The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/2136


=== Description (from pull-request) ===
With cgroup:ro(rw/mixed) option, we have some restrictions:
   * general containers(non system containers with cgroup namespace and sys_admin) have no cgroup (/sys/fs/cgroup is empty)
   * the container's /sys/fs/cgroup contains lxc/containerid; sometimes that is not an issue, but it is odd, and the OS also creates cgroup subsystems directly in /sys/fs/cgroup.

What I do?
Add two auto mount options:
   *  cgroup-self:ro   partial mount by lxc itself, no lxc/containerid exist in /sys/fs/cgroup r/o
   *  cgroup-self:rw   partial mount by lxc itself, no lxc/containerid exist in /sys/fs/cgroup r/w

Signed-off-by: Shukui Yang <yangshu...@huawei.com>
From 1f13c2810f50106ed5354b33e0fb00d686dc2757 Mon Sep 17 00:00:00 2001
From: Shukui Yang <yangshu...@huawei.com>
Date: Wed, 7 Feb 2018 14:04:41 -0500
Subject: [PATCH] Add auto mount options: *cgroup-self:ro partial mount by lxc
 itself, no lxc/containerid r/o *cgroup-self:rw partial mount by lxc itself,
 no lxc/containerid r/w

Signed-off-by: Shukui Yang <yangshu...@huawei.com>
---
 src/lxc/cgroups/cgfsng.c | 26 ++++++++++++++++++++------
 src/lxc/conf.h           | 13 ++++++++-----
 src/lxc/confile.c        |  2 ++
 3 files changed, 30 insertions(+), 11 deletions(-)

diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
index f4bec7f52..41f6fa38b 100644
--- a/src/lxc/cgroups/cgfsng.c
+++ b/src/lxc/cgroups/cgfsng.c
@@ -1938,8 +1938,6 @@ static int do_secondstage_mounts_if_needed(int type, 
struct hierarchy *h,
        }
        char *sourcepath = must_make_path(h->mountpoint, h->base_cgroup, 
container_cgroup, NULL);
        int flags = MS_BIND;
-       if (type == LXC_AUTO_CGROUP_RO)
-               flags |= MS_RDONLY;
        INFO("Mounting %s onto %s", sourcepath, cgpath);
        if (mount(sourcepath, cgpath, "cgroup", flags, NULL) < 0) {
                free(sourcepath);
@@ -1947,6 +1945,18 @@ static int do_secondstage_mounts_if_needed(int type, 
struct hierarchy *h,
                                cgpath);
                return -1;
        }
+       if (type == LXC_AUTO_CGROUP_RO ||
+               type == LXC_AUTO_CGROUP_SELF_RO){
+               flags |= MS_RDONLY;
+               flags |= MS_REMOUNT;
+               INFO("ReMounting %s onto %s with readoly flag", sourcepath, 
cgpath);
+               if (mount(sourcepath, cgpath, "cgroup", flags, NULL) < 0) {
+                       free(sourcepath);
+                       SYSERROR("Error mounting cgroup %s onto %s", 
h->controllers[0],
+                                       cgpath);
+                       return -1;
+               }
+       }
        free(sourcepath);
        INFO("Completed second stage cgroup automounts for %s", cgpath);
        return 0;
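Review bot: The added read-only remount reuses the SYSERROR text of the first mount, so a failed remount is indistinguishable in the log from a failed bind mount, and the INFO string misspells read-only (`readoly`); suggest `INFO("Remounting %s onto %s read-only", sourcepath, cgpath);` and `SYSERROR("Error remounting cgroup %s onto %s read-only", h->controllers[0], cgpath);`. The two-step bind-then-remount is the correct way to get an enforced read-only bind mount (MS_RDONLY handed to mount() together with MS_BIND on a fresh bind is ignored by the kernel), so a comment should record that, e.g. `/* MS_RDONLY is ignored on a fresh bind mount; a MS_REMOUNT|MS_BIND pass is needed for it to take effect */`, otherwise a later cleanup may fold the two calls back into one and silently lose the read-only guarantee. Style: `){` should be `) {`, and the continuation `type == LXC_AUTO_CGROUP_SELF_RO` should align with the opening parenthesis as the surrounding code does. do_secondstage_mounts_if_needed starts before the hunk.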
@@ -1993,6 +2003,7 @@ static bool cgfsng_mount(void *hdata, const char *root, 
int type)
        struct lxc_handler *handler = hdata;
        struct cgfsng_handler_data *d = handler->cgroup_data;
        bool has_cgns = false, has_sys_admin = true;
+       char *container_cgroup = "";
 
        if ((type & LXC_AUTO_CGROUP_MASK) == 0)
                return true;
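Review bot: `char *container_cgroup = "";` points a non-const `char *` at a string literal, so any write through it would be undefined behaviour, while the variable only ever feeds path construction (the `path2 = must_make_path(...)` line in a later hunk). Declare it `const char *container_cgroup = "";` — assuming `must_make_path` takes `const char *` arguments, it still accepts `d->container_cgroup` on the other branch. cgfsng_mount continues outside the hunk.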
@@ -2002,10 +2013,13 @@ static bool cgfsng_mount(void *hdata, const char *root, 
int type)
                has_sys_admin = in_caplist(CAP_SYS_ADMIN, 
&handler->conf->keepcaps);
        else
                has_sys_admin = !in_caplist(CAP_SYS_ADMIN, 
&handler->conf->caps);
+       if (type != LXC_AUTO_CGROUP_SELF_RO &&
+               type != LXC_AUTO_CGROUP_SELF_RW){
+               if (has_cgns && has_sys_admin )
+                       return true;
 
-       if (has_cgns && has_sys_admin)
-               return true;
-
+               container_cgroup = d->container_cgroup;
+       }
        tmpfspath = must_make_path(root, "/sys/fs/cgroup", NULL);
 
        if (type == LXC_AUTO_CGROUP_NOSPEC)
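Review bot: For the SELF variants the added branch leaves `container_cgroup` empty, so the `path2 = must_make_path(controllerpath, h->base_cgroup, container_cgroup, NULL)` target in the next hunk collapses to the base cgroup directory, while the source of the second-stage bind mount is built from a separate `container_cgroup` argument whose call site is outside this diff. The intended result (the container's own cgroup appearing at the controller root) only holds if that call still passes `d->container_cgroup`; if it were ever switched to this local, the container would be handed its parent cgroup, so the assignment deserves a comment such as `/* SELF_*: bind the container's own cgroup at the controller root so no lxc/containerid path is visible; the bind source must remain d->container_cgroup */`. The branch also skips the `has_cgns && has_sys_admin` early return, meaning lxc now mounts the hierarchy even when the container could mount it itself; that matches the description but is worth a one-line comment too. Style: `){` should be `) {`, the stray space in `has_sys_admin )` should go, and the blank line between the closing brace and `tmpfspath = ...` should be kept. cgfsng_mount starts and ends outside the hunk.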
@@ -2060,7 +2074,7 @@ static bool cgfsng_mount(void *hdata, const char *root, 
int type)
                        free(controllerpath);
                        continue;
                }
-               path2 = must_make_path(controllerpath, h->base_cgroup, 
d->container_cgroup, NULL);
+               path2 = must_make_path(controllerpath, h->base_cgroup, 
container_cgroup, NULL);
                if (mkdir_p(path2, 0755) < 0) {
                        free(controllerpath);
                        free(path2);
diff --git a/src/lxc/conf.h b/src/lxc/conf.h
index 2346b717f..1d5680a47 100644
--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
@@ -223,9 +223,12 @@ enum {
        LXC_AUTO_CGROUP_RO            = 0x010,   /* /sys/fs/cgroup (partial 
mount, read-only) */
        LXC_AUTO_CGROUP_RW            = 0x020,   /* /sys/fs/cgroup (partial 
mount, read-write) */
        LXC_AUTO_CGROUP_MIXED         = 0x030,   /* /sys/fs/cgroup (partial 
mount, paths r/o, cgroup r/w) */
-       LXC_AUTO_CGROUP_FULL_RO       = 0x040,   /* /sys/fs/cgroup (full mount, 
read-only) */
-       LXC_AUTO_CGROUP_FULL_RW       = 0x050,   /* /sys/fs/cgroup (full mount, 
read-write) */
-       LXC_AUTO_CGROUP_FULL_MIXED    = 0x060,   /* /sys/fs/cgroup (full mount, 
parent r/o, own r/w) */
+       LXC_AUTO_CGROUP_SELF_RO       = 0x040,   /* /sys/fs/cgroup (partial 
mount by lxc itself, no lxc/containerid r/o) */
+       LXC_AUTO_CGROUP_SELF_RW       = 0x050,   /* /sys/fs/cgroup (partial 
mount by lxc itself, no lxc/containerid r/w) */
+       LXC_AUTO_CGROUP_FULL_RO       = 0x060,   /* /sys/fs/cgroup (full mount, 
read-only) */
+       LXC_AUTO_CGROUP_FULL_RW       = 0x070,   /* /sys/fs/cgroup (full mount, 
read-write) */
+       LXC_AUTO_CGROUP_FULL_MIXED    = 0x080,   /* /sys/fs/cgroup (full mount, 
parent r/o, own r/w) */
+
        /* These are defined in such a way as to retain
         * binary compatibility with earlier versions of
         * this code. If the previous mask is applied,
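Review bot: Inserting `LXC_AUTO_CGROUP_SELF_RO`/`_RW` at 0x040/0x050 renumbers the three `LXC_AUTO_CGROUP_FULL_*` constants and widens the mask to 0x1F0 in the second hunk of this file, which contradicts the comment directly beneath saying the values are chosen to retain binary compatibility: `LXC_AUTO_CGROUP_FULL_NOSPEC` (0x0E0) under the previous 0x070 mask yields 0x060, which now means `FULL_RO` instead of `FULL_MIXED`. Anything that still compares against the old numeric values would silently get a different, possibly more permissive, cgroup mount mode. Appending the new constants at unused slots inside the existing 0x0F0 mask (for example 0x090 and 0x0A0 — suggested values) would keep every existing value and both masks unchanged; if the widening is kept instead, the comment below needs rewriting to state what the new mask implies. The enum spans both hunks of this file.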
@@ -233,9 +236,9 @@ enum {
         * variants, which is safe. */
        LXC_AUTO_CGROUP_NOSPEC        = 0x0B0,   /* /sys/fs/cgroup (partial 
mount, r/w or mixed, depending on caps) */
        LXC_AUTO_CGROUP_FULL_NOSPEC   = 0x0E0,   /* /sys/fs/cgroup (full mount, 
r/w or mixed, depending on caps) */
-       LXC_AUTO_CGROUP_MASK          = 0x0F0,
+       LXC_AUTO_CGROUP_MASK          = 0x1F0,
 
-       LXC_AUTO_ALL_MASK             = 0x0FF,   /* all known settings */
+       LXC_AUTO_ALL_MASK             = 0x1FF,   /* all known settings */
 };
 
 /*
diff --git a/src/lxc/confile.c b/src/lxc/confile.c
index fa4f84da9..509c3b4e6 100644
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -1770,6 +1770,8 @@ static int set_config_mount_auto(const char *key, const 
char *value,
            { "cgroup-full:mixed", LXC_AUTO_CGROUP_MASK, 
LXC_AUTO_CGROUP_FULL_MIXED  },
            { "cgroup-full:ro",    LXC_AUTO_CGROUP_MASK, 
LXC_AUTO_CGROUP_FULL_RO     },
            { "cgroup-full:rw",    LXC_AUTO_CGROUP_MASK, 
LXC_AUTO_CGROUP_FULL_RW     },
+           { "cgroup-self:ro",    LXC_AUTO_CGROUP_MASK, 
LXC_AUTO_CGROUP_SELF_RO     },
+           { "cgroup-self:rw",    LXC_AUTO_CGROUP_MASK, 
LXC_AUTO_CGROUP_SELF_RW     },
            /* For adding anything that is just a single on/off, but has no
             * options: keep mask and flag identical and just define the enum
             * value as an unused bit so far
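Review bot: The two new `lxc.mount.auto` values have no user-facing documentation; the diffstat lists only cgfsng.c, conf.h and confile.c, so the man-page section that enumerates the `cgroup-*` variants is untouched. A short comment on the table entries would also help, since they differ from `cgroup:ro`/`cgroup:rw` only in behaviour decided elsewhere: `/* cgroup-self:*: mounted by lxc even when the container has a cgroup namespace and CAP_SYS_ADMIN, and without the lxc/containerid path component */`. There is no `cgroup-self:mixed` counterpart to the other two families; if that asymmetry is intentional the comment should say so. set_config_mount_auto starts and ends outside the hunk.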