The lock/subsys/lxc-ubuntu-cloud lock is to protect the tarballs
managed under /var/cache/lxc/cloud-$release. Don't lock if we've
been handed a tarball.
fake device creation
Unprivileged users can't create devices, so bind mount null, tty, urandom
and console from the host.
Changelog:
Jul 22: as Stéphane points out, remove a left-over debug line
Serge Hallyn [Thu, 9 May 2013 01:25:06 +0000 (20:25 -0500)]
lxc-create: support unpriv users
Just make sure we are root if we are asked to deal with something other
than a directory, and make sure we have permission to create the
container in the given lxcpath.
Serge Hallyn [Thu, 9 May 2013 01:15:29 +0000 (20:15 -0500)]
templates: require running as root
Up to now lxc-create ensured that you were running as root. Now the
templates which require root need to do it for themselves. Templates
which do mknod definately require root.
ubuntu templates: add some kernel filesystems to container fstab
The debugfs, fusectl, and securityfs may not be mounted inside a
non-init userns. But mountall hangs waiting for them to be
mounted. So just pre-mount them using $lxcpath/$name/fstab as
bind mounts, which will prevent mountall from trying to mount
them.
If the kernel doesn't provide them, then the bind mount failure
will be ignored, and mountall in the container will proceed
without the mount since it is 'optional'. But without these
bind mounts, starting a container inside a user namespace
hangs.
Otherwise (a) there is a memory leak when using user namespaces and
clearing a config, and (b) saving a container configuration file doesn't
maintain the userns mapping. For instance, if container c1 has
lxc.id_map configuration entries, then
lxc_create: prepend pretty header to config file (v2)
Define a sha1sum_file() function in utils.c. Use that in lxcapi_create
to write out the sha1sum of the template being used. If libgnutls is
not found, then the template sha1sum simply won't be printed into the
container config.
This patch also trivially fixes some cases where SYSERROR is used after
a fclose (masking errno) and missing consts in mkdir_p.
If set, then fds 0,1,2 will be redirected while the creation
template is executed.
Note, as Dwight has pointed out, if fd 0 is redirected, then if
templates ask for input there will be a problem. We could simply
not redirect fd 0, or we could require that templates work without
interaction. I'm assuming here that we want to do the latter, but
I'm open to changing that.
3.10 kernel comes with proper hierarchical enforcement of devices
cgroup. To keep that code somewhat sane, certain things are not
allowed. Switching from default-allow to default-deny and vice versa
are not allowed when there are children cgroups. (This *could* be
simplified in the kernel by checking that all child cgroups are
unpopulated, but that has not yet been done and may be rejected)
The mountcgroup hook causes lxc-start to break with 3.10 kernels, because
you cannot write 'a' to devices.deny once you have a child cgroup. With
this patch, (a) lxcpath is passed to hooks, (b) the cgroup mount hook sets
the container's devices cgroup, and (c) setup_cgroup() during lxc startup
ignores failures to write to devices subsystem if we are already in a
child of the container's new cgroup.
((a) is not really related to this bug, but is definately needed.
The followup work of making the other hooks use the passed-in lxcpath
is still to be done)
This hook script updates the hostname in various files under /etc in the
cloned container. In order to do so, the old container name is passed in
the LXC_SRC_NAME environment variable.
lxc-fedora template - Fix retries, use os-release for release, add utsname.
Hey all!
Patch for the Fedora template. Several things...
1) A month or so ago, I floated an idea of adding an option for utsname
which Serge seemed to like but we let it float for more feedback (none
came).
2) In private mail to Serge and Stéphane I mentioned the idea of using
the CPE (Common Platform Enumeration) for host distro and version
identification. I heard back from Serge but not Stéphane. CPE is a
standard promoted by NIST and Mitre (along with CVE and CVSS) as part of
the security community as a common identification mechanism. It's
supported by RedHat based distros and many others (notable exception
Ubuntu). I've patched the Fedora template to parse first
the /etc/os-release file or, alternatively, the /etc/system-release-cpe
file for the distro ID and version instead of the human
readable /etc/redhat-release. There's more that can be done with that
in the realm of cross distro container builds, I suspect.
