-From a9ab32b6e1e7b53c5f9ae3919b87bad80c30ba19 Mon Sep 17 00:00:00 2001
+From a3743ab2816d54fbe9854a5a9f31cc62b01b5339 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Tue, 15 Nov 2016 09:20:24 +0100
Subject: [PATCH 1/2] separate the limiting from the namespaced cgroup root
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
- src/lxc/cgroups/cgfs.c | 15 ++++++++--
- src/lxc/cgroups/cgfsng.c | 70 +++++++++++++++++++++++++++++++++++++--------
- src/lxc/cgroups/cgmanager.c | 15 ++++++++--
- src/lxc/cgroups/cgroup.c | 12 ++++----
- src/lxc/cgroups/cgroup.h | 12 ++++----
+ src/lxc/cgroups/cgfs.c | 15 +++++++--
+ src/lxc/cgroups/cgfsng.c | 76 ++++++++++++++++++++++++++++++++++++---------
+ src/lxc/cgroups/cgmanager.c | 15 +++++++--
+ src/lxc/cgroups/cgroup.c | 12 +++----
+ src/lxc/cgroups/cgroup.h | 12 +++----
src/lxc/criu.c | 2 +-
- src/lxc/start.c | 21 ++++++++++++--
- 7 files changed, 113 insertions(+), 34 deletions(-)
+ src/lxc/start.c | 21 +++++++++++--
+ 7 files changed, 116 insertions(+), 37 deletions(-)
diff --git a/src/lxc/cgroups/cgfs.c b/src/lxc/cgroups/cgfs.c
index 8499200..0152477 100644
return false;
diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
-index 57a13dc..15db0f1 100644
+index d3215d7..123c67c 100644
--- a/src/lxc/cgroups/cgfsng.c
+++ b/src/lxc/cgroups/cgfsng.c
-@@ -1250,14 +1250,20 @@ struct cgroup_ops *cgfsng_ops_init(void)
+@@ -1303,18 +1303,24 @@ struct cgroup_ops *cgfsng_ops_init(void)
return &cgfsng_ops;
}
+static bool create_path_for_hierarchy(struct hierarchy *h, char *cgname, bool inner)
{
- h->fullcgpath = must_make_path(h->mountpoint, h->base_cgroup, cgname, NULL);
-- if (dir_exists(h->fullcgpath)) // it must not already exist
+- if (dir_exists(h->fullcgpath)) { // it must not already exist
+- ERROR("Path \"%s\" already existed.", h->fullcgpath);
- return false;
-- if (!handle_cpuset_hierarchy(h, cgname))
+- }
+- if (!handle_cpuset_hierarchy(h, cgname)) {
+- ERROR("Failed to handle cgroupfs v1 cpuset controller.");
- return false;
-- return mkdir_p(h->fullcgpath, 0755) == 0;
+ char *path;
+ if (inner) {
+ path = must_make_path(h->fullcgpath, "ns", NULL);
+ } else {
+ path = must_make_path(h->mountpoint, h->base_cgroup, cgname, NULL);
+ h->fullcgpath = path;
-+ if (dir_exists(h->fullcgpath)) // it must not already exist
++ if (dir_exists(h->fullcgpath)) { // it must not already exist
++ ERROR("Path \"%s\" already existed.", h->fullcgpath);
+ return false;
-+ if (!handle_cpuset_hierarchy(h, cgname))
++ }
++ if (!handle_cpuset_hierarchy(h, cgname)) {
++ ERROR("Failed to handle cgroupfs v1 cpuset controller.");
+ return false;
-+ }
++ }
+ }
+- return mkdir_p(h->fullcgpath, 0755) == 0;
+ return mkdir_p(path, 0755) == 0;
}
static void remove_path_for_hierarchy(struct hierarchy *h, char *cgname)
-@@ -1272,7 +1278,8 @@ static void remove_path_for_hierarchy(struct hierarchy *h, char *cgname)
+@@ -1329,7 +1335,8 @@ static void remove_path_for_hierarchy(struct hierarchy *h, char *cgname)
* Try to create the same cgroup in all hierarchies.
