git.proxmox.com Git - mirror_lxc.git/commit

author	Serge Hallyn <serge.hallyn@ubuntu.com>
	Sat, 6 Jul 2013 00:34:55 +0000 (19:34 -0500)
committer	Serge Hallyn <serge.hallyn@ubuntu.com>
	Thu, 11 Jul 2013 15:26:33 +0000 (10:26 -0500)
commit	283678ed2ccd88a6ba57fcb28516311adcdb6fac
tree	eeb2af9f19206ec7c14f404006f99b431df250a8	tree
parent	cbee8106e38f9ffa130c7bf8be325f7f203da67a	commit \| diff

Accomodate stricter devices cgroup rules

3.10 kernel comes with proper hierarchical enforcement of devices
cgroup.  To keep that code somewhat sane, certain things are not
allowed.  Switching from default-allow to default-deny and vice versa
are not allowed when there are children cgroups.  (This *could* be
simplified in the kernel by checking that all child cgroups are
unpopulated, but that has not yet been done and may be rejected)

The mountcgroup hook causes lxc-start to break with 3.10 kernels, because
you cannot write 'a' to devices.deny once you have a child cgroup.  With
this patch, (a) lxcpath is passed to hooks, (b) the cgroup mount hook sets
the container's devices cgroup, and (c) setup_cgroup() during lxc startup
ignores failures to write to devices subsystem if we are already in a
child of the container's new cgroup.

((a) is not really related to this bug, but is definately needed.
The followup work of making the other hooks use the passed-in lxcpath
is still to be done)

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

hooks/mountcgroups		diff \| blob \| blame \| history
src/lxc/cgroup.c		diff \| blob \| blame \| history
src/lxc/cgroup.h		diff \| blob \| blame \| history
src/lxc/conf.c		diff \| blob \| blame \| history
src/lxc/conf.h		diff \| blob \| blame \| history
src/lxc/lxccontainer.c		diff \| blob \| blame \| history
src/lxc/start.c		diff \| blob \| blame \| history