3) At the time of working on 1&2 I noticed that the retry logic in the
Fedora template just didn't seem right. I believe I posted a message
asking for clarification on that behavior. A recently post in the
-users list indicating that someone could not create a Fedora 19
container (because the release ver string was 19-2 and the template was
only looking for -1) prompted me to rework the retry logic for handling
the mirror list and servers as well as revamp the download logic to
properly identify the correct release package.
The patch for all of the above is attached below the jump. It's been
tested on Fedora 17 through Fedora 19 hosts and has created containers
for F11, F12, F13, F14, F16, F17, F18, and F19. F15 failed for rpm
dependency issues that are not worth fixing (IMHO).
Regards,
Mike
--
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw@WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
--
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
I noticed that if find_first_wholeword() is called with word at the very
beginning of p, we will deref *(p - 1) to see if it is a word boundary.
Fix by considering p = p0 to be a word boundary.
The new openssh uses a different mechanism to start/stop the daemon
which in turn requires a few tweaks in our template to deal with both
the new and old ways of doing that.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
lxc-start-ephemeral: Fix console() and add storage option
The introduction of the new console() python API broke
lxc-start-ephemeral's console(tty=1) call, I now changed that to
console() which does the right thing with both API versions.
This also adds a new storage-type option, letting the user choose to use
a standard directory instead of tmpfs for the container (but still have
it ephemeral).
It turns out that most API users want some kind of timeout option for
get_ips, so instead of re-implementing it in every single client
software, let's just have it as a python overlay upstream.
commit 829dd918 added parsing of a -c argument to both the common options
handling and to lxc-start. It is not a common option, and should have only
been added to lxc-start. Because the common code is processing it, no other
command can use -c. Remove -c from being processed by the common code.
Tested that -c still works with lxc-start.
Andrew Gilbert [Thu, 27 Jun 2013 13:09:05 +0000 (08:09 -0500)]
Add -n differentiation to lxc-netstat
lxc-netstat now only processes an -n argument if it has not previously
received a value for $name from --name or -n. If it _has_ received such
a value, it stops processing arguments and leaves the -n for netstat.
This does not apply to the use of --name after a name has been provided
by --name or -n; the current behaviour continues. The new behaviour
makes
netstat -n <container> -n -a
behave like
netstat -n <container> -a -n
which already will act as though there is '--' between '<container>' and
'-a' (see line 91 of lxc-netstat.in).
Signed-off-by: Andrew Gilbert <andrewg800@gmail.com> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Andrew Gilbert [Thu, 27 Jun 2013 13:07:14 +0000 (08:07 -0500)]
Add double-dash to lxc-netstat re-call arguments
When lxc-netstat was called by lxc-unshare, it would be given the
arguments intended for netstat from the first invocation, but without
anything to separate them from the arguments intended for lxc-netstat.
This meant that netstat arguments like -n would result in lxc-netstat
trying to process them.
Signed-off-by: Andrew Gilbert <andrewg800@gmail.com> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Serge Hallyn [Fri, 21 Jun 2013 19:15:42 +0000 (14:15 -0500)]
Accept more word delimiters when updating hooks
When updating container names in hook files during a container clone,
we substitute the new container name for the old any time the old name
shows up as a separate word. This patch adds the four characters
'.,_-' as additional delimiters.
Serge Hallyn [Tue, 18 Jun 2013 19:52:24 +0000 (14:52 -0500)]
conf.c: always strdup rootfs.mount
The reason is that the generic code which handles reading
lxc.rootfs.mount always frees the old value if not NULL.
So without this setting lxc.rootfs.mount = /mnt causes
segfault.
Serge Hallyn [Thu, 13 Jun 2013 15:06:15 +0000 (10:06 -0500)]
don't set up console for lxc-execute
Currently due to some safety checks for !rootfs.path, lxc-execute works
ok if you do not set lxc.rootfs at all in your lxc.conf. But if you
set lxc.rootfs = '/', then it sets up console, and when you do an
lxc-execute, the console appears hung.
