confile: add lxc.cgroup.keep

This adds the new lxc.cgroup.keep config key. The key can be used to instruct LXC to never escape to the root cgroup. This makes it easy for users to adhere to restrictions enforced by cgroup2 and systemd. Specifically, this makes it possible to run LXC containers as systemd services. Note that cgroup v1 is considered legacy and will not see additional controllers being added to it. This means that it is safe to use lxc.cgroup.keep as a config key since there is no "keep" controller. The only way a conflict can be introduced is if the user is creating a named controller. I think this case can be safely ignored since it is super rare and also the user's problem. Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com> Cc: Felix Abecassis <fabecassis@nvidia.com> Cc: Jonathan Calmels <jcalmels@nvidia.com>
parent a7c4ddea
...@@ -76,6 +76,7 @@ struct lxc_cgroup { ...@@ -76,6 +76,7 @@ struct lxc_cgroup {
struct /* meta */ { struct /* meta */ {
char *controllers; char *controllers;
char *dir; char *dir;
bool keep;
}; };
}; };
}; };
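Review bot: The new `bool keep;` field has no comment, and its meaning (stay in the cgroup LXC was started in rather than escaping to the root cgroup) is currently only recoverable from the commit message, not from the struct. A short field comment would make the flag self-describing next to `controllers` and `dir`: `bool keep; /* lxc.cgroup.keep: do not escape to the root cgroup */`. The enclosing `struct lxc_cgroup` begins before this hunk.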
...@@ -92,6 +92,7 @@ lxc_config_define(cap_keep); ...@@ -92,6 +92,7 @@ lxc_config_define(cap_keep);
lxc_config_define(cgroup_controller); lxc_config_define(cgroup_controller);
lxc_config_define(cgroup2_controller); lxc_config_define(cgroup2_controller);
lxc_config_define(cgroup_dir); lxc_config_define(cgroup_dir);
lxc_config_define(cgroup_keep);
lxc_config_define(console_buffer_size); lxc_config_define(console_buffer_size);
lxc_config_define(console_logfile); lxc_config_define(console_logfile);
lxc_config_define(console_path); lxc_config_define(console_path);
...@@ -167,6 +168,7 @@ static struct lxc_config_t config[] = { ...@@ -167,6 +168,7 @@ static struct lxc_config_t config[] = {
{ "lxc.cap.keep", set_config_cap_keep, get_config_cap_keep, clr_config_cap_keep, }, { "lxc.cap.keep", set_config_cap_keep, get_config_cap_keep, clr_config_cap_keep, },
{ "lxc.cgroup2", set_config_cgroup2_controller, get_config_cgroup2_controller, clr_config_cgroup2_controller, }, { "lxc.cgroup2", set_config_cgroup2_controller, get_config_cgroup2_controller, clr_config_cgroup2_controller, },
{ "lxc.cgroup.dir", set_config_cgroup_dir, get_config_cgroup_dir, clr_config_cgroup_dir, }, { "lxc.cgroup.dir", set_config_cgroup_dir, get_config_cgroup_dir, clr_config_cgroup_dir, },
{ "lxc.cgroup.keep", set_config_cgroup_keep, get_config_cgroup_keep, clr_config_cgroup_keep, },
{ "lxc.cgroup", set_config_cgroup_controller, get_config_cgroup_controller, clr_config_cgroup_controller, }, { "lxc.cgroup", set_config_cgroup_controller, get_config_cgroup_controller, clr_config_cgroup_controller, },
{ "lxc.console.buffer.size", set_config_console_buffer_size, get_config_console_buffer_size, clr_config_console_buffer_size, }, { "lxc.console.buffer.size", set_config_console_buffer_size, get_config_console_buffer_size, clr_config_console_buffer_size, },
{ "lxc.console.logfile", set_config_console_logfile, get_config_console_logfile, clr_config_console_logfile, }, { "lxc.console.logfile", set_config_console_logfile, get_config_console_logfile, clr_config_console_logfile, },
...@@ -1395,6 +1397,32 @@ static int set_config_cgroup_dir(const char *key, const char *value, ...@@ -1395,6 +1397,32 @@ static int set_config_cgroup_dir(const char *key, const char *value,
return set_config_string_item(&lxc_conf->cgroup_meta.dir, value); return set_config_string_item(&lxc_conf->cgroup_meta.dir, value);
} }
static int set_config_cgroup_keep(const char *key, const char *value,
struct lxc_conf *lxc_conf, void *data)
{
unsigned int converted;
int ret;
if (lxc_config_value_empty(value))
return clr_config_cgroup_keep(key, lxc_conf, NULL);
ret = lxc_safe_uint(value, &converted);
if (ret < 0)
return -ret;
if (converted == 1) {
lxc_conf->cgroup_meta.keep = true;
return 0;
}
if (converted == 0) {
lxc_conf->cgroup_meta.keep = false;
return 0;
}
return -EINVAL;
}
static int set_config_prlimit(const char *key, const char *value, static int set_config_prlimit(const char *key, const char *value,
struct lxc_conf *lxc_conf, void *data) struct lxc_conf *lxc_conf, void *data)
{ {
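Review bot: set_config_cgroup_keep reports failures with two different signs: a failed `lxc_safe_uint()` yields `return -ret;`, i.e. a positive errno, while an out-of-range value yields `return -EINVAL;`. A caller testing `ret < 0` would miss the first case and a caller testing `ret != 0` would accept both, so the two paths should agree; since the function already uses `-EINVAL`, the simplest fix is `if (ret < 0) return ret;` (the sign convention the caller actually checks is not visible in this hunk, so confirm against `set_config_cgroup_dir` and its caller). The two value branches can also collapse to `if (converted > 1) return -EINVAL;` followed by `lxc_conf->cgroup_meta.keep = (converted == 1);`, which makes the accepted domain (0 or 1) explicit in one place. The function is fully contained in the hunk.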
...@@ -3187,6 +3215,13 @@ static int get_config_cgroup_dir(const char *key, char *retv, int inlen, ...@@ -3187,6 +3215,13 @@ static int get_config_cgroup_dir(const char *key, char *retv, int inlen,
return fulllen; return fulllen;
} }
static inline int get_config_cgroup_keep(const char *key, char *retv, int inlen,
struct lxc_conf *lxc_conf, void *data)
{
return lxc_get_conf_int(lxc_conf, retv, inlen,
lxc_conf->cgroup_meta.keep);
}
static int get_config_idmaps(const char *key, char *retv, int inlen, static int get_config_idmaps(const char *key, char *retv, int inlen,
struct lxc_conf *c, void *data) struct lxc_conf *c, void *data)
{ {
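Review bot: get_config_cgroup_keep is declared `static inline` while the neighbouring getters visible here (`get_config_cgroup_dir` in the hunk header, `get_config_idmaps` just below) are plain `static`, and this function's address is stored in the `config[]` table, where `inline` has no effect. For consistency with the other getters the signature should be `static int get_config_cgroup_keep(const char *key, char *retv, int inlen,`. A one-line comment that the value is reported as `0` or `1` via `lxc_get_conf_int()` would also help readers of the key's documentation.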
...@@ -3927,6 +3962,13 @@ static int clr_config_cgroup_dir(const char *key, struct lxc_conf *lxc_conf, ...@@ -3927,6 +3962,13 @@ static int clr_config_cgroup_dir(const char *key, struct lxc_conf *lxc_conf,
return 0; return 0;
} }
static inline int clr_config_cgroup_keep(const char *key,
struct lxc_conf *lxc_conf, void *data)
{
lxc_conf->cgroup_meta.keep = false;
return 0;
}
static inline int clr_config_idmaps(const char *key, struct lxc_conf *c, static inline int clr_config_idmaps(const char *key, struct lxc_conf *c,
void *data) void *data)
{ {