The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/3396
This e-mail was sent by the LXC bot; direct replies will not reach the author unless they happen to be subscribed to this list.

=== Description (from pull-request) ===
Fixes: #3183
Cc: Thomas Moschny <thomas.mosc...@gmx.de>
Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com>
From 0e7a013ee850f5388f17e562e663268f24903a9b Mon Sep 17 00:00:00 2001 From: Christian Brauner <christian.brau...@ubuntu.com> Date: Sun, 3 May 2020 11:59:15 +0200 Subject: [PATCH 1/2] cgroups: ignore cgroup2 limits on non-cgroup2 layouts Mixing cgroup2 and legacy cgroup systems such that some controllers are enabled in legacy cgroup hierarchies and other controllers in the unified hierarchies is simply not something we're supporting. Even systemd's hybrid layout (crazy) doesn't bind controllers to the unified cgroup hierarchy. Fixes: #3183 Cc: Thomas Moschny <thomas.mosc...@gmx.de> Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com> --- src/lxc/cgroups/cgfsng.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c index 37309c9ead..7dfdc4e2d5 100644 --- a/src/lxc/cgroups/cgfsng.c +++ b/src/lxc/cgroups/cgfsng.c @@ -2928,9 +2928,12 @@ __cgfsng_ops static bool cgfsng_setup_limits(struct cgroup_ops *ops, return ret_set_errno(false, EINVAL); conf = handler->conf; - if (lxc_list_empty(&conf->cgroup2)) - return true; cgroup_settings = &conf->cgroup2; + if (lxc_list_empty(cgroup_settings)) + return true; + + if (!pure_unified_layout(ops)) + return log_warn_errno(true, EINVAL, "Ignoring cgroup2 limits on legacy cgroup system"); if (!ops->unified) return false; From 8dd7f9052fef12c4516fa7f62e267554a489fd9f Mon Sep 17 00:00:00 2001 From: Christian Brauner <christian.brau...@ubuntu.com> Date: Sun, 3 May 2020 12:01:44 +0200 Subject: [PATCH 2/2] common.conf: add cgroup2 default device limits Fixes: #3183 Cc: Thomas Moschny <thomas.mosc...@gmx.de> Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com> --- config/templates/common.conf.in | 31 +++++++++++++++++++++++++++++++ config/templates/userns.conf.in | 8 ++++++++ 2 files changed, 39 insertions(+) diff --git a/config/templates/common.conf.in b/config/templates/common.conf.in index c4b3bdcce8..286c5e4a3e 100644 
--- a/config/templates/common.conf.in +++ b/config/templates/common.conf.in @@ -15,6 +15,8 @@ lxc.cap.drop = mac_admin mac_override sys_time sys_module sys_rawio # Ensure hostname is changed on clone lxc.hook.clone = @LXCHOOKDIR@/clonehostname +# Default legacy cgroup configuration +# # CGroup whitelist lxc.cgroup.devices.deny = a ## Allow any mknod (but not reading/writing the node) @@ -42,6 +44,35 @@ lxc.cgroup.devices.allow = c 136:* rwm ### fuse lxc.cgroup.devices.allow = c 10:229 rwm +# Default unified cgroup configuration +# +# CGroup whitelist +lxc.cgroup2.devices.deny = a +## Allow any mknod (but not reading/writing the node) +lxc.cgroup2.devices.allow = c *:* m +lxc.cgroup2.devices.allow = b *:* m +## Allow specific devices +### /dev/null +lxc.cgroup2.devices.allow = c 1:3 rwm +### /dev/zero +lxc.cgroup2.devices.allow = c 1:5 rwm +### /dev/full +lxc.cgroup2.devices.allow = c 1:7 rwm +### /dev/tty +lxc.cgroup2.devices.allow = c 5:0 rwm +### /dev/console +lxc.cgroup2.devices.allow = c 5:1 rwm +### /dev/ptmx +lxc.cgroup2.devices.allow = c 5:2 rwm +### /dev/random +lxc.cgroup2.devices.allow = c 1:8 rwm +### /dev/urandom +lxc.cgroup2.devices.allow = c 1:9 rwm +### /dev/pts/* +lxc.cgroup2.devices.allow = c 136:* rwm +### fuse +lxc.cgroup2.devices.allow = c 10:229 rwm + # Setup the default mounts lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0 diff --git a/config/templates/userns.conf.in b/config/templates/userns.conf.in index 19013da5b3..69d9926809 100644 --- a/config/templates/userns.conf.in +++ b/config/templates/userns.conf.in 
@@ -1,7 +1,15 @@ # CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices +# +# Default legacy cgroup configuration +# lxc.cgroup.devices.deny = lxc.cgroup.devices.allow = +# Default unified cgroup configuration +# +lxc.cgroup2.devices.deny = +lxc.cgroup2.devices.allow = + # Start with a full set of capabilities in user namespaces. lxc.cap.drop = lxc.cap.keep =
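Review bot: in the src/lxc/cgroups/cgfsng.c hunk (cgfsng_setup_limits), the new `if (!pure_unified_layout(ops))` branch returns true, so a container whose only device restrictions are lxc.cgroup2.devices.* keys starts with no device limits applied on a legacy or hybrid host, and the only signal is one warning in the log. Because that silently gives the container more than its config says, please document the behaviour in lxc.container.conf(5) next to the lxc.cgroup2 keys, and reword the message: the commit message says the hybrid layout is not supported either, so "Ignoring cgroup2 limits on non-unified cgroup layout" is more accurate than "on legacy cgroup system". Setting errno to EINVAL on a success return (`log_warn_errno(true, EINVAL, ...)`) is also odd; a plain log_warn() would not leave a stale errno for callers. Finally, the `if (!ops->unified) return false;` that follows is now reachable only on a pure unified layout, where ops->unified is presumably always set, so it has become a defensive check rather than the guard it was written as; a short comment saying so would save the next reader from wondering.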
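Review bot: in the config/templates/common.conf.in hunk that adds the "Default unified cgroup configuration" block, the lxc.cgroup2.devices.* list is a line-for-line copy of the legacy list above it, so the two will drift unless a comment states they must be kept in sync (or the allow lines are generated from one source at build time). A second consequence: common.conf is included by every container, so with this hunk the first patch's "Ignoring cgroup2 limits on legacy cgroup system" warning fires on every container start on every non-unified host, which turns a useful signal into noise. Consider skipping or downgrading the warning when a non-empty lxc.cgroup.devices list is also present, so that the warning stays meaningful for users who set only the cgroup2 keys and would otherwise lose their device restrictions without noticing.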
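Review bot: in the config/templates/userns.conf.in hunk, the header comment "CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices" now heads both the legacy and the new lxc.cgroup2.devices.* reset lines; update it to name both key families (or repeat it above each block) so a reader does not conclude that the cgroup2 device whitelist from common.conf is left in force for unprivileged containers. A one-line comment that the empty assignments clear the list inherited from common.conf rather than deny anything would also help, since `lxc.cgroup2.devices.deny =` read on its own looks like a no-op.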
_______________________________________________ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
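The commit message above rejects mixed (hybrid) layouts, and the first patch makes LXC honour lxc.cgroup2 limits only on a pure unified host. The following is an added example, not code from the LXC project or from this pull request: a POSIX shell script that classifies a host's cgroup layout from /proc/self/mountinfo the same way (legacy, hybrid or unified) and reports which device-limit key family will actually take effect after the patch. It assumes that pure_unified_layout() is true exactly when every cgroup mount on the host is of type cgroup2; the function names are the example's own and the mountinfo excerpts are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not LXC code. Classifies a cgroup layout from mountinfo
# text and maps it to the lxc.cgroup*/lxc.cgroup2* keys LXC will honour.
# Assumption: LXC's pure_unified_layout() is true only for the "unified"
# case below (no legacy "cgroup" mounts at all).

# Reads mountinfo lines on stdin; prints one of: legacy hybrid unified none
classify_cgroup_layout() {
    have_legacy=0
    have_unified=0
    while IFS= read -r mi_line || [ -n "$mi_line" ]; do
        # mountinfo format: "... <optional fields> - <fstype> <source> <opts>"
        # The filesystem type is the first field after the " - " separator.
        rest=${mi_line##* - }
        fstype=${rest%% *}
        case $fstype in
            cgroup)  have_legacy=1 ;;
            cgroup2) have_unified=1 ;;
        esac
    done
    if [ "$have_legacy" = 1 ] && [ "$have_unified" = 1 ]; then
        printf 'hybrid\n'
    elif [ "$have_unified" = 1 ]; then
        printf 'unified\n'
    elif [ "$have_legacy" = 1 ]; then
        printf 'legacy\n'
    else
        printf 'none\n'
    fi
}

# Maps a layout name to the key family whose device limits apply after the
# patch: lxc.cgroup2.* only on a pure unified host; on legacy and hybrid
# hosts the cgroup2 keys are warned about and ignored, so lxc.cgroup.* rules.
effective_device_keys() {
    case $1 in
        unified)        printf 'lxc.cgroup2.devices.*\n' ;;
        legacy|hybrid)  printf 'lxc.cgroup.devices.*\n' ;;
        *)              printf 'none\n' ;;
    esac
}

# Constructed sample mountinfo excerpts (not captured from a real host).
LEGACY_MI='29 24 0:26 / /sys/fs/cgroup rw,nosuid,nodev,noexec shared:9 - tmpfs tmpfs ro,mode=755
30 29 0:27 / /sys/fs/cgroup/memory rw,nosuid,nodev,noexec shared:10 - cgroup cgroup rw,memory
31 29 0:28 / /sys/fs/cgroup/devices rw,nosuid,nodev,noexec shared:11 - cgroup cgroup rw,devices'
HYBRID_MI="$LEGACY_MI
32 29 0:29 / /sys/fs/cgroup/unified rw,nosuid,nodev,noexec shared:12 - cgroup2 cgroup2 rw"
UNIFIED_MI='29 24 0:26 / /sys/fs/cgroup rw,nosuid,nodev,noexec shared:9 - cgroup2 cgroup2 rw,nsdelegate'

# Prints "<label> -> <layout>, device limits taken from <key family>".
report() {
    layout=$(printf '%s\n' "$2" | classify_cgroup_layout)
    printf '%-14s -> %-8s device limits taken from %s\n' \
        "$1" "$layout" "$(effective_device_keys "$layout")"
}

report legacy-sample  "$LEGACY_MI"
report hybrid-sample  "$HYBRID_MI"
report unified-sample "$UNIFIED_MI"

# On a real Linux host, classify the live mount table as well.
if [ -r /proc/self/mountinfo ]; then
    host_layout=$(classify_cgroup_layout < /proc/self/mountinfo)
    printf '%-14s -> %-8s device limits taken from %s\n' \
        "this host" "$host_layout" "$(effective_device_keys "$host_layout")"
fi
```

Run it on the host that starts the containers (not inside one, whose mount table may differ): a result of "legacy" or "hybrid" means that, with this pull request applied, only the lxc.cgroup.devices.* lines constrain the container and any lxc.cgroup2.devices.* lines are logged and dropped.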