However the lxc.rootfs NULL check was just incidental to not dereference
a NULL pointer. In fact we should not be setting up a console if the
container isn't running a full-fledged distro with a getty/login
running on the container's /dev/console.
Have lxc_execute() mark in lxc_conf that this is a lxc-execute and not
an lxc-start, and don't set up the console.
The issue is documented at https://sourceforge.net/p/lxc/bugs/67/ .
Dwight Engen [Wed, 12 Jun 2013 15:09:16 +0000 (08:09 -0700)]
console API improvements
Add a higher level console API that opens a tty/console and runs the
mainloop as well. Rename existing API to console_getfd(). Use these in
the python binding.
Allow attaching a console peer after container bootup, including if the
container was launched with -d. This is made possible by allocation of a
"proxy" pty as the peer when the console is attached to.
Improve handling of SIGWINCH, the pty size will be correctly set at the
beginning of a session and future changes when using the lxc_console() API
will be propagated to it as well.
Refactor some common code between lxc_console.c and console.c. The variable
wait4q (renamed to saw_escape) was static, making the mainloop callback not
safe across threads. This wasn't a problem when the callback was in the
non-threaded lxc-console, but now that it is internal to console.c, we have
to take care of it. This is now contained in a per-tty state structure.
Don't attempt to open /dev/null as the console peer since /dev/null cannot
be added to the mainloop (epoll_ctl() fails with EPERM). This isn't needed
to get the console setup (and the log to work) since the case of not having
a peer at console init time has to be handled to allow for attaching to it
later.
Move signalfd libc wrapper/replacement to utils.h.
Natanael Copa [Wed, 12 Jun 2013 09:18:04 +0000 (11:18 +0200)]
lxc-init: continue even if we fail to mount /dev/mqueue
The 'lxc-init' (a lightweight init process used by lxc-execute in place
of upstart etc) tries to mount /dev/mqueue during startup. If that fails
(for instance due to missing support for mqueue in kernel) then it
aborts execution and returns -1. This is unreasonable as very few
applications actually need /dev/mqueue.
This similar to what we do with /dev/shm.
Signed-off-by: Natanael Copa <ncopa@alpinelinux.org> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Qiang Huang [Fri, 7 Jun 2013 07:27:32 +0000 (15:27 +0800)]
lxc-execute: allow lxc-init to log only when we have a valid log level
Right now if we use lxc-execute without log level set, we get error:
lxc: invalid log priority NOTSET.
Because we set log level manually in execute_start(), but didn't
check if we have a valid log level or not, so fix it.
Serge Hallyn [Mon, 3 Jun 2013 16:19:01 +0000 (18:19 +0200)]
lxc_create: support 'lxc-create -t <template> -h'
With the lxc-create script, 'lxc-create -t template -h' used to call
'template -h' to get template-specific help. The api based lxc-create
did not yet support that.
Add a 'helpfn' method to the lxc_arguments, which is called at the end
of printhelp, and passed the lxc_arguments. Use that in lxc_create to
reintroduce the desired behavior.
Natanael Copa [Tue, 28 May 2013 08:25:14 +0000 (10:25 +0200)]
lxc-alpine: download a static package manager if its missing
If the package manager, apk-tools is missing, then:
- download a static binary and public keys
- verify the keys against embedded checksum
- verify the signature of the static binary against the downloaded keys
- use the verified static binary
Signed-off-by: Natanael Copa <ncopa@alpinelinux.org> Signed-off-by: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Serge Hallyn [Fri, 31 May 2013 14:02:33 +0000 (16:02 +0200)]
configure/makefile: rename default_conf to distro_conf
configure/makefile: rename default_conf to distro_conf, since it is a per-distro
default. Then we'll be able to use the symbol LXC_DEFAULT_CONF in the code to
refer to the installed file.
Serge Hallyn [Thu, 30 May 2013 16:22:16 +0000 (11:22 -0500)]
waitpid at abort to make sure we can rmdir cgroups
If we abort the container start, and don't wait for the init task to be
reaped after we kill it, then we can't remove the container cgroup
because it is not empty.
Serge Hallyn [Wed, 29 May 2013 17:26:25 +0000 (12:26 -0500)]
lxccontainer: don't lock around getstate and freeze/unfreeze (v2)
Those go through commands.c and are already mutex'ed that way.
