cgroups: do not fail if setting devices cgroup fails due to EPERM
authorSerge Hallyn <serge.hallyn@ubuntu.com>
Fri, 19 Feb 2016 22:12:47 +0000 (14:12 -0800)
committerSerge Hallyn <serge.hallyn@ubuntu.com>
Fri, 19 Feb 2016 22:12:47 +0000 (14:12 -0800)
If we're trying to allow a device which was denied to our parent
container, just continue.

Cgmanager does not help us distinguish between EPERM and other
errors, so just always continue.

We may want to consider actually computing the range of devices
to which the container monitor has access, but OTOH that introduces
a whole new set of complexity to compute access sets.

Closes #827

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
src/lxc/cgfs.c
src/lxc/cgmanager.c

index b43e1ce01cc6471efa2adde79a115dfa01a45f43..f303a11d24e45a2297b9e6874b6c50d8e9038025 100644 (file)
@@ -1285,10 +1285,13 @@ static int lxc_cgroup_set_data(const char *filename, const char *value, struct c
        if ((p = strchr(subsystem, '.')) != NULL)
                *p = '\0';
 
+       errno = ENOENT;
        path = lxc_cgroup_get_hierarchy_abs_path_data(subsystem, d);
        if (path) {
                ret = do_cgroup_set(path, filename, value);
+               int saved_errno = errno;
                free(path);
+               errno = saved_errno;
        }
        return ret;
 }
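Review bot: The `errno = ENOENT;` preset before `lxc_cgroup_get_hierarchy_abs_path_data()` only holds if that helper never writes errno on its failure path, and the helper is not visible here. If it does, a NULL `path` returns with whatever value it left, and the caller in do_setup_cgroup_limits now decides whether to skip a devices rule based on that value. Setting it on the failure branch instead, `} else { errno = ENOENT; }`, makes the result independent of the helper. A comment above the function such as `/* On failure errno holds the cause: ENOENT if no hierarchy was found, otherwise the errno left by do_cgroup_set(). */` would document what callers may rely on. The start of the function, including the initial value of `ret`, is outside the hunk.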
@@ -1915,6 +1918,11 @@ static int do_setup_cgroup_limits(struct cgfs_data *d,
                                        cgroup_devices_has_allow_or_deny(d, cg->value, true))
                                continue;
                        if (lxc_cgroup_set_data(cg->subsystem, cg->value, d)) {
+                               if (do_devices && errno == EPERM) {
+                                       WARN("Error setting %s to %s for %s",
+                                             cg->subsystem, cg->value, d->name);
+                                       continue;
+                               }
                                ERROR("Error setting %s to %s for %s",
                                      cg->subsystem, cg->value, d->name);
                                goto out;
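Review bot: The skip at `if (do_devices && errno == EPERM)` applies to every devices entry, so a refused `devices.deny` write is also downgraded to a warning and the container can start with wider device access than its configuration asks for; the commit message only argues for tolerating a refused allow. Narrowing the condition to `if (do_devices && errno == EPERM && strcmp(cg->subsystem, "devices.allow") == 0)` would keep deny failures fatal, assuming cg->subsystem holds the full key, as its use as the filename argument suggests. The same concern applies to the `if (do_devices)` branch added to cgm_setup_limits in src/lxc/cgmanager.c, which continues on any error at all, not just a permission failure. The WARN text is identical to the ERROR text below it; wording such as `"Ignoring EPERM while setting %s to %s for %s"` would show in the log that a rule was skipped rather than applied. The enclosing loop starts and ends outside the hunk.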
index 79912c08c14c800e6728be0652f37c7ad36056db..860d8f4569e7b98dc009871b7db634b88c8aa720 100644 (file)
@@ -1523,6 +1523,14 @@ static bool cgm_setup_limits(void *hdata, struct lxc_list *cgroup_settings, bool
                                         d->cgroup_path, cg->subsystem, cg->value) != 0) {
                        NihError *nerr;
                        nerr = nih_error_get();
+                       if (do_devices) {
+                               WARN("call to cgmanager_set_value_sync failed: %s", nerr->message);
+                               nih_free(nerr);
+                               WARN("Error setting cgroup %s:%s limit type %s", controller,
+                                       d->cgroup_path, cg->subsystem);
+                               continue;
+                       }
+
                        ERROR("call to cgmanager_set_value_sync failed: %s", nerr->message);
                        nih_free(nerr);
                        ERROR("Error setting cgroup %s:%s limit type %s", controller,