* Start with cgroup_pattern; next cgroup_pattern-1, -2, ..., -999
*/
{
struct cgfsng_handler_data *d = hdata;
char *tmp, *cgname, *offset;
-@@ -1282,9 +1289,15 @@ static inline bool cgfsng_create(void *hdata)
+@@ -1339,9 +1346,15 @@ static inline bool cgfsng_create(void *hdata)
if (!d)
return false;
if (d->container_cgroup) {
tmp = lxc_string_replace("%n", d->name, d->cgroup_pattern);
if (!tmp) {
-@@ -1305,7 +1318,7 @@ again:
+@@ -1362,7 +1375,7 @@ again:
if (idx)
snprintf(offset, 5, "-%d", idx);
for (i = 0; hierarchies[i]; i++) {
int j;
SYSERROR("Failed to create %s: %s", hierarchies[i]->fullcgpath, strerror(errno));
free(hierarchies[i]->fullcgpath);
-@@ -1325,7 +1338,24 @@ out_free:
+@@ -1382,7 +1395,24 @@ out_free:
return false;
}
{
char pidstr[25];
int i, len;
-@@ -1335,7 +1365,12 @@ static bool cgfsng_enter(void *hdata, pid_t pid)
+@@ -1392,7 +1422,12 @@ static bool cgfsng_enter(void *hdata, pid_t pid)
return false;
for (i = 0; hierarchies[i]; i++) {
"cgroup.procs", NULL);
if (lxc_write_to_file(fullpath, pidstr, len, false) != 0) {
SYSERROR("Failed to enter %s", fullpath);
-@@ -1351,6 +1386,7 @@ static bool cgfsng_enter(void *hdata, pid_t pid)
+@@ -1408,6 +1443,7 @@ static bool cgfsng_enter(void *hdata, pid_t pid)
struct chown_data {
struct cgfsng_handler_data *d;
uid_t origuid; // target uid in parent namespace
};
/*
-@@ -1379,13 +1415,20 @@ static int chown_cgroup_wrapper(void *data)
+@@ -1436,13 +1472,20 @@ static int chown_cgroup_wrapper(void *data)
for (i = 0; hierarchies[i]; i++) {
char *fullpath, *path = hierarchies[i]->fullcgpath;
return -1;
}
-@@ -1409,12 +1452,14 @@ static int chown_cgroup_wrapper(void *data)
+@@ -1466,12 +1509,14 @@ static int chown_cgroup_wrapper(void *data)
if (chmod(fullpath, 0664) < 0)
WARN("Error chmoding %s: %m", path);
free(fullpath);
{
struct cgfsng_handler_data *d = hdata;
struct chown_data wrap;
-@@ -1427,6 +1472,7 @@ static bool cgfsns_chown(void *hdata, struct lxc_conf *conf)
+@@ -1484,6 +1529,7 @@ static bool cgfsns_chown(void *hdata, struct lxc_conf *conf)
wrap.d = d;
wrap.origuid = geteuid();
extern bool cgroup_create_legacy(struct lxc_handler *handler);
extern int cgroup_nrtasks(struct lxc_handler *handler);
diff --git a/src/lxc/criu.c b/src/lxc/criu.c
-index 9523af3..2339088 100644
+index 50a7400..8933d9a 100644
--- a/src/lxc/criu.c
+++ b/src/lxc/criu.c
-@@ -770,7 +770,7 @@ static void do_restore(struct lxc_container *c, int status_pipe, struct migrate_
+@@ -797,7 +797,7 @@ static void do_restore(struct lxc_container *c, int status_pipe, struct migrate_
goto out_fini_handler;
}
goto out_fini_handler;
}
diff --git a/src/lxc/start.c b/src/lxc/start.c
-index 451becb..29bbb08 100644
+index 71206e0..c9d78b7 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
-@@ -1137,7 +1137,7 @@ static int lxc_spawn(struct lxc_handler *handler)
+@@ -1121,7 +1121,7 @@ static int lxc_spawn(struct lxc_handler *handler)
cgroups_connected = true;
