CLONE_NEWCGROUP;
- }
 handler->pid = lxc_clone(do_start, handler, flags);
 if (handler->pid < 0) {
 SYSERROR("failed to fork into a new namespace");