[lxc-devel] [lxc/master] container start: clone newcgroup immediately

hallyn on Github lxc-bot at linuxcontainers.org
Sat Jun 25 05:10:51 UTC 2016


From 9fac8fbbd9801867c5329ba43a9cbc0f0e80e14c Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge at hallyn.com>
Date: Sat, 25 Jun 2016 00:05:08 -0500
Subject: [PATCH] container start: clone newcgroup immediately

rather than waiting and later unsharing.

This "makes the creation of a new cgroup early enough that the existing
cgroup mounts are visible.  Which means any fancy permission checks
I dream will work on a future version of liblxc."

This also includes what should be a tiny improvement regarding netns,
though it's conceivable it'll break something.  Remember that with new
kernels we need to unshare netns after we've become the root user in the
new userns, so that netns files are owned by that root.  But we were
passing the unfiltered handler->clone_flags to the original clone().
This just resulted in a temporary extra netns generation, but still
worked since our target netns, which we passed our devices into, was
created late enough.

Signed-off-by: Serge Hallyn <serge at hallyn.com>
Signed-off-by: "Eric W. Biederman" <ebiederm at xmission.com>
---
 src/lxc/start.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/src/lxc/start.c b/src/lxc/start.c
index 5437206..b7f58cd 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -908,11 +908,6 @@ static int do_start(void *data)
 		devnull_fd = -1;
 	}
 
-	if (cgns_supported() && unshare(CLONE_NEWCGROUP) != 0) {
-		SYSERROR("Failed to unshare cgroup namespace");
-		goto out_warn_father;
-	}
-
 	setsid();
 
 	/* after this call, we are in error because this
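Review bot: dropping the unshare(CLONE_NEWCGROUP) here changes which cgroup becomes the root of the new cgroup namespace, and that needs a confirming comment or a matching change on the parent side. The root of a cgroup namespace is fixed at the cgroup the process is in when the namespace is created; with the unshare removed from do_start the namespace is now created by the clone() in lxc_spawn, so the root is whatever cgroup the lxc_spawn caller sits in at that moment rather than the cgroup the child is in at this point of do_start. If the container's own cgroup is meant to appear as "/" inside the container, please check that the child has already been placed into it before the clone, or state in the commit message that the earlier view is acceptable. The hunk also drops the dedicated "Failed to unshare cgroup namespace" error path, so a failure to create the namespace will now only surface through the generic clone() error in lxc_spawn.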
@@ -1135,7 +1130,11 @@ static int lxc_spawn(struct lxc_handler *handler)
 	flags = handler->clone_flags;
 	if (handler->clone_flags & CLONE_NEWUSER)
 		flags &= ~CLONE_NEWNET;
-	handler->pid = lxc_clone(do_start, handler, handler->clone_flags);
+	if (cgns_supported()) {
+		handler->clone_flags |= CLONE_NEWCGROUP;
+		flags |= CLONE_NEWCGROUP;
+	}
+	handler->pid = lxc_clone(do_start, handler, flags);
 	if (handler->pid < 0) {
 		SYSERROR("failed to fork into a new namespace");
 		goto out_delete_net;
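Review bot: the `handler->clone_flags |= CLONE_NEWCGROUP;` in this hunk mutates the handler's namespace set in the middle of lxc_spawn, after `flags` has already been derived from it and after any earlier code in the start path has read clone_flags without the bit; it would be cleaner to add the bit where handler->clone_flags is first computed and let the existing `flags = handler->clone_flags;` pick it up, leaving only the CLONE_NEWNET filtering here. Because `cgns_supported()` is now consulted in two places (the removed check in do_start and this one), a single source for the decision also avoids the two ever disagreeing. A smaller style point: the two assignments can collapse to one, e.g. `if (cgns_supported()) handler->clone_flags |= CLONE_NEWCGROUP;` placed before `flags = handler->clone_flags;`, so the second `flags |= CLONE_NEWCGROUP;` is unnecessary.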

