nspawn: enable all controllers we can for the "payload" subcgroup we create

In the unified hierarchy delegating controller access is safe, hence
make sure to enable all controllers for the "payload" subcgroup if we
create it, so that the container will have all controllers enabled the
nspawn service itself has.

diff --git a/src/basic/cgroup-util.c b/src/basic/cgroup-util.c
index 388bd629eeb368d1b0379a908a60e2b03bfc6ca2..a298b29382c3d2385cf2aae83587953ad066e03b 100644 (file)
--- a/src/basic/cgroup-util.c
+++ b/src/basic/cgroup-util.c
@@ -2163,7 +2163,7 @@ int cg_enable_everywhere(CGroupMask supported, CGroupMask mask, const char *p) {
 
                         r = write_string_file(fs, s, 0);
                         if (r < 0)
-                                log_warning_errno(r, "Failed to enable controller %s for %s (%s): %m", n, p, fs);
+                                log_debug_errno(r, "Failed to enable controller %s for %s (%s): %m", n, p, fs);
                 }
         }
 

diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index a56960506cffb17dcaabcf05cda636f29f6d0552..1c64c3e771469c0fec343fc4986b58a99d07de6b 100644 (file)
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -4737,6 +4737,7 @@ static int create_subcgroup(pid_t pid) {
         _cleanup_free_ char *cgroup = NULL;
         const char *child;
         int unified, r;
+        CGroupMask supported;
 
         /* In the unified hierarchy inner nodes may only only contain
          * subgroups, but not processes. Hence, if we running in the
@@ -4756,6 +4757,10 @@ static int create_subcgroup(pid_t pid) {
         if (unified == 0)
                 return 0;
 
+        r = cg_mask_supported(&supported);
+        if (r < 0)
+                return log_error_errno(r, "Failed to determine supported controllers: %m");
+
         r = cg_pid_get_path(SYSTEMD_CGROUP_CONTROLLER, 0, &cgroup);
         if (r < 0)
                 return log_error_errno(r, "Failed to get our control group: %m");
@@ -4770,6 +4775,8 @@ static int create_subcgroup(pid_t pid) {
         if (r < 0)
                 return log_error_errno(r, "Failed to create %s subcgroup: %m", child);
 
+        /* Try to enable as many controllers as possible for the new payload. */
+        (void) cg_enable_everywhere(supported, supported, cgroup);
         return 0;
 }