[lxc-devel] [lxc/lxc] 3f69fb: confile: add "force" to cgroup:{mixed, ro, rw}

GitHub noreply at github.com
Fri Feb 16 19:47:56 UTC 2018


  Branch: refs/heads/master
  Home:   https://github.com/lxc/lxc
  Commit: 3f69fb12c1c3ccbc0f1354a16dd56edaba5fe741
      https://github.com/lxc/lxc/commit/3f69fb12c1c3ccbc0f1354a16dd56edaba5fe741
  Author: Shukui Yang <yangshukui at huawei.com>
  Date:   2018-02-16 (Fri, 16 Feb 2018)

  Changed paths:
    M doc/lxc.container.conf.sgml.in
    M src/lxc/cgroups/cgfsng.c
    M src/lxc/conf.c
    M src/lxc/conf.h
    M src/lxc/confile.c

  Log Message:
  -----------
  confile: add "force" to cgroup:{mixed,ro,rw}

This lets users specify
  lxc.mount.auto = cgroup:mixed:force
or
  lxc.mount.auto = cgroup:ro:force
or
  lxc.mount.auto = cgroup:rw:force

When cgroup namespaces are supported LXC will not mount cgroups for the
container since it assumes that the init system will mount cgroups itself if it
wants to. This assumption already broke when users wanted to run containers
without CAP_SYS_ADMIN. For example, systemd based containers wouldn't start
since systemd needs to mount cgroups (named systemd hierarchy for legacy
cgroups and the unified hierarchy for unified cgroups) to track processes. This
problem was solved by detecting whether the container had CAP_SYS_ADMIN. If it
didn't we performed the cgroup mounts for it.
However, there are more cases when we should be able to mount cgroups for the
container when cgroup namespaces are supported:
- init systems not mounting cgroups themselves:
  An init system that doesn't mount cgroups would not have cgroups available,
  especially when combined with custom LSM profiles to prevent cgroup
  {u}mount()ing inside containers.
- application containers:
  Application containers will usually not mount cgroups themselves.
- read-only cgroups:
  It is useful to be able to mount cgroups read-only to e.g. prevent
  changing cgroup limits from inside the container while at the same time
  allowing the applications to perform introspection on their own cgroups. This
  again is mostly useful for application containers. System containers running
  systemd will usually not work correctly when cgroups are mounted read-only.
To be fair, all of those use-cases could be covered by custom hooks or
lxc.mount.entry entries but exposing it through lxc.mount.auto takes care of
setting correct mount options and adding the necessary logic to e.g. mount
filesystem read-only correctly.

Currently we only extend this to cgroup:{mixed,ro,rw} but technically there's
no reason not to enable the same behavior for cgroup-full:{mixed,ro,rw} as
well. If someone requests this we can simply treat it as a bug and add "force"
for cgroup-full.

Replaces #2136.

Signed-off-by: Shukui Yang <yangshukui at huawei.com>
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: 8353b4c90ed18e570521134f2c60bef56a082b55
      https://github.com/lxc/lxc/commit/8353b4c90ed18e570521134f2c60bef56a082b55
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2018-02-16 (Fri, 16 Feb 2018)

  Changed paths:
    M src/lxc/conf.c

  Log Message:
  -----------
  conf: non-functional changes

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: ed06b69ce62c07eab30fd0b0b94d3d1d5f5fe729
      https://github.com/lxc/lxc/commit/ed06b69ce62c07eab30fd0b0b94d3d1d5f5fe729
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2018-02-16 (Fri, 16 Feb 2018)

  Changed paths:
    M CODING_STYLE.md

  Log Message:
  -----------
  CODING_STYLE: add section for str{n}cmp()

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: e99cf4acfd12ec8053497495b937f465c4b1b530
      https://github.com/lxc/lxc/commit/e99cf4acfd12ec8053497495b937f465c4b1b530
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2018-02-16 (Fri, 16 Feb 2018)

  Changed paths:
    M src/tests/Makefile.am
    R src/tests/lxc-test-ubuntu

  Log Message:
  -----------
  tests: remove lxc-test-ubuntu

This is really taking a long time for not a lot of benefit.

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: 7e50ec0b5f727f3cbc99b2be9189e936857ce44e
      https://github.com/lxc/lxc/commit/7e50ec0b5f727f3cbc99b2be9189e936857ce44e
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2018-02-16 (Fri, 16 Feb 2018)

  Changed paths:
    M src/lxc/utils.c

  Log Message:
  -----------
  utils: fix lxc_p{close,open}()

If a file descriptor fd is opened by fdopen() and associated with a stream f, it
will **not** have been dup()ed. This means that fclose(f) will also close the
fd. So never call close(fd) after fdopen(fd) succeeded.
This fixes a double close() Stéphane and I observed when debugging on aarch64
and armhf.

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
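The fdopen()/fclose() ownership rule the commit message above describes, shown as an added example that is not LXC's code and not part of this notification: `write_and_close_via_stream()` is a hypothetical helper that wraps a pipe's write end in a FILE stream and releases it with fclose() only, `errno_of_close_after_fclose()` reproduces the double close() the commit removes and reports the errno it produces, and `fd_is_open()` uses fcntl(F_GETFD) to observe whether the descriptor is still valid.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Returns 1 if fd is still a valid open descriptor, 0 if it is closed (EBADF). */
static int fd_is_open(int fd)
{
	return fcntl(fd, F_GETFD) != -1;
}

/* Write one line through a FILE stream wrapped around fd and release it the
 * safe way: fclose() alone closes the underlying fd, because fdopen() does not
 * dup() it. Returns 0 on success, -1 on failure; *fd_gone_after_fclose reports
 * whether the descriptor was already gone once fclose() returned. */
int write_and_close_via_stream(int fd, const char *line, int *fd_gone_after_fclose)
{
	FILE *f = fdopen(fd, "w");
	if (!f) {
		close(fd); /* fdopen() failed: the fd is still ours to close */
		return -1;
	}
	if (fputs(line, f) == EOF) {
		fclose(f);
		return -1;
	}
	/* fclose() flushes and closes fd; no close(fd) must follow. */
	if (fclose(f) != 0)
		return -1;
	*fd_gone_after_fclose = !fd_is_open(fd);
	return 0;
}

/* Reproduce the bug: close() on an fd already released by fclose() fails with
 * EBADF here, and in a multithreaded process could instead hit a descriptor
 * number that was reused in the meantime. Returns the errno of that close(),
 * 0 if it unexpectedly succeeded, -1 if setup failed. */
int errno_of_close_after_fclose(void)
{
	int pfd[2];
	if (pipe(pfd) != 0)
		return -1;
	FILE *f = fdopen(pfd[1], "w");
	if (!f) {
		close(pfd[0]);
		close(pfd[1]);
		return -1;
	}
	fclose(f);        /* releases pfd[1] */
	close(pfd[0]);
	int rc = close(pfd[1]); /* the double close the commit removes */
	return rc == -1 ? errno : 0;
}

/* Round-trip over a constructed pipe: returns 1 if the reader received the
 * line and the write end was released by fclose() alone, 0 otherwise. */
int demo_pipe_roundtrip(void)
{
	int pfd[2];
	char buf[64] = {0};
	int gone = 0;

	if (pipe(pfd) != 0)
		return 0;
	if (write_and_close_via_stream(pfd[1], "hello\n", &gone) != 0) {
		close(pfd[0]);
		return 0;
	}
	ssize_t n = read(pfd[0], buf, sizeof(buf) - 1);
	close(pfd[0]);
	return n == 6 && strcmp(buf, "hello\n") == 0 && gone == 1;
}

int main(void)
{
	printf("roundtrip ok: %d, close() after fclose() errno: %d (EBADF=%d)\n",
	       demo_pipe_roundtrip(), errno_of_close_after_fclose(), EBADF);
	return 0;
}
```

The practical rule for review is ownership: once fdopen() succeeds, the stream owns the descriptor, so the cleanup path must call fclose() and nothing else; only the fdopen()-failed branch still closes the raw fd.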


  Commit: 47d4e397da6c23cb1793a39d1dab149b6d376236
      https://github.com/lxc/lxc/commit/47d4e397da6c23cb1793a39d1dab149b6d376236
  Author: Stéphane Graber <stgraber at stgraber.org>
  Date:   2018-02-16 (Fri, 16 Feb 2018)

  Changed paths:
    M CODING_STYLE.md
    M doc/lxc.container.conf.sgml.in
    M src/lxc/cgroups/cgfsng.c
    M src/lxc/conf.c
    M src/lxc/conf.h
    M src/lxc/confile.c
    M src/lxc/utils.c
    M src/tests/Makefile.am
    R src/tests/lxc-test-ubuntu

  Log Message:
  -----------
  Merge pull request #2170 from brauner/2018-02-16/cgfsng_force_cgroup_mount

confile: add "force" to cgroup:{mixed,ro,rw}


Compare: https://github.com/lxc/lxc/compare/f3793175d696...47d4e397da6c

