[lxc-devel] [lxc/master] cgfsng: close tiny race window

brauner on Github lxc-bot at linuxcontainers.org
Wed Oct 3 10:29:01 UTC 2018


A non-text attachment was scrubbed...
Name: not available
Type: text/x-mailbox
Size: 364 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20181003/80134e63/attachment.bin>
-------------- next part --------------
From 362a380fbb2f9925385defe5ee90134608c5b341 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Wed, 3 Oct 2018 12:20:49 +0200
Subject: [PATCH 1/2] Revert "Revert "cgfsng: avoid tiny race window""

This reverts commit c5e7a7acbf23f0c267179b3318af41423b39493a.
---
 src/lxc/cgroups/cgfsng.c | 58 +++++++++++++++++++++++++++++-----------
 src/lxc/utils.c          | 25 ++++++++++-------
 2 files changed, 57 insertions(+), 26 deletions(-)

diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
index 0fc9b11d2..ec4501c33 100644
--- a/src/lxc/cgroups/cgfsng.c
+++ b/src/lxc/cgroups/cgfsng.c
@@ -1257,13 +1257,50 @@ static bool cg_unified_create_cgroup(struct hierarchy *h, char *cgname)
 	return bret;
 }
 
+static int mkdir_eexist_on_last(const char *dir, mode_t mode)
+{
+	const char *tmp = dir;
+	const char *orig = dir;
+	size_t orig_len;
+
+	orig_len = strlen(dir);
+	do {
+		int ret;
+		size_t cur_len;
+		char *makeme;
+
+		dir = tmp + strspn(tmp, "/");
+		tmp = dir + strcspn(dir, "/");
+
+		errno = ENOMEM;
+		cur_len = dir - orig;
+		makeme = strndup(orig, cur_len);
+		if (!makeme)
+			return -1;
+
+		ret = mkdir(makeme, mode);
+		if (ret < 0) {
+			if ((errno != EEXIST) || (orig_len == cur_len)) {
+				SYSERROR("Failed to create directory \"%s\"", makeme);
+				free(makeme);
+				return -1;
+			}
+		}
+		free(makeme);
+
+	} while (tmp != dir);
+
+	return 0;
+}
+
 static bool monitor_create_path_for_hierarchy(struct hierarchy *h, char *cgname)
 {
 	int ret;
 
 	h->monitor_full_path = must_make_path(h->mountpoint, h->container_base_path, cgname, NULL);
-	if (dir_exists(h->monitor_full_path)) {
-		ERROR("The cgroup \"%s\" already existed", h->monitor_full_path);
+	ret = mkdir_eexist_on_last(h->monitor_full_path, 0755);
+	if (ret < 0) {
+		ERROR("Failed to create cgroup \"%s\"", h->monitor_full_path);
 		return false;
 	}
 
@@ -1272,12 +1309,6 @@ static bool monitor_create_path_for_hierarchy(struct hierarchy *h, char *cgname)
 		return false;
 	}
 
-	ret = mkdir_p(h->monitor_full_path, 0755);
-	if (ret < 0) {
-		ERROR("Failed to create cgroup \"%s\"", h->monitor_full_path);
-		return false;
-	}
-
 	return cg_unified_create_cgroup(h, cgname);
 }
 
@@ -1286,8 +1317,9 @@ static bool container_create_path_for_hierarchy(struct hierarchy *h, char *cgnam
 	int ret;
 
 	h->container_full_path = must_make_path(h->mountpoint, h->container_base_path, cgname, NULL);
-	if (dir_exists(h->container_full_path)) {
-		ERROR("The cgroup \"%s\" already existed", h->container_full_path);
+	ret = mkdir_eexist_on_last(h->container_full_path, 0755);
+	if (ret < 0) {
+		ERROR("Failed to create cgroup \"%s\"", h->container_full_path);
 		return false;
 	}
 
@@ -1296,12 +1328,6 @@ static bool container_create_path_for_hierarchy(struct hierarchy *h, char *cgnam
 		return false;
 	}
 
