Nelson Elhage [Fri, 18 Feb 2011 01:55:12 +0000 (20:55 -0500)]
cgrulesengd: Ignore netlink messages that don't come from the kernel.
recvfrom() returns the address, it doesn't filter the packet based on the
sender. We need to explicitly check the received address after the call happens.
Signed-off-by: Nelson Elhage <nelhage@ksplice.com>
Signed-off-by: Jan Safranek <jsafrane@redhat.com>
Ken'ichi Ohmichi [Thu, 10 Feb 2011 04:41:58 +0000 (13:41 +0900)]
Make --sticky option effective when setuid(2) and setgid(2)
A cgrulesengd daemon did not check whether a stickied process or when
setuid(2)/setgid(2) happens, and the daemon moved the process based on
/etc/cgrules.conf.
So --sticky option was not effective when setuid(2)/setgid(2).
This patch makes --sticky effective when setuid(2) and setgid(2) also.
Balbir Singh [Sun, 2 Jan 2011 10:03:32 +0000 (15:33 +0530)]
Add bindings for python
The added bindings depend on swig and hence are disabled by
default. If you know what you are doing, enable the bindings
for python. To test the bindings, ensure _libcgroup.so
is copied in the same directory as libcgroup.py. Thereafter
libcgroup APIs can be invoked from python.
Please use --enable-bindings after installing swig to compile
with the changes
Jiri Slaby [Tue, 4 Jan 2011 16:56:40 +0000 (17:56 +0100)]
[PATCH 3/3] config: fix segfault in cgconfigparser
We now get:
Program received signal SIGSEGV, Segmentation fault.
cgroup_add_controller (cgroup=0x7ffff7f86010, name=0x606300 "cpuacct") at wrapper.c:70
70 cgroup->controller[cgroup->index] = controller;
(gdb) where
0 cgroup_add_controller (cgroup=0x7ffff7f86010, name=0x606300 "cpuacct") at wrapper.c:70
1 0x00007ffff79806d4 in cgroup_config_parse_controller_options (controller=0x606300 "cpuacct", values=0x6085b0)
at config.c:135
2 0x00007ffff79793ec in yyparse () at parse.y:97
3 0x00007ffff7980ee1 in cgroup_config_load_config (pathname=<value optimized out>) at config.c:667
4 0x00000000004009f4 in main (argc=3, argv=0x7fffffffdf08) at cgconfig.c:67
It's because cgroup structure is uninitialized. Especially its member
index is not and later we access cgroup->controller[cgroup->index]
with cgroup->index negative and kaboom, we explode.
Jiri Slaby [Tue, 4 Jan 2011 16:56:39 +0000 (17:56 +0100)]
[PATCH 2/3] cgsnapshot: fix strn* lengths
The 'n' parameter in strncat stands for how much to copy from src, not
what's dest overall space. So we need to subtract full strlen we have
constructed so far.
Also fix one strncpy where we may pass too much as well as in strncpy.
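The strncat() length rule from the commit message above, as an added example that is not code from libcgroup. The helpers `append_bounded` and `build_path` and the sample path components are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/*
 * Hypothetical helper: append src to the NUL-terminated string in dst,
 * whose buffer holds dst_size bytes in total.
 * Returns 0 when all of src fit, -1 when it was truncated or when dst
 * is not terminated inside its own buffer.
 */
int append_bounded(char *dst, size_t dst_size, const char *src)
{
    const char *end = memchr(dst, '\0', dst_size);
    size_t used, room;

    if (end == NULL)
        return -1;
    used = (size_t)(end - dst);
    room = dst_size - used - 1;   /* free bytes, terminator excluded */

    /*
     * The mistake the commit describes is strncat(dst, src, dst_size):
     * 'n' limits what is copied from src, so the bytes already in dst
     * have to be subtracted first.
     */
    strncat(dst, src, room);
    return strlen(src) <= room ? 0 : -1;
}

/* Build "<mount>/<group>/<file>" without writing past out_size bytes. */
int build_path(char *out, size_t out_size, const char *mount,
               const char *group, const char *file)
{
    int rc = 0;

    if (out_size == 0)
        return -1;
    out[0] = '\0';
    rc |= append_bounded(out, out_size, mount);
    rc |= append_bounded(out, out_size, "/");
    rc |= append_bounded(out, out_size, group);
    rc |= append_bounded(out, out_size, "/");
    rc |= append_bounded(out, out_size, file);
    return rc ? -1 : 0;
}
```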
When one passes no input to the parser, it spits out:
Cannot have mount and namespace keyword in the same configuration file
It's wrong, because we have none of them. So change it to:
Either mount or namespace keyword has to be specified in the configuration file
cgred.in: fix return value start()/stop() function's
Now cgred script can't return proper value. Because
stop()/start() functions return result of if [] when failing,
and result of wrong commands when succeeding.
So fix this.
Signed-off-by: Masaki Tachibana <tachibana@mxm.nes.nec.co.jp>
Signed-off-by: Jan Safranek <jsafrane@redhat.com>
Ciju Rajan K [Wed, 15 Dec 2010 11:19:23 +0000 (16:49 +0530)]
When we invoke cgroup_get_cgroup() to get the cgroup meta data, the
admin_id and admin_gid are not displayed correctly. This is because
cgroup_fill_cgc() does not differentiate between the cgroup control
files and tasks file. So cgroup->control_uid and cgroup->control_gid
fields are getting populated with the uid and gid of tasks file.
This patch fixes this problem by adding a check in the cgroup_fill_cgc()
function to see if the file is a 'tasks' file or not.
Changes from v1.0:
* Instead of using strstr() using pointer arithmetic to get the last six
characters of the entire path
* Fixed the problem of dealing *tasks* string as part of directory names
Signed-off-by: Ciju Rajan K <ciju@linux.vnet.ibm.com>
Acked-by: Dhaval Giani <dhaval.giani@gmail.com>
Signed-off-by: Balbir Singh <balbir@linux.vnet.ibm.com>
Jan Safranek [Thu, 2 Dec 2010 14:00:40 +0000 (15:00 +0100)]
if a hierarchy with more controllers is parsed before hierarchy with less
controllers as the last two hierarchies, then the output of cgsnapshot is
broken - test is missing
Signed-off-by: Ivana Hutarova Varekova <varekova@redhat.com>
Acked-by: Jan Safranek <jsafrane@redhat.com>
Signed-off-by: Jan Safranek <jsafrane@redhat.com>
Jan Safranek [Thu, 2 Dec 2010 14:00:40 +0000 (15:00 +0100)]
There is a bug which causes the initialised configuration to
be bogus or not to work at all, and the majority of tools do not work well.
The situation happens when multiple mount points are mounted for one hierarchy and the hierarchy
have multiple controllers:
Signed-off-by: Ivana Hutarova Varekova <varekova@redhat.com>
Acked-by: Jan Safranek <jsafrane@redhat.com>
Signed-off-by: Jan Safranek <jsafrane@redhat.com>
Jan Safranek [Thu, 2 Dec 2010 14:00:40 +0000 (15:00 +0100)]
there is no sense to read the data for cgroup which was not found
Signed-off-by: Ivana Hutarova Varekova <varekova@redhat.com>
Acked-by: Jan Safranek <jsafrane@redhat.com>
Signed-off-by: Jan Safranek <jsafrane@redhat.com>
Jan Safranek [Thu, 2 Dec 2010 14:00:40 +0000 (15:00 +0100)]
There is a bogus test in cgroup_get_parent_name
which returns error in situation when 0 should be returned.
This causes problem e.g. when a hierarchy is mounted to two
mount points.
CHANGELOG:
- the test is not removed but moved to the else part
EXAMPLE:
$ cat aux.conf
mount {
cpu = /cgroup/cpu;
cpuacct = /cgroup/cpu;
memory = /cgroup/memory;
}
group hXAjiy/wWRq {
cpu {}
memory {}
}
$ mkdir /mnt/cgroups/cpu 2>/dev/null
$ mount -t cgroup -o cpu,cpuacct cpu /mnt/cgroups/cpu
$ time cgconfigparser -l aux.conf
$ cgclear
$ cat /proc/cgroups
Dhaval Giani [Tue, 16 Nov 2010 13:29:49 +0000 (14:29 +0100)]
v2 [patch 4/6] api: Use a new counter in an inner loop
The same counter is reused in an inner loop in cg_prepare_cgroup.
This is perfectly fine simply because we never exit the inner
loop to the outer loop. The only way out of the inner loop leads
to a return statement, during which there is no mention of the
outer counter.
However, this is ugly code, and hard to read and may lead to bugs
if someone decides to refactor the code. So clean it all up using a
different counter.
Thanks to Steve Grubb for raising this issue at
http://article.gmane.org/gmane.comp.lib.libcg.devel/2485
Reported-by: Steve Grubb <sgrubb@redhat.com>
Signed-off-by: Dhaval Giani <dhaval.giani@gmail.com>
Acked-By: Jan Safranek <jsafrane@redhat.com>
Dhaval Giani [Tue, 16 Nov 2010 13:29:48 +0000 (14:29 +0100)]
v2 [patch 3/6] libcgroup: Fix up memory leak in cgroup_basename
We were not freeing up tmp_string if the strdup for basename failed.
Since we anyway need to free up tmp_string and return NULL if the
strdup failed, we don't really care about testing the return value
of the strdup, and therefore this check is not needed. Remove this
check then.
Thanks to Steve Grubb's review at
http://article.gmane.org/gmane.comp.lib.libcg.devel/2485
Reported-by: Steve Grubb <sgrubb@redhat.com>
Signed-off-by: Dhaval Giani <dhaval.giani@gmail.com>
Acked-By: Jan Safranek <jsafrane@redhat.com>
Dhaval Giani [Tue, 16 Nov 2010 13:29:47 +0000 (14:29 +0100)]
v2 [patch 2/6] wrapper.c: correct the return types
Steve Grubb was kind enough to do a review at
http://article.gmane.org/gmane.comp.lib.libcg.devel/2485
and pointed out that we were checking for unsigned values to be
negative. That is of course wrong, and we need to actually be
checking integers. Correct the return type so that the check
is valid once more.
Reported-by: Steve Grubb <sgrubb@redhat.com>
Signed-off-by: Dhaval Giani <dhaval.giani@gmail.com>
Acked-By: Jan Safranek <jsafrane@redhat.com>
Dhaval Giani [Tue, 16 Nov 2010 13:29:46 +0000 (14:29 +0100)]
v2 [patch 1/6] wrapper.c: Fix memory leaks
Steve Grubb was kind enough to do a code review at
http://article.gmane.org/gmane.comp.lib.libcg.devel/2485
and spotted a few memory leaks. Take care of them!
Reported-by: Steve Grubb <sgrubb@redhat.com>
Signed-off-by: Dhaval Giani <dhaval.giani@gmail.com>
Acked-By: Jan Safranek <jsafrane@redhat.com>
Jan Safranek [Mon, 15 Nov 2010 13:59:44 +0000 (14:59 +0100)]
Set cgrulesengd socket owner
Currently, cgexec has suid flag and runs as root because it needs to
communicate with cgrulesengd using /var/run/cgred.socket. This is generally
frowned upon, so let's add few options to cgrulesengd to set the socket
owner to someone else - cgexec does not need to run as powerful root, but
as some new harmless user or group.
Signed-off-by: Jan Safranek <jsafrane@redhat.com>
Signed-off-by: Dhaval Giani <dhaval.giani@gmail.com>
This patch fixes several minor problems in manual pages:
* cgconfig.conf (5) .. fix "SEE ALSO" part
* cgcreate .. fix the SYNTAX part format - add bold to -g
* cgdelete .. fix .TH tag and add space to "SEE ALSO" part
* cgcreate .. fix the SYNTAX part format - add bold to -a
* cgsnapshot .. remove newline in SYNOPSIS part
* lscgroup, lssubsys, cgrules.conf .. add space to "SEE ALSO" part
Signed-off-by: Ivana Hutarova Varekova <varekova@redhat.com>
Signed-off-by: Jan Safranek <jsafrane@redhat.com>
In 2.3.36 there is new variable (memory.oom_control)
in memory controller, this variable should be blacklisted now
(cgsnapshot should have some additional logic for it)
Signed-off-by: Ivana Hutarova Varekova <varekova@redhat.com>
Signed-off-by: Jan Safranek <jsafrane@redhat.com>
Acked-by: Dhaval Giani <dhaval.giani@gmail.com>
Jan Safranek [Wed, 10 Nov 2010 15:09:55 +0000 (16:09 +0100)]
Before: Error: libcgroup initialization failed, 50001
Now: Error: libcgroup initialization failed, Cgroup is not mounted
Changelog:
- point to /etc/cgrules/conf when loading of the rules failed
Before: Error: libcgroup failed to initialize rulescache, No such file or
directory
Now: Error: libcgroup failed to initialize rulescache from
/etc/cgrules.conf. No such file or directory
Signed-off-by: Jan Safranek <jsafrane@redhat.com>
Acked-by: Ivana Hutarova Varekova <varekova@redhat.com>
This patch adds options -f and -d to cgcreate, it causes the permission change of the files of the created group
-d, --dperm mode
sets the permission mode of control groups directory. The mode has to be set using octal numbers e.g. -d 775.
-f, --fperm mode
sets the permission mode of control groups files. The mode has to be set using octal numbers e.g. -f 775.
CHANGELOG v1:
* fix jsafrane feedback (thanks for it)
EXAMPLE:
#cgcreate -f 775 -d 775 -g devices:with
#cgcreate -g devices:without
# ll /cgroup/devices/ | grep with
drwxrwxr-x. 2 root root 0 Oct 29 06:55 with
drwxr-xr-x. 2 root root 0 Oct 29 06:55 without
# ll /cgroup/devices/with
total 0
-rwxrwxr-x. 1 root root 0 Oct 29 06:55 cgroup.event_control
-rwxrwxr-x. 1 root root 0 Oct 29 06:55 cgroup.procs
-rwxrwxr-x. 1 root root 0 Oct 29 06:55 devices.allow
-rwxrwxr-x. 1 root root 0 Oct 29 06:55 devices.deny
-rwxrwxr-x. 1 root root 0 Oct 29 06:55 devices.list
-rwxrwxr-x. 1 root root 0 Oct 29 06:55 notify_on_release
-rwxrwxr-x. 1 root root 0 Oct 29 06:55 tasks
# ll /cgroup/devices/without/
total 0
--w--w--w-. 1 root root 0 Oct 29 06:55 cgroup.event_control
-r--r--r--. 1 root root 0 Oct 29 06:55 cgroup.procs
--w-------. 1 root root 0 Oct 29 06:55 devices.allow
--w-------. 1 root root 0 Oct 29 06:55 devices.deny
-r--r--r--. 1 root root 0 Oct 29 06:55 devices.list
-rw-r--r--. 1 root root 0 Oct 29 06:55 notify_on_release
-rw-r--r--. 1 root root 0 Oct 29 06:55 tasks
Signed-off-by: Ivana Hutarova Varekova <varekova@redhat.com>
Signed-off-by: Jan Safranek <jsafrane@redhat.com>
This patch adds permission change function
int cg_chmod_recursive(struct cgroup *cgroup, mode_t dir_mode,
int dirm_change, mode_t file_mode, int filem_change);
It changes the directory and files permissions to the given values.
If dirm_change is nonzero, then directory permissions will be set to the second parameter
dir_mode.
If filem_change is nonzero, then directory permissions will be set to the second parameter
file_mode.
CHANGELOG v2:
* fix the return value check for cg_chmod_file procedure
CHANGELOG v1:
* improve the patch description and typo in comment
* fix the problems jsafrane reported
Signed-off-by: Ivana Hutarova Varekova <varekova@redhat.com>
Signed-off-by: Jan Safranek <jsafrane@redhat.com>
fixes the cgsnapshot problem with pfile permissions
cgconfigparser changes the permissions of all files. That's why to test whether the variable file is writable, there have to be used the variable file from the root group.
CHANGELOG:
* add the information why root group is used for finding which variable is writable
Signed-off-by: Ivana Hutarova Varekova <varekova@redhat.com>
Signed-off-by: Jan Safranek <jsafrane@redhat.com>
CHANGELOGS:
CHANGELOG v7
* fix the warnings, remove the root path variable at all, free the name
CHANGELOG v6
* remove the default whitelist (now default state is no whitelist is used)
* incorporate jan's feedback
* dynamic allocation of variable names in lists
* fix the path names and reading
CHANGELOG v5
* add the default blacklist and whitelist
* -w, -b: there is options for setting both blacklist and whitelist configuration files
* -t: add the possibility to read the whitelist strictly
CHANGELOG v3
* white/blacklist is cached
* incorporate jsafraneks feedback
CHANGELOG v2
* add whitelist which describe the set of variables which can be dealt by
cgsnapshot without any problem (the values which with which have cgsnapshot
the problems are there with TODO comment and the reason) without -s option
the skipped variables are output with the warning text
* add the possibility to set the whitelist file
* add the possibility to redirect the output
CHANGELOG v1
* more verbose comments
* tune the variable names/description/usage in display_controller_data
function
* remove unnecessary .stat exception
SYNOPSIS:
cgsnapshot [-h] [-s] [-t] [-b file] [-w file] [-f output_file] [controller] [...]
Generate the configuration file from the given controllers of control groups
-b,--blacklist file Set the blacklist configuration file (default /etc/cgsnapshot_blacklist.conf)
-f,--file Redirect the output to output_file
-h,--help Display this help
-s,--silent Ignore all warnings
-t,--strict Don't show the variables which are not on the whitelist
-w,--whitelist file Set the whitelist configuration file (don't used by default)
Jan Safranek [Tue, 5 Oct 2010 07:51:10 +0000 (13:21 +0530)]
If cgconfigparser fails, it tries to delete created groups. But if they are
in the config file in wrong order, it tries to remove a parent group before
its children are destroyed, resulting into error.
The roll back should use recursive delete. And in addition, it should
delete as much as possible, not to stop on first error.
Signed-off-by: Jan Safranek <jsafrane@redhat.com>
Reviewed-By: Ivana Hutarova Varekova <varekova@redhat.com>
Tested-By: Ivana Hutarova Varekova <varekova@redhat.com>
Signed-off-by: Balbir Singh <balbir@linux.vnet.ibm.com>
Add the flag CGROUP_DAEMON_CANCEL_UNCHANGE_PROCESS.
A new flag CGROUP_DAEMON_CANCEL_UNCHANGE_PROCESS cancels the unchanged process.
If specifying this flag as the argument of cgroup_register_unchanged_process,
a cgrulesengd daemon can move the specified process to right cgroup based on
/etc/cgrules.conf.
Add the flag CGROUP_DAEMON_CANCEL_UNCHANGE_PROCESS.
Hi,
A new flag CGROUP_DAEMON_CANCEL_UNCHANGE_PROCESS cancels the unchanged process.
If specifying this flag as the argument of cgroup_register_unchanged_process,
a cgrulesengd daemon can move the specified process to right cgroup based on
/etc/cgrules.conf.
There is a problem in cgroup_init function
Now if the function strtok_r get at first the controller which
precedes some other controllers on the mount-point option list,
then it removes all next controllers from the list and they are omitted.
The test which is done by strtok_r is redundant (there is already
hasmntopt test), so the patch is removing it at all.
E.G. use commands:
$ mount -t cgroup -o cpu,memory,net_cls lab1 /cgroup/lab1
$ mount -t cgroup -o remount,cpuset,cpu,memory,net_cls lab1 /cgroup/lab1
$ lssubsys -ma
Signed-off-by: Ivana Hutarova Varekova <varekova@redhat.com>
Signed-off-by: Balbir Singh <balbir@linux.vnet.ibm.com>
changelog
incorporate Jan's feedback
- test the return value of cgroup_read_value_next
- output \t character only after the whole row of the output
This patch reworks cgget to use cgroup_read_vars_{begin/next/end}
iterators - it fixes the problem with long variables (like e.g. devices.list)
it also fixes the bug in stat file reading (it shows the variables in root
directory all time)
Signed-off-by: Ivana Hutarova Varekova <varekova@redhat.com>
Signed-off-by: Jan Safranek <jsafrane@redhat.com>
This patch adds three iterator API functions
cgroup_read_vars_begin
cgroup_read_vars_next
cgroup_read_vars_end
They read the values of the given variable for the specified
controller and control group. The string with the maximal
length max is returned line is returned per
cgroup_read_stats_begin() and cgroup_read_stats_next() call.
(there already are _stat_ versions of function which can read only stat
variables)
Signed-off-by: Ivana Hutarova Varekova <varekova@redhat.com>
Signed-off-by: Jan Safranek <jsafrane@redhat.com>
Jan Safranek [Tue, 7 Sep 2010 18:04:52 +0000 (23:34 +0530)]
Rewrite cg_mkdir_p so it does not change current working directory.
Old sequence of operations when creating e.g. /cgroup/cpu
$OLDCWD=$PWD
cd /
mkdir cgroup
cd cgroup
mkdir cpu
cd $OLDCWD
New sequence is:
mkdir /cgroup
mkdir /cgroup/cpu
Some tools, namely those used in /etc/init.d/cgconfig, might be executed with
security constrained context, which does not allow them to access certain
directories (like /var/log/audit). And when e.g. cgconfigparser is executed in
/var/log/audit as current working directory, chdir("/var/log/audit") in
cg_mkdir_p() fails. As consequence, "/etc/init.d/cgconfig start" randomly fails
or succeeds, depending on current working directory and current SELinux policy.
Signed-off-by: Jan Safranek <jsafrane@redhat.com>
Signed-off-by: Balbir Singh <balbir@linux.vnet.ibm.com>
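The "new sequence" from the commit message above, as an added example rather than the libcgroup implementation: each prefix of the path is created with its full name, so the process never calls chdir() and does not depend on access to its current working directory. The name `mkdir_p` and the limit `MKDIR_P_MAX` are hypothetical.

```c
#include <errno.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

#define MKDIR_P_MAX 4096   /* assumed upper bound on the path length */

/*
 * Create path and every missing parent. Returns 0 on success, -1 with
 * errno set otherwise. Already existing components are not an error.
 */
int mkdir_p(const char *path, mode_t mode)
{
    char buf[MKDIR_P_MAX];
    struct stat st;
    size_t len = strlen(path);
    char *p;

    if (len == 0 || len >= sizeof(buf)) {
        errno = len ? ENAMETOOLONG : ENOENT;
        return -1;
    }
    memcpy(buf, path, len + 1);

    /* Start after the first byte so a leading '/' never yields mkdir(""). */
    for (p = buf + 1; ; p++) {
        char saved = *p;

        if (saved != '/' && saved != '\0')
            continue;
        *p = '\0';                       /* buf is now one full prefix */
        if (mkdir(buf, mode) != 0 && errno != EEXIST)
            return -1;
        if (saved == '\0')
            break;
        *p = saved;
    }

    /* EEXIST is also returned for a regular file; insist on a directory. */
    if (stat(buf, &st) != 0)
        return -1;
    if (!S_ISDIR(st.st_mode)) {
        errno = ENOTDIR;
        return -1;
    }
    return 0;
}
```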
Jan Safranek [Tue, 7 Sep 2010 15:02:56 +0000 (20:32 +0530)]
It might be useful to allow empty values in cgconfig.conf, like:
devices {
devices.deny = "";
}
I know, it sounds weird, but Ivana is preparing cgsnapshot tool, which
saves current cgroups into a cgconfig.conf file, and empty values might
occur there.
Signed-off-by: Jan Safranek <jsafrane@redhat.com>
Signed-off-by: Balbir Singh <balbir@linux.vnet.ibm.com>
Change the return value to more informative one
the previous error message:
# /sbin/cgconfigparser -l /tmp/cgconfig.conf
can't create group "CBSFxx/Zcz6": Loading configuration file /etc/cgconfig.conf failed
Cgroup values are not equal
the new error message
#/sbin/cgconfigparser -l /etc/cgconfig.conf
can't create group "CBSFxx/Zcz6": Loading configuration file /etc/cgconfig.conf failed
Value setting does not succeed
Signed-off-by: Ivana Hutarova Varekova <varekova@redhat.com>
Signed-off-by: Jan Safranek <jsafrane@redhat.com>
-i, --hierrachies
Display attached hierarchy number, if the subsystem is in a hierarchy.
If the option -m is used too, then the hierarchy number is shown only for not mounted hierarchies.
Jan Safranek [Tue, 10 Aug 2010 09:38:14 +0000 (15:08 +0530)]
Some parameters (like devices.allow) shall include a space in their values.
This patch adds possibility to specify parameters names in double quotes,
like:
devices {
devices.allow="c 1:3 mr";
}
The double quotes are not mandatory, old behavior is still there.
As side effect, also parameter names, group names, user names, controller names
etc. can be (optionally) in double quotes and can contain weird characters
- it's a feature, not a bug :). Of course, I could change the grammar to allow
double quotes only in param. values, that shouldn't be a problem.
There is also no advance handling of escape sequences - \", \n, \t does not work
here. That means that parameter values cannot contain newline or double quote
characters - are they required by any controllers?
Signed-off-by: Jan Safranek <jsafrane@redhat.com>
Signed-off-by: Balbir Singh <balbir@linux.vnet.ibm.com>