[lxc-devel] [lxc/master] Add two auto mount options:
keloyang on Github
lxc-bot at linuxcontainers.org
Wed Feb 7 11:03:27 UTC 2018
From 1f13c2810f50106ed5354b33e0fb00d686dc2757 Mon Sep 17 00:00:00 2001
From: Shukui Yang <yangshukui at huawei.com>
Date: Wed, 7 Feb 2018 14:04:41 -0500
Subject: [PATCH] Add auto mount options: cgroup-self:ro (partial mount performed by lxc itself, without the lxc/<containerid> path component, read-only) and cgroup-self:rw (same, read-write)
Signed-off-by: Shukui Yang <yangshukui at huawei.com>
---
src/lxc/cgroups/cgfsng.c | 26 ++++++++++++++++++++------
src/lxc/conf.h | 13 ++++++++-----
src/lxc/confile.c | 2 ++
3 files changed, 30 insertions(+), 11 deletions(-)
diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
index f4bec7f52..41f6fa38b 100644
--- a/src/lxc/cgroups/cgfsng.c
+++ b/src/lxc/cgroups/cgfsng.c
@@ -1938,8 +1938,6 @@ static int do_secondstage_mounts_if_needed(int type, struct hierarchy *h,
}
char *sourcepath = must_make_path(h->mountpoint, h->base_cgroup, container_cgroup, NULL);
int flags = MS_BIND;
- if (type == LXC_AUTO_CGROUP_RO)
- flags |= MS_RDONLY;
INFO("Mounting %s onto %s", sourcepath, cgpath);
if (mount(sourcepath, cgpath, "cgroup", flags, NULL) < 0) {
free(sourcepath);
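Review bot: Dropping MS_RDONLY from the first mount() call deserves a comment, because a later reader will otherwise be tempted to put it back: the kernel ignores MS_RDONLY on a plain MS_BIND mount, and the read-only state only takes effect through the MS_REMOUNT|MS_BIND call that follows this hunk. Suggest annotating `int flags = MS_BIND;` with `/* MS_RDONLY is ignored on the initial bind; read-only is applied by the MS_REMOUNT|MS_BIND call below */`. do_secondstage_mounts_if_needed starts before this hunk.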
@@ -1947,6 +1945,18 @@ static int do_secondstage_mounts_if_needed(int type, struct hierarchy *h,
cgpath);
return -1;
}
+ if (type == LXC_AUTO_CGROUP_RO ||
+ type == LXC_AUTO_CGROUP_SELF_RO){
+ flags |= MS_RDONLY;
+ flags |= MS_REMOUNT;
+ INFO("ReMounting %s onto %s with readoly flag", sourcepath, cgpath);
+ if (mount(sourcepath, cgpath, "cgroup", flags, NULL) < 0) {
+ free(sourcepath);
+ SYSERROR("Error mounting cgroup %s onto %s", h->controllers[0],
+ cgpath);
+ return -1;
+ }
+ }
free(sourcepath);
INFO("Completed second stage cgroup automounts for %s", cgpath);
return 0;
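Review bot: The read-only remount passes only MS_BIND|MS_RDONLY|MS_REMOUNT, and a per-mount remount replaces the mount's flags with exactly those given, so any nosuid/nodev/noexec the bind inherited from the host cgroup mount (systemd mounts cgroupfs that way) would be dropped — or, if those flags are locked because the container runs in a user namespace, the remount is likely to fail with EPERM and abort container start. Preserve them explicitly, e.g. `flags |= MS_REMOUNT | MS_RDONLY | MS_NOSUID | MS_NODEV | MS_NOEXEC;`, or read the current flags with statvfs() on cgpath before remounting. The INFO string has a typo (`readoly`), and the SYSERROR text is identical to the one emitted for the first mount, so the two failure points cannot be told apart in logs; use `SYSERROR("Error remounting cgroup %s read-only onto %s", h->controllers[0], cgpath);`.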
@@ -1993,6 +2003,7 @@ static bool cgfsng_mount(void *hdata, const char *root, int type)
struct lxc_handler *handler = hdata;
struct cgfsng_handler_data *d = handler->cgroup_data;
bool has_cgns = false, has_sys_admin = true;
+ char *container_cgroup = "";
if ((type & LXC_AUTO_CGROUP_MASK) == 0)
return true;
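Review bot: `char *container_cgroup = "";` points a non-const pointer at a string literal; writing through it would be undefined behaviour, and nothing in the visible code needs to write. Declare it `const char *container_cgroup = "";` — the later assignment from d->container_cgroup still compiles, and must_make_path presumably takes const string arguments. cgfsng_mount continues past this hunk.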
@@ -2002,10 +2013,13 @@ static bool cgfsng_mount(void *hdata, const char *root, int type)
has_sys_admin = in_caplist(CAP_SYS_ADMIN, &handler->conf->keepcaps);
else
has_sys_admin = !in_caplist(CAP_SYS_ADMIN, &handler->conf->caps);
+ if (type != LXC_AUTO_CGROUP_SELF_RO &&
+ type != LXC_AUTO_CGROUP_SELF_RW){
+ if (has_cgns && has_sys_admin )
+ return true;
- if (has_cgns && has_sys_admin)
- return true;
-
+ container_cgroup = d->container_cgroup;
+ }
tmpfspath = must_make_path(root, "/sys/fs/cgroup", NULL);
if (type == LXC_AUTO_CGROUP_NOSPEC)
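Review bot: The new condition skips the `has_cgns && has_sys_admin` short-circuit for both cgroup-self modes without saying why, which matters because that early return is what normally leaves a container with a cgroup namespace and CAP_SYS_ADMIN to mount cgroupfs on its own; in cgroup-self mode lxc now always performs the bind mount from the host side, even for such containers. Add a comment above the `if`, e.g. `/* cgroup-self:* is always mounted by lxc itself, even when the container could mount cgroupfs via cgns + CAP_SYS_ADMIN; container_cgroup stays "" so the target is the base cgroup path, not base/lxc/<name> */`. Style: `){` and `has_sys_admin )` do not match the file's spacing (`) {`, no space before `)`). cgfsng_mount starts before and continues after this hunk.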
@@ -2060,7 +2074,7 @@ static bool cgfsng_mount(void *hdata, const char *root, int type)
free(controllerpath);
continue;
}
- path2 = must_make_path(controllerpath, h->base_cgroup, d->container_cgroup, NULL);
+ path2 = must_make_path(controllerpath, h->base_cgroup, container_cgroup, NULL);
if (mkdir_p(path2, 0755) < 0) {
free(controllerpath);
free(path2);
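Review bot: path2 is now built without the container's cgroup in cgroup-self mode, but the call that actually populates it — do_secondstage_mounts_if_needed() — lies after this hunk and is not shown, so it is unclear whether the mounted source is still d->container_cgroup (the container's own cgroup appearing at the base path, which is presumably what "no lxc/containerid" means) or the base cgroup itself. If it is the latter, cgroup-self:rw hands the container write access to a hierarchy shared with sibling containers, including the ability to move its own tasks to another cgroup and escape its limits, and that must be stated in the option's documentation. Please confirm the source path and add a comment at the path2 line once verified, e.g. `/* cgroup-self: target is <controller>/<base_cgroup>; the container's own cgroup is bound there without the lxc/<name> suffix */`. cgfsng_mount continues after this hunk.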
diff --git a/src/lxc/conf.h b/src/lxc/conf.h
index 2346b717f..1d5680a47 100644
--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
@@ -223,9 +223,12 @@ enum {
LXC_AUTO_CGROUP_RO = 0x010, /* /sys/fs/cgroup (partial mount, read-only) */
LXC_AUTO_CGROUP_RW = 0x020, /* /sys/fs/cgroup (partial mount, read-write) */
LXC_AUTO_CGROUP_MIXED = 0x030, /* /sys/fs/cgroup (partial mount, paths r/o, cgroup r/w) */
- LXC_AUTO_CGROUP_FULL_RO = 0x040, /* /sys/fs/cgroup (full mount, read-only) */
- LXC_AUTO_CGROUP_FULL_RW = 0x050, /* /sys/fs/cgroup (full mount, read-write) */
- LXC_AUTO_CGROUP_FULL_MIXED = 0x060, /* /sys/fs/cgroup (full mount, parent r/o, own r/w) */
+ LXC_AUTO_CGROUP_SELF_RO = 0x040, /* /sys/fs/cgroup (partial mount by lxc itself, no lxc/containerid r/o) */
+ LXC_AUTO_CGROUP_SELF_RW = 0x050, /* /sys/fs/cgroup (partial mount by lxc itself, no lxc/containerid r/w) */
+ LXC_AUTO_CGROUP_FULL_RO = 0x060, /* /sys/fs/cgroup (full mount, read-only) */
+ LXC_AUTO_CGROUP_FULL_RW = 0x070, /* /sys/fs/cgroup (full mount, read-write) */
+ LXC_AUTO_CGROUP_FULL_MIXED = 0x080, /* /sys/fs/cgroup (full mount, parent r/o, own r/w) */
+
/* These are defined in such a way as to retain
* binary compatibility with earlier versions of
* this code. If the previous mask is applied,
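Review bot: Inserting LXC_AUTO_CGROUP_SELF_RO/RW at 0x040/0x050 renumbers LXC_AUTO_CGROUP_FULL_RO, FULL_RW and FULL_MIXED, while the comment that starts at the bottom of this hunk promises that the values in this enum retain binary compatibility with earlier versions and explains that the NOSPEC values depend on the existing numbering; FULL_MIXED no longer sits where that explanation places it. Append the new options after the existing ones instead so every current value stays stable: `LXC_AUTO_CGROUP_SELF_RO = 0x070, /* ... */` and `LXC_AUTO_CGROUP_SELF_RW = 0x080, /* ... */` following `LXC_AUTO_CGROUP_FULL_MIXED = 0x060,`. The descriptions "partial mount by lxc itself, no lxc/containerid r/o" should spell out what the container sees, e.g. "partial mount performed by lxc, own cgroup mounted at the base path without the lxc/<name> component, read-only".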
@@ -233,9 +236,9 @@ enum {
* variants, which is safe. */
LXC_AUTO_CGROUP_NOSPEC = 0x0B0, /* /sys/fs/cgroup (partial mount, r/w or mixed, depending on caps) */
LXC_AUTO_CGROUP_FULL_NOSPEC = 0x0E0, /* /sys/fs/cgroup (full mount, r/w or mixed, depending on caps) */
- LXC_AUTO_CGROUP_MASK = 0x0F0,
+ LXC_AUTO_CGROUP_MASK = 0x1F0,
- LXC_AUTO_ALL_MASK = 0x0FF, /* all known settings */
+ LXC_AUTO_ALL_MASK = 0x1FF, /* all known settings */
};
/*
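Review bot: LXC_AUTO_CGROUP_MASK and LXC_AUTO_ALL_MASK are widened to 0x1F0/0x1FF, but no value in the enum uses bit 0x100 — the highest cgroup value after this patch is 0x0E0, which the old 0x0F0 mask already covers — so the change is either unnecessary or reserves a bit for something the patch does not show. If 0x100 is not needed, keep `LXC_AUTO_CGROUP_MASK = 0x0F0,` and `LXC_AUTO_ALL_MASK = 0x0FF,`; if it is, say what for in a comment and check that nothing else in the auto-mount flag space already uses bit 0x100, since the masks would now silently claim it and clear it whenever a cgroup option is set.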
diff --git a/src/lxc/confile.c b/src/lxc/confile.c
index fa4f84da9..509c3b4e6 100644
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -1770,6 +1770,8 @@ static int set_config_mount_auto(const char *key, const char *value,
{ "cgroup-full:mixed", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_FULL_MIXED },
{ "cgroup-full:ro", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_FULL_RO },
{ "cgroup-full:rw", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_FULL_RW },
+ { "cgroup-self:ro", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_SELF_RO },
+ { "cgroup-self:rw", LXC_AUTO_CGROUP_MASK, LXC_AUTO_CGROUP_SELF_RW },
/* For adding anything that is just a single on/off, but has no
* options: keep mask and flag identical and just define the enum
* value as an unused bit so far
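Review bot: The two new config keys are user-facing, but the diffstat (three source files) contains no change to the lxc.container.conf manual page, so `lxc.mount.auto = cgroup-self:ro` / `cgroup-self:rw` can neither be discovered nor their security trade-off (the container's cgroup at the base path, read-write in the rw variant) assessed by users. Add the entries under lxc.mount.auto next to the cgroup-full:* ones, and state whether a `cgroup-self:mixed` variant is intentionally omitted. set_config_mount_auto starts before and ends after this hunk.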