find_mounted_controller() now stores the corresponding open file descriptor for
the mount of the controller in the private lxcfs mount namespace in @cfd.
Signed-off-by: Christian Brauner <cbrauner@suse.de>
- So far lxcfs.c and bindings.{c,h} did not share cgroup information and we
unnecessarily kept parsing and storing additional information. Let's share it
instead.
- Add lxcfs_clone() function.
- Mount cgroups in a private mount namespace. We use CLONE_FILES so that file
descriptors opened via lxcfs_clone() are not copied and hence are valid in
child and parent.
- For each mounted hierarchy, open a file descriptor and store it in an mmap()ed
array that is MAP_SHARED between parent and child.
Signed-off-by: Christian Brauner <cbrauner@suse.de>
- Fix do_mount_cgroups(): It previously returned ret uninitialized on failure.
- Quite a few snprintf() call used size_t variables but then checked whether
size_t < 0. Since size_t is unsigned these checks were always true. Let's use
ssize_t instead which is signed.
- Use additional ssize_t variable to catch snprintf() error for swap
calculation and add the value to the final result afterwards instead of
directly.
Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>
cpuinfo is different on s390x. On amd64 there is a set of lines
per processor, begging with 'processor : n'. On s390x, the first
line identifies the vendor, then there are general lines which apply
to all containers, finally the processors show up one per line.
Serge Hallyn [Tue, 29 Mar 2016 18:35:01 +0000 (13:35 -0500)]
fuse file info release: guard against multiple calls
While fuse clearly calls the release info helpers under pthread
lock, it's not as clear that it may not be called more than once.
Null everything after we free it.
The hope is that this will fix the occasional mysterious crashes
on very heavily used (50 containers nonstop) servers.
Stéphane Graber [Sun, 20 Mar 2016 15:00:55 +0000 (11:00 -0400)]
hook: don't use mountpoint
It's not very reliable (had it fail on one of my servers) and since
we're already iterating through a list of mountpoints, it's also
completely unneeded.
Serge Hallyn [Thu, 17 Mar 2016 21:28:53 +0000 (14:28 -0700)]
pam: support 14.04
In 14.04 our pam_systemd module used a different format for the
login cgroups. If we find one of those in our name, then we want
to just chown it to us and not do anything more, just as we do in
xenial.
Serge Hallyn [Mon, 14 Mar 2016 19:19:27 +0000 (12:19 -0700)]
pam_cgfs: create a new systemd cgroup if current isn't ours
If current systemd cgroup does not end in user-$uid.slice/session-c%d.scope,
then pam did not create our current systemd cgroup for us, so create a new
one rather than chowning the current one.
Serge Hallyn [Mon, 7 Mar 2016 23:50:50 +0000 (15:50 -0800)]
meminfo_read: return 0 for Slab
Slab: is supposed to be the "in-kernel data structures cache". I don't
know of a good way to calculate this from memory cgroup info. If/when
we find it we can update it. This value is used by free -m meaning
that if we don't shrink it, we can end up with negative values for
used memory.
Serge Hallyn [Tue, 23 Feb 2016 19:52:22 +0000 (11:52 -0800)]
Add upstart and systemd init jobs
Mostly copied from the Ubuntu package.
Note someone still needs to write the bsd and gentoo init
scripts. (You can look at the sysvinit jobs here and the
bsd+gentoo jobs in git://github.com/lxc/cgmanager for
inspiration).
Serge Hallyn [Thu, 18 Feb 2016 18:10:16 +0000 (10:10 -0800)]
pid_from_ns_wrapper: remove the loop
If we clone a child which can't reply to us within the timeout, do
not keep looping, just return an error. Commonize the function
superficially to make it look like pid_to_ns_wrapper(). Presumably
we can now merge these into one function, that's left for later.
Because of the different signatures of fork() and clone(),
pid_to_ns and pid_from_ns get an additional wrapper that is
passed to clone(). To pass the needed arguments to
pid_ns_clone_wrapper, a new struct called pid_ns_clone_args
is introduced.
The return type of pid_to_ns and pid_from_ns need to be
changed to int, returning equals exiting with clone().
(serge - inline fix of erorr typo which bled through from the original)
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
cgfs_list_children() and cgfs_list_keys() follow the same
pattern with the differences being that one lists
directories, the other files, and that cgfs_list_children()
always allocates an empty list while cgfs_list_keys()
NULL-initializes the list.
Both have a case which returns an error after a list has
been allocated, and in both cases the cleanup code is
guarded with an if(list).
In both cases on success the caller assumes the list is
non-empty which is why cgfs_list_children() returned a list
with a terminating NULL-entry.
This deduplicates the iteration code into a function with a
flag for whether regular files or directories are of
interest and a callback to create the list element.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
We already assume tmp[] is big enough when using an unsized
sprintf(), considering it contains a single pid number and
is 30 bytes we can assume it was also big enough to hold the
terminating null byte.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Serge Hallyn [Mon, 1 Feb 2016 11:21:01 +0000 (12:21 +0100)]
Make the bulk of the lxcfs code reloadable
Move the majority of the code (the bits most likely to have security
bugs coming up) reloadable. Sending USR1 signal to lxcfs will cause
it to reload the shared library so as to immediately start using the
fixed code. This allows us to upgrade lxcfs in the majority of
cases without having to restart containers.
To achieve this, some code was moved around so that lxcfs.c itself
does not risk pinning any symbols from the shared library (which
would prevent it being unloaded). We track the number of threads
currently using the bindings, and do the reload after it hits
zero (specifically, the next time that we turn the count from 0 to 1)
Also add a test case to make sure an updated library does in fact
get loaded.
projects / mirror_lxcfs.git / log