On Fri, Jul 19, 2013 at 02:26:52PM +0000, Serge Hallyn wrote: > From: Serge Hallyn <serge.hal...@ubuntu.com> > > This is needed if we're going to have unprivileged users > create containers inside cgroups which they own. > > Signed-off-by: Serge Hallyn <serge.hal...@ubuntu.com>
Acked-by: Stéphane Graber <stgra...@ubuntu.com>
> ---
> src/lxc/cgroup.c | 51 ++++++++++++++++++++++++++++++++++++++++++++++++++-
> src/lxc/cgroup.h | 1 +
> src/lxc/start.c | 11 ++++++++---
> 3 files changed, 59 insertions(+), 4 deletions(-)
>
> diff --git a/src/lxc/cgroup.c b/src/lxc/cgroup.c
> index 38ed514..c707519 100644
> --- a/src/lxc/cgroup.c
> +++ b/src/lxc/cgroup.c
> @@ -706,10 +706,13 @@ again:
> if (ret < 0 || ret >= MAXPATHLEN)
> goto fail;
>
> + INFO("lxcgroup %s name %s tail %s, makes path .%s.",
> + lxcgroup ? lxcgroup : "lxc", name, tail, path);
> +
> if (access(path, F_OK) == 0) goto next;
>
> if (mkdir(path, 0755)) {
> - ERROR("Error creating cgroups");
> + ERROR("Error creating cgroup %s", path);
> goto fail;
> }
>
> @@ -934,3 +937,49 @@ bool is_in_subcgroup(int pid, const char *subsystem,
> const char *cgpath)
> fclose(f);
> return false;
> }
> +
> +/*
> + * Return cgroup of current task.
> + * This assumes that task is in the same cgroup for each controller. This
> + * may or may not *always* be a reasonable assumption - it generally is,
> + * and handling or at least checking for this condition is a TODO.
> + */
> +int lxc_curcgroup(char *cgroup, int inlen)
> +{
> + FILE *f;
> + char *line = NULL, *p, *p2;
> + int ret = 0;
> + size_t len;
> +
> + f = fopen("/proc/self/cgroup", "r");
> + if (!f)
> + return -1;
> +
> + while (getline(&line, &len, f) != -1) {
> + if (strstr(line, ":freezer:") == NULL && strstr(line,
> ":devices:") == NULL)
> + continue;
> + p = rindex(line, ':');
> + if (!p)
> + continue;
> + p++;
> + len = strlen(p) + 1;
> + p2 = p + len - 2;
> + while (*p2 == '\n') { len--; *p2 = '\0'; p2--; }
> + if (!cgroup || inlen <= 0) {
> + ret = len;
> + break;
> + }
> + if (cgroup && len > inlen) {
> + ret = -1;
> + break;
> + }
> + strncpy(cgroup, p, len);
> + ret = len;
> + cgroup[len-1] = '\0';
> + break;
> + }
> +
> + if (line)
> + free(line);
> + return ret;
> +}
> diff --git a/src/lxc/cgroup.h b/src/lxc/cgroup.h
> index c08b2f7..77c44cd 100644
> --- a/src/lxc/cgroup.h
> +++ b/src/lxc/cgroup.h
> @@ -34,4 +34,5 @@ extern int lxc_cgroup_enter(const char *cgpath, pid_t pid);
> extern int lxc_cgroup_attach(pid_t pid, const char *name, const char
> *lxcpath);
> extern char *cgroup_path_get(const char *subsystem, const char *cgpath);
> extern bool is_in_subcgroup(int pid, const char *subsystem, const char
> *cgpath);
> +extern int lxc_curcgroup(char *cgroup, int inlen);
> #endif
> diff --git a/src/lxc/start.c b/src/lxc/start.c
> index defa87b..c91b231 100644
> --- a/src/lxc/start.c
> +++ b/src/lxc/start.c
> @@ -600,8 +600,9 @@ int save_phys_nics(struct lxc_conf *conf)
> extern bool is_in_subcgroup(int pid, const char *subsystem, const char
> *cgpath);
> int lxc_spawn(struct lxc_handler *handler)
> {
> - int failed_before_rename = 0;
> + int failed_before_rename = 0, len;
> const char *name = handler->name;
> + char *curcgroup = NULL;
>
> if (lxc_sync_init(handler))
> return -1;
> @@ -663,8 +664,12 @@ int lxc_spawn(struct lxc_handler *handler)
> if (lxc_sync_wait_child(handler, LXC_SYNC_CONFIGURE))
> failed_before_rename = 1;
>
> - /* TODO - pass lxc.cgroup.dir (or user's pam cgroup) in for first
> argument */
> - if ((handler->cgroup = lxc_cgroup_path_create(NULL, name)) == NULL)
> + if ((len = lxc_curcgroup(NULL, 0)) > 1) {
> + curcgroup = alloca(len);
> + if (lxc_curcgroup(curcgroup, len) <= 1)
> + curcgroup = NULL;
> + }
> + if ((handler->cgroup = lxc_cgroup_path_create(curcgroup, name)) == NULL)
> goto out_delete_net;
>
> if (setup_cgroup(handler->cgroup, &handler->conf->cgroup)) {
> --
> 1.8.3.2
>
>
> ------------------------------------------------------------------------------
> See everything from the browser to the database with AppDynamics
> Get end-to-end visibility with application monitoring from AppDynamics
> Isolate bottlenecks and diagnose root cause in seconds.
> Start your free trial of AppDynamics Pro today!
> http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
> _______________________________________________
> Lxc-devel mailing list
> Lxc-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/lxc-devel
--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
signature.asc
Description: Digital signature
------------------------------------------------------------------------------ See everything from the browser to the database with AppDynamics Get end-to-end visibility with application monitoring from AppDynamics Isolate bottlenecks and diagnose root cause in seconds. Start your free trial of AppDynamics Pro today! http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
_______________________________________________ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
