git.proxmox.com Git - mirror_lxc.git/commit

author	Serge Hallyn <serge.hallyn@ubuntu.com>
	Mon, 14 Jan 2013 23:32:44 +0000 (23:32 +0000)
committer	Stéphane Graber <stgraber@ubuntu.com>
	Tue, 15 Jan 2013 16:57:02 +0000 (11:57 -0500)
commit	544a48a0bdad50b601ab2d186aa78e71a47f92cd
tree	7412b137c6dc6005dd7e39b69c2be270a9444d3f	tree
parent	c4ea60dff6ac1dfd4dcce11ffd7b3007bb108122	commit \| diff

setup cgroups from parent

This is a first step to enabling user namespaces.  When starting a
container in a new user namespace, the child will not have the
rights to write to the cgroup fs.  (We can give it that right, but
don't always want to have to).

At the parent, we don't want to setup_cgroups() before the child
has set itself up.  But we also don't want to wait until it has
started running it's init, since that is racy.

Therefore introduce a new sync point.  The child will let the
parent know when it is ready to be confined, and wait for the
parent to respond that it has done so.  Then the child will finish
constraining itself with LSM and seccomp and execute init.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

src/lxc/conf.c		diff \| blob \| blame \| history
src/lxc/start.c		diff \| blob \| blame \| history
src/lxc/sync.h		diff \| blob \| blame \| history