flags |= MOUNT_ATTR_RELATIME;
if ((cgroup_automount_type == LXC_AUTO_CGROUP_RO) ||
- (cgroup_automount_type == LXC_AUTO_CGROUP_FULL_RO))
+ (cgroup_automount_type == LXC_AUTO_CGROUP_FULL_RO) ||
+ (cgroup_automount_type == LXC_AUTO_CGROUP2_RO))
flags |= MOUNT_ATTR_RDONLY;
if (is_unified_hierarchy(h))
case LXC_AUTO_CGROUP_FULL_MIXED:
TRACE("Full mixed cgroup mounts requested");
break;
+ case LXC_AUTO_CGROUP2_RW:
+ TRACE("Read-write cgroup2 mount requested");
+ break;
+ case LXC_AUTO_CGROUP2_RO:
+ TRACE("Read-only cgroup2 mount requested");
+ break;
default:
return log_error_errno(false, EINVAL, "Invalid cgroup mount options specified");
}
return log_trace(true, "Mounting cgroups not requested or needed");
/* This is really the codepath that we want. */
- if (pure_unified_layout(ops)) {
+ if (pure_unified_layout(ops) ||
+ (cgroup_automount_type == LXC_AUTO_CGROUP2_RW) ||
+ (cgroup_automount_type == LXC_AUTO_CGROUP2_RO)) {
__do_close int dfd_mnt_unified = -EBADF;
+ if (!ops->unified)
+ return log_error_errno(false, EINVAL, "No unified cgroup hierarchy mounted on the host");
+
dfd_mnt_unified = open_at(rootfs->dfd_mnt, DEFAULT_CGROUP_MOUNTPOINT_RELATIVE,
PROTECT_OPATH_DIRECTORY, PROTECT_LOOKUP_BENEATH_XDEV, 0);
if (dfd_mnt_unified < 0)
* 10. cgroup-full:rw:force -> Not supported.
* 11. cgroup-full:ro:force -> Not supported.
* 12. cgroup-full:mixed:force -> Not supported.
+ *
+ * 13. cgroup2 -> No-op; init system responsible for mounting.
+ * 14. cgroup2:ro -> No-op; init system responsible for mounting.
+ * 15. cgroup2:force -> Mount the cgroup2 filesystem read-write
+ * 16. cgroup2:ro:force -> Mount the cgroup2 filesystem read-only
*/
ret = cgroupfs_mount(cgroup_automount_type, ops->unified, rootfs, dfd_mnt_unified, "");
if (ret < 0)
* Or the user requested to keep the cgroup namespace
* of the host or another container.
*/
- if (wants_force_mount) {
- /*
- * 1. cgroup:rw:force -> Bind-mount the cgroup2 filesystem writable.
- * 2. cgroup:ro:force -> Bind-mount the cgroup2 filesystem read-only.
- * 3. cgroup:mixed:force -> bind-mount the cgroup2 filesystem and
- * and make the parent directory of the
- * container's cgroup read-only but the
- * container's cgroup writable.
- *
- * 10. cgroup-full:rw:force ->
- * 11. cgroup-full:ro:force ->
- * 12. cgroup-full:mixed:force ->
- */
- errno = EOPNOTSUPP;
+ errno = EOPNOTSUPP;
+ if (wants_force_mount)
SYSWARN("Force-mounting the unified cgroup hierarchy without cgroup namespace support is currently not supported");
- } else {
- errno = EOPNOTSUPP;
+ else
SYSWARN("Mounting the unified cgroup hierarchy without cgroup namespace support is currently not supported");
- }
}
return syserror_ret(false, "Failed to mount cgroups");
if (can_use_mount_api()) {
fd_fs = fs_prepare("tmpfs", -EBADF, "", 0, 0);
if (fd_fs < 0)
- return log_error_errno(-errno, errno, "Failed to create new filesystem context for tmpfs");
+ return log_error_errno(false, errno, "Failed to create new filesystem context for tmpfs");
ret = fs_set_property(fd_fs, "mode", "0755");
if (ret < 0)
- return log_error_errno(-errno, errno, "Failed to mount tmpfs onto %d(dev)", fd_fs);
+ return log_error_errno(false, errno, "Failed to mount tmpfs onto %d(dev)", fd_fs);
ret = fs_set_property(fd_fs, "size", "10240k");
if (ret < 0)
- return log_error_errno(-errno, errno, "Failed to mount tmpfs onto %d(dev)", fd_fs);
+ return log_error_errno(false, errno, "Failed to mount tmpfs onto %d(dev)", fd_fs);
ret = fs_attach(fd_fs, rootfs->dfd_mnt, DEFAULT_CGROUP_MOUNTPOINT_RELATIVE,
PROTECT_OPATH_DIRECTORY, PROTECT_LOOKUP_BENEATH_XDEV,
/* /sys/fs/cgroup (full mount, parent r/o, own r/w) */
LXC_AUTO_CGROUP_FULL_MIXED = LXC_AUTO_CGROUP_FULL_RO |
LXC_AUTO_CGROUP_FULL_RW,
+
+ /*
+ * Mount a pure read-write cgroup2 layout in the container independent
+ * of the cgroup layout used on the host.
+ */
+ LXC_AUTO_CGROUP2_RW = BIT(8),
+ /*
+ * Mount a pure read-only cgroup2 layout in the container independent
+ * of the cgroup layout used on the host.
+ */
+ LXC_AUTO_CGROUP2_RO = BIT(9),
+
/*
* These are defined in such a way as to retain binary compatibility
* with earlier versions of this code. If the previous mask is applied,
/* /sys/fs/cgroup (full mount, r/w or mixed, depending on caps) */
LXC_AUTO_CGROUP_FULL_NOSPEC = 0x0E0,
/* mount cgroups even when cgroup namespaces are supported */
- LXC_AUTO_CGROUP_FORCE = BIT(8),
+ LXC_AUTO_CGROUP_FORCE = BIT(10),
/* all known cgroup options */
LXC_AUTO_CGROUP_MASK = LXC_AUTO_CGROUP_MIXED |
LXC_AUTO_CGROUP_FULL_MIXED |
LXC_AUTO_CGROUP_NOSPEC |
LXC_AUTO_CGROUP_FULL_NOSPEC |
- LXC_AUTO_CGROUP_FORCE,
+ LXC_AUTO_CGROUP_FORCE |
+ LXC_AUTO_CGROUP2_RW |
+ LXC_AUTO_CGROUP2_RO,
/* shared mount point */
- LXC_AUTO_SHMOUNTS = BIT(9),
+ LXC_AUTO_SHMOUNTS = BIT(11),
/* shared mount point mask */
LXC_AUTO_SHMOUNTS_MASK = LXC_AUTO_SHMOUNTS,
{ "sys:ro", LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RO },
{ "sys:mixed", LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED },
{ "sys:rw", LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RW },
+ { "cgroup2", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP2_RW | LXC_AUTO_CGROUP_FORCE },
+ { "cgroup2:ro", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP2_RO | LXC_AUTO_CGROUP_FORCE },
+ { "cgroup2:force", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP2_RW | LXC_AUTO_CGROUP_FORCE },
+ { "cgroup2:ro:force", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP2_RO | LXC_AUTO_CGROUP_FORCE },
{ "cgroup", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_NOSPEC },
{ "cgroup:mixed", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_MIXED },
{ "cgroup:ro", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_RO },
projects / mirror_lxc.git / commitdiff