setup cgroups from parent

This is a first step to enabling user namespaces. When starting a container in a new user namespace, the child will not have the rights to write to the cgroup fs. (We can give it that right, but don't always want to have to). At the parent, we don't want to setup_cgroups() before the child has set itself up. But we also don't want to wait until it has started running it's init, since that is racy. Therefore introduce a new sync point. The child will let the parent know when it is ready to be confined, and wait for the parent to respond that it has done so. Then the child will finish constraining itself with LSM and seccomp and execute init. Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>

setup cgroups from parent
544a48a0 · Serge Hallyn · Stéphane Graber · c4ea60df · 544a48a0 · 544a48a0
Commit 544a48a0 authored Jan 14, 2013 by Serge Hallyn Committed by Stéphane Graber Jan 15, 2013
Hide whitespace changes
Inline Side-by-side

Showing with 26 additions and 7 deletions

conf.c src/lxc/conf.c +0 -5

start.c src/lxc/start.c +24 -2

sync.h src/lxc/sync.h +2 -0

No files found.
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -2594,11 +2594,6 @@ int lxc_setup(const char *name, struct lxc_conf *lxc_conf)
 		}
 	}

-	if (setup_cgroup(name, &lxc_conf->cgroup)) {
-		ERROR("failed to setup the cgroups for '%s'", name);
-		return -1;
-	}
-
 	if (setup_console(&lxc_conf->rootfs, &lxc_conf->console, lxc_conf->ttydir)) {
 		ERROR("failed to setup the console for '%s'", name);
 		return -1;

--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -597,6 +597,10 @@ static int do_start(void *data)
 		goto out_warn_father;
 	}

+	/* ask father to setup cgroups and wait for him to finish */
+	if (lxc_sync_barrier_parent(handler, LXC_SYNC_CGROUP))
+		return -1;
+
 	if (apparmor_load(handler) < 0)
 		goto out_warn_father;

@@ -630,6 +634,8 @@ static int do_start(void *data)
 	handler->ops->start(handler, handler->data);

 out_warn_father:
+	/* we want the parent to know something went wrong, so any
+	 * value other than what it expects is ok. */
 	lxc_sync_wake_parent(handler, LXC_SYNC_POST_CONFIGURE);
 	return -1;
 }
@@ -741,10 +747,26 @@ int lxc_spawn(struct lxc_handler *handler)
 		}
 	}

-	/* Tell the child to continue its initialization and wait for
-	 * it to exec or return an error
+	/* Tell the child to continue its initialization.  we'll get
+	 * LXC_SYNC_CGROUP when it is ready for us to setup cgroups
 	 */
 	if (lxc_sync_barrier_child(handler, LXC_SYNC_POST_CONFIGURE))
+		goto out_delete_net;
+
+	if (setup_cgroup(name, &handler->conf->cgroup)) {
+		ERROR("failed to setup the cgroups for '%s'", name);
+		goto out_delete_net;
+	}
+
+
+	/* Tell the child to complete its initialization and wait for
+	 * it to exec or return an error.  (the child will never
+	 * return LXC_SYNC_POST_CGROUP+1.  It will either close the
+	 * sync pipe, causing lxc_sync_barrier_child to return
+	 * success, or return a different value, causing us to error
+	 * out).
+	 */
+	if (lxc_sync_barrier_child(handler, LXC_SYNC_POST_CGROUP))
 		return -1;

 	if (detect_shared_rootfs())

--- a/src/lxc/sync.h
+++ b/src/lxc/sync.h
@@ -28,6 +28,8 @@ struct lxc_handler;
 enum {
 	LXC_SYNC_CONFIGURE,
 	LXC_SYNC_POST_CONFIGURE,
+	LXC_SYNC_CGROUP,
+	LXC_SYNC_POST_CGROUP,
 	LXC_SYNC_RESTART,
 	LXC_SYNC_POST_RESTART,
 };