[lxc-devel] [PATCH 3/4] cgroup: Add lxc_setup_mount_cgroup to setup /sys/fs/cgroup inside the container
Serge Hallyn
serge.hallyn at ubuntu.com
Thu Sep 12 16:44:38 UTC 2013
Quoting Christian Seiler (christian at iwakd.de):
> Hi Serge,
>
> Am 12.09.2013 16:43, schrieb Serge Hallyn:
> >Quoting Christian Seiler (christian at iwakd.de):
> >>Add function to mount cgroup filesystem hierarchy into the container,
> >>allowing only access to the parts that the container should have access
> >>to, but none else.
> >>
> >>Signed-off-by: Christian Seiler <christian at iwakd.de>
> >
> >Hm, these last two patches aren't working for me. They don't break
> >anything in a normal setup, but when I try to use lxc.mount.auto it
> >hangs. It may not be a fault in the patches, as mountall starts and
> >hangs.
>
> It may be that the image you are using doesn't like what one
> of the auto-mounted filesystems is doing. It could be that if
Ah, no, mountall just gets upset about some forced readonly
mounts. lxc.mount.auto = proc always worked for me. If I do
ubuntu at c-saucy-1:~/lxc-0.9.0.0~staging~20130911-2324$ git diff src/lxc/conf.c
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 364e571..708bb48 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -762,7 +762,7 @@ static int lxc_mount_auto_mounts(struct lxc_conf *conf, int flags, struct cgroup
goto cleanup;
}
- r = mount("sysfs", path, "sysfs", MS_RDONLY, NULL);
+ r = mount("sysfs", path, "sysfs", 0, NULL);
if (r < 0) {
SYSERROR("error mounting /sys");
goto cleanup;
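Review bot: dropping MS_RDONLY from the sysfs mount (`+ r = mount("sysfs", path, "sysfs", 0, NULL);`) makes the auto-mounted /sys writable in every container, not just the Ubuntu guests whose mountall hangs on a forced read-only mount, and the text itself says that is only acceptable because an AppArmor profile confines /sys. Rather than flipping the default, take the flags from the caller so the read-only variant stays available, e.g. `r = mount("sysfs", path, "sysfs", sys_flags, NULL);` with `sys_flags` derived from the container config as the proposed ro/rw option.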
and
ubuntu at c-saucy-1:~/lxc-0.9.0.0~staging~20130911-2324$ git diff src/lxc/cgroup.c
diff --git a/src/lxc/cgroup.c b/src/lxc/cgroup.c
index 876c60c..a2ed467 100644
--- a/src/lxc/cgroup.c
+++ b/src/lxc/cgroup.c
@@ -1310,7 +1310,7 @@ int lxc_setup_mount_cgroup(const char *root, struct cgroup_process_info *base_in
* new cgroups outside the allowed area fails with an error instead
* of simply causing this to create directories in the tmpfs itself)
*/
- mount(NULL, path, NULL, MS_REMOUNT|MS_RDONLY, NULL);
+ //mount(NULL, path, NULL, MS_REMOUNT|MS_RDONLY, NULL);
free(path);
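Review bot: commenting out the remount (`+ //mount(NULL, path, NULL, MS_REMOUNT|MS_RDONLY, NULL);`) leaves the comment directly above it stale, since it still states that the read-only remount is what makes creating cgroups outside the allowed area fail with an error instead of silently creating directories in the tmpfs; a reader of the code will now be misled about what actually happens. Either guard the call with the proposed read-only flag and update the comment to say so, or delete both together. The remount's return value is also never checked, so even when the call is kept a failure to apply MS_RDONLY goes unreported; `if (mount(...) < 0) SYSERROR("error remounting cgroup tmpfs read-only");` would surface it.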
then sys and cgroup auto-mount also work. The problem with both is that
mountall has entries in /lib/init/fstab saying they should be mounted
readwrite, so it hangs trying to force that to happen.
How would you feel about adding a flag to specify whether they should be
readonly? How would we specify the flag? (Note it's ok for sys to be
read-write in ubuntu since apparmor confines it. cgroups by default are
too, but we don't have a good way yet to generate policy which will allow
/sys/fs/cgroup/$controller/$container-cgroup-path/ to be written to but the
/sys/fs/cgroup/$controller not)
-serge
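Serge's question above about how a read-only/read-write choice might be specified, as an added example that is not part of this thread or of LXC's code: it parses a hypothetical `:ro`/`:rw` suffix on `lxc.mount.auto` entries and derives the sysfs mount flags that the first diff toggles between. The suffix syntax, the `AUTO_*` bits and both function names are assumptions.

```c
/* Added example, not LXC's code: a hypothetical ":ro"/":rw" suffix on lxc.mount.auto
 * entries ("proc sys:rw cgroup:ro") so one guest gets a writable /sys without all doing so. */
#include <string.h>
#include <sys/mount.h>
#ifndef MS_RDONLY
#define MS_RDONLY 1	/* Linux value, for builds where <sys/mount.h> lacks it */
#endif

#define AUTO_PROC      (1u << 0)
#define AUTO_SYS       (1u << 1)
#define AUTO_CGROUP    (1u << 2)
#define AUTO_SYS_RW    (1u << 3)	/* default stays read-only; ":rw" opts out */
#define AUTO_CGROUP_RW (1u << 4)

/* Parse a space- or comma-separated lxc.mount.auto value into a bitmask. Returns 0 and
 * sets *flags, or -1 on an unknown entry or suffix (a typo must fail, not silently mount rw). */
int parse_auto_mounts(const char *spec, unsigned int *flags)
{
	char buf[256], *tok;
	unsigned int f = 0;

	if (!spec || strlen(spec) >= sizeof(buf))
		return -1;
	strcpy(buf, spec);	/* strtok modifies its input, so work on a private copy */
	for (tok = strtok(buf, " \t,"); tok; tok = strtok(NULL, " \t,")) {
		char *opt = strchr(tok, ':');
		int rw = 0;
		if (opt) {
			*opt++ = '\0';
			rw = strcmp(opt, "rw") == 0;
			if (!rw && strcmp(opt, "ro") != 0)
				return -1;
		}
		if (strcmp(tok, "proc") == 0 && !opt)	/* proc has no ro/rw variant */
			f |= AUTO_PROC;
		else if (strcmp(tok, "sys") == 0)
			f |= AUTO_SYS | (rw ? AUTO_SYS_RW : 0);
		else if (strcmp(tok, "cgroup") == 0)
			f |= AUTO_CGROUP | (rw ? AUTO_CGROUP_RW : 0);
		else
			return -1;
	}
	*flags = f;
	return 0;
}

/* Flags for the sysfs mount in lxc_mount_auto_mounts(): MS_RDONLY unless sys:rw. */
unsigned long sysfs_mount_flags(unsigned int flags)
{
	return (flags & AUTO_SYS_RW) ? 0 : MS_RDONLY;
}
```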