[lxc-devel] [PATCH 5/8] send current cgroup to lxc_cgroup_create()

Fri Jul 19 14:26:52 UTC 2013

From: Serge Hallyn <serge.hallyn at ubuntu.com>

This is needed if we're going to have unprivileged users
create containers inside cgroups which they own.

Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
---
 src/lxc/cgroup.c | 51 ++++++++++++++++++++++++++++++++++++++++++++++++++-
 src/lxc/cgroup.h |  1 +
 src/lxc/start.c  | 11 ++++++++---
 3 files changed, 59 insertions(+), 4 deletions(-)

diff --git a/src/lxc/cgroup.c b/src/lxc/cgroup.c
index 38ed514..c707519 100644
--- a/src/lxc/cgroup.c
+++ b/src/lxc/cgroup.c
@@ -706,10 +706,13 @@ again:
 		if (ret < 0 || ret >= MAXPATHLEN)
 			goto fail;
 
+		INFO("lxcgroup %s name %s tail %s, makes path .%s.",
+			lxcgroup ? lxcgroup : "lxc", name, tail, path);
+
 		if (access(path, F_OK) == 0) goto next;
 
 		if (mkdir(path, 0755)) {
-			ERROR("Error creating cgroups");
+			ERROR("Error creating cgroup %s", path);
 			goto fail;
 		}
 
@@ -934,3 +937,49 @@ bool is_in_subcgroup(int pid, const char *subsystem, const char *cgpath)
 	fclose(f);
 	return false;
 }
+
+/*
+ * Return cgroup of current task.
+ * This assumes that task is in the same cgroup for each controller.  This
+ * may or may not *always* be a reasonable assumption - it generally is,
+ * and handling or at least checking for this condition is a TODO.
+ */
+int lxc_curcgroup(char *cgroup, int inlen)
+{
+	FILE *f;
+	char *line = NULL, *p, *p2;
+	int ret = 0;
+	size_t len;
+
+	f = fopen("/proc/self/cgroup", "r");
+	if (!f)
+		return -1;
+
+	while (getline(&line, &len, f) != -1) {
+		if (strstr(line, ":freezer:") == NULL && strstr(line, ":devices:") == NULL)
+			continue;
+		p = rindex(line, ':');
+		if (!p)
+			continue;
+		p++;
+		len = strlen(p) + 1;
+		p2 = p + len - 2;
+		while (*p2 == '\n') { len--; *p2 = '\0'; p2--; }
+		if (!cgroup || inlen <= 0) {
+			ret = len;
+			break;
+		}
+		if (cgroup && len > inlen) {
+			ret = -1;
+			break;
+		}
+		strncpy(cgroup, p, len);
+		ret = len;
+		cgroup[len-1] = '\0';
+		break;
+	}
+
+	if (line)
+		free(line);
+	return ret;
+}
diff --git a/src/lxc/cgroup.h b/src/lxc/cgroup.h
index c08b2f7..77c44cd 100644
--- a/src/lxc/cgroup.h
+++ b/src/lxc/cgroup.h
@@ -34,4 +34,5 @@ extern int lxc_cgroup_enter(const char *cgpath, pid_t pid);
 extern int lxc_cgroup_attach(pid_t pid, const char *name, const char *lxcpath);
 extern char *cgroup_path_get(const char *subsystem, const char *cgpath);
 extern bool is_in_subcgroup(int pid, const char *subsystem, const char *cgpath);
+extern int lxc_curcgroup(char *cgroup, int inlen);
 #endif
diff --git a/src/lxc/start.c b/src/lxc/start.c
index defa87b..c91b231 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -600,8 +600,9 @@ int save_phys_nics(struct lxc_conf *conf)
 extern bool is_in_subcgroup(int pid, const char *subsystem, const char *cgpath);
 int lxc_spawn(struct lxc_handler *handler)
 {
-	int failed_before_rename = 0;
+	int failed_before_rename = 0, len;
 	const char *name = handler->name;
+	char *curcgroup = NULL;
 
 	if (lxc_sync_init(handler))
 		return -1;
@@ -663,8 +664,12 @@ int lxc_spawn(struct lxc_handler *handler)
 	if (lxc_sync_wait_child(handler, LXC_SYNC_CONFIGURE))
 		failed_before_rename = 1;
 
-	/* TODO - pass lxc.cgroup.dir (or user's pam cgroup) in for first argument */
-	if ((handler->cgroup = lxc_cgroup_path_create(NULL, name)) == NULL)
+	if ((len = lxc_curcgroup(NULL, 0)) > 1) {
+		curcgroup = alloca(len);
+		if (lxc_curcgroup(curcgroup, len) <= 1)
+			curcgroup = NULL;
+	}
+	if ((handler->cgroup = lxc_cgroup_path_create(curcgroup, name)) == NULL)
 		goto out_delete_net;
 
 	if (setup_cgroup(handler->cgroup, &handler->conf->cgroup)) {
-- 
1.8.3.2