-	ret = mkdir_p(h->container_full_path, 0755);
-	if (ret < 0) {
-		ERROR("Failed to create cgroup \"%s\"", h->container_full_path);
-		return false;
-	}
-
 	return cg_unified_create_cgroup(h, cgname);
 }
 
diff --git a/src/lxc/utils.c b/src/lxc/utils.c
index ff6ea3fd7..1af6f512c 100644
--- a/src/lxc/utils.c
+++ b/src/lxc/utils.c
@@ -221,26 +221,31 @@ extern int get_u16(unsigned short *val, const char *arg, int base)
 	return 0;
 }
 
-extern int mkdir_p(const char *dir, mode_t mode)
+int mkdir_p(const char *dir, mode_t mode)
 {
 	const char *tmp = dir;
 	const char *orig = dir;
-	char *makeme;
-
 	do {
+		int ret;
+		char *makeme;
+
 		dir = tmp + strspn(tmp, "/");
 		tmp = dir + strcspn(dir, "/");
 
+		errno = ENOMEM;
 		makeme = strndup(orig, dir - orig);
-		if (*makeme) {
-			if (mkdir(makeme, mode) && errno != EEXIST) {
-				SYSERROR("failed to create directory '%s'", makeme);
-				free(makeme);
-				return -1;
-			}
+		if (!makeme)
+			return -1;
+
+		ret = mkdir(makeme, mode);
+		if (ret < 0 && errno != EEXIST) {
+			SYSERROR("Failed to create directory \"%s\"", makeme);
+			free(makeme);
+			return -1;
 		}
 		free(makeme);
-	} while(tmp != dir);
+
+	} while (tmp != dir);
 
 	return 0;
 }

From c85cc6c9ccd7b9555b336c68a60d337d776e14a8 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Wed, 3 Oct 2018 12:23:36 +0200
Subject: [PATCH 2/2] cgfsng: handle v1 cpuset hierarchy first

If the value of cgroup.clone_children in our immediate ancestor cgroup
is 0 then the cpuset of any cgroups we create in subtrees will be empty
and hence we'll copy an empty cpuset at which point we cannot enter the
cpuset cgroup.
Avoid this problem by initializing cgroup.clone_children to 1 an copying
the initialized cpuset of our immediate ancestor. Note, that the cpuset
of our immediate ancestor must be initialized and ours as well otherwise
we couldn't be located in this cgroup.

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 src/lxc/cgroups/cgfsng.c | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
index ec4501c33..97913209c 100644
--- a/src/lxc/cgroups/cgfsng.c
+++ b/src/lxc/cgroups/cgfsng.c
@@ -1297,6 +1297,11 @@ static bool monitor_create_path_for_hierarchy(struct hierarchy *h, char *cgname)
 {
 	int ret;
 
+	if (!cg_legacy_handle_cpuset_hierarchy(h, cgname)) {
+		ERROR("Failed to handle legacy cpuset controller");
+		return false;
+	}
+
 	h->monitor_full_path = must_make_path(h->mountpoint, h->container_base_path, cgname, NULL);
 	ret = mkdir_eexist_on_last(h->monitor_full_path, 0755);
 	if (ret < 0) {
@@ -1304,11 +1309,6 @@ static bool monitor_create_path_for_hierarchy(struct hierarchy *h, char *cgname)
 		return false;
 	}
 
-	if (!cg_legacy_handle_cpuset_hierarchy(h, cgname)) {
-		ERROR("Failed to handle legacy cpuset controller");
-		return false;
-	}
-
 	return cg_unified_create_cgroup(h, cgname);
 }
 
@@ -1316,6 +1316,11 @@ static bool container_create_path_for_hierarchy(struct hierarchy *h, char *cgnam
 {
 	int ret;
 
+	if (!cg_legacy_handle_cpuset_hierarchy(h, cgname)) {
+		ERROR("Failed to handle legacy cpuset controller");
+		return false;
+	}
+
 	h->container_full_path = must_make_path(h->mountpoint, h->container_base_path, cgname, NULL);
 	ret = mkdir_eexist_on_last(h->container_full_path, 0755);
 	if (ret < 0) {
@@ -1323,11 +1328,6 @@ static bool container_create_path_for_hierarchy(struct hierarchy *h, char *cgnam
 		return false;
 	}
 
-	if (!cg_legacy_handle_cpuset_hierarchy(h, cgname)) {
-		ERROR("Failed to handle legacy cpuset controller");
-		return false;
-	}
-
 	return cg_unified_create_cgroup(h, cgname);
 }
 


More information about the lxc-devel mailing list