[lxc-devel] [PATCH RFC] Accommodate stricter devices cgroup rules

Serge Hallyn serge.hallyn at ubuntu.com
Thu Jul 11 15:27:51 UTC 2013


Quoting Serge Hallyn (serge.hallyn at ubuntu.com):
> 3.10 kernel comes with proper hierarchical enforcement of devices
> cgroup.  To keep that code somewhat sane, certain things are not
> allowed.  Switching from default-allow to default-deny and vice versa
> are not allowed when there are children cgroups.  (This *could* be
> simplified in the kernel by checking that all child cgroups are
> unpopulated, but that has not yet been done and may be rejected)
> 
> The mountcgroup hook causes lxc-start to break with 3.10 kernels, because
> you cannot write 'a' to devices.deny once you have a child cgroup.  With
> this patch, (a) lxcpath is passed to hooks, (b) the cgroup mount hook sets
> the container's devices cgroup, and (c) setup_cgroup() during lxc startup
> ignores failures to write to devices subsystem if we are already in a
> child of the container's new cgroup.
> 
> ((a) is not really related to this bug, but is definitely needed.
> The followup work of making the other hooks use the passed-in lxcpath
> is still to be done)
> 
> Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>

I've gone ahead and pushed this for now.

I need to spend time working on the nestable cgroup manager which
would completely obsolete this issue.
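As an added example (not part of the original post and not lxc's own code), the script below shows the decision described in point (c) of the quoted commit message as a small, stand-alone POSIX shell routine: attempt to switch the container's devices cgroup to default-deny by writing 'a' to devices.deny, and treat a failed write as harmless only when the cgroup already has child cgroups and the calling task already sits inside the container's cgroup (or a descendant of it). The cgroup v1 mount path, the container cgroup name and the /proc/<pid>/cgroup-style file are parameters; the helper names and the "4:devices:/lxc/c1" line format are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not lxc code: decide whether a failed write of 'a' to
# devices.deny can be ignored, following the rule quoted in the post:
# on 3.10 kernels the default-allow/default-deny mode cannot be flipped
# once the cgroup has children, so the failure is expected (and harmless)
# when we are already running inside a child of the container's cgroup.
#
# Assumptions (not from the original post): cgroup v1 devices controller
# mounted at $mount, and a /proc/<pid>/cgroup-style file whose lines look
# like "4:devices:/lxc/c1".

# devices_cgroup_of FILE -> prints the devices-controller path, e.g. /lxc/c1
devices_cgroup_of() {
    awk -F: '$2 == "devices" { print $3; exit }' "$1"
}

# is_under CHILD PARENT -> 0 if CHILD equals PARENT or lies below it
is_under() {
    case "$1" in
        "$2"|"$2"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# has_child_cgroups DIR -> 0 if DIR contains at least one sub-cgroup directory
has_child_cgroups() {
    for d in "$1"/*/; do
        [ -d "$d" ] && return 0
    done
    return 1
}

# set_default_deny MOUNT CGROUP PROCFILE
# Writes 'a' to MOUNT/CGROUP/devices.deny. If the kernel refuses, returns 0
# (ignore the failure) only when CGROUP already has children and the task
# described by PROCFILE is already inside CGROUP; otherwise returns 1 so the
# caller treats it as a real error.
set_default_deny() {
    mount="$1"; cg="$2"; procfile="$3"
    if printf 'a' > "$mount$cg/devices.deny" 2>/dev/null; then
        return 0
    fi
    if has_child_cgroups "$mount$cg" && \
       is_under "$(devices_cgroup_of "$procfile")" "$cg"; then
        echo "devices.deny write to $cg refused; already in a child cgroup, ignoring" >&2
        return 0
    fi
    echo "devices.deny write to $cg failed" >&2
    return 1
}

# Usage: sh this.sh /sys/fs/cgroup/devices /lxc/c1 /proc/self/cgroup
if [ "$#" -eq 3 ]; then
    set_default_deny "$@"
fi
```

The write is attempted first rather than pre-checking for children, because the kernel is the authority on whether the mode switch is permitted; the child-cgroup and ancestry checks only decide how to interpret a refusal.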
