[lxc/lxc] c55353: use systemd dbus StartTransientUnit for unpriv cgr...


Christian Brauner

Jun 21, 2022, 10:28:05 AM
to lxc-...@lists.linuxcontainers.org
Branch: refs/heads/master
Home: https://github.com/lxc/lxc
Commit: c55353f84a8c171d0ccb911e1d34a5ed5577def1
https://github.com/lxc/lxc/commit/c55353f84a8c171d0ccb911e1d34a5ed5577def1
Author: Serge Hallyn <se...@hallyn.com>
Date: 2022-06-21 (Tue, 21 Jun 2022)

Changed paths:
M .github/workflows/build.yml
M .github/workflows/coverity.yml
M .github/workflows/sanitizers.sh
M .github/workflows/sanitizers.yml
M meson.build
M meson_options.txt
M src/lxc/cgroups/cgfsng.c
M src/lxc/commands.c
M src/lxc/commands.h
M src/lxc/conf.c
M src/lxc/conf.h
M src/tests/oss-fuzz.sh

Log Message:
-----------
use systemd dbus StartTransientUnit for unpriv cgroup2

If, when init'ing cgroups for a container start, we detect that we
are an unprivileged user on a unified-hierarchy-only system, then we
try to request systemd, through dbus api, to create a new scope for
us with delegation. Call the cgroup it creates for us P1. We then
create P1/init, move ourselves into there, so we can enable the
controllers for delegation to P1's children through P1/cgroup.subtree_control.

On attach, we try to request systemd attach us to the container's
scope. We can't do that ourselves in the normal case, as root owns
our login cgroups.

Create a new command api for the lxc monitor to tell lxc-attach the
systemd scope to which to attach.

Changelog:
* free cgroup_meta.systemd_scope in lxc_conf_free (Thanks Tycho)
* fix some indent
* address some (not all) of brauner's feedback

Signed-off-by: Serge Hallyn <se...@hallyn.com>


Commit: 2e6e374c0a4c40fad15625014351fed47c11a0ed
https://github.com/lxc/lxc/commit/2e6e374c0a4c40fad15625014351fed47c11a0ed
Author: Christian Brauner <christia...@ubuntu.com>
Date: 2022-06-21 (Tue, 21 Jun 2022)

Changed paths:
M .github/workflows/build.yml
M .github/workflows/coverity.yml
M .github/workflows/sanitizers.sh
M .github/workflows/sanitizers.yml
M meson.build
M meson_options.txt
M src/lxc/cgroups/cgfsng.c
M src/lxc/commands.c
M src/lxc/commands.h
M src/lxc/conf.c
M src/lxc/conf.h
M src/tests/oss-fuzz.sh

Log Message:
-----------
Merge pull request #4153 from brauner/2022-06-21.unprivileged-cgroup2

use systemd dbus StartTransientUnit for unpriv cgroup2


Compare: https://github.com/lxc/lxc/compare/0a73102d43c0...2e6e374c0a4c
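The commit message above describes a fixed ordering: ask systemd for a delegated scope (P1), create P1/init, move the monitor into it, and only then enable controllers for P1's children through P1/cgroup.subtree_control. The ordering matters because cgroup2 refuses to enable controllers in a cgroup that still holds processes directly (the "no internal process" rule). The following example, added here and not part of LXC's code or this commit, models that sequence against a throwaway directory standing in for /sys/fs/cgroup so it runs offline: the systemd side is mocked, the scope name and pid are constructed, and the only real API shape shown is the argument tuple of org.freedesktop.systemd1.Manager.StartTransientUnit with its Delegate and PIDs properties.

```python
"""Model of the unprivileged cgroup2 delegation sequence from the commit message.
Example code, not LXC's own; everything touching the filesystem is a mock."""
import errno
import os
import tempfile


def make_mock_root():
    """Constructed stand-in for the cgroup2 mount point (a temp directory)."""
    return tempfile.mkdtemp(prefix="cgroup2-mock-")


def _read_words(path):
    with open(path) as f:
        return f.read().split()


def _write(path, text):
    with open(path, "w") as f:
        f.write(text)


def read_procs(cgroup):
    return _read_words(os.path.join(cgroup, "cgroup.procs"))


def read_subtree_control(cgroup):
    return _read_words(os.path.join(cgroup, "cgroup.subtree_control"))


def start_transient_unit_args(scope_name, pid):
    """Argument tuple for org.freedesktop.systemd1.Manager.StartTransientUnit:
    (name, mode, properties, aux). Delegate=true asks systemd to hand the scope's
    cgroup subtree to the caller; PIDs places the caller inside the new scope."""
    return (scope_name, "fail", [("Delegate", True), ("PIDs", [pid])], [])


def mock_systemd_create_scope(root, scope_name, pid, available=("memory", "pids")):
    """Mocked systemd response: create P1, put the caller in it, and expose the
    parent's controllers as available for delegation."""
    p1 = os.path.join(root, scope_name)
    os.mkdir(p1)
    _write(os.path.join(p1, "cgroup.controllers"), " ".join(available) + "\n")
    _write(os.path.join(p1, "cgroup.subtree_control"), "\n")
    _write(os.path.join(p1, "cgroup.procs"), f"{pid}\n")
    return p1


def mock_create_child(parent, name):
    """Mocked mkdir of a child cgroup inside the delegated subtree."""
    child = os.path.join(parent, name)
    os.mkdir(child)
    _write(os.path.join(child, "cgroup.procs"), "")
    return child


def move_pid(src, dst, pid):
    """Writing a pid to a cgroup.procs moves it; the kernel drops it from the
    source cgroup, which the mock does explicitly."""
    remaining = [p for p in read_procs(src) if p != str(pid)]
    _write(os.path.join(src, "cgroup.procs"), "".join(p + "\n" for p in remaining))
    members = read_procs(dst) + [str(pid)]
    _write(os.path.join(dst, "cgroup.procs"), "".join(p + "\n" for p in members))


def enable_controllers(cgroup, controllers):
    """Mirrors the kernel's checks on a write to cgroup.subtree_control: only
    controllers listed in cgroup.controllers may be enabled, and a cgroup that
    still holds processes directly cannot delegate controllers to its children
    (the 'no internal process' rule, reported as EBUSY). That rule is why the
    commit creates P1/init and moves the monitor there before this step."""
    available = set(_read_words(os.path.join(cgroup, "cgroup.controllers")))
    missing = sorted(set(controllers) - available)
    if missing:
        raise OSError(errno.ENOENT, f"controllers not available here: {missing}")
    if read_procs(cgroup):
        raise OSError(errno.EBUSY, "cgroup has internal processes")
    # Real write syntax is "+memory +pids"; the file reads back as "memory pids".
    enabled = sorted(controllers)
    _write(os.path.join(cgroup, "cgroup.subtree_control"), " ".join(enabled) + "\n")
    return enabled


def enable_controllers_errno(cgroup, controllers):
    """0 on success, otherwise the errno the write would have failed with."""
    try:
        enable_controllers(cgroup, controllers)
        return 0
    except OSError as e:
        return e.errno


def delegate_for_container(root, scope_name, pid, controllers):
    """The commit's sequence: delegated scope P1, then P1/init, move ourselves
    there, then enable controllers for P1's children via subtree_control."""
    p1 = mock_systemd_create_scope(root, scope_name, pid)
    init = mock_create_child(p1, "init")
    move_pid(p1, init, pid)
    enabled = enable_controllers(p1, controllers)
    return {"scope": p1, "init": init, "enabled": enabled}


if __name__ == "__main__":
    root = make_mock_root()
    print(start_transient_unit_args("lxc-demo.scope", os.getpid()))
    print(delegate_for_container(root, "lxc-demo.scope", os.getpid(), ["memory", "pids"]))
```

Calling enable_controllers on P1 while the monitor is still in P1 returns EBUSY in the model, which is the failure the P1/init step avoids; on a real system the same write to cgroup.subtree_control fails the same way, so a defender debugging delegation should check cgroup.procs of the scope before suspecting the systemd request.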