The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/3396

This e-mail was sent by the LXC bot, direct replies will not reach the author
unless they happen to be subscribed to this list.

=== Description (from pull-request) ===
Fixes: #3183
Cc: Thomas Moschny <thomas.mosc...@gmx.de>
Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com>
From 0e7a013ee850f5388f17e562e663268f24903a9b Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brau...@ubuntu.com>
Date: Sun, 3 May 2020 11:59:15 +0200
Subject: [PATCH 1/2] cgroups: ignore cgroup2 limits on non-cgroup2 layouts

Mixing cgroup2 and legacy cgroup systems such that some controllers are enabled
in legacy cgroup hierarchies and other controllers in the unified hierarchies
is simply not something we're supporting. Even systemd's hybrid layout (crazy)
doesn't bind controllers to the unified cgroup hierarchy.

Fixes: #3183
Cc: Thomas Moschny <thomas.mosc...@gmx.de>
Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com>
---
 src/lxc/cgroups/cgfsng.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
index 37309c9ead..7dfdc4e2d5 100644
--- a/src/lxc/cgroups/cgfsng.c
+++ b/src/lxc/cgroups/cgfsng.c
@@ -2928,9 +2928,12 @@ __cgfsng_ops static bool cgfsng_setup_limits(struct 
cgroup_ops *ops,
                return ret_set_errno(false, EINVAL);
        conf = handler->conf;
 
-       if (lxc_list_empty(&conf->cgroup2))
-               return true;
        cgroup_settings = &conf->cgroup2;
+       if (lxc_list_empty(cgroup_settings))
+               return true;
+
+       if (!pure_unified_layout(ops))
+               return log_warn_errno(true, EINVAL, "Ignoring cgroup2 limits on 
legacy cgroup system");
 
        if (!ops->unified)
                return false;
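Review bot: with the new `if (!pure_unified_layout(ops))` early return in place, the `if (!ops->unified) return false;` that follows looks unreachable if `pure_unified_layout()` already implies `ops->unified` is set; either drop it or add a comment saying which case it still covers. Separately, `log_warn_errno(true, EINVAL, ...)` makes configured `lxc.cgroup2.*` limits a warning plus a successful return on hybrid and legacy layouts, so a container whose only device restrictions are cgroup2 ones starts with those limits not applied and nothing but a log line to show it; if that is the intended behaviour it should be documented in the container configuration man page, and setting errno to EINVAL on a path that returns success is confusing, so a logging variant that leaves errno alone would be clearer.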

From 8dd7f9052fef12c4516fa7f62e267554a489fd9f Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brau...@ubuntu.com>
Date: Sun, 3 May 2020 12:01:44 +0200
Subject: [PATCH 2/2] common.conf: add cgroup2 default device limits

Fixes: #3183
Cc: Thomas Moschny <thomas.mosc...@gmx.de>
Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com>
---
 config/templates/common.conf.in | 31 +++++++++++++++++++++++++++++++
 config/templates/userns.conf.in |  8 ++++++++
 2 files changed, 39 insertions(+)

diff --git a/config/templates/common.conf.in b/config/templates/common.conf.in
index c4b3bdcce8..286c5e4a3e 100644
--- a/config/templates/common.conf.in
+++ b/config/templates/common.conf.in
@@ -15,6 +15,8 @@ lxc.cap.drop = mac_admin mac_override sys_time sys_module 
sys_rawio
 # Ensure hostname is changed on clone
 lxc.hook.clone = @LXCHOOKDIR@/clonehostname
 
+# Default legacy cgroup configuration
+#
 # CGroup whitelist
 lxc.cgroup.devices.deny = a
 ## Allow any mknod (but not reading/writing the node)
@@ -42,6 +44,35 @@ lxc.cgroup.devices.allow = c 136:* rwm
 ### fuse
 lxc.cgroup.devices.allow = c 10:229 rwm
 
+# Default unified cgroup configuration
+#
+# CGroup whitelist
+lxc.cgroup2.devices.deny = a
+## Allow any mknod (but not reading/writing the node)
+lxc.cgroup2.devices.allow = c *:* m
+lxc.cgroup2.devices.allow = b *:* m
+## Allow specific devices
+### /dev/null
+lxc.cgroup2.devices.allow = c 1:3 rwm
+### /dev/zero
+lxc.cgroup2.devices.allow = c 1:5 rwm
+### /dev/full
+lxc.cgroup2.devices.allow = c 1:7 rwm
+### /dev/tty
+lxc.cgroup2.devices.allow = c 5:0 rwm
+### /dev/console
+lxc.cgroup2.devices.allow = c 5:1 rwm
+### /dev/ptmx
+lxc.cgroup2.devices.allow = c 5:2 rwm
+### /dev/random
+lxc.cgroup2.devices.allow = c 1:8 rwm
+### /dev/urandom
+lxc.cgroup2.devices.allow = c 1:9 rwm
+### /dev/pts/*
+lxc.cgroup2.devices.allow = c 136:* rwm
+### fuse
+lxc.cgroup2.devices.allow = c 10:229 rwm
+
 # Setup the default mounts
 lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
 lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none 
bind,optional 0 0
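Review bot: the new `lxc.cgroup2.devices.*` block is a line-for-line copy of the legacy `lxc.cgroup.devices.*` list above it, so a future edit to one list that is not mirrored in the other leaves the two layouts enforcing different device policies; add a comment to both sections stating that they must be kept identical, or consider generating the cgroup2 block from the legacy one at build time. The ordering is correct: `lxc.cgroup2.devices.deny = a` precedes the allow rules, matching the legacy block.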
diff --git a/config/templates/userns.conf.in b/config/templates/userns.conf.in
index 19013da5b3..69d9926809 100644
--- a/config/templates/userns.conf.in
+++ b/config/templates/userns.conf.in
@@ -1,7 +1,15 @@
 # CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
+#
+# Default legacy cgroup configuration
+#
 lxc.cgroup.devices.deny =
 lxc.cgroup.devices.allow =
 
+# Default unified cgroup configuration
+#
+lxc.cgroup2.devices.deny =
+lxc.cgroup2.devices.allow =
+
 # Start with a full set of capabilities in user namespaces.
 lxc.cap.drop =
 lxc.cap.keep =
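Review bot: the header comment `# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices` now sits above both sections but names only `cgroup.devices`; if the same requirement is what motivates clearing `lxc.cgroup2.devices.deny` and `lxc.cgroup2.devices.allow` for unprivileged containers, say so explicitly in the new `# Default unified cgroup configuration` comment rather than relying on position, since these empty assignments discard the default device policy from common.conf.in and a reader should see why.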
_______________________________________________
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel
