Merge pull request #1606 from brauner/2017-06-01/lxc_setup_after_cgroup_unshare

call lxc_setup() after unshare(CLONE_NEWCGROUP)

Merge pull request #1606 from brauner/2017-06-01/lxc_setup_after_cgroup_unshare
c1cecfdd · Serge Hallyn · GitHub · fa1bafd3 · f4152036 · c1cecfdd
Commit c1cecfdd authored Jul 25, 2017 by Serge Hallyn Committed by GitHub Jul 25, 2017
Show whitespace changes
Inline Side-by-side

Showing with 22 additions and 13 deletions

conf.c src/lxc/conf.c +1 -1

start.c src/lxc/start.c +19 -12

sync.h src/lxc/sync.h +2 -0

No files found.
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -4237,7 +4237,7 @@ int lxc_setup(struct lxc_handler *handler)
 		return -1;
 	}
-	NOTICE("'%s' is setup.", name);
+	NOTICE("Container \"%s\" is set up", name);
 	return 0;
 }

--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -1012,12 +1012,6 @@ static int do_start(void *data)
 		     "standard file descriptors. Migration will not work.");
 	}
-	/* Setup the container, ip, names, utsname, ... */
-	if (lxc_setup(handler)) {
-		ERROR("Failed to setup container \"%s\".", handler->name);
-		goto out_warn_father;
-	}
 	/* Ask father to setup cgroups and wait for him to finish. */
 	if (lxc_sync_barrier_parent(handler, LXC_SYNC_CGROUP))
 		goto out_error;
@@ -1042,6 +1036,12 @@ static int do_start(void *data)
 		INFO("Unshared CLONE_NEWCGROUP.");
 	}
+	/* Setup the container, ip, names, utsname, ... */
+	if (lxc_setup(handler)) {
+		ERROR("Failed to setup container \"%s\".", handler->name);
+		goto out_warn_father;
+	}
 	/* Set the label to change to when we exec(2) the container's init. */
 	if (lsm_process_label_set(NULL, handler->conf, 1, 1) < 0)
 		goto out_warn_father;
@@ -1161,6 +1161,9 @@ static int do_start(void *data)
 	setsid();
+	if (lxc_sync_barrier_parent(handler, LXC_SYNC_CGROUP_LIMITS))
+		goto out_warn_father;
 	/* After this call, we are in error because this ops should not return
 	 * as it execs.
 	 */
@@ -1485,20 +1488,18 @@ static int lxc_spawn(struct lxc_handler *handler)
 		goto out_delete_net;
 	}
+	if (lxc_sync_barrier_child(handler, LXC_SYNC_CGROUP_UNSHARE))
+		goto out_delete_net;
 	if (!cgroup_setup_limits(handler, true)) {
 		ERROR("Failed to setup the devices cgroup for container \"%s\".", name);
 		goto out_delete_net;
 	}
+	TRACE("Set up cgroup device limits");
 	cgroup_disconnect();
 