Merge pull request #3396 from brauner/2020-05-03/fixes

cgroup: fixes

Merge pull request #3396 from brauner/2020-05-03/fixes
33b8e598 · Stéphane Graber · GitHub · 95d4c1c4 · 4547e73e · 33b8e598
Unverified Commit 33b8e598 authored May 03, 2020 by Stéphane Graber Committed by GitHub May 03, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 58 additions and 3 deletions

common.conf.in config/templates/common.conf.in +31 -0

userns.conf.in config/templates/userns.conf.in +8 -0

cgfsng.c src/lxc/cgroups/cgfsng.c +19 -3

No files found.
--- a/config/templates/common.conf.in
+++ b/config/templates/common.conf.in
@@ -15,6 +15,8 @@ lxc.cap.drop = mac_admin mac_override sys_time sys_module sys_rawio
 # Ensure hostname is changed on clone
 lxc.hook.clone = @LXCHOOKDIR@/clonehostname
+# Default legacy cgroup configuration
+#
 # CGroup whitelist
 lxc.cgroup.devices.deny = a
 ## Allow any mknod (but not reading/writing the node)
@@ -42,6 +44,35 @@ lxc.cgroup.devices.allow = c 136:* rwm
 ### fuse
 lxc.cgroup.devices.allow = c 10:229 rwm
+# Default unified cgroup configuration
+#
+# CGroup whitelist
+lxc.cgroup2.devices.deny = a
+## Allow any mknod (but not reading/writing the node)
+lxc.cgroup2.devices.allow = c *:* m
+lxc.cgroup2.devices.allow = b *:* m
+## Allow specific devices
+### /dev/null
+lxc.cgroup2.devices.allow = c 1:3 rwm
+### /dev/zero
+lxc.cgroup2.devices.allow = c 1:5 rwm
+### /dev/full
+lxc.cgroup2.devices.allow = c 1:7 rwm
+### /dev/tty
+lxc.cgroup2.devices.allow = c 5:0 rwm
+### /dev/console
+lxc.cgroup2.devices.allow = c 5:1 rwm
+### /dev/ptmx
+lxc.cgroup2.devices.allow = c 5:2 rwm
+### /dev/random
+lxc.cgroup2.devices.allow = c 1:8 rwm
+### /dev/urandom
+lxc.cgroup2.devices.allow = c 1:9 rwm
+### /dev/pts/*
+lxc.cgroup2.devices.allow = c 136:* rwm
+### fuse
+lxc.cgroup2.devices.allow = c 10:229 rwm
 # Setup the default mounts
 lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
 lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0

--- a/config/templates/userns.conf.in
+++ b/config/templates/userns.conf.in
 # CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
+#
+# Default legacy cgroup configuration
+#
 lxc.cgroup.devices.deny =
 lxc.cgroup.devices.allow =
+# Default unified cgroup configuration
+#
+lxc.cgroup2.devices.deny =
+lxc.cgroup2.devices.allow =
 # Start with a full set of capabilities in user namespaces.
 lxc.cap.drop =
 lxc.cap.keep =

--- a/src/lxc/cgroups/cgfsng.c
+++ b/src/lxc/cgroups/cgfsng.c
@@ -1826,11 +1826,24 @@ __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops,
 		wants_force_mount = true;
 	}
-	if (!wants_force_mount){
+	if (!wants_force_mount) {
 		if (!lxc_list_empty(&handler->conf->keepcaps))
 			wants_force_mount = !in_caplist(CAP_SYS_ADMIN, &handler->conf->keepcaps);
 		else
 			wants_force_mount = in_caplist(CAP_SYS_ADMIN, &handler->conf->caps);
+		/*
+		 * Most recent distro versions currently have init system that
+		 * do support cgroup2 but do not mount it by default unless
+		 * explicitly told so even if the host is cgroup2 only. That
+		 * means they often will fail to boot. Fix this by pre-mounting
+		 * cgroup2 by default. We will likely need to be doing this a
+		 * few years until all distros have switched over to cgroup2 at
+		 * which point we can safely assume that their init systems
+		 * will mount it themselves.
+		 */
+		if (pure_unified_layout(ops))
+			wants_force_mount = true;
 	}
 	has_cgns = cgns_supported();
@@ -2928,9 +2941,12 @@ __cgfsng_ops static bool cgfsng_setup_limits(struct cgroup_ops *ops,
 		return ret_set_errno(false, EINVAL);
 	conf = handler->conf;
-	if (lxc_list_empty(&conf->cgroup2))
-		return true;
 	cgroup_settings = &conf->cgroup2;
+	if (lxc_list_empty(cgroup_settings))
+		return true;
+	if (!pure_unified_layout(ops))
+		return log_warn_errno(true, EINVAL, "Ignoring cgroup2 limits on legacy cgroup system");
 	if (!ops->unified)
 		return false;