[lxc-devel] [lxd/master] lxd/apparmor: Disable cgroup2 on legacy hosts

stgraber on Github lxc-bot at linuxcontainers.org
Thu Aug 13 21:53:33 UTC 2020


From 8256b04c5a8ac98da9a8a7cef8ddf1ccac5dfd51 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Tue, 11 Aug 2020 14:27:34 -0400
Subject: [PATCH] lxd/apparmor: Disable cgroup2 on legacy hosts
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 lxd/apparmor/instance.go     | 4 +++-
 lxd/apparmor/instance_lxc.go | 2 ++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/lxd/apparmor/instance.go b/lxd/apparmor/instance.go
index 1a2f9b23b7..1944f7bb4b 100644
--- a/lxd/apparmor/instance.go
+++ b/lxd/apparmor/instance.go
@@ -9,6 +9,7 @@ import (
 	"path/filepath"
 	"strings"
 
+	"github.com/lxc/lxd/lxd/cgroup"
 	"github.com/lxc/lxd/lxd/project"
 	"github.com/lxc/lxd/lxd/state"
 	"github.com/lxc/lxd/shared"
@@ -159,7 +160,8 @@ func instanceProfile(state *state.State, inst instance) (string, error) {
 	var sb *strings.Builder = &strings.Builder{}
 	err = lxcProfileTpl.Execute(sb, map[string]interface{}{
 		"feature_unix":     unixSupported,
-		"feature_cgns":     shared.PathExists("/proc/self/ns/cgroup"),
+		"feature_cgns":     state.OS.CGInfo.Namespacing,
+		"feature_cgroup2":  state.OS.CGInfo.Layout == cgroup.CgroupsUnified || state.OS.CGInfo.Layout == cgroup.CgroupsHybrid,
 		"feature_stacking": state.OS.AppArmorStacking && !state.OS.AppArmorStacked,
 		"namespace":        InstanceNamespaceName(inst),
 		"nesting":          inst.IsNesting(),
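Review bot: The `feature_cgns` entry switches from a live probe of `/proc/self/ns/cgroup` to `state.OS.CGInfo.Namespacing`, a change the commit message does not mention. Because this value gates the `mount fstype=cgroup` rule in the generated AppArmor profile, it is worth confirming that the two sources agree on every supported host; if they differ, a mount rule is silently dropped from or added to the confinement policy. The `feature_cgroup2` expression on the next line would read better as a named local above the `Execute` call with a one-line comment on why legacy layouts are excluded, e.g. `hasCgroup2 := state.OS.CGInfo.Layout == cgroup.CgroupsUnified || state.OS.CGInfo.Layout == cgroup.CgroupsHybrid`. The body of instanceProfile starts and ends outside this hunk.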
diff --git a/lxd/apparmor/instance_lxc.go b/lxd/apparmor/instance_lxc.go
index 3962e4f0fb..b9c3fcb7db 100644
--- a/lxd/apparmor/instance_lxc.go
+++ b/lxd/apparmor/instance_lxc.go
@@ -453,8 +453,10 @@ profile "{{ .name }}" flags=(attach_disconnected,mediate_deleted) {
 
   ### Feature: cgroup namespace
   mount fstype=cgroup -> /sys/fs/cgroup/**,
+{{- if .feature_cgroup2 }}
   mount fstype=cgroup2 -> /sys/fs/cgroup/**,
 {{- end }}
+{{- end }}
 
 {{- if .feature_stacking }}
 
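Review bot: The new `{{- if .feature_cgroup2 }}` remains nested inside a conditional opened above this hunk (presumably the `feature_cgns` block, going by the `### Feature: cgroup namespace` heading), so the `cgroup2` mount rule is emitted only when both flags are true. If that coupling is intended, state it in the profile with a line such as `  ### Feature: cgroup2 (unified or hybrid layout only)` before the rule. The two adjacent closers are also easy to mismatch in a later edit; labelling them, e.g. `{{- end }}{{/* feature_cgroup2 */}}`, avoids closing the wrong block. A test that renders the template for each cgroup layout would catch a mount rule leaking into or disappearing from the profile.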

