fix the ns_cgroup vs clone_children

The following patch fixes the bug where the clone_children compatibility flag is available with the ns_cgroup subsystem. The 2.6.37 kernel version should be the only one which is concerned by this modification, please refer to Documentation/feature-removal-schedule.txt and look for ns_cgroup. The problem is coming from we check for clone_children and we set it automatically and then we try to create a new cgroup. As the ns_cgroup is present the cgroup already exists and we are not allowed to attach our pid to a new cgroup. The next error will be when we try to create a new container because we enabled the clone_children flag and the ns_cgroup is present, it is not allowed by the kernel. The patch fix this by checking the mount options. Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

fix the ns_cgroup vs clone_children
5193cc3d · Daniel Lezcano · Daniel Lezcano · 57f61aa7 · 5193cc3d
Commit 5193cc3d authored Jan 09, 2011 by Daniel Lezcano Committed by Daniel Lezcano Jan 09, 2011
Hide whitespace changes
Inline Side-by-side

Showing with 76 additions and 6 deletions

cgroup.c src/lxc/cgroup.c +76 -6

No files found.
--- a/src/lxc/cgroup.c
+++ b/src/lxc/cgroup.c
@@ -45,10 +45,15 @@
 lxc_log_define(lxc_cgroup, lxc);
-#define MTAB "/etc/mtab"
+#define MTAB "/proc/mounts"
 static char nsgroup_path[MAXPATHLEN];
+enum {
+	CGROUP_NS_CGROUP = 1,
+	CGROUP_CLONE_CHILDREN,
+};
 static int get_cgroup_mount(const char *mtab, char *mnt)
 {
        struct mntent *mntent;
@@ -58,7 +63,7 @@ static int get_cgroup_mount(const char *mtab, char *mnt)
        file = setmntent(mtab, "r");
        if (!file) {
                SYSERROR("failed to open %s", mtab);
-                goto out;
+		return -1;
        }
        while ((mntent = getmntent(file))) {
@@ -81,7 +86,57 @@ static int get_cgroup_mount(const char *mtab, char *mnt)
 	DEBUG("using cgroup mounted at '%s'", mnt);
        fclose(file);
-out:
+        return err;
+}
+static int get_cgroup_flags(const char *mtab, int *flags)
+{
+        struct mntent *mntent;
+        FILE *file = NULL;
+        int err = -1;
+        file = setmntent(mtab, "r");
+        if (!file) {
+                SYSERROR("failed to open %s", mtab);
+		return -1;
+        }
+	*flags = 0;
+        while ((mntent = getmntent(file))) {
+		/* there is a cgroup mounted named "lxc" */
+		if (!strcmp(mntent->mnt_fsname, "lxc") &&
+		    !strcmp(mntent->mnt_type, "cgroup")) {
+			if (hasmntopt(mntent, "ns"))
+				*flags |= CGROUP_NS_CGROUP;
+			if (hasmntopt(mntent, "clone_children"))
+				*flags |= CGROUP_CLONE_CHILDREN;
+			err = 0;
+			break;
+		}
+		/* fallback to the first non-lxc cgroup found */
+                if (!strcmp(mntent->mnt_type, "cgroup") && err) {
+			if (hasmntopt(mntent, "ns"))
+				*flags |= CGROUP_NS_CGROUP;
+			if (hasmntopt(mntent, "clone_children"))
+				*flags |= CGROUP_CLONE_CHILDREN;
+			err = 0;
+		}
+        };
+	DEBUG("cgroup flags is 0x%x", *flags);
+        fclose(file);
        return err;
 }
@@ -151,6 +206,7 @@ int lxc_cgroup_create(const char *name, pid_t pid)
 	char cgmnt[MAXPATHLEN];
 	char cgname[MAXPATHLEN];
 	char clonechild[MAXPATHLEN];
+	int flags;
 	if (get_cgroup_mount(MTAB, cgmnt)) {
 		ERROR("cgroup is not mounted");
@@ -168,14 +224,28 @@ int lxc_cgroup_create(const char *name, pid_t pid)
 		return -1;
 	}
-	snprintf(clonechild, MAXPATHLEN, "%s/cgroup.clone_children", cgmnt);
+	if (get_cgroup_flags(MTAB, &flags)) {
+		SYSERROR("failed to get cgroup flags");
+		return -1;
+	}
-	/* we check if the kernel has ns_cgroup or clone_children */
+	/* We have the deprecated ns_cgroup subsystem */
-	if (access(clonechild, F_OK)) {
+	if (flags & CGROUP_NS_CGROUP) {
 		WARN("using deprecated ns_cgroup");
 		return lxc_rename_nsgroup(cgmnt, cgname, pid);
 	}
+	/* we check if the kernel has clone_children, at this point if there
+	 * no clone_children neither ns_cgroup, that means the cgroup is mounted
+	 * without the ns_cgroup and it has not the compatibility flag
+	 */
+	if (access(clonechild, F_OK)) {
+		ERROR("no ns_cgroup option specified");
+		return -1;
+	}
+	snprintf(clonechild, MAXPATHLEN, "%s/cgroup.clone_children", cgmnt);
 	/* we enable the clone_children flag of the cgroup */
 	if (cgroup_enable_clone_children(clonechild)) {
 		SYSERROR("failed to enable 'clone_children flag");