[lxc-devel] [PATCH 3/4] cgroup: Add lxc_setup_mount_cgroup to setup /sys/fs/cgroup inside the container

Serge Hallyn serge.hallyn at ubuntu.com
Thu Sep 12 16:44:38 UTC 2013


Quoting Christian Seiler (christian at iwakd.de):
> Hi Serge,
> 
> >On 12.09.2013 16:43, Serge Hallyn wrote:
> >Quoting Christian Seiler (christian at iwakd.de):
> >>Add function to mount cgroup filesystem hierarchy into the container,
> >>allowing only access to the parts that the container should have access
> >>to, but none else.
> >>
> >>Signed-off-by: Christian Seiler <christian at iwakd.de>
> >
> >Hm, these last two patches aren't working for me.  They don't break
> >anything in a normal setup, but when I try to use lxc.mount.auto it
> >hangs.  It may not be a fault in the patches, as mountall starts and
> >hangs.
> 
> It may be that the image you are using doesn't like what one
> of the auto-mounted filesystems is doing. It could be that if

Ah, no, mountall just gets upset about some forced readonly
mounts.  lxc.mount.auto = proc always worked for me.  If I do

ubuntu at c-saucy-1:~/lxc-0.9.0.0~staging~20130911-2324$ git diff src/lxc/conf.c
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 364e571..708bb48 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -762,7 +762,7 @@ static int lxc_mount_auto_mounts(struct lxc_conf *conf, int flags, struct cgroup
                        goto cleanup;
                }
 
-               r = mount("sysfs", path, "sysfs", MS_RDONLY, NULL);
+               r = mount("sysfs", path, "sysfs", 0, NULL);
                if (r < 0) {
                        SYSERROR("error mounting /sys");
                        goto cleanup;
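Review bot: replacing MS_RDONLY with 0 on the sysfs mount makes /sys writable in every container, not only in the ones where an LSM policy confines it, so the restriction this branch is meant to provide disappears unconditionally. If the aim is only to let mountall's read-write entry in /lib/init/fstab succeed, pass the flags from a per-filesystem setting taken from the container config (e.g. `r = mount("sysfs", path, "sysfs", sys_flags, NULL);` with `sys_flags` defaulting to MS_RDONLY) rather than hard-coding 0, so the read-only default survives for setups without AppArmor.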

and

ubuntu at c-saucy-1:~/lxc-0.9.0.0~staging~20130911-2324$ git diff src/lxc/cgroup.c
diff --git a/src/lxc/cgroup.c b/src/lxc/cgroup.c
index 876c60c..a2ed467 100644
--- a/src/lxc/cgroup.c
+++ b/src/lxc/cgroup.c
@@ -1310,7 +1310,7 @@ int lxc_setup_mount_cgroup(const char *root, struct cgroup_process_info *base_in
         * new cgroups outside the allowed area fails with an error instead
         * of simply causing this to create directories in the tmpfs itself)
         */
-       mount(NULL, path, NULL, MS_REMOUNT|MS_RDONLY, NULL);
+       //mount(NULL, path, NULL, MS_REMOUNT|MS_RDONLY, NULL);
 
        free(path);
 
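Review bot: commenting out the remount leaves the comment directly above it stale: it still says the remount exists so that creating cgroups outside the allowed area fails with an error instead of creating directories in the tmpfs, but that no longer holds once the call is gone. Also, both before and after this change the return value of `mount(NULL, path, NULL, MS_REMOUNT|MS_RDONLY, NULL);` is discarded, so a failed remount silently leaves the tmpfs writable; check it the way conf.c checks its mounts (`if (r < 0) { SYSERROR(...); goto cleanup; }`) and, if read-write is to become an option, gate the remount on a config flag instead of a `//` comment.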
then sys and cgroup auto-mount also work.  The problem with both is that
mountall has entries in /lib/init/fstab saying they should be mounted
readwrite, so it hangs trying to force that to happen.

How would you feel about adding a flag to specify whether they should be
readonly?  How would we specify the flag?  (Note it's ok for sys to be
read-write in ubuntu since apparmor confines it.  cgroups by default are
too, but we don't have a good way yet to generate policy which will allow
/sys/fs/cgroup/$controller/$container-cgroup-path/ to be written to but the
/sys/fs/cgroup/$controller not)

-serge

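The per-filesystem read-only flag Serge asks about, as an added example that is not part of this thread or of LXC's code: it assumes a hypothetical `fs[:ro|:rw]` syntax for lxc.mount.auto (the token names `proc`, `sys`, `cgroup` and the `:ro`/`:rw` suffixes are my assumption, not LXC's syntax), parses it into the flags that would go to the two mount() calls shown in the diffs, defaulting to read-only, and checks the cgroup remount's return value instead of discarding it. The helper names and the sample config string are constructed for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>

/* Assumed (not LXC's) syntax for lxc.mount.auto:
 *   proc | sys[:ro|:rw] | cgroup[:ro|:rw]
 * Read-only is the default, so a value that never says ":rw" keeps the
 * behaviour of the original patches (MS_RDONLY sysfs, read-only remount
 * of the cgroup tmpfs). */
enum { AUTO_PROC = 1u, AUTO_SYS = 2u, AUTO_CGROUP = 4u };

struct auto_mounts {
    unsigned enabled;            /* bitmask of AUTO_* */
    unsigned long sys_flags;     /* flags for mount("sysfs", path, "sysfs", flags, NULL) */
    unsigned long cgroup_flags;  /* flags for the MS_REMOUNT of the cgroup tmpfs */
};

/* Parse VALUE into OUT. Returns 0, -EINVAL for an unknown token or
 * option, -E2BIG if the value does not fit the scratch buffer. */
int parse_mount_auto(const char *value, struct auto_mounts *out)
{
    char buf[256];
    char *save = NULL, *tok;

    memset(out, 0, sizeof *out);
    out->sys_flags = MS_RDONLY;
    out->cgroup_flags = MS_REMOUNT | MS_RDONLY;

    if (strlen(value) >= sizeof buf)
        return -E2BIG;
    strcpy(buf, value);

    for (tok = strtok_r(buf, " \t", &save); tok; tok = strtok_r(NULL, " \t", &save)) {
        char *opt = strchr(tok, ':');
        int rw = 0;

        if (opt) {
            *opt++ = '\0';
            if (!strcmp(opt, "rw"))
                rw = 1;
            else if (strcmp(opt, "ro"))
                return -EINVAL;      /* unknown option after ':' */
        }

        if (!strcmp(tok, "proc")) {
            if (opt)                 /* no ro/rw variant for proc in this example */
                return -EINVAL;
            out->enabled |= AUTO_PROC;
        } else if (!strcmp(tok, "sys")) {
            out->enabled |= AUTO_SYS;
            out->sys_flags = rw ? 0 : MS_RDONLY;
        } else if (!strcmp(tok, "cgroup")) {
            out->enabled |= AUTO_CGROUP;
            out->cgroup_flags = MS_REMOUNT | (rw ? 0 : MS_RDONLY);
        } else {
            return -EINVAL;          /* unknown filesystem name */
        }
    }
    return 0;
}

/* Remount the already-mounted cgroup tmpfs at PATH with the parsed flags.
 * Unlike the bare mount() call in cgroup.c, the result is checked: a
 * failed read-only remount must not be mistaken for a read-only mount.
 * Needs CAP_SYS_ADMIN in the mount namespace; returns 0 or -errno. */
int apply_cgroup_flags(const char *path, const struct auto_mounts *m)
{
    if (!(m->enabled & AUTO_CGROUP))
        return 0;
    if (mount(NULL, path, NULL, m->cgroup_flags, NULL) < 0)
        return -errno;
    return 0;
}

/* 1 if VALUE parses to exactly these fields, 0 otherwise. */
int check_mount_auto(const char *value, unsigned enabled,
                     unsigned long sys_flags, unsigned long cgroup_flags)
{
    struct auto_mounts m;
    if (parse_mount_auto(value, &m) != 0)
        return 0;
    return m.enabled == enabled && m.sys_flags == sys_flags &&
           m.cgroup_flags == cgroup_flags;
}

/* Parse result code for VALUE, for callers that only care about errors. */
int mount_auto_error(const char *value)
{
    struct auto_mounts m;
    return parse_mount_auto(value, &m);
}

int main(void)
{
    struct auto_mounts m;
    const char *cfg = "proc sys:rw cgroup:ro";   /* constructed sample value */

    if (parse_mount_auto(cfg, &m) != 0) {
        fprintf(stderr, "bad lxc.mount.auto value: %s\n", cfg);
        return 1;
    }
    printf("sys %s, cgroup %s\n",
           (m.sys_flags & MS_RDONLY) ? "ro" : "rw",
           (m.cgroup_flags & MS_RDONLY) ? "ro" : "rw");
    return 0;
}
```

With this shape the Ubuntu case in the thread becomes `lxc.mount.auto = proc sys:rw cgroup:rw` chosen explicitly by the admin who relies on AppArmor, while a config that does not opt in keeps both filesystems read-only; apply_cgroup_flags() is the place where the remount's failure surfaces instead of being dropped.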