[lxc-devel] [PATCH] lxc_cgroup_append_task_1of3() helper_1of2

"Axel Schöner" axel.schoener at gmx.de
Thu Oct 6 12:59:13 UTC 2011


Hi,

the new patchset consists of 3 patches:
patch_1of3_lxc_cgroup_append_task_helper_cgroup
patch_2of3_lxc_cgroup_append_task_helper_namespace
patch_3of3_lxc_cgroup_append_task_in_lxc_attach

I hope it is much better now.
Thanks to Greg



diff --git a/src/lxc/cgroup.h b/src/lxc/cgroup.h
index 188d948..6669815 100644
--- a/src/lxc/cgroup.h
+++ b/src/lxc/cgroup.h
@@ -31,4 +31,5 @@ int lxc_cgroup_destroy(const char *name);
 int lxc_cgroup_path_get(char **path, const char *subsystem, const char *name);
 int lxc_cgroup_nrtasks(const char *name);
 int lxc_ns_is_mounted(void);
+int lxc_cgroup_append_task(const char *name, pid_t pid);
 #endif
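Review bot: the new prototype `int lxc_cgroup_append_task(const char *name, pid_t pid);` introduces pid_t into cgroup.h, and this hunk does not show whether the header already includes <sys/types.h> (or something that pulls it in); the existing prototypes in the visible context use only char * and int, so please confirm the include is there, otherwise anything that includes cgroup.h without <sys/types.h> stops compiling. A one-line comment on the return convention (0 on success, negative on failure, which is what the .c side below implements) would also help callers.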
diff --git a/src/lxc/cgroup.c b/src/lxc/cgroup.c
index a2b823e..d86891b 100644
--- a/src/lxc/cgroup.c
+++ b/src/lxc/cgroup.c
@@ -265,6 +265,43 @@ out:
        return err;
 }
 
+/*
+ * for each mounted cgroup, get the cgroup for the container to append a task
+ */
+int lxc_cgroup_append_task(const char *name, pid_t pid)
+{
+       struct mntent *mntent;
+       FILE *file = NULL;
+       int err = -1;
+       char cgname[MAXPATHLEN];
+
+       file = setmntent(MTAB, "r");
+       if (!file) {
+               SYSERROR("failed to open %s", MTAB);
+               return -1;
+       }
+
+       while ((mntent = getmntent(file))) {
+
+               DEBUG("checking '%s' (%s)", mntent->mnt_dir, mntent->mnt_type);
+
+               if (!strcmp(mntent->mnt_type, "cgroup")) {
+
+                       INFO("found cgroup mounted at '%s'", mntent->mnt_dir);
+                       snprintf(cgname, MAXPATHLEN, "%s/%s", mntent->mnt_dir, name);
+                       /* Let's add the pid to the 'tasks' file */
+                       err = cgroup_attach(cgname, pid);
+                       if (err) {
+                               SYSERROR("failed to attach pid '%d' to '%s'", pid, cgname);
+                               endmntent(file);
+                               return err;
+                       }
+               }
+       }
+       endmntent(file);
+       return err;
+}
+
 
 int lxc_one_cgroup_destroy(const char *cgmnt, const char *name)
 {
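Review bot: err is initialised to -1 and only overwritten inside the `if (!strcmp(mntent->mnt_type, "cgroup"))` branch, so when no cgroup filesystem is mounted at all lxc_cgroup_append_task() returns -1 without logging anything; add an ERROR() before the final `return err;` (e.g. a `found` flag set in the branch) so the lxc_attach caller can distinguish "attached nowhere" from a real attach failure. The return value of `snprintf(cgname, MAXPATHLEN, "%s/%s", mntent->mnt_dir, name);` is also unchecked: a mount point plus container name of MAXPATHLEN or more is silently truncated and cgroup_attach() then works on a path that was never intended, so treat a result >= MAXPATHLEN as an error and log it. Minor style point: the two blank lines between the new function's closing brace and lxc_one_cgroup_destroy() should be one, matching the rest of the file.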







On Thursday, 6. October 2011 11:19:05 you wrote:
> On Wed, 2011-10-05 at 20:46 +0200, "Axel Schöner" wrote:
> > I submitted a patch-set a few days ago, but I haven't gotten any
> > feedback yet.
> Hi Axel,
> 
> I guess there are too few people using lxc-attach for the moment...
> 
> > The reason for this patch is that when "lxc-attach" is used to enter the
> > namespaces of a container, the "lxc-attach" process and its child
> > processes are not added to the cgroup tasks files of the container.
> > That means that the cgroup-based restrictions for these processes are
> > not applied!
> 
> That makes a lot of sense indeed ! This is clearly an isolation/security
> bug.
> 
> > I think that should be fixed. The patches are again attached to this
> > mail.
> Well, it is better to send your series like you did before: one patch per
> mail, otherwise it's impractical to comment... Moreover, each patch
> shouldn't break compilation. For example, your patch number 1 doesn't
> compile as it needs all the other patches. Also, when you add/change a
> function signature, please use a single patch for the .h and .c files...
> 
> In short, resend your series with:
> - patch 1: introduce lxc_cgroup_append_task() helper
> - patch 2: use lxc_cgroup_append_task() in lxc_attach()
> 
> This way, we can comment on your code easily and hopefully commit something
> soon.
> 
> Thanks.


----------  Forwarded Message  ----------

Subject: [lxc-devel] [PATCH] Importance for adding pids of lxc-attach to the cgroup of container
Date: Wednesday, 5. October 2011, 20:46:25
From: Axel Schöner <axel.schoener at gmx.de>
To: daniel.lezcano at free.fr
CC: lxc-devel at lists.sourceforge.net

I submitted a patch-set a few days ago, but I haven't gotten any feedback yet.

The reason for this patch is that when "lxc-attach" is used to enter the namespaces of 
a container, the "lxc-attach" process and its child processes are not added to 
the cgroup tasks files of the container.
That means that the cgroup-based restrictions for these processes are not 
applied!

I think that should be fixed. The patches are again attached to this mail.

It can be reproduced by starting a container, attaching to it and executing a 
command like "top" inside. Execute "ps -ejH" from the outside and identify the 
pids of "lxc-attach" and "top".
Then look at the tasks file of the container's cgroup and search for the pids of the 
"lxc-attach" and "top" processes. They will not be there.


I demonstrate this with two examples:

First example, running a process via lxc-attach without the patch:

 1373  1373  1373 ?        00:00:00   sshd
 1496  1496  1496 ?        00:00:00     sshd
 1568  1568  1568 pts/0    00:00:00       bash
 1769  1769  1568 pts/0    00:00:00         lxc-attach
 1770  1770  1568 pts/0    00:00:00           bash
 1780  1780  1568 pts/0    00:00:00             top
 1781  1781  1781 ?        00:00:00     sshd
 1852  1852  1852 pts/6    00:00:00       bash
 1910  1910  1852 pts/6    00:00:00         ps
 1389  1308  1308 ?        00:00:00   gvfsd
 1402   863   863 ?        00:00:00   upowerd
 1406  1406  1406 ?        00:00:00   pulseaudio
 1489  1406  1406 ?        00:00:00     gconf-helper
 1408   863   863 ?        00:00:00   rtkit-daemon
 1686  1686  1686 ?        00:00:00   lxc-start
 1688  1688  1688 ?        00:00:00     init

cat /cgroup/lxc_tty1/tasks 
1688
1731
1736

Now run it after patching:

 1373  1373  1373 ?        00:00:00   sshd
 1496  1496  1496 ?        00:00:00     sshd
 1568  1568  1568 pts/0    00:00:00       bash
 5576  5576  1568 pts/0    00:00:00         lxc-attach
 5577  5577  1568 pts/0    00:00:00           bash
 5587  5587  1568 pts/0    00:00:00             top
 1781  1781  1781 ?        00:00:00     sshd
 1852  1852  1852 pts/6    00:00:00       bash
 5588  5588  1852 pts/6    00:00:00         ps
 1389  1308  1308 ?        00:00:00   gvfsd
 1402   863   863 ?        00:00:00   upowerd
 1406  1406  1406 ?        00:00:00   pulseaudio
 1489  1406  1406 ?        00:00:00     gconf-helper
 1408   863   863 ?        00:00:00   rtkit-daemon
 5496  5496  5496 ?        00:00:00   lxc-start
 5499  5499  5499 ?        00:00:00     init

cat /cgroup/lxc_tty1/tasks 
5499
5541
5545
5576
5577
5587


The second example demonstrates that the cgroup restriction doesn't work without the patch.
In the configuration of a container I set "lxc.cgroup.cpuset.cpus = 0", then I test it by launching cpuburn twice; here are the results:

Without the patch:
ps -aux | grep burn
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root     14818  100  0.0    148     4 pts/1    R    18:02   0:28 burnP6
root     14819  100  0.0    148     4 pts/1    R+   18:02   0:26 burnP6

With the patch:
lxc.cgroup.cpuset.cpus = 0
ps -aux | grep burn
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root     19223 52.7  0.0    148     4 pts/1    R    18:05   0:19 burnP6
root     19224 49.9  0.0    148     4 pts/1    R+   18:05   0:17 burnP6


Background:
I'm using "lxc-attach" via PAM to log a user into an ad-hoc created container, console-based and graphical. We intend to make the source code publicly available in the near future.


Axel Schöner
-----------------------------------------
-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch_1of3_lxc_cgroup_append_task_helper_cgroup
Type: application/octet-stream
Size: 1530 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20111006/216f6ed9/attachment.obj>

