git.proxmox.com Git - mirror_lxc.git/commit - src/lxc/cgfs.c
cgfs: don't mount /sys/fs/cgroup readonly
author Christian Seiler <christian@iwakd.de>
Sat, 3 May 2014 18:57:44 +0000 (20:57 +0200)
committer Serge Hallyn <serge.hallyn@ubuntu.com>
Tue, 6 May 2014 15:20:08 +0000 (10:20 -0500)
commit b46f05535872669de42b61ff6233a0517cc7584d
tree 1e9d60e6eee0677e8462b636bcffd4b24f1e83aa
parent 3c597cee885b7c6de5be9aff98b3f5034608fbf9
cgfs: don't mount /sys/fs/cgroup readonly

Ubuntu containers have had trouble with automatic cgroup mounting that
was not read-write (i.e. lxc.mount.auto = cgroup{,-full}:{ro,mixed}) in
containers without CAP_SYS_ADMIN. Ubuntu's mountall program reads
/lib/init/fstab, which contains an entry for /sys/fs/cgroup. Since
there is no ro option specified for that filesystem, mountall will try
to remount it readwrite if it is already mounted. Without
CAP_SYS_ADMIN, that fails and mountall will interrupt boot and wait for
user input on whether to proceed anyway or to manually fix it,
effectively hanging container bootup.

This patch makes sure that /sys/fs/cgroup is always a readwrite tmpfs,
but that the actual cgroup hierarchy paths (/sys/fs/cgroup/$subsystem)
are readonly if :ro or :mixed is used. This still has the desired
effect within the container (no cgroup escalation possible and programs
get errors if they try to do so anyway), while keeping Ubuntu
containers happy.

Signed-off-by: Christian Seiler <christian@iwakd.de>
Cc: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
doc/lxc.container.conf.sgml.in
src/lxc/cgfs.c
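
An added example, not part of this commit or of the LXC code: a Python check over /proc/self/mountinfo-format text that verifies the layout the commit message describes (a read-write tmpfs at /sys/fs/cgroup, read-only mounts at /sys/fs/cgroup/$subsystem). The sample mount table is constructed and simplified, and the function names are hypothetical.

```python
# Added example: audit a mount table for the cgroup layout described in the
# commit message. SAMPLE_MOUNTINFO is constructed, not captured from a host.
CGROUP_ROOT = "/sys/fs/cgroup"

SAMPLE_MOUNTINFO = """\
60 45 0:40 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime - tmpfs cgroup rw,size=12k,mode=755
61 60 0:22 / /sys/fs/cgroup/cpu ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,cpu
62 60 0:23 / /sys/fs/cgroup/memory rw,nosuid,nodev,noexec,relatime - cgroup cgroup rw,memory
"""

def parse_mountinfo(text):
    """Yield (mount_point, fstype, per-mount options) for each mountinfo line."""
    for line in text.splitlines():
        fields = line.split()
        if "-" not in fields:
            continue
        sep = fields.index("-")  # the optional fields end at the lone "-"
        if sep < 6 or sep + 1 >= len(fields):
            continue
        # Field 6 holds the per-mount options. The superblock options after
        # the fstype can still say "rw" on a mount that was remounted ro.
        yield fields[4], fields[sep + 1], set(fields[5].split(","))

def audit_cgroup_mounts(text):
    """Return a list of deviations from the expected layout (empty if none)."""
    findings = []
    root_seen = False
    for mount_point, fstype, opts in parse_mountinfo(text):
        if mount_point == CGROUP_ROOT:
            root_seen = True
            if fstype != "tmpfs":
                findings.append(f"{mount_point}: expected tmpfs, found {fstype}")
            if "rw" not in opts:
                findings.append(f"{mount_point}: not read-write")
        elif mount_point.startswith(CGROUP_ROOT + "/"):
            rel = mount_point[len(CGROUP_ROOT) + 1:]
            # Only the hierarchy mounts directly below the tmpfs are checked;
            # deeper mounts are outside what this example covers.
            if "/" not in rel and "ro" not in opts:
                findings.append(f"{mount_point}: hierarchy is writable")
    if not root_seen:
        findings.append(f"{CGROUP_ROOT}: not mounted")
    return findings

if __name__ == "__main__":
    for finding in audit_cgroup_mounts(SAMPLE_MOUNTINFO):
        print(finding)
```

Inside a container, pass the contents of /proc/self/mountinfo to `audit_cgroup_mounts` instead of the sample.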