Also remove a unmatched container_disk_unlock in lxcapi_create.
Since is_stopped uses getstate which is no longer locked, rename
it to drop the _locked suffix.
And convert save_config to taking the disk lock. This way the
save_ and load_config are mutexing each other, as they should.
Changelog: May 29:
Per Dwight's comment, take the lock before opening the config
FILE *.
Only take disklock at load and save_config when we're using the
container's config file, not when read/writing from/to another
file.
Dwight Engen [Tue, 28 May 2013 19:25:41 +0000 (15:25 -0400)]
add console to lxc api
Make lxc_cmd_console() return the fd from the socket connection to the
caller. This fd keeps the tty slot allocated until the caller closes
it. Returning the fd allows for a long lived process to close the fd
and reuse consoles.
Serge Hallyn [Tue, 28 May 2013 20:27:42 +0000 (15:27 -0500)]
api_clone: call is_stopped_locked() to avoid deadlock.
Technically as Dwight has mentioned we should probably drop the locking
from api_state() altogether, since those are protected through the
lxc command system.
Serge Hallyn [Fri, 17 May 2013 21:23:17 +0000 (23:23 +0200)]
Move container creation fully into the api
1. implement bdev->create:
python and lua: send NULL for bdevtype and bdevspecs.
They'll want to be updated to pass those in in a way that makes
sense, but I can't think about that right now.
2. templates: pass --rootfs
If the container is backed by a device which must be mounted (i.e.
lvm) then pass the actual rootfs mount destination to the
templates.
Note that the lxc.rootfs can be a mounted block device. The template
should actually be installing the rootfs under the path where the
lxc.rootfs is *mounted*.
Still, some people like to run templates by hand and assume purely
directory backed containers, so continue to support that use case
(i.e. if no --rootfs is listed).
Make sure the templates don't re-write lxc.rootfs if it is
already in the config. (Most were already checking for that)
3. Replace lxc-create script with lxc_create.c program.
Changelog:
May 24: when creating a container, create $lxcpath/$name/partial,
and flock it. When done, close that file and unlink it. In
lxc_container_new() and lxcapi_start(), check for this file. If
it is locked, create is ongoing. If it exists but is not locked,
create() was killed - remove the container.
May 24: dont disk-lock during lxcapi_create. The partial lock
is sufficient.
Serge Hallyn [Fri, 17 May 2013 05:20:10 +0000 (07:20 +0200)]
destroy: implement in the api
This requires implementing bdev->ops->destroy() for each of the backing
store types. Then implementing lxcapi_clone(), writing lxc_destroy.c
using the api, and removing the lxc-destroy.in script.
(this also has a few other cleanups, like marking some functions
static)
Changelog:
fold into destroy: fix zfs destroy
destroy: use correct program name in help
Serge Hallyn [Thu, 16 May 2013 21:03:47 +0000 (23:03 +0200)]
lxc-stop: use api, remove lxc_shutdown, extend lxc-stop functionality
implement c->reboot(c) in the api.
Also if the container is not running, return -2. Currently
lxc-stop will return 0, so you cannot tell the difference
between successfull stopping and noop.
Per stgraber's email:
- Remove lxc-shutdown
- Change lxc-stop so that:
* Default behaviour is to call shutdown(), wait 15s for STOPPED, if
not STOPPED, print a message to the user and call stop() [ NOTE:
actually 60 seconds per followup thread]
* We have a -r option to reboot the container (with proper check that
the container indeed rebooted within the next 15s)
* We have a -s option to shutdown the container without the automatic
fallback to stop()
* Add a -k option allowing a user to just kill a container
(equivalent to old lxc-stop, no shutdown() call and no delay).
Serge Hallyn [Fri, 24 May 2013 21:03:22 +0000 (16:03 -0500)]
locking: update per Dwight's comment
Create three pairs of functions:
int process_lock(void);
void process_unlock(void);
int container_mem_lock(struct lxc_container *c)
void container_mem_unlock(struct lxc_container *c)
int container_disk_lock(struct lxc_container *c);
void container_disk_unlock(struct lxc_container *c);
and use those in lxccontainer.c
process_lock() is to protect the process state among multiple threads.
container_mem_lock() is to protect a struct container among multiple
threads. container_disk_lock is to protect a container on disk.
