[lxc.git] / debian / patches / 0010-start-unshare-cgroup-after-setting-up-device-limits.patch

From 7f3ecf9291a8bca0e60f6611206608d0644e73bf Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Tue, 19 Sep 2017 10:00:43 +0200
Subject: [PATCH 10/10] start: unshare cgroup after setting up device limits

Commit f4152036dd29 ("start: lxc_setup() after unshare(CLONE_NEWCGROUP)"
introduced another sync step before the cgroup device
limits, but in order for cgroup namespace separation to work
these limits must be setup before creating the separation
directory, which means we need to move the unshare to after
setting up the limits.

Fixup-for: separate the limiting from the namespaced cgroup root
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
 src/lxc/start.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/lxc/start.c b/src/lxc/start.c
index 4fec27b9..7715f64f 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -1324,9 +1324,6 @@ static int lxc_spawn(struct lxc_handler *handler)
 		goto out_delete_net;
 	}
 
-	if (lxc_sync_barrier_child(handler, LXC_SYNC_CGROUP_UNSHARE))
-		goto out_delete_net;
-
 	if (!cgroup_setup_limits(handler, true)) {
 		ERROR("Failed to setup the devices cgroup for container \"%s\".", name);
 		goto out_delete_net;
@@ -1351,6 +1348,9 @@ static int lxc_spawn(struct lxc_handler *handler)
 		}
 	}
 
+	if (lxc_sync_barrier_child(handler, LXC_SYNC_CGROUP_UNSHARE))
+		goto out_delete_net;
+
 	cgroup_disconnect();
 	cgroups_connected = false;
 
-- 
2.11.0
Commit	Line	Data
f81e43ae WB	1	From 7f3ecf9291a8bca0e60f6611206608d0644e73bf Mon Sep 17 00:00:00 2001
	2	From: Wolfgang Bumiller <w.bumiller@proxmox.com>
	3	Date: Tue, 19 Sep 2017 10:00:43 +0200
	4	Subject: [PATCH 10/10] start: unshare cgroup after setting up device limits
	5
	6	Commit f4152036dd29 ("start: lxc_setup() after unshare(CLONE_NEWCGROUP)"
	7	introduced another sync step before the cgroup device
	8	limits, but in order for cgroup namespace separation to work
	9	these limits must be setup before creating the separation
	10	directory, which means we need to move the unshare to after
	11	setting up the limits.
	12
	13	Fixup-for: separate the limiting from the namespaced cgroup root
	14	Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
	15	---
	16	src/lxc/start.c \| 6 +++---
	17	1 file changed, 3 insertions(+), 3 deletions(-)
	18
	19	diff --git a/src/lxc/start.c b/src/lxc/start.c
	20	index 4fec27b9..7715f64f 100644
	21	--- a/src/lxc/start.c
	22	+++ b/src/lxc/start.c
	23	@@ -1324,9 +1324,6 @@ static int lxc_spawn(struct lxc_handler *handler)
	24	goto out_delete_net;
	25	}
	26
	27	- if (lxc_sync_barrier_child(handler, LXC_SYNC_CGROUP_UNSHARE))
	28	- goto out_delete_net;
	29	-
	30	if (!cgroup_setup_limits(handler, true)) {
	31	ERROR("Failed to setup the devices cgroup for container \"%s\".", name);
	32	goto out_delete_net;
	33	@@ -1351,6 +1348,9 @@ static int lxc_spawn(struct lxc_handler *handler)
	34	}
	35	}
	36
	37	+ if (lxc_sync_barrier_child(handler, LXC_SYNC_CGROUP_UNSHARE))
	38	+ goto out_delete_net;
	39	+
	40	cgroup_disconnect();
	41	cgroups_connected = false;
	42
	43	--
	44	2.11.0
	45