[lxc-devel] [lxc/lxc] f41520: start: lxc_setup() after unshare(CLONE_NEWCGROUP)

GitHub noreply at github.com
Tue Jul 25 15:18:14 UTC 2017


  Branch: refs/heads/master
  Home:   https://github.com/lxc/lxc
  Commit: f4152036dd29d59c99e6a9415d6ea121f69c88ec
      https://github.com/lxc/lxc/commit/f4152036dd29d59c99e6a9415d6ea121f69c88ec
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2017-07-24 (Mon, 24 Jul 2017)

  Changed paths:
    M src/lxc/conf.c
    M src/lxc/start.c
    M src/lxc/sync.h

  Log Message:
  -----------
  start: lxc_setup() after unshare(CLONE_NEWCGROUP)

When the running kernel supports cgroup namespaces and users want to manually
set up cgroups via lxc.hook.mount before the init binary starts, the cgroup
namespace needs to be already unshared. Otherwise the view on the cgroup mounts
is wrong. This commit places the call to lxc_setup() after the
LXC_SYNC_POST_CGROUP barrier.

Before this commit, the tty fds we allocate from a fresh devpts instance in the
container's namespaces before the init binary starts were referring to the
host's cgroup namespace since lxc_setup() was called before
unshare(CLONE_NEWCGROUP). Although not a security risk at this point since
setns() restricts its calls to /proc/<self>/ns files it's still better to do it
*after* the cgroup namespace has been unshared.

Adding a Suggested-by line for the lxc.mount.hook fix for Quentin.

Closes #1597.

Suggested-by: Quentin Dufour <quentin at dufour.tk>
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
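The ordering argument in the commit message rests on a property of namespace
file descriptors: an fd opened before unshare(CLONE_NEWCGROUP) keeps naming the
original cgroup namespace, while /proc/self/ns/cgroup and /proc/self/cgroup
switch to the new one. The probe below, an added example that is not part of
this commit or of the lxc code base, shows that property directly. The struct
and the functions probe_cgroupns(), cgroupns_changed() and
check_cgroupns_unshare() are names chosen here, not LXC API. It assumes a
kernel with cgroup namespace support (4.6 or later) and CAP_SYS_ADMIN in the
current user namespace; without the capability unshare() fails with EPERM and
the probe reports that instead of treating it as a bug.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* CLONE_NEWCGROUP appeared in Linux 4.6; older headers lack the constant. */
#ifndef CLONE_NEWCGROUP
#define CLONE_NEWCGROUP 0x02000000
#endif

/* unshare() is a GNU extension; prototype it explicitly so this builds even
 * if <sched.h> was pulled in before _GNU_SOURCE took effect. */
extern int unshare(int flags);

/* Names below are this example's own, not LXC's. */
struct cgroupns_probe {
    ino_t before;            /* ns inode of the fd opened before unshare() */
    ino_t old_fd_after;      /* what that same fd reports after unshare()  */
    ino_t after;             /* ns inode of /proc/self/ns/cgroup afterwards */
    int unshare_errno;       /* 0 on success, else errno from unshare()    */
    char cgroup_before[256]; /* first line of /proc/self/cgroup before     */
    char cgroup_after[256];  /* ... and after (relative to the new root)   */
};

/* Copy the first line of /proc/self/cgroup, without the newline, into buf. */
static int read_self_cgroup(char *buf, size_t n)
{
    FILE *f = fopen("/proc/self/cgroup", "r");
    if (!f)
        return -1;
    if (!fgets(buf, (int)n, f)) { fclose(f); return -1; }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

/* Returns 0 when the probe ran (inspect p->unshare_errno), -1 when
 * /proc/self/ns/cgroup is missing, i.e. the kernel has no cgroupns at all. */
int probe_cgroupns(struct cgroupns_probe *p)
{
    struct stat st;
    memset(p, 0, sizeof(*p));

    int fd = open("/proc/self/ns/cgroup", O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0) { close(fd); return -1; }
    p->before = st.st_ino;
    read_self_cgroup(p->cgroup_before, sizeof(p->cgroup_before));

    if (unshare(CLONE_NEWCGROUP) < 0) {
        p->unshare_errno = errno;            /* typically EPERM unprivileged */
        p->old_fd_after = p->after = p->before;
        memcpy(p->cgroup_after, p->cgroup_before, sizeof(p->cgroup_after));
        close(fd);
        return 0;
    }

    /* The pre-unshare fd is untouched: it still names the original namespace,
     * so setns(fd, CLONE_NEWCGROUP) would move the caller back into it. */
    if (fstat(fd, &st) == 0)
        p->old_fd_after = st.st_ino;
    /* /proc/self/ns/cgroup now resolves to the freshly created namespace. */
    if (stat("/proc/self/ns/cgroup", &st) == 0)
        p->after = st.st_ino;
    /* And the process's cgroup path is reported relative to the new root. */
    read_self_cgroup(p->cgroup_after, sizeof(p->cgroup_after));
    close(fd);
    return 0;
}

/* True when unshare() succeeded, the process sits in a new cgroup namespace,
 * and the fd opened beforehand still refers to the old one. */
int cgroupns_changed(const struct cgroupns_probe *p)
{
    return p->unshare_errno == 0 &&
           p->after != p->before &&
           p->old_fd_after == p->before;
}

/* 1 = moved into a new cgroupns, 0 = unshare() refused (*err set), -1 = no
 * cgroup namespace support on this kernel. */
int check_cgroupns_unshare(int *err)
{
    struct cgroupns_probe p;
    if (probe_cgroupns(&p) < 0)
        return -1;
    *err = p.unshare_errno;
    return cgroupns_changed(&p) ? 1 : 0;
}

int main(void)
{
    struct cgroupns_probe p;
    if (probe_cgroupns(&p) < 0) {
        puts("no cgroup namespace support (/proc/self/ns/cgroup missing)");
        return 1;
    }
    if (p.unshare_errno) {
        printf("unshare(CLONE_NEWCGROUP): %s\n", strerror(p.unshare_errno));
        return 1;
    }
    printf("ns inode before %llu, after %llu, old fd still %llu\n",
           (unsigned long long)p.before, (unsigned long long)p.after,
           (unsigned long long)p.old_fd_after);
    printf("cgroup path before: %s\n             after: %s\n",
           p.cgroup_before, p.cgroup_after);
    return cgroupns_changed(&p) ? 0 : 1;
}
```

Run it as root (or inside a user namespace that grants CAP_SYS_ADMIN): the two
inode numbers differ and the cgroup path collapses to the new root, while the fd
taken before unshare() still reports the old inode. That is the situation the
commit avoids by calling lxc_setup() only after the cgroup namespace has been
unshared, so nothing allocated for the container's init ends up bound to the
host's cgroup namespace.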


  Commit: c1cecfdd050818865653d7941d7bae5d755246ae
      https://github.com/lxc/lxc/commit/c1cecfdd050818865653d7941d7bae5d755246ae
  Author: Serge Hallyn <serge at hallyn.com>
  Date:   2017-07-25 (Tue, 25 Jul 2017)

  Changed paths:
    M src/lxc/conf.c
    M src/lxc/start.c
    M src/lxc/sync.h

  Log Message:
  -----------
  Merge pull request #1606 from brauner/2017-06-01/lxc_setup_after_cgroup_unshare

call lxc_setup() after unshare(CLONE_NEWCGROUP)


Compare: https://github.com/lxc/lxc/compare/fa1bafd3f0e5...c1cecfdd0508

