[lxc-devel] [lxc/master] cgroup: fixes

brauner on Github lxc-bot at linuxcontainers.org
Sun May 3 10:04:20 UTC 2020


From 0e7a013ee850f5388f17e562e663268f24903a9b Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Sun, 3 May 2020 11:59:15 +0200
Subject: [PATCH 1/2] cgroups: ignore cgroup2 limits on non-cgroup2 layouts

Mixing cgroup2 and legacy cgroup systems such that some controllers are enabled
in legacy cgroup hierarchies and other controllers in the unified hierarchies
is simply not something we're supporting. Even systemd's hybrid layout (crazy)
doesn't bind controllers to the unified cgroup hierarchy.

Fixes: #3183
Cc: Thomas Moschny <thomas.moschny at gmx.de>
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 src/lxc/cgroups/cgfsng.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
index 37309c9ead..7dfdc4e2d5 100644
--- a/src/lxc/cgroups/cgfsng.c
+++ b/src/lxc/cgroups/cgfsng.c
@@ -2928,9 +2928,12 @@ __cgfsng_ops static bool cgfsng_setup_limits(struct cgroup_ops *ops,
 		return ret_set_errno(false, EINVAL);
 	conf = handler->conf;
 
-	if (lxc_list_empty(&conf->cgroup2))
-		return true;
 	cgroup_settings = &conf->cgroup2;
+	if (lxc_list_empty(cgroup_settings))
+		return true;
+
+	if (!pure_unified_layout(ops))
+		return log_warn_errno(true, EINVAL, "Ignoring cgroup2 limits on legacy cgroup system");
 
 	if (!ops->unified)
 		return false;

From 8dd7f9052fef12c4516fa7f62e267554a489fd9f Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Sun, 3 May 2020 12:01:44 +0200
Subject: [PATCH 2/2] common.conf: add cgroup2 default device limits

Fixes: #3183
Cc: Thomas Moschny <thomas.moschny at gmx.de>
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 config/templates/common.conf.in | 31 +++++++++++++++++++++++++++++++
 config/templates/userns.conf.in |  8 ++++++++
 2 files changed, 39 insertions(+)

diff --git a/config/templates/common.conf.in b/config/templates/common.conf.in
index c4b3bdcce8..286c5e4a3e 100644
--- a/config/templates/common.conf.in
+++ b/config/templates/common.conf.in
@@ -15,6 +15,8 @@ lxc.cap.drop = mac_admin mac_override sys_time sys_module sys_rawio
 # Ensure hostname is changed on clone
 lxc.hook.clone = @LXCHOOKDIR@/clonehostname
 
+# Default legacy cgroup configuration
+#
 # CGroup whitelist
 lxc.cgroup.devices.deny = a
 ## Allow any mknod (but not reading/writing the node)
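Review bot: the heading `# Default legacy cgroup configuration` labels the block but does not say when it applies; a short line under it stating that the `lxc.cgroup.*` keys are enforced only on hosts with a legacy cgroup layout, and that the matching `lxc.cgroup2.*` block covers unified hosts, would tell administrators which of the two device whitelists is actually in effect on their system.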
@@ -42,6 +44,35 @@ lxc.cgroup.devices.allow = c 136:* rwm
 ### fuse
 lxc.cgroup.devices.allow = c 10:229 rwm
 
+# Default unified cgroup configuration
+#
+# CGroup whitelist
+lxc.cgroup2.devices.deny = a
+## Allow any mknod (but not reading/writing the node)
+lxc.cgroup2.devices.allow = c *:* m
+lxc.cgroup2.devices.allow = b *:* m
+## Allow specific devices
+### /dev/null
+lxc.cgroup2.devices.allow = c 1:3 rwm
+### /dev/zero
+lxc.cgroup2.devices.allow = c 1:5 rwm
+### /dev/full
+lxc.cgroup2.devices.allow = c 1:7 rwm
+### /dev/tty
+lxc.cgroup2.devices.allow = c 5:0 rwm
+### /dev/console
+lxc.cgroup2.devices.allow = c 5:1 rwm
+### /dev/ptmx
+lxc.cgroup2.devices.allow = c 5:2 rwm
+### /dev/random
+lxc.cgroup2.devices.allow = c 1:8 rwm
+### /dev/urandom
+lxc.cgroup2.devices.allow = c 1:9 rwm
+### /dev/pts/*
+lxc.cgroup2.devices.allow = c 136:* rwm
+### fuse
+lxc.cgroup2.devices.allow = c 10:229 rwm
+
 # Setup the default mounts
 lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
 lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
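Review bot: the `lxc.cgroup2.devices.*` block mirrors the legacy list entry for entry, with `deny = a` first and the `m`-only wildcard rules before the specific `rwm` entries, which is the right ordering since later rules refine the blanket deny; but nothing ties the two lists together, so a device added to only one of them in a later change would give a container different device containment depending on the host's cgroup layout. A comment above both blocks saying that any change must be mirrored in the other (or a note in the commit message that the lists are intentionally identical) would guard against that drift.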
diff --git a/config/templates/userns.conf.in b/config/templates/userns.conf.in
index 19013da5b3..69d9926809 100644
--- a/config/templates/userns.conf.in
+++ b/config/templates/userns.conf.in
@@ -1,7 +1,15 @@
 # CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
+#
+# Default legacy cgroup configuration
+#
 lxc.cgroup.devices.deny =
 lxc.cgroup.devices.allow =
 
+# Default unified cgroup configuration
+#
+lxc.cgroup2.devices.deny =
+lxc.cgroup2.devices.allow =
+
 # Start with a full set of capabilities in user namespaces.
 lxc.cap.drop =
 lxc.cap.keep =
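Review bot: inserting `# Default legacy cgroup configuration` directly under `# CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices` makes that requirement read as if it applied only to the legacy keys, while the new `lxc.cgroup2.devices.deny =` / `lxc.cgroup2.devices.allow =` lines are cleared for the same reason; either move the CAP_SYS_ADMIN comment above both blocks or repeat it under the unified heading so the reason both whitelists are emptied for user-namespace containers stays attached to both.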

