git.proxmox.com Git - mirror_lxc.git/commit
use systemd dbus StartTransientUnit for unpriv cgroup2
author Serge Hallyn <serge@hallyn.com>
Tue, 21 Jun 2022 12:50:53 +0000 (14:50 +0200)
committer Christian Brauner (Microsoft) <christian.brauner@ubuntu.com>
Tue, 21 Jun 2022 14:01:13 +0000 (16:01 +0200)
commit c55353f84a8c171d0ccb911e1d34a5ed5577def1
tree f1b48fdc24980279d5253b7c00ee243331fec946
parent 0a73102d43c0abfe9c29e88d5b4135e1d18f48dd
use systemd dbus StartTransientUnit for unpriv cgroup2

If, when init'ing cgroups for a container start, we detect that we
are an unprivileged user on a unified-hierarchy-only system, then we
try to request systemd, through dbus api, to create a new scope for
us with delegation.  Call the cgroup it creates for us P1.  We then
create P1/init, move ourselves into there, so we can enable the
controllers for delegation to P1's children through P1/cgroup.subtree_control.

On attach, we try to request systemd attach us to the container's
scope.  We can't do that ourselves in the normal case, as root owns
our login cgroups.

Create a new command api for the lxc monitor to tell lxc-attach the
systemd scope to which to attach.

Changelog:
 * free cgroup_meta.systemd_scope in lxc_conf_free (Thanks Tycho)
 * fix some indent
 * address some (not all) of brauner's feedback

Signed-off-by: Serge Hallyn <serge@hallyn.com>
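The procedure the commit message describes, written out as an added shell example that is not part of this commit or of LXC's code: the StartTransientUnit request goes to the user's systemd instance through busctl (assumed installed; the scope name and the lxc_demo_* function names are made up for this example), and the delegation half takes the delegated cgroup directory P1 as a parameter, so it runs unchanged against a real delegated scope or against a constructed directory tree.

```shell
#!/bin/sh
# Added example, not LXC's code. Function names lxc_demo_* are invented here.

# Step 1: ask the user's systemd over D-Bus for a transient scope that
# contains this shell and has Delegate=true, which is what lets an
# unprivileged user manage the cgroup subtree systemd hands back.
# Needs a running user session; the test below does not call it.
lxc_demo_request_scope() {
    scope_name="$1"   # e.g. lxc-demo.scope (constructed name)
    busctl --user call \
        org.freedesktop.systemd1 /org/freedesktop/systemd1 \
        org.freedesktop.systemd1.Manager StartTransientUnit \
        'ssa(sv)a(sa(sv))' \
        "$scope_name" fail \
        2 PIDs au 1 "$$" Delegate b true \
        0
}

# Step 2: find the cgroup we now live in. On a unified-hierarchy-only
# system /proc/self/cgroup has a single "0::<path>" line; the path is
# relative to the cgroup2 mount (normally /sys/fs/cgroup). The file is a
# parameter so a constructed copy can be parsed in a test.
lxc_demo_own_cgroup() {
    sed -n 's/^0::\(.*\)$/\1/p' "${1:-/proc/self/cgroup}"
}

# Step 3: given the delegated cgroup P1, create P1/init, move ourselves
# into it, then enable every controller P1 offers for P1's children.
# The move has to come first: cgroup2 refuses (EBUSY) to enable
# controllers in cgroup.subtree_control of a cgroup that still holds
# processes itself, which is exactly why the P1/init child exists.
lxc_demo_delegate_subtree() {
    p1="$1"
    pid="${2:-$$}"
    mkdir -p "$p1/init"
    echo "$pid" > "$p1/init/cgroup.procs"
    # A single "+cpu +memory ..." write is accepted by the kernel; it is
    # also what a plain file in a constructed tree ends up containing.
    ctls=""
    for ctl in $(cat "$p1/cgroup.controllers"); do
        ctls="$ctls +$ctl"
    done
    echo "${ctls# }" > "$p1/cgroup.subtree_control"
}

# Putting it together on a real system (not executed here):
#   lxc_demo_request_scope lxc-demo.scope
#   lxc_demo_delegate_subtree "/sys/fs/cgroup$(lxc_demo_own_cgroup)"
```

After the last step, the shell sits in P1/init while P1/cgroup.subtree_control lists the enabled controllers, so children created under P1 (the container's own cgroups) can use them without any further help from root.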
12 files changed:
.github/workflows/build.yml
.github/workflows/coverity.yml
.github/workflows/sanitizers.sh
.github/workflows/sanitizers.yml
meson.build
meson_options.txt
src/lxc/cgroups/cgfsng.c
src/lxc/commands.c
src/lxc/commands.h
src/lxc/conf.c
src/lxc/conf.h
src/tests/oss-fuzz.sh