[lxc-devel] [PATCH RFC] Accomodate stricter devices cgroup rules
Serge Hallyn
serge.hallyn at ubuntu.com
Thu Jul 11 15:27:51 UTC 2013
Quoting Serge Hallyn (serge.hallyn at ubuntu.com):
> 3.10 kernel comes with proper hierarchical enforcement of devices
> cgroup. To keep that code somewhat sane, certain things are not
> allowed. Switching from default-allow to default-deny and vice versa
> are not allowed when there are children cgroups. (This *could* be
> simplified in the kernel by checking that all child cgroups are
> unpopulated, but that has not yet been done and may be rejected)
>
> The mountcgroup hook causes lxc-start to break with 3.10 kernels, because
> you cannot write 'a' to devices.deny once you have a child cgroup. With
> this patch, (a) lxcpath is passed to hooks, (b) the cgroup mount hook sets
> the container's devices cgroup, and (c) setup_cgroup() during lxc startup
> ignores failures to write to devices subsystem if we are already in a
> child of the container's new cgroup.
>
> ((a) is not really related to this bug, but is definately needed.
> The followup work of making the other hooks use the passed-in lxcpath
> is still to be done)
>
> Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
I've gone ahead and pushed this for now.
I need to spend time working on the nestable cgroup manager which
would completely obsolete this issue.
More information about the lxc-devel
mailing list