Also remove the lock in lxcapi_init_pid() as Dwight suggested.
Fix a typo (s/container/contain) spotted by Dwight.
More locking fixes are needed, but let's first the the fundamentals
right. How close does this get us?
Serge Hallyn [Wed, 22 May 2013 21:24:00 +0000 (16:24 -0500)]
lxclock: Replace named sempahore with flock
The problem: if a task is killed while holding a posix semaphore,
there appears to be no way to have the semaphore be reliably
autmoatically released. The only trick which seemed promising
is to store the pid of the lock holder in some file and have
later lock seekers check whether that task has died.
Instead of going down that route, this patch switches from a
named posix semaphore to flock. The advantage is that when
the task is killed, its fds are closed and locks are automatically
released.
The disadvantage of flock is that we can't rely on it to exclude
threads. Therefore c->slock must now always be wrapped inside
c->privlock.
This patch survived basic testing with the lxcapi_create patchset,
where now killing lxc-create while it was holding the lock did
not lock up future api commands.
Dwight Engen [Thu, 23 May 2013 19:44:39 +0000 (15:44 -0400)]
fix memory leaks in cgroup functions
There were several memory leaks in the cgroup functions, notably in the
success cases.
The cgpath test program was refactored and additional tests added to it.
It was used in various modes under valgrind to test that the leaks were
fixed.
Simplify lxc_cgroup_path_get() and cgroup_path_get by having them return a
char * instead of an int and an output char * argument. The only return
values ever used were -1 and 0, which are now handled with NULL and non-NULL
returns respectively.
Use consistent variable names of cgabspath when refering to an absolute path
to a cgroup subsystem or file, and cgrelpath when refering to a container
"group/name" within the cgroup heirarchy.
Remove unused subsystem argument to lxc_cmd_get_cgroup_path().
Stéphane Graber [Thu, 23 May 2013 02:28:43 +0000 (22:28 -0400)]
python: Fix lxc-ls's usage of get_ips()
The recent port of get_ips() from pure python to the C API came with
a couple of API changes for that function call (as were highlighted in
the commit message).
I somehow didn't notice that lxc-ls was still calling with the old API
and so was crashing whenever it was asked to show the ipv4 or ipv6 address.
This is just some minor changes in the way the Fedora template is
synthesizing the target rootfs_path. Currently, the template uses a
path with the container in it twice like this:
/var/lib/lxc/rasputin/rasputin/rootfs
This happens because the container name is already contained in the
"path" and the template appends it a second time. This changes the
logic to be congruent with other templates such as lxc-arch. The new
behavior will be to create the rootfs like this:
/var/lib/lxc/rasputin/rootfs
Attached below the jump.
Regards,
Mike
--
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw@WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
--
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Dwight Engen [Tue, 21 May 2013 15:34:45 +0000 (11:34 -0400)]
oracle template: mount /dev/shm as tmpfs
sem_open(3) checks that /dev/shm is SHMFS_SUPER_MAGIC. Normally /dev/shm
is mounted in the initramfs created by dracut, but that won't be run for
a container so make sure that rc.sysinit mounts /dev/shm.
Serge Hallyn [Wed, 22 May 2013 01:31:04 +0000 (20:31 -0500)]
attach: and cgroup.c: be overly cautious
Realistically (as Dwight points out) it doesn't seem possible that
getline won't return at least one line in this functions, however
just to make absolutely sure we don't get a segv on free(NULL),
check line != NULL before freeing it on exit.
Dwight Engen [Fri, 17 May 2013 22:29:12 +0000 (18:29 -0400)]
extend command processor to handle generic data
Motivation for this change is to have the ability to get the run-time
configuration items from a container, which may differ from its current
on disk configuration, or might not be available any other way (for
example lxc.network.0.veth.pair). In adding this ability it seemed there
was room for refactoring improvements.