- if (!cgroup_create(handler)) {
+ if (!cgroup_create(handler, false)) {
- ERROR("failed creating cgroups");
+ ERROR("Failed creating cgroups.");
goto out_delete_net;
}
-@@ -1222,10 +1222,10 @@ static int lxc_spawn(struct lxc_handler *handler)
+@@ -1208,10 +1208,10 @@ static int lxc_spawn(struct lxc_handler *handler)
goto out_delete_net;
}
goto out_delete_net;
if (failed_before_rename)
-@@ -1268,6 +1268,21 @@ static int lxc_spawn(struct lxc_handler *handler)
+@@ -1254,6 +1254,21 @@ static int lxc_spawn(struct lxc_handler *handler)
goto out_delete_net;
}
-From e1678be9b02b589f19cae89ed989fa2c82388962 Mon Sep 17 00:00:00 2001
+From 1623287e7370989d554149a1e2ac28afcde96dbb Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Wed, 16 Nov 2016 09:53:42 +0100
Subject: [PATCH 2/2] start/initutils: make cgroupns separation level
extern void lxc_setup_fs(void);
extern const char *lxc_global_config_value(const char *option_name);
diff --git a/src/lxc/start.c b/src/lxc/start.c
-index 29bbb08..93338ae 100644
+index c9d78b7..d4603f7 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
-@@ -1084,6 +1084,7 @@ static int lxc_spawn(struct lxc_handler *handler)
+@@ -1067,6 +1067,7 @@ static int lxc_spawn(struct lxc_handler *handler)
int saved_ns_fd[LXC_NS_MAX];
int preserve_mask = 0, i, flags;
int netpipepair[2], nveths;
netpipe = -1;
-@@ -1148,7 +1149,7 @@ static int lxc_spawn(struct lxc_handler *handler)
- *
- * if the container is unprivileged then skip rootfs pinning
+@@ -1130,7 +1131,7 @@ static int lxc_spawn(struct lxc_handler *handler)
+ * it readonly.
+ * If the container is unprivileged then skip rootfs pinning.
*/
- if (lxc_list_empty(&handler->conf->id_map)) {
+ if (!privileged) {
handler->pinfd = pin_rootfs(handler->conf->rootfs.path);
if (handler->pinfd == -1)
- INFO("failed to pin the container's rootfs");
-@@ -1269,17 +1270,20 @@ static int lxc_spawn(struct lxc_handler *handler)
+ INFO("Failed to pin the rootfs for container \"%s\".", handler->name);
+@@ -1255,17 +1256,20 @@ static int lxc_spawn(struct lxc_handler *handler)
}
if (cgns_supported()) {
+++ /dev/null
-From 5610055a113f46a017bad687c40e7570da2a7035 Mon Sep 17 00:00:00 2001
-From: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Date: Wed, 17 Aug 2016 11:36:39 +0200
-Subject: [PATCH] conf: merge network namespace move & rename on shutdown
-
-On shutdown we move physical network interfaces back to the
-host namespace and rename them afterwards as well as in the
-later lxc_network_delete() step. However, if the device had
-a name which already exists in the host namespace then the
-moving fails and so do the subsequent rename attempts. When
-the namespace ceases to exist the devices finally end up
-in the host namespace named 'dev<ID>' by the kernel.
-
-In order to avoid this, we do the moving and renaming in a
-single step (lxc_netdev_move_by_*()'s move & rename happen
-in a single netlink transaction).
