[lxc-devel] [lxc/lxc] 9fac8f: container start: clone newcgroup immediately

GitHub noreply at github.com
Thu Nov 3 01:56:29 UTC 2016


  Branch: refs/heads/master
  Home:   https://github.com/lxc/lxc
  Commit: 9fac8fbbd9801867c5329ba43a9cbc0f0e80e14c
      https://github.com/lxc/lxc/commit/9fac8fbbd9801867c5329ba43a9cbc0f0e80e14c
  Author: Serge Hallyn <serge at hallyn.com>
  Date:   2016-06-25 (Sat, 25 Jun 2016)

  Changed paths:
    M src/lxc/start.c

  Log Message:
  -----------
  container start: clone newcgroup immediately

rather than waiting and later unsharing.

This "makes the creation of a new cgroup early enough that the existing
cgroup mounts are visible.  Which means any fancy permission checks
I dream will work on a future version of liblxc."

This also includes what should be a tiny improvement regarding netns,
though it's conceivable it'll break something.  Remember that with new
kernels we need to unshare netns after we've become the root user in the
new userns, so that netns files are owned by that root.  But we were
passing the unfiltered handler->clone_flags to the original clone().
This just resulted in a temporary extra netns generation, but still
worked since our target netns, which we passed our devices into, was
created late enough.

Signed-off-by: Serge Hallyn <serge at hallyn.com>
Signed-off-by: "Eric W. Biederman" <ebiederm at xmission.com>


  Commit: b4b43e9e3270a2ab014ee5fbd4590bb3a321835c
      https://github.com/lxc/lxc/commit/b4b43e9e3270a2ab014ee5fbd4590bb3a321835c
  Author: Christian Brauner <christian.brauner at canonical.com>
  Date:   2016-11-02 (Wed, 02 Nov 2016)

  Changed paths:
    M src/lxc/start.c

  Log Message:
  -----------
  Merge pull request #1058 from hallyn/2016-06-24/eric.cgns

container start: clone newcgroup immediately


Compare: https://github.com/lxc/lxc/compare/0fa988d1ace8...b4b43e9e3270