Genericize the command infrastructure so that both command requests and
responses can have arbitrary data. Consolidate all commands into command.c
and name them consistently. This allows all the callback routines to be
made static, reducing exposure.
Return the actual allocated tty for the console command. Don't print the
init pid in lxc_info if the container isn't actually running. Command
processing was made more thread safe by removing the static buffer from
receive_answer(). Refactored command response code to a common routine.
This adds a new get_ips call which takes a family (inet, inet6 or NULL),
a network interface (or NULL for all) and a scope (0 for global) and returns
a char** of all the IPs in the container.
This also adds a matching python3 binding (function result is a tuple) and
deprecates the previous pure-python get_ips() implementation.
WARNING: The python get_ips() call is quite different from the previous
implementation. The timeout argument has been removed, the family names are
slightly different (inet/inet6 vs ipv4/ipv6) and an extra scope parameter
has been added.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Patch to the lxc-fedora template to setup gettys on the ttys that are
enabled in the configuration. The area of the code already had some
modifications to that service that didn't seem to do anything and would
get wiped out by an update. I commented that out but subsumed the
change it was attempting into my command in case it does something on
another rev somewhere.
This is very similar to the logic in the OpenSuse template but doesn't
seem to appear in other templates, such as arch, which have to deal with
systemd. This isn't unique to Fedora. The templates for Fedora,
ArchLinux, and OpenSuse are the only three that seem to have any
reference to systemd at all.
Attached below the jump.
Regards,
Mike
--
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw@WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
--
Signed-off-by: Michael H. Warfield <mhw@WittsEnd.com> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Dwight Engen [Fri, 17 May 2013 22:28:12 +0000 (18:28 -0400)]
return lxc generated name for veth pair
Doing a get_config_item for lxc.network.0.veth.pair only returns the
pair name if explicitly given, but it can be useful to know the name
even if it is the one that lxc autogenerated.
Serge Hallyn [Tue, 14 May 2013 21:10:37 +0000 (16:10 -0500)]
lxc: add clone hook.
Add a clone hook called from api_clone. Pass arguments to it from
lxc_clone.c.
The clone update hook is called while the container's bdev is mounted.
Information about the container is passed in through environment
variables LXC_ROOTFS_PATH, LXC_NAME, The LXC_ROOTFS_MOUNT, and
LXC_CONFIG_FILE.
So from the hook, updates to the container should be made under
$LXC_ROOTFS_MOUNT/ .
The hook also receives command line arguments as follows:
First argument is container name, second is always 'lxc', third
is the hook name (always clone), then come the arguments which
were passed to lxc-clone. I.e. when I did:
sudo lxc-clone demo2 demo3 -- hey there dude
the arguments passed in were "demo3 lxc clone hey there dude"
I personally would like to drop the first two arguments. The
name is available as $LXC_NAME, and the section argument ('lxc')
is meaningless. However, doing so risks invalidating existing
hooks.
Soon analogous create and destroy hooks will be added as well.
Serge Hallyn [Wed, 15 May 2013 20:21:24 +0000 (15:21 -0500)]
cgroup: prevent DOS when a hierachy is mounted multiple times
When starting a container, we walk through all cgroup mounts looking
for a unique directory name we can use for this container. If the
name we are trying is in use, we try another name. If it is not in
use in the first mount we check, we need to check other hierarchies
as it may exist there. But we weren't checking whether we have already
checked a subsystem - so that if freezer was mounted twice, we would
create it in the first mount, see it exists in the second, so start
over trying in the second mount.
To fix this, keep track of which subsystems we have already checked,
and do not re-check.
Note we still need to add, at the next: label, the removal of the
directories we've already created. I'm keeping that for later as
it's far lower priority than this fix, and I don't want to risk
introducing a regression for that.
Dwight Engen [Wed, 15 May 2013 16:27:34 +0000 (12:27 -0400)]
set non device cgroup items before the cgroup is entered
This allows some special cgroup items such as memory.kmem.limit_in_bytes
to be successfully set, since they must be set before any task is put
into the cgroup.
The devices cgroup is setup later giving the container a chance to mount
file systems before the device it might want to mount from becomes
unavailable.
projects / mirror_lxc.git / log