[lxc-devel] [lxc/lxc] f24a52: Use consistent /proc, /sys and /sys/fs/cgroup (v2)

GitHub noreply at github.com
Thu Jan 29 10:46:25 UTC 2015


  Branch: refs/heads/master
  Home:   https://github.com/lxc/lxc
  Commit: f24a52d5f588ff4e4575046903fb9498c376d833
      https://github.com/lxc/lxc/commit/f24a52d5f588ff4e4575046903fb9498c376d833
  Author: Stéphane Graber <stgraber at ubuntu.com>
  Date:   2015-01-29 (Thu, 29 Jan 2015)

  Changed paths:
    M config/templates/archlinux.common.conf.in
    M config/templates/centos.common.conf.in
    M config/templates/common.conf.in
    M config/templates/debian.common.conf.in
    M config/templates/gentoo.common.conf.in
    M config/templates/gentoo.moresecure.conf.in
    M config/templates/openwrt.common.conf.in
    M config/templates/oracle.common.conf.in
    M config/templates/plamo.common.conf.in
    M config/templates/ubuntu.common.conf.in
    M doc/lxc.container.conf.sgml.in
    M src/lxc/conf.c
    M src/lxc/conf.h
    M src/lxc/confile.c
    M templates/lxc-alpine.in
    M templates/lxc-altlinux.in
    M templates/lxc-busybox.in
    M templates/lxc-cirros.in
    M templates/lxc-debian.in
    M templates/lxc-openmandriva.in
    M templates/lxc-opensuse.in
    M templates/lxc-plamo.in
    M templates/lxc-sshd.in
    M templates/lxc-ubuntu-cloud.in
    M templates/lxc-ubuntu.in

  Log Message:
  -----------
  Use consistent /proc, /sys and /sys/fs/cgroup (v2)

 - Implements mixed mode for /sys where it's mounted read-only but with
   /sys/devices/virtual/net/ writable.

 - Sets lxc.mount.auto to "cgroup:mixed proc:mixed sys:mixed" for all
   templates.

 - Drop any template-specific mount for /proc, /sys or /sys/fs/cgroup.

 - Get rid of the fstab file by default, using lxc.mount.entry instead.

 - Set sys:mixed as the default for "sys". sys:mixed is slightly more
   permissive than sys:ro so this shouldn't be a problem.

The read-only bind mount of /sys on top of itself is there so that
mountall and other init systems don't attempt to remount /sys
read-write.

v2 changes:
 - Fix the mount list, don't specify a source for the remount.
 - Update the documentation.

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>
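One way to verify, from inside a container, that the mixed /sys layout described above actually took effect. This is an added example and not part of the lxc change: it parses text in /proc/self/mountinfo format (a constructed sample is embedded so it runs offline; `main` reads the real file) and reports whether /sys is read-only while /sys/devices/virtual/net stays writable. Because a read-only bind mount stacked on top of /sys appears as a second line for the same mountpoint, later entries shadow earlier ones. Function and constant names are my own.

```c
/* Added example (not lxc code): check the "sys:mixed" mount layout by
 * parsing /proc/self/mountinfo-style text. */
#include <stdio.h>
#include <string.h>

/* Copy the idx-th space-separated field of line into out. 0 on success. */
static int field(const char *line, int idx, char *out, size_t outlen)
{
    const char *p = line;
    for (int i = 0; i < idx; i++) {
        p = strchr(p, ' ');
        if (!p)
            return -1;
        p++;
    }
    const char *e = strchr(p, ' ');
    size_t n = e ? (size_t)(e - p) : strlen(p);
    if (n >= outlen)
        return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

/* Returns 1 if mountpoint is mounted read-only, 0 if read-write, -1 if absent.
 * Field 5 (0-based) of a mountinfo line is the mountpoint, field 6 the
 * per-mount options; a later line for the same mountpoint shadows an earlier one. */
int mount_is_readonly(const char *mountinfo, const char *mountpoint)
{
    char line[512], mp[256], opts[256];
    const char *p = mountinfo;
    int result = -1;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len < sizeof(line)) {
            memcpy(line, p, len);
            line[len] = '\0';
            if (field(line, 4, mp, sizeof mp) == 0 && strcmp(mp, mountpoint) == 0
                && field(line, 5, opts, sizeof opts) == 0) {
                result = 0;
                for (char *tok = strtok(opts, ","); tok; tok = strtok(NULL, ","))
                    if (strcmp(tok, "ro") == 0)
                        result = 1;
            }
        }
        if (!nl)
            break;
        p = nl + 1;
    }
    return result;
}

/* 1 when /sys is read-only but /sys/devices/virtual/net is writable. */
int check_mixed_sys(const char *mountinfo)
{
    return mount_is_readonly(mountinfo, "/sys") == 1
        && mount_is_readonly(mountinfo, "/sys/devices/virtual/net") == 0;
}

/* Constructed samples: a mixed layout (rw sysfs, rw net subtree, then the
 * read-only bind mount of /sys on top of itself) and a plain rw /sys. */
const char SAMPLE_MIXED[] =
    "20 1 0:19 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw\n"
    "21 1 0:20 / /sys rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw\n"
    "22 21 0:20 /devices/virtual/net /sys/devices/virtual/net rw,relatime - sysfs sysfs rw\n"
    "23 1 0:20 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs rw\n";
const char SAMPLE_PLAIN[] =
    "20 1 0:19 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw\n"
    "21 1 0:20 / /sys rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw\n";

int main(void)
{
    static char buf[65536];
    FILE *f = fopen("/proc/self/mountinfo", "r");
    if (!f) {
        perror("mountinfo");
        return 1;
    }
    size_t n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    printf("mixed /sys layout: %s\n", check_mixed_sys(buf) ? "yes" : "no");
    return 0;
}
```

Run it inside a container started with `lxc.mount.auto = "cgroup:mixed proc:mixed sys:mixed"`; a "no" means either the read-only bind mount was not applied or init remounted /sys read-write.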


  Commit: e8bd4e430bf76ed4737563476ce685b2425412ec
      https://github.com/lxc/lxc/commit/e8bd4e430bf76ed4737563476ce685b2425412ec
  Author: Serge Hallyn <serge.hallyn at ubuntu.com>
  Date:   2015-01-29 (Thu, 29 Jan 2015)

  Changed paths:
    M config/apparmor/abstractions/start-container
    M config/apparmor/profiles/lxc-default-with-nesting
    M src/lxc/conf.c
    M src/lxc/start.c
    M src/lxc/start.h

  Log Message:
  -----------
  create lxc.tty ptys from container process

Lxc has always created the ptys for use by console and ttys early
on from the monitor process.  This has some advantages, but also
has disadvantages, namely (1) container ptys counting against the
max ptys for the host, and (2) not having a /dev/pts/N in the
container to pass to getty.  (2) was not a problem for us historically
because we bind-mounted the host's /dev/pts/N onto a /dev/ttyN in
the container.  However, systemd hardcodes a check for container_ttys
that the path have 'pts/' in it.  If it were only for (2) I'd have
opted for a systemd patch to check the device major number, but (1)
made it worth moving the openpty to the container namespace.

So this patch moves the tty creation into the task which becomes
the container init.  It then passes the fds for the opened ptys
back to the monitor over a unix socketpair (for use by lxc-console).
The /dev/console is still created in the monitor process, so that
it can for instance be used by lxc.logfd.

So now if you have a foreground container with lxc.tty = 4, you
should end up with one host /dev/pts entry per container rather than 5.

And lxc-console now works with systemd containers.

Note that if the container init mounts its own devpts over the
one mounted by lxc, the tty /dev/pts/n will be hidden.  This is ok
since it's only systemd that needs it, and systemd won't do that.

Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
Acked-by: Stéphane Graber <stgraber at ubuntu.com>
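The fd hand-off the commit message describes, as an added illustration that is not lxc's own code: a child process opens a descriptor and passes it to its parent over an AF_UNIX socketpair using an SCM_RIGHTS control message, which is how descriptors opened in the container's namespace can be returned to the monitor. A pipe stands in for the pty so the program runs without a pty device; the helper names are mine.

```c
/* Added example (not lxc code): pass an open file descriptor between
 * processes over a unix socketpair with SCM_RIGHTS. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/wait.h>

/* Send fd over the unix socket sock. Returns 0 on success, -1 on error. */
int send_fd(int sock, int fd)
{
    char iobuf[1] = { 'x' };   /* sendmsg needs at least one byte of payload */
    struct iovec iov = { .iov_base = iobuf, .iov_len = 1 };
    char cbuf[CMSG_SPACE(sizeof(int))];
    memset(cbuf, 0, sizeof(cbuf));
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof(cbuf) };
    struct cmsghdr *cmsg = CMSG_FIRSTHDR(&msg);
    cmsg->cmsg_level = SOL_SOCKET;
    cmsg->cmsg_type = SCM_RIGHTS;
    cmsg->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive a descriptor from sock. Returns the new fd, or -1 on error or if
 * the message carried no (or a malformed) SCM_RIGHTS control block. */
int recv_fd(int sock)
{
    char iobuf[1];
    struct iovec iov = { .iov_base = iobuf, .iov_len = 1 };
    char cbuf[CMSG_SPACE(sizeof(int))];
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof(cbuf) };
    if (recvmsg(sock, &msg, 0) != 1)
        return -1;
    struct cmsghdr *cmsg = CMSG_FIRSTHDR(&msg);
    if (!cmsg || cmsg->cmsg_level != SOL_SOCKET || cmsg->cmsg_type != SCM_RIGHTS
        || cmsg->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(cmsg), sizeof(int));
    return fd;
}

/* Round trip: the child creates a pipe, sends its read end to the parent,
 * writes a message and exits; the parent reads the message through the
 * received descriptor into out. Returns 0 on success. */
int fd_passing_roundtrip(char *out, size_t outlen)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        close(sv[0]);
        int p[2];
        if (pipe(p) < 0 || send_fd(sv[1], p[0]) < 0)
            _exit(1);
        const char *m = "hello from child";
        if (write(p[1], m, strlen(m)) != (ssize_t)strlen(m))
            _exit(1);
        _exit(0);
    }
    close(sv[1]);
    int rfd = recv_fd(sv[0]);
    close(sv[0]);
    int status;
    waitpid(pid, &status, 0);
    if (rfd < 0)
        return -1;
    ssize_t n = read(rfd, out, outlen - 1);
    close(rfd);
    if (n <= 0)
        return -1;
    out[n] = '\0';
    return 0;
}

int main(void)
{
    char buf[64];
    if (fd_passing_roundtrip(buf, sizeof(buf)) != 0) {
        fprintf(stderr, "fd passing failed\n");
        return 1;
    }
    printf("parent read via passed fd: %s\n", buf);
    return 0;
}
```

The receiving side validates the control message before trusting the descriptor; in a monitor that accepts fds from a container-side process, that check is what keeps a short or mismatched message from being interpreted as a valid fd.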


Compare: https://github.com/lxc/lxc/compare/e088e9267c8f...e8bd4e430bf7

