[lxc-devel] [PATCH] Importance for adding pids of lxc-attach to the cgroup of container
Greg Kurz
gkurz at fr.ibm.com
Thu Oct 6 09:19:05 UTC 2011
On Wed, 2011-10-05 at 20:46 +0200, "Axel Schöner" wrote:
> I've submitted a patch-set a few days before, but i didn't get any feedback yet.
>
Hi Axel,
I guess there are too few people using lxc-attach for the moment...
> The reason for this patch is, by using "lxc-attach" to enter the namespaces of
> a container, the "lxc-attach" process and its child processes are not added to
> the cgroup task-files of the container.
> That means, that the cgroup based restrictions for these processes would not
> be applied!
>
That makes a lot of sense indeed! This is clearly an isolation/security
bug.
> I think that should be fixed. The patches are again attached to this mail.
>
Well, it is better to send your series like you did before: one patch per
mail, otherwise it's impractical to comment... Moreover, each patch
shouldn't break compilation. For example, your patch number 1 doesn't
compile as it needs all the other patches. Also, when you add/change a
function signature, please use a single patch for .h and .c files...
In short, resend your series with:
- patch 1: introduce lxc_cgroup_append_task() helper
- patch 2: use lxc_cgroup_append_task() in lxc_attach()
This way, we can easily comment on your code and hopefully commit something
soon.
Thanks.
--
Gregory Kurz gkurz at fr.ibm.com
Software Engineer @ IBM/Meiosys http://www.ibm.com
Tel +33 (0)534 638 479 Fax +33 (0)561 400 420
"Anarchy is about taking complete responsibility for yourself."
Alan Moore.
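The helper Greg asks for in patch 1, together with the check an administrator would run after lxc-attach to confirm the container's cgroup limits actually cover the attached process, as an added example written for this page (not LXC's code and not Axel's patch). It assumes a cgroup v1 hierarchy where each cgroup exposes a "tasks" file and that the caller has already resolved the container's cgroup path; the path and pid values are constructed.

```c
/* Added example, modelled on the lxc_cgroup_append_task() helper proposed in
 * the thread; not LXC's own code.  Assumes cgroup v1 "tasks" files. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Append pid to the cgroup "tasks" file at tasks_path.  Returns 0 on success,
 * -1 on failure (path missing, or the writer lacks permission). */
int cgroup_append_task(const char *tasks_path, pid_t pid)
{
    FILE *f = fopen(tasks_path, "a");
    if (!f)
        return -1;
    /* cgroupfs expects one decimal pid per write. */
    int rc = fprintf(f, "%d\n", (int)pid) > 0 ? 0 : -1;
    if (fclose(f) != 0)
        rc = -1;
    return rc;
}

/* Report whether pid is listed in the cgroup "tasks" file.  Returns 1 if it
 * is, 0 if it is not, -1 if the file cannot be read.  A pid attached with
 * lxc-attach that is missing here is running outside the cgroup limits. */
int cgroup_contains_task(const char *tasks_path, pid_t pid)
{
    FILE *f = fopen(tasks_path, "r");
    if (!f)
        return -1;
    char line[64];
    int found = 0;
    while (fgets(line, sizeof line, f)) {
        if ((pid_t)strtol(line, NULL, 10) == pid) {  /* one bare pid per line */
            found = 1;
            break;
        }
    }
    fclose(f);
    return found;
}

/* Stand-alone use: ./check <cgroup>/tasks <pid> -> exit 0 iff pid is listed. */
int main(int argc, char **argv)
{
    if (argc != 3)
        return 2;
    return cgroup_contains_task(argv[1], (pid_t)atoi(argv[2])) == 1 ? 0 : 1;
}
```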