[lxc-devel] [lxc/lxc] fc4612: cgroups: ensure no garbage is returned

Stéphane Graber noreply at github.com
Fri Feb 19 17:05:12 UTC 2021


  Branch: refs/heads/master
  Home:   https://github.com/lxc/lxc
  Commit: fc4612cb398d3091854708a822680a9cc2c60d04
      https://github.com/lxc/lxc/commit/fc4612cb398d3091854708a822680a9cc2c60d04
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2021-02-19 (Fri, 19 Feb 2021)

  Changed paths:
    M src/lxc/cgroups/cgfsng.c

  Log Message:
  -----------
  cgroups: ensure no garbage is returned

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: a134099de529d5436a359b109dfdf44e13470451
      https://github.com/lxc/lxc/commit/a134099de529d5436a359b109dfdf44e13470451
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2021-02-19 (Fri, 19 Feb 2021)

  Changed paths:
    M src/lxc/cgroups/cgfsng.c
    M src/lxc/cgroups/cgroup2_devices.c
    M src/lxc/cgroups/cgroup2_devices.h
    M src/lxc/commands.c
    M src/lxc/conf.c
    M src/lxc/conf.h

  Log Message:
  -----------
  cgroups: make device cgroup handling smarter and simpler

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: 60532b18f4cce4e444c467209ce440a730ab4e01
      https://github.com/lxc/lxc/commit/60532b18f4cce4e444c467209ce440a730ab4e01
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2021-02-19 (Fri, 19 Feb 2021)

  Changed paths:
    M src/lxc/cgroups/cgfsng.c
    M src/lxc/cgroups/cgroup2_devices.c
    M src/lxc/cgroups/cgroup2_devices.h

  Log Message:
  -----------
  commands: only update bpf device program if really needed

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: a0f0e9df1d0a2291ae50165f45a2adc3e31b37c2
      https://github.com/lxc/lxc/commit/a0f0e9df1d0a2291ae50165f45a2adc3e31b37c2
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2021-02-19 (Fri, 19 Feb 2021)

  Changed paths:
    M src/lxc/cgroups/cgroup2_devices.c

  Log Message:
  -----------
  bpf: comment bpf_cgroup_devices_update()

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: 159702774c56a0e7898570ff0c0673d20c972c96
      https://github.com/lxc/lxc/commit/159702774c56a0e7898570ff0c0673d20c972c96
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2021-02-19 (Fri, 19 Feb 2021)

  Changed paths:
    M src/lxc/cgroups/cgfsng.c
    M src/lxc/cgroups/cgroup2_devices.c
    M src/lxc/cgroups/cgroup2_devices.h

  Log Message:
  -----------
  bpf: fix typos

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: d6c06927dff74122f8bd2cc357b828fcc81f8650
      https://github.com/lxc/lxc/commit/d6c06927dff74122f8bd2cc357b828fcc81f8650
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2021-02-19 (Fri, 19 Feb 2021)

  Changed paths:
    M src/lxc/conf.c

  Log Message:
  -----------
  conf: improve lxc_clear_cgroups()

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: a7744f125e65de7a5f70511049b89ecd844bd5e1
      https://github.com/lxc/lxc/commit/a7744f125e65de7a5f70511049b89ecd844bd5e1
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2021-02-19 (Fri, 19 Feb 2021)

  Changed paths:
    M src/lxc/conf.c
    M src/lxc/conf.h

  Log Message:
  -----------
  conf: expose lxc_clear_cgroup2_devices()

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: 30bfbd3ff1638b57949db66060317a0a34d2b838
      https://github.com/lxc/lxc/commit/30bfbd3ff1638b57949db66060317a0a34d2b838
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2021-02-19 (Fri, 19 Feb 2021)

  Changed paths:
    M src/lxc/cgroups/cgfsng.c

  Log Message:
  -----------
  cgroups: tweak bpf_device_cgroup_prepare()

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: 0ede37250ceaf602e974cb00ef2563a2308553f4
      https://github.com/lxc/lxc/commit/0ede37250ceaf602e974cb00ef2563a2308553f4
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2021-02-19 (Fri, 19 Feb 2021)

  Changed paths:
    M src/lxc/cgroups/cgroup2_devices.c
    M src/lxc/cgroups/cgroup2_devices.h

  Log Message:
  -----------
  bpf: update device cgroup semantics

LXC has supported the bpf device controller for a while now. A bpf device
program can be attached to the container's cgroup if this is a pure cgroup2
host.

The format for specifying device rules for the cgroup2 bpf device controller is
the same as for the legacy cgroup device controller; only the configuration key
prefix has to change. Specifically, device rules for the legacy cgroup device
controller are specified via lxc.cgroup.devices.{allow,deny} whereas for the
cgroup2 bpf device controller lxc.cgroup2.devices.{allow,deny} must be used.

The following semantics apply:
1. The device rule "lxc.cgroup2.devices.deny = a" will cause LXC to instruct
   the kernel to block access to all devices by default. To grant access to
   devices "allow device rules" must be added via the
   "lxc.cgroup2.devices.allow" key. This is referred to as an "allowlist" device
   program.
2. The device rule "lxc.cgroup2.devices.allow = a" will cause LXC to instruct
   the kernel to allow access to all devices by default. To deny access to
   devices "deny device rules" must be added via "lxc.cgroup2.devices.deny"
   key. This is referred to as a "denylist" device program.
3. Specifying a rule as explained in 1. or 2. will cause all previous rules to
   be cleared, i.e. the device list will be reset.

For example the set of rules:

lxc.cgroup2.devices.deny = a
lxc.cgroup2.devices.allow = c *:* m
lxc.cgroup2.devices.allow = b *:* m
lxc.cgroup2.devices.allow = c 1:3 rwm

implements an "allowlist" device program, i.e. the kernel will block access to
all devices not specifically allowed in this list. This particular program
states that all character and block devices might be created but only /dev/null
might be read or written.

If we switch to the set of rules:

lxc.cgroup2.devices.allow = a
lxc.cgroup2.devices.deny = c *:* m
lxc.cgroup2.devices.deny = b *:* m
lxc.cgroup2.devices.deny = c 1:3 rwm

then LXC would instruct the kernel to implement a "denylist", i.e. the kernel
will allow access to all devices not specifically denied in this list. This
particular program states that no character devices or block devices might be
created and that /dev/null is not allowed to be read, written, or
created.

Consider the same program but followed by a rule as explained in 1. or 2.:

lxc.cgroup2.devices.allow = a
lxc.cgroup2.devices.deny = c *:* m
lxc.cgroup2.devices.deny = b *:* m
lxc.cgroup2.devices.deny = c 1:3 rwm
lxc.cgroup2.devices.allow = a

The last line will cause LXC to reset the device list without changing the type
of device program.

lxc.cgroup2.devices.allow = a
lxc.cgroup2.devices.deny = c *:* m
lxc.cgroup2.devices.deny = b *:* m
lxc.cgroup2.devices.deny = c 1:3 rwm
lxc.cgroup2.devices.deny = a

The last line will cause LXC to reset the device list and switch from an
"allowlist" program to a "denylist" program.

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
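
The three semantics above are easy to get wrong when reading a container config by eye, so here is a small model of them as an added example. It is not LXC code and not part of this commit: the struct and function names, the MAX_RULES limit, the example arrays and the choice to leave the program type "unset" when specific rules precede any "a" rule (a case the commit message does not describe) are all assumptions made here. It parses lxc.cgroup2.devices.{allow,deny} lines, applies points 1 to 3 (a global "a" rule clears the list and fixes the program type), rejects malformed rules, and is run over the four rule sets from the commit message.

```c
/* Added example, not LXC code: a model of the lxc.cgroup2.devices.{allow,deny}
 * semantics. Names, MAX_RULES and the sample configs below are assumptions. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum devprog_mode { DEVPROG_UNSET, DEVPROG_ALLOWLIST, DEVPROG_DENYLIST };

struct devrule {
	char type;      /* 'c' (character) or 'b' (block) */
	char major[8];  /* "*" or a decimal number, kept as text */
	char minor[8];
	char access[4]; /* non-empty subset of "rwm" */
	bool allow;     /* true for a .allow rule, false for a .deny rule */
};

#define MAX_RULES 32

struct devprog {
	enum devprog_mode mode;
	struct devrule rules[MAX_RULES];
	int nrules;
	int err;        /* 0, or -1 if a line was rejected */
};

static bool valid_access(const char *a)
{
	if (*a == '\0')
		return false;
	for (; *a; a++)
		if (!strchr("rwm", *a))
			return false;
	return true;
}

/* Apply one rule value; allow says whether it came from .allow or .deny. */
int devprog_apply(struct devprog *p, bool allow, const char *value)
{
	struct devrule r = { 0 };
	int n = sscanf(value, " %c %7[^:]:%7s %3s", &r.type, r.major, r.minor, r.access);

	if (n < 1)
		return -1;
	/* Points 1-3: "deny = a" -> allowlist, "allow = a" -> denylist, and
	 * either one clears every rule seen so far. */
	if (r.type == 'a') {
		p->nrules = 0;
		p->mode = allow ? DEVPROG_DENYLIST : DEVPROG_ALLOWLIST;
		return 0;
	}
	if (n != 4 || (r.type != 'c' && r.type != 'b') || !valid_access(r.access))
		return -1;
	if (p->nrules >= MAX_RULES)
		return -1;
	r.allow = allow;
	p->rules[p->nrules++] = r;
	return 0;
}

/* Feed "key = value" lines; keys other than the two device keys are ignored.
 * Assumption: rules before any "a" rule accumulate with mode left UNSET. */
struct devprog devprog_from_config(const char *const *lines, int nlines)
{
	static const char prefix[] = "lxc.cgroup2.devices.";
	struct devprog p = { .mode = DEVPROG_UNSET };

	for (int i = 0; i < nlines; i++) {
		const char *k = lines[i];
		bool allow;

		if (strncmp(k, prefix, sizeof(prefix) - 1) != 0)
			continue;
		k += sizeof(prefix) - 1;
		if (strncmp(k, "allow", 5) == 0) {
			allow = true;
			k += 5;
		} else if (strncmp(k, "deny", 4) == 0) {
			allow = false;
			k += 4;
		} else {
			continue;
		}
		while (*k == ' ' || *k == '\t')
			k++;
		if (*k != '=' || devprog_apply(&p, allow, k + 1) < 0) {
			p.err = -1;
			return p;
		}
	}
	return p;
}

/* The four rule sets from the commit message, plus one malformed access field. */
static const char *const example_allowlist[] = {
	"lxc.cgroup2.devices.deny = a", "lxc.cgroup2.devices.allow = c *:* m",
	"lxc.cgroup2.devices.allow = b *:* m", "lxc.cgroup2.devices.allow = c 1:3 rwm" };
static const char *const example_denylist[] = {
	"lxc.cgroup2.devices.allow = a", "lxc.cgroup2.devices.deny = c *:* m",
	"lxc.cgroup2.devices.deny = b *:* m", "lxc.cgroup2.devices.deny = c 1:3 rwm" };
static const char *const example_reset_same_type[] = {
	"lxc.cgroup2.devices.allow = a", "lxc.cgroup2.devices.deny = c *:* m",
	"lxc.cgroup2.devices.deny = b *:* m", "lxc.cgroup2.devices.deny = c 1:3 rwm",
	"lxc.cgroup2.devices.allow = a" };
static const char *const example_reset_switch_type[] = {
	"lxc.cgroup2.devices.allow = a", "lxc.cgroup2.devices.deny = c *:* m",
	"lxc.cgroup2.devices.deny = b *:* m", "lxc.cgroup2.devices.deny = c 1:3 rwm",
	"lxc.cgroup2.devices.deny = a" };
static const char *const example_bad_access[] = {
	"lxc.cgroup2.devices.deny = a", "lxc.cgroup2.devices.allow = c 1:3 x" };

static void show(const char *label, const char *const *lines, int n)
{
	struct devprog p = devprog_from_config(lines, n);
	printf("%s: mode=%d (1=allowlist, 2=denylist), %d rule(s), err=%d\n",
	       label, p.mode, p.nrules, p.err);
	for (int i = 0; i < p.nrules; i++)
		printf("  %s %c %s:%s %s\n", p.rules[i].allow ? "allow" : "deny ",
		       p.rules[i].type, p.rules[i].major, p.rules[i].minor, p.rules[i].access);
}

int main(void)
{
	show("allowlist", example_allowlist, 4);
	show("denylist", example_denylist, 4);
	show("reset, same type", example_reset_same_type, 5);
	show("reset, switch type", example_reset_switch_type, 5);
	show("bad access", example_bad_access, 2);
	return 0;
}
```

The last two sample sets show why the reset rule matters operationally: a trailing "allow = a" silently discards every deny rule before it and leaves the container with an empty denylist, i.e. unrestricted device access, so a config audit should flag any global "a" rule that is not the first device line.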


  Commit: e9b3d28df4235c29a27d70ac57fe738c9f0e32bd
      https://github.com/lxc/lxc/commit/e9b3d28df4235c29a27d70ac57fe738c9f0e32bd
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2021-02-19 (Fri, 19 Feb 2021)

  Changed paths:
    M doc/lxc.container.conf.sgml.in

  Log Message:
  -----------
  doc: add missing ".[controller file]" suffix to lxc.cgroup{2}. key explanations

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: 5025f3a69053bbddbe6c76ffb55b4bbd5759dcc8
      https://github.com/lxc/lxc/commit/5025f3a69053bbddbe6c76ffb55b4bbd5759dcc8
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2021-02-19 (Fri, 19 Feb 2021)

  Changed paths:
    M doc/lxc.container.conf.sgml.in

  Log Message:
  -----------
  doc: explain eBPF-based device controller semantics

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: 54dbe498b9d370a21add7f4e74fcf3c42905e3e8
      https://github.com/lxc/lxc/commit/54dbe498b9d370a21add7f4e74fcf3c42905e3e8
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2021-02-19 (Fri, 19 Feb 2021)

  Changed paths:
    M doc/lxc.container.conf.sgml.in

  Log Message:
  -----------
  doc: tweak cgroup headline

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: c33840f6f997fa4946eefbd3b88008cbcab20ea2
      https://github.com/lxc/lxc/commit/c33840f6f997fa4946eefbd3b88008cbcab20ea2
  Author: Stéphane Graber <stgraber at ubuntu.com>
  Date:   2021-02-19 (Fri, 19 Feb 2021)

  Changed paths:
    M doc/lxc.container.conf.sgml.in
    M src/lxc/cgroups/cgfsng.c
    M src/lxc/cgroups/cgroup2_devices.c
    M src/lxc/cgroups/cgroup2_devices.h
    M src/lxc/commands.c
    M src/lxc/conf.c
    M src/lxc/conf.h

  Log Message:
  -----------
  Merge pull request #3684 from brauner/2021-02-18/fixes_2

bpf: device cgroup improvements


Compare: https://github.com/lxc/lxc/compare/02882d8358f4...c33840f6f997


More information about the lxc-devel mailing list