-
-Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
----
- src/lxc/conf.c | 29 ++++++++---------------------
- src/lxc/conf.h | 2 +-
- src/lxc/start.c | 2 +-
- 3 files changed, 10 insertions(+), 23 deletions(-)
-
-diff --git a/src/lxc/conf.c b/src/lxc/conf.c
-index f688f94..b2e0fd9 100644
---- a/src/lxc/conf.c
-+++ b/src/lxc/conf.c
-@@ -2397,15 +2397,17 @@ static int setup_network(struct lxc_list *network)
- }
-
- /* try to move physical nics to the init netns */
--void restore_phys_nics_to_netns(int netnsfd, struct lxc_conf *conf)
-+void lxc_restore_phys_nics_to_netns(int netnsfd, struct lxc_conf *conf)
- {
- int i, ret, oldfd;
- char path[MAXPATHLEN];
- char ifname[IFNAMSIZ];
-
-- if (netnsfd < 0)
-+ if (netnsfd < 0 || conf->num_savednics == 0)
- return;
-
-+ INFO("running to reset %d nic names", conf->num_savednics);
-+
- ret = snprintf(path, MAXPATHLEN, "/proc/self/ns/net");
- if (ret < 0 || ret >= MAXPATHLEN) {
- WARN("Failed to open monitor netns fd");
-@@ -2427,32 +2429,17 @@ void restore_phys_nics_to_netns(int netnsfd, struct lxc_conf *conf)
- WARN("no interface corresponding to index '%d'", s->ifindex);
- continue;
- }
-- if (lxc_netdev_move_by_name(ifname, 1, NULL))
-+ if (lxc_netdev_move_by_name(ifname, 1, s->orig_name))
- WARN("Error moving nic name:%s back to host netns", ifname);
-+ free(s->orig_name);
- }
-+ conf->num_savednics = 0;
-+
- if (setns(oldfd, 0) != 0)
- SYSERROR("Failed to re-enter monitor's netns");
- close(oldfd);
- }
-
--void lxc_rename_phys_nics_on_shutdown(int netnsfd, struct lxc_conf *conf)
--{
-- int i;
--
-- if (conf->num_savednics == 0)
-- return;
--
-- INFO("running to reset %d nic names", conf->num_savednics);
-- restore_phys_nics_to_netns(netnsfd, conf);
-- for (i=0; i<conf->num_savednics; i++) {
-- struct saved_nic *s = &conf->saved_nics[i];
-- INFO("resetting nic %d to %s", s->ifindex, s->orig_name);
-- lxc_netdev_rename_by_index(s->ifindex, s->orig_name);
-- free(s->orig_name);
-- }
-- conf->num_savednics = 0;
--}
--
- static char *default_rootfs_mount = LXCROOTFSMOUNT;
-
- struct lxc_conf *lxc_conf_init(void)
-diff --git a/src/lxc/conf.h b/src/lxc/conf.h
-index e484667..842e4dc 100644
---- a/src/lxc/conf.h
-+++ b/src/lxc/conf.h
-@@ -440,7 +440,7 @@ extern int do_rootfs_setup(struct lxc_conf *conf, const char *name,
- struct cgroup_process_info;
- extern int lxc_setup(struct lxc_handler *handler);
-
--extern void lxc_rename_phys_nics_on_shutdown(int netnsfd, struct lxc_conf *conf);
-+extern void lxc_restore_phys_nics_to_netns(int netnsfd, struct lxc_conf *conf);
-
- extern int find_unmapped_nsuid(struct lxc_conf *conf, enum idtype idtype);
- extern int mapped_hostid(unsigned id, struct lxc_conf *conf, enum idtype idtype);
-diff --git a/src/lxc/start.c b/src/lxc/start.c
-index ecc7b08..0da7f9f 100644
---- a/src/lxc/start.c
-+++ b/src/lxc/start.c
-@@ -1420,7 +1420,7 @@ int __lxc_start(const char *name, struct lxc_conf *conf,
- }
-
- DEBUG("Pushing physical nics back to host namespace");
-- lxc_rename_phys_nics_on_shutdown(netnsfd, handler->conf);
-+ lxc_restore_phys_nics_to_netns(netnsfd, handler->conf);
-
- DEBUG("Tearing down virtual network devices used by container");
- lxc_delete_network(handler);
---
-2.1.4
-
projects / lxc.git / commitdiff