[lxc-devel] [PATCH] lxc_cgroup_append_task_1of3() helper_1of2
"Axel Schöner"
axel.schoener at gmx.de
Thu Oct 6 12:59:13 UTC 2011
Hi,
the new patchset consists of 3 patches:
patch_1of3_lxc_cgroup_append_task_helper_cgroup
patch_2of3_lxc_cgroup_append_task_helper_namespace
patch_3of3_lxc_cgroup_append_task_in_lxc_attach
I hope it is much better now.
Thanks to Greg
diff --git a/src/lxc/cgroup.h b/src/lxc/cgroup.h
index 188d948..6669815 100644
--- a/src/lxc/cgroup.h
+++ b/src/lxc/cgroup.h
@@ -31,4 +31,5 @@ int lxc_cgroup_destroy(const char *name);
int lxc_cgroup_path_get(char **path, const char *subsystem, const char *name);
int lxc_cgroup_nrtasks(const char *name);
int lxc_ns_is_mounted(void);
+int lxc_cgroup_append_task(const char *name, pid_t pid);
#endif
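Review bot: `pid_t` appears in cgroup.h for the first time with this prototype (the other declarations in the visible context use only `char *`, `int` and `void`), so the header should include `<sys/types.h>` itself rather than rely on every includer having pulled it in first; otherwise a translation unit that includes cgroup.h before the system headers fails to build, which is the per-patch compile breakage the reply below asks to avoid.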
diff --git a/src/lxc/cgroup.c b/src/lxc/cgroup.c
index a2b823e..d86891b 100644
--- a/src/lxc/cgroup.c
+++ b/src/lxc/cgroup.c
@@ -265,6 +265,43 @@ out:
return err;
}
+/*
+ * for each mounted cgroup, get the cgroup for the container to append a task
+ */
+int lxc_cgroup_append_task(const char *name, pid_t pid)
+{
+ struct mntent *mntent;
+ FILE *file = NULL;
+ int err = -1;
+ char cgname[MAXPATHLEN];
+
+ file = setmntent(MTAB, "r");
+ if (!file) {
+ SYSERROR("failed to open %s", MTAB);
+ return -1;
+ }
+
+ while ((mntent = getmntent(file))) {
+
+ DEBUG("checking '%s' (%s)", mntent->mnt_dir, mntent->mnt_type);
+
+ if (!strcmp(mntent->mnt_type, "cgroup")) {
+
+ INFO("found cgroup mounted at '%s'", mntent->mnt_dir);
+ snprintf(cgname, MAXPATHLEN, "%s/%s", mntent->mnt_dir, name);
+ /* Let's add the pid to the 'tasks' file */
+ err = cgroup_attach(cgname, pid);
+ if (err) {
+ SYSERROR("failed to attach pid '%d' to '%s'", pid, cgname);
+ endmntent(file);
+ return err;
+ }
+ }
+ }
+ endmntent(file);
+ return err;
+}
+
int lxc_one_cgroup_destroy(const char *cgmnt, const char *name)
{
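Review bot: Two points in `lxc_cgroup_append_task()`. First, `err` starts at -1 and is only assigned by `cgroup_attach()`, so when MTAB contains no entry of type `cgroup` the loop body never runs and the function returns -1 without any diagnostic; either log that case or decide explicitly whether "no cgroup mounted" is a failure, because the lxc-attach caller will otherwise report an error it cannot explain. Second, the result of `snprintf(cgname, MAXPATHLEN, "%s/%s", mntent->mnt_dir, name)` is unchecked: a mount point plus container name longer than MAXPATHLEN is silently truncated and the pid is then written to (or the open fails on) a path that is not the container's cgroup, which defeats the isolation this patch restores; compare the return value with MAXPATHLEN and return an error on truncation. Minor style: the blank lines directly after `while (...) {` and `if (...) {` do not match the surrounding code.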
On Thursday, 6. October 2011 11:19:05 you wrote:
> On Wed, 2011-10-05 at 20:46 +0200, "Axel Schöner" wrote:
> > I've submitted a patch-set a few days before, but I didn't get any
> > feedback yet.
> Hi Axel,
>
> I guess there are too few people using lxc-attach for the moment...
>
> > The reason for this patch is, by using "lxc-attach" to enter the
> > namespaces of a container, the "lxc-attach" process and its child
> > processes are not added to the cgroup task-files of the container.
> > That means, that the cgroup based restrictions for these processes would
> > not be applied!
>
> That makes a lot of sense indeed! This is clearly an isolation/security
> bug.
>
> > I think that should be fixed. The patches are again attached to this
> > mail.
> Well, it is better to send your series like you did before: one patch per
> mail, otherwise it's impractical to comment... Moreover, each patch
> shouldn't break compilation. For example, your patch number 1 doesn't
> compile as it needs all the other patches. Also, when you add/change a
> function signature, please use a single patch for .h and .c files...
>
> In short, resend your series with:
> - patch 1: introduce lxc_cgroup_append_task() helper
> - patch 2: use lxc_cgroup_append_task() in lxc_attach()
>
> This way, we can easily comment on your code and hopefully commit something
> soon.
>
> Thanks.
---------- Forwarded Message ----------
Subject: [lxc-devel] [PATCH] Importance for adding pids of lxc-attach to the cgroup of container
Date: Wednesday, 5. October 2011, 20:46:25
From: Axel Schöner <axel.schoener at gmx.de>
To: daniel.lezcano at free.fr
CC: lxc-devel at lists.sourceforge.net
I've submitted a patch-set a few days before, but I didn't get any feedback yet.
The reason for this patch is that, when "lxc-attach" is used to enter the namespaces of
a container, the "lxc-attach" process and its child processes are not added to
the cgroup task files of the container.
That means that the cgroup-based restrictions for these processes would not
be applied!
I think that should be fixed. The patches are again attached to this mail.
It can be reproduced by starting a container, attaching to it and executing a
command like "top" inside. Execute "ps -ejH" from the outside and identify the
pids of "lxc-attach" and "top".
Then look at the tasks file of the container's cgroup and search for the pids of the
"lxc-attach" and "top" processes. They will not be there.
I demonstrate this with two examples:
First example, running a process via lxc-attach without the patch:
1373 1373 1373 ? 00:00:00 sshd
1496 1496 1496 ? 00:00:00 sshd
1568 1568 1568 pts/0 00:00:00 bash
1769 1769 1568 pts/0 00:00:00 lxc-attach
1770 1770 1568 pts/0 00:00:00 bash
1780 1780 1568 pts/0 00:00:00 top
1781 1781 1781 ? 00:00:00 sshd
1852 1852 1852 pts/6 00:00:00 bash
1910 1910 1852 pts/6 00:00:00 ps
1389 1308 1308 ? 00:00:00 gvfsd
1402 863 863 ? 00:00:00 upowerd
1406 1406 1406 ? 00:00:00 pulseaudio
1489 1406 1406 ? 00:00:00 gconf-helper
1408 863 863 ? 00:00:00 rtkit-daemon
1686 1686 1686 ? 00:00:00 lxc-start
1688 1688 1688 ? 00:00:00 init
cat /cgroup/lxc_tty1/tasks
1688
1731
1736
Now run it after patching:
1373 1373 1373 ? 00:00:00 sshd
1496 1496 1496 ? 00:00:00 sshd
1568 1568 1568 pts/0 00:00:00 bash
5576 5576 1568 pts/0 00:00:00 lxc-attach
5577 5577 1568 pts/0 00:00:00 bash
5587 5587 1568 pts/0 00:00:00 top
1781 1781 1781 ? 00:00:00 sshd
1852 1852 1852 pts/6 00:00:00 bash
5588 5588 1852 pts/6 00:00:00 ps
1389 1308 1308 ? 00:00:00 gvfsd
1402 863 863 ? 00:00:00 upowerd
1406 1406 1406 ? 00:00:00 pulseaudio
1489 1406 1406 ? 00:00:00 gconf-helper
1408 863 863 ? 00:00:00 rtkit-daemon
5496 5496 5496 ? 00:00:00 lxc-start
5499 5499 5499 ? 00:00:00 init
cat /cgroup/lxc_tty1/tasks
5499
5541
5545
5576
5577
5587
The second example demonstrates that the cgroup restriction doesn't work without the patch.
In the configuration of a container I set "lxc.cgroup.cpuset.cpus = 0", then I test it by launching cpuburn two times; here are the results:
Without the patch:
ps -aux | grep burn
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 14818 100 0.0 148 4 pts/1 R 18:02 0:28 burnP6
root 14819 100 0.0 148 4 pts/1 R+ 18:02 0:26 burnP6
With the patch:
lxc.cgroup.cpuset.cpus = 0
ps -aux | grep burn
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 19223 52.7 0.0 148 4 pts/1 R 18:05 0:19 burnP6
root 19224 49.9 0.0 148 4 pts/1 R+ 18:05 0:17 burnP6
Background:
I'm using "lxc-attach" via PAM to log a user into an ad hoc created container, console-based and graphical. We intend to make the source code publicly available in the near future.
Axel Schöner
-----------------------------------------
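The reproduction above checks by hand that the lxc-attach and top pids appear in the container's tasks file. The following script is an added example, not part of the patch or of lxc, that automates that check across every cgroup hierarchy listed in an mtab-format file, the same set of mounts the patch iterates over. The MTAB override and the <mnt_dir>/<container>/tasks layout are assumptions made so it can be exercised against a constructed tree.

```shell
#!/bin/sh
# Added example (not lxc code): verify that a pid is listed in the
# container's 'tasks' file under every mounted cgroup hierarchy.
# Assumption: MTAB may be overridden so a constructed mtab can be used.

MTAB=${MTAB:-/etc/mtab}

# cgroup_mounts: print the mount point of every MTAB entry of type "cgroup"
# (mtab fields: fsname dir type opts freq passno)
cgroup_mounts() {
    awk '$3 == "cgroup" { print $2 }' "$MTAB"
}

# pid_in_tasks TASKSFILE PID: succeed if PID occurs as a whole line.
# A missing tasks file counts as "not present".
pid_in_tasks() {
    grep -qx "$2" "$1" 2>/dev/null
}

# check_pid_in_container NAME PID: report, per hierarchy, whether PID is in
# the container's cgroup. Exit status: 0 if present everywhere, 1 if it is
# missing from at least one hierarchy, 2 if no cgroup hierarchy is mounted.
check_pid_in_container() {
    name=$1; pid=$2; missing=0; found_any=0
    for dir in $(cgroup_mounts); do
        found_any=1
        tasks="$dir/$name/tasks"
        if pid_in_tasks "$tasks" "$pid"; then
            echo "ok      $pid in $tasks"
        else
            echo "MISSING $pid not in $tasks"
            missing=$((missing + 1))
        fi
    done
    [ "$found_any" -eq 1 ] || { echo "no cgroup hierarchy mounted in $MTAB" >&2; return 2; }
    [ "$missing" -eq 0 ]
}

# Usage when run as a script: check_pids.sh <container-name> <pid>
if [ $# -eq 2 ]; then
    check_pid_in_container "$1" "$2"
fi
```

Run against the first example above as `check_pids.sh lxc_tty1 1769`, it reports MISSING on an unpatched host and ok once the lxc-attach pid has been appended.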