[lxc-devel] [lxc/lxc] b46f05: cgfs: don't mount /sys/fs/cgroup readonly

GitHub noreply at github.com
Tue May 6 15:21:24 UTC 2014


  Branch: refs/heads/master
  Home:   https://github.com/lxc/lxc
  Commit: b46f05535872669de42b61ff6233a0517cc7584d
      https://github.com/lxc/lxc/commit/b46f05535872669de42b61ff6233a0517cc7584d
  Author: Christian Seiler <christian at iwakd.de>
  Date:   2014-05-06 (Tue, 06 May 2014)

  Changed paths:
    M doc/lxc.container.conf.sgml.in
    M src/lxc/cgfs.c

  Log Message:
  -----------
  cgfs: don't mount /sys/fs/cgroup readonly

Ubuntu containers have had trouble with automatic cgroup mounting that
was not read-write (i.e. lxc.mount.auto = cgroup{,-full}:{ro,mixed}) in
containers without CAP_SYS_ADMIN. Ubuntu's mountall program reads
/lib/init/fstab, which contains an entry for /sys/fs/cgroup. Since
there is no ro option specified for that filesystem, mountall will try
to remount it readwrite if it is already mounted. Without
CAP_SYS_ADMIN, that fails and mountall will interrupt boot and wait for
user input on whether to proceed anyway or to manually fix it,
effectively hanging container bootup.

This patch makes sure that /sys/fs/cgroup is always a readwrite tmpfs,
but that the actual cgroup hierarchy paths (/sys/fs/cgroup/$subsystem)
are readonly if :ro or :mixed is used. This still has the desired
effect within the container (no cgroup escalation possible and programs
get errors if they try to do so anyway), while keeping Ubuntu
containers happy.

Signed-off-by: Christian Seiler <christian at iwakd.de>
Cc: Serge Hallyn <serge.hallyn at ubuntu.com>
Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>


  Commit: bab88e68940f5acc451b0d0e9450292fcc9ef44c
      https://github.com/lxc/lxc/commit/bab88e68940f5acc451b0d0e9450292fcc9ef44c
  Author: Christian Seiler <christian at iwakd.de>
  Date:   2014-05-06 (Tue, 06 May 2014)

  Changed paths:
    M src/lxc/conf.c

  Log Message:
  -----------
  Factor out capability parsing logic

Currently, setup_caps and dropcaps_except both use the same parsing
logic for parsing capabilities (try to identify by name, but allow
numerical specification). Since this is a common routine, separate it
out to improve maintainability and reusability.

Signed-off-by: Christian Seiler <christian at iwakd.de>
Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>


  Commit: 0769b82a42ccdb8daa378b493be8ea092a283b24
      https://github.com/lxc/lxc/commit/0769b82a42ccdb8daa378b493be8ea092a283b24
  Author: Christian Seiler <christian at iwakd.de>
  Date:   2014-05-06 (Tue, 06 May 2014)

  Changed paths:
    M doc/lxc.container.conf.sgml.in
    M src/lxc/cgfs.c
    M src/lxc/conf.c
    M src/lxc/conf.h
    M src/lxc/confile.c

  Log Message:
  -----------
  lxc.mount.auto: improve defaults for cgroup and cgroup-full

If the user specifies cgroup or cgroup-full without a specifier (:ro,
:rw or :mixed), this changes the behavior. Previously, these were
simple aliases for the :mixed variants; now they depend on whether the
container also has CAP_SYS_ADMIN; if it does they resolve to the :rw
variants, if it doesn't to the :mixed variants (as before).

If a container has CAP_SYS_ADMIN privileges, any filesystem can be
remounted read-write from within, so initially mounting the cgroup
filesystems partially read-only as a default creates a false sense of
security. It is better to default to full read-write mounts to show the
administrator what keeping CAP_SYS_ADMIN entails.

If an administrator really wants both CAP_SYS_ADMIN and the :mixed
variant of cgroup or cgroup-full automatic mounts, they can still
specify that explicitly; this commit just changes the default without
specifier.

Signed-off-by: Christian Seiler <christian at iwakd.de>
Cc: Serge Hallyn <serge.hallyn at ubuntu.com>
Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>


Compare: https://github.com/lxc/lxc/compare/3c597cee885b...0769b82a42cc
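As an added illustration (not code from the commit or from LXC itself) of the layout the first commit message describes, the following script audits a container's cgroup mounts: the base `/sys/fs/cgroup` must be a read-write tmpfs, while every `cgroup` hierarchy mounted beneath it must carry the per-mount `ro` flag. The mountinfo excerpt is constructed, not captured from a real container, and the `/lxc/c1` root path in it is a made-up example.

```python
# Expected layout per the commit message: the base directory is a read-write
# tmpfs, each /sys/fs/cgroup/<subsystem> hierarchy is read-only.
CGROUP_BASE = "/sys/fs/cgroup"

# Constructed /proc/self/mountinfo excerpt (not captured from a real system).
SAMPLE_MOUNTINFO = """\
36 35 0:31 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw,mode=755
37 36 0:32 /lxc/c1 /sys/fs/cgroup/cpu ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,cpu
38 36 0:33 /lxc/c1 /sys/fs/cgroup/memory ro,nosuid,nodev,noexec,relatime shared:5 - cgroup cgroup rw,memory
"""

def parse_mountinfo(text):
    """Parse mountinfo lines into dicts. The per-mount flags (field 6) are
    where a read-only bind mount shows 'ro'; the superblock options after
    the ' - ' separator still say 'rw', which is exactly how a :ro/:mixed
    subsystem mount looks from inside the container."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        left, _, right = line.partition(" - ")   # optional fields end at ' - '
        fields = left.split()
        fstype, _source, super_opts = right.split(None, 2)
        mounts.append({
            "mountpoint": fields[4],
            "flags": set(fields[5].split(",")),
            "fstype": fstype,
            "super_opts": set(super_opts.split(",")),
        })
    return mounts

def audit_cgroup_mounts(mounts, base=CGROUP_BASE):
    """Return a list of deviations from the expected layout (empty list = OK)."""
    problems = []
    by_path = {m["mountpoint"]: m for m in mounts}
    root = by_path.get(base)
    if root is None:
        return [f"{base} is not mounted"]
    if root["fstype"] != "tmpfs":
        problems.append(f"{base} is {root['fstype']}, expected tmpfs")
    if "rw" not in root["flags"]:
        problems.append(f"{base} is not read-write; an init remount of it will fail")
    for m in mounts:
        if m["fstype"] == "cgroup" and m["mountpoint"].startswith(base + "/"):
            if "ro" not in m["flags"]:
                problems.append(f"{m['mountpoint']} is writable inside the container")
    return problems

if __name__ == "__main__":
    import sys   # pass a path such as /proc/self/mountinfo to audit a live system
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MOUNTINFO
    for p in audit_cgroup_mounts(parse_mountinfo(text)) or ["cgroup mount layout OK"]:
        print(p)
```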

