[lxc/lxc] c62b32: cgroups: populate hierarchy for device cgroup


Petr Malat

Jul 22, 2021, 3:25:52 AM
to lxc-...@lists.linuxcontainers.org
Branch: refs/heads/stable-4.0
Home: https://github.com/lxc/lxc
Commit: c62b32b0f202f764875619ddcbf0e651eec311ee
https://github.com/lxc/lxc/commit/c62b32b0f202f764875619ddcbf0e651eec311ee
Author: Stoiko Ivanov <s.iv...@proxmox.com>
Date: 2021-07-22 (Thu, 22 Jul 2021)

Changed paths:
M src/lxc/cgroups/cgfsng.c

Log Message:
-----------
cgroups: populate hierarchy for device cgroup

With the changes introduced in:
b7b1e3a34ce28b01206c48227930ff83d399e7b6
the hierarchy-struct did not have the path_lim set anymore, which is
needed by setup_limits_legacy (->cg_legacy_set_data->lxc_write_openat)
to actually access the cgroup directory.

The issue can be reproduced with a container config having
```
lxc.cgroup.devices.deny = a
```
(or any lxc.cgroup.devices entry) set on a system booted with
systemd.unified_cgroup_hierarchy=0.

This affects all privileged containers on PVE (due to the default
devices.deny entry).

Signed-off-by: Stoiko Ivanov <s.iv...@proxmox.com>


Commit: 5189fc482099d88768fcfb1a0edac51dd0bfff36
https://github.com/lxc/lxc/commit/5189fc482099d88768fcfb1a0edac51dd0bfff36
Author: Stoiko Ivanov <s.iv...@proxmox.com>
Date: 2021-07-22 (Thu, 22 Jul 2021)

Changed paths:
M src/lxc/cgroups/cgfsng.c

Log Message:
-----------
cgroups: remove unneeded variables from cgroup_tree_create

Signed-off-by: Stoiko Ivanov <s.iv...@proxmox.com>


Commit: 206128fc762fc07bdd064de837bff31d91aa77e7
https://github.com/lxc/lxc/commit/206128fc762fc07bdd064de837bff31d91aa77e7
Author: Petr Malat <o...@malat.biz>
Date: 2021-07-22 (Thu, 22 Jul 2021)

Changed paths:
M src/lxc/conf.c

Log Message:
-----------
lxc_setup_ttys: Handle existing ttyN file without underlying device

If a device file is opened and the underlying device does not exist,
the open call fails with ENXIO, but the path can be opened with
O_PATH, which is enough for mounting over the device file.

Generalize this idea and use O_PATH for all cases when the file
is there. One must still check for both ENXIO and EEXIST, as it is
unspecified which error is reported if multiple error conditions
occur at the same time.

Signed-off-by: Petr Malat <o...@malat.biz>


Commit: 72ddf4aa86c6b5d4761210c16c69761896dbbeaf
https://github.com/lxc/lxc/commit/72ddf4aa86c6b5d4761210c16c69761896dbbeaf
Author: Petr Malat <o...@malat.biz>
Date: 2021-07-22 (Thu, 22 Jul 2021)

Changed paths:
M src/lxc/cgroups/cgroup2_devices.c

Log Message:
-----------
bpf: bpf_devices_cgroup_supported() should check if bpf() is available

bpf_devices_cgroup_supported() tries to load a simple BPF program to
test if BPF works. This is problematic because the function used to load
the program - bpf_program_load_kernel() - emits an error to the log if
BPF is not enabled in the kernel, although the device controller is not
requested in the configuration. Users could interpret that as a problem.

Make bpf_devices_cgroup_supported() check if the BPF syscall is available
before calling bpf_program_load_kernel(). We can do it by passing a NULL
pointer instead of the syscall argument, as the kernel returns either
ENOSYS, when the syscall is not implemented, or EFAULT, when it is
implemented.

Signed-off-by: Petr Malat <o...@malat.biz>


Compare: https://github.com/lxc/lxc/compare/d867b94c22fc...72ddf4aa86c6
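The probe described in commit 72ddf4aa, as an added example that is not LXC's own code: call bpf() with a NULL attr pointer so nothing is loaded, then treat ENOSYS as "syscall missing" and any other errno as "syscall implemented". The classification is split into a pure function so the decision logic can be checked without a kernel; the BPF_PROG_LOAD value is taken from the kernel UAPI enum and the EPERM/EACCES "denied" bucket is an addition beyond the commit message.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>

/* BPF_PROG_LOAD from the kernel UAPI enum bpf_cmd, so this builds without <linux/bpf.h>. */
#ifndef BPF_PROG_LOAD
#define BPF_PROG_LOAD 5
#endif

enum bpf_probe {
	BPF_PROBE_MISSING = 0, /* ENOSYS: kernel has no bpf() syscall */
	BPF_PROBE_PRESENT = 1, /* EFAULT/EINVAL/...: syscall exists and rejected the NULL attr */
	BPF_PROBE_DENIED = 2,  /* EPERM/EACCES: syscall exists but refused this caller (seccomp, unprivileged_bpf_disabled) */
};

/* Pure classification of a bpf() result; ret >= 0 cannot happen for a NULL attr but counts as "present". */
enum bpf_probe classify_bpf_probe(long ret, int err)
{
	if (ret >= 0)
		return BPF_PROBE_PRESENT;
	if (err == ENOSYS)
		return BPF_PROBE_MISSING;
	if (err == EPERM || err == EACCES)
		return BPF_PROBE_DENIED;
	return BPF_PROBE_PRESENT;
}

/* Live probe: bpf() with a NULL attr. No program is loaded, so a kernel
 * built without CONFIG_BPF_SYSCALL produces no "failed to load" log noise. */
enum bpf_probe bpf_syscall_available(void)
{
#ifdef __NR_bpf
	long ret = syscall(__NR_bpf, BPF_PROG_LOAD, NULL, 0);
	return classify_bpf_probe(ret, errno);
#else
	return BPF_PROBE_MISSING; /* this libc/arch has no bpf syscall number */
#endif
}

int main(void)
{
	static const char *const names[] = { "missing", "present", "denied" };
	printf("bpf() syscall: %s\n", names[bpf_syscall_available()]);
	return 0;
}
```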