[lxc-devel] [PATCH] cgfs: don't mount /sys/fs/cgroup readonly

Stéphane Graber stgraber at ubuntu.com
Fri May 2 16:38:36 UTC 2014


On Fri, May 02, 2014 at 11:35:10AM -0500, Serge Hallyn wrote:
> /sys/fs/cgroup is just a size-limited tmpfs, and making it ro does
> nothing to affect our ability to alter mount settings of its subdirs.
> OTOH making it ro can upset mountall in the container which tries
> to remount it rw, which may be refused.
> 
> So just don't do it.
> 
> Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
> Cc: Christian Seiler <christian at iwakd.de>

Acked-by: Stéphane Graber <stgraber at ubuntu.com>

> ---
>  src/lxc/cgfs.c | 16 ----------------
>  1 file changed, 16 deletions(-)
> 
> diff --git a/src/lxc/cgfs.c b/src/lxc/cgfs.c
> index db2a973..ba7df89 100644
> --- a/src/lxc/cgfs.c
> +++ b/src/lxc/cgfs.c
> @@ -1413,14 +1413,6 @@ static bool cgroupfs_mount_cgroup(void *hdata, const char *root, int type)
>  				SYSERROR("error bind-mounting %s to %s", mp->mount_point, abs_path);
>  				goto out_error;
>  			}
> -			/* main cgroup path should be read-only */
> -			if (type == LXC_AUTO_CGROUP_FULL_RO || type == LXC_AUTO_CGROUP_FULL_MIXED) {
> -				r = mount(NULL, abs_path, NULL, MS_REMOUNT|MS_BIND|MS_RDONLY, NULL);
> -				if (r < 0) {
> -					SYSERROR("error re-mounting %s readonly", abs_path);
> -					goto out_error;
> -				}
> -			}
>  			/* own cgroup should be read-write */
>  			if (type == LXC_AUTO_CGROUP_FULL_MIXED) {
>  				r = mount(abs_path2, abs_path2, NULL, MS_BIND, NULL);
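
Review bot: The block removed in this hunk is the read-only remount of abs_path, which the preceding error message shows is a bind mount of mp->mount_point, not the /sys/fs/cgroup tmpfs that the commit message talks about. With it gone, nothing visible in this hunk makes the bind-mounted hierarchy read-only for LXC_AUTO_CGROUP_FULL_RO, and the remaining "own cgroup should be read-write" bind mount for LXC_AUTO_CGROUP_FULL_MIXED no longer contrasts with a read-only parent. If the intent is only to leave the tmpfs writable, consider keeping this block; otherwise the commit message should say why the FULL_RO and FULL_MIXED hierarchy mounts no longer need MS_RDONLY.
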
> @@ -1487,14 +1479,6 @@ static bool cgroupfs_mount_cgroup(void *hdata, const char *root, int type)
>  		parts = NULL;
>  	}
>  
> -	/* try to remount the tmpfs readonly, since the container shouldn't
> -	 * change anything (this will also make sure that trying to create
> -	 * new cgroups outside the allowed area fails with an error instead
> -	 * of simply causing this to create directories in the tmpfs itself)
> -	 */
> -	if (type != LXC_AUTO_CGROUP_RW && type != LXC_AUTO_CGROUP_FULL_RW)
> -		mount(NULL, path, NULL, MS_REMOUNT|MS_RDONLY, NULL);
> -
>  	free(path);
>  
>  	return true;
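
Review bot: The comment removed here gave a second reason for the read-only tmpfs: attempts to create cgroups outside the allowed area fail with an error instead of creating directories in the tmpfs itself. The commit message only covers mount settings of the subdirs and the mountall remount, so that behaviour change goes unmentioned. Suggest either stating in the commit message that stray directory creation in the tmpfs is accepted, or leaving a short comment at this spot saying the tmpfs is intentionally left read-write because a later remount rw inside the container may be refused.
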
> -- 
> 1.9.1
> 

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com