From 76f0e2e7395a4417330b8ed943b14194ba70622d Mon Sep 17 00:00:00 2001
From: Christian Brauner
Date: Fri, 18 May 2018 16:16:22 +0200
Subject: [PATCH] confile: add lxc.cgroup.keep

This adds the new lxc.cgroup.keep config key. The key can be used to instruct LXC to not escape to never escape to the root cgroup. This makes it easy for users to adhere to restrictions enforced by cgroup2 and systemd. Specifically, this makes it possible to run LXC containers as systemd services. Note that cgroup v1 is considered legacy and will not see additional controllers being added to it. This means that it is safe to use lxc.cgroup.keep as config key since there is no "keep" controller. The only way a conflict can be introduced is if the user is creating a named controller. I think this case can be safely ignored since it is super rare and also the users problem.

Signed-off-by: Christian Brauner
Cc: Felix Abecassis
Cc: Jonathan Calmels
---
 src/lxc/conf.h | 1 +
 src/lxc/confile.c | 42 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 43 insertions(+)

diff --git a/src/lxc/conf.h b/src/lxc/conf.h
index c68108d83..070dd2292 100644
--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
@@ -76,6 +76,7 @@ struct lxc_cgroup {
 struct /* meta */ {
 char *controllers;
 char *dir;
+ bool keep;
 };
 };
 };
diff --git a/src/lxc/confile.c b/src/lxc/confile.c
index 326782eac..b94703084 100644
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -92,6 +92,7 @@ lxc_config_define(cap_keep);
 lxc_config_define(cgroup_controller);
 lxc_config_define(cgroup2_controller);
 lxc_config_define(cgroup_dir);
+lxc_config_define(cgroup_keep);
 lxc_config_define(console_buffer_size);
 lxc_config_define(console_logfile);
 lxc_config_define(console_path);
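Review bot: The new `bool keep;` member in the conf.h hunk carries no comment, although the key it backs has non-obvious semantics (per the commit message it stops LXC from escaping to the root cgroup, which is what makes running under a systemd service workable). A one-line comment beside the field, `bool keep; /* lxc.cgroup.keep: do not escape to the root cgroup */`, keeps that contract next to the data instead of only in the commit log. The enclosing `struct lxc_cgroup` begins outside the hunk, so whether conf.h already pulls in `<stdbool.h>` is not visible here; presumably it does, but it is worth confirming since this may be the first `bool` in the struct.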
@@ -167,6 +168,7 @@ static struct lxc_config_t config[] = {
 { "lxc.cap.keep", set_config_cap_keep, get_config_cap_keep, clr_config_cap_keep, },
 { "lxc.cgroup2", set_config_cgroup2_controller, get_config_cgroup2_controller, clr_config_cgroup2_controller, },
 { "lxc.cgroup.dir", set_config_cgroup_dir, get_config_cgroup_dir, clr_config_cgroup_dir, },
+ { "lxc.cgroup.keep", set_config_cgroup_keep, get_config_cgroup_keep, clr_config_cgroup_keep, },
 { "lxc.cgroup", set_config_cgroup_controller, get_config_cgroup_controller, clr_config_cgroup_controller, },
 { "lxc.console.buffer.size", set_config_console_buffer_size, get_config_console_buffer_size, clr_config_console_buffer_size, },
 { "lxc.console.logfile", set_config_console_logfile, get_config_console_logfile, clr_config_console_logfile, },
@@ -1395,6 +1397,32 @@ static int set_config_cgroup_dir(const char *key, const char *value,
 return set_config_string_item(&lxc_conf->cgroup_meta.dir, value);
 }
 
+static int set_config_cgroup_keep(const char *key, const char *value,
+ struct lxc_conf *lxc_conf, void *data)
+{
+ unsigned int converted;
+ int ret;
+
+ if (lxc_config_value_empty(value))
+ return clr_config_cgroup_keep(key, lxc_conf, NULL);
+ ret = lxc_safe_uint(value, &converted);
+ if (ret < 0)
+ return -ret;
+ if (converted == 1) {
+ lxc_conf->cgroup_meta.keep = true;
+ return 0;
+ }
+ if (converted == 0) {
+ lxc_conf->cgroup_meta.keep = false;
+ return 0;
+ }
+ return -EINVAL;
+}
+
 static int set_config_prlimit(const char *key, const char *value,
 struct lxc_conf *lxc_conf, void *data)
 {
@@ -3187,6 +3215,13 @@ static int get_config_cgroup_dir(const char *key, char *retv, int inlen,
 return fulllen;
 }
 
+static inline int get_config_cgroup_keep(const char *key, char *retv, int inlen,
+ struct lxc_conf *lxc_conf, void *data)
+{
+ return lxc_get_conf_int(lxc_conf, retv, inlen,
+ lxc_conf->cgroup_meta.keep);
+}
+
 static int get_config_idmaps(const char *key, char *retv, int inlen,
 struct lxc_conf *c, void *data)
 {
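Review bot: The `lxc.cgroup.keep` entry in the config[] hunk is only correct because it sits above the `lxc.cgroup` entry; if the key lookup is prefix-based (the commit message implies `lxc.cgroup.<name>` is otherwise parsed as a controller named `name`), moving the line below `lxc.cgroup` would silently turn the key into a controller setting called "keep" instead of a boolean, with no parse error to alert the user. That ordering constraint is invisible in the table itself and deserves a comment on the new line, e.g. `/* must stay above "lxc.cgroup", which matches any lxc.cgroup.<controller> key */`. The same placement already protects `lxc.cgroup.dir` one line up, so a single comment could cover both entries.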
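Review bot: In set_config_cgroup_keep, `return -ret;` after a failed lxc_safe_uint() flips the sign of the error, so a non-numeric value such as `lxc.cgroup.keep = yes` yields a positive errno value while the out-of-range case a few lines down returns `-EINVAL`; if the caller treats only negative returns as failure, which is the convention the `-EINVAL` branch assumes, the malformed value is reported as success and `keep` is left at whatever it was, so the validation is defeated for exactly the inputs it exists to catch. `return ret;` keeps the negative code lxc_safe_uint already produced and makes both failure paths agree. The two accept-branches could also collapse to `if (converted > 1) return -EINVAL; lxc_conf->cgroup_meta.keep = (converted == 1); return 0;`, but the sign fix is the part that matters.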
@@ -3927,6 +3962,13 @@ static int clr_config_cgroup_dir(const char *key, struct lxc_conf *lxc_conf,
 return 0;
 }
 
+static inline int clr_config_cgroup_keep(const char *key,
+ struct lxc_conf *lxc_conf, void *data)
+{
+ lxc_conf->cgroup_meta.keep = false;
+ return 0;
+}
+
 static inline int clr_config_idmaps(const char *key, struct lxc_conf *c,
 void *data)
 {
-- 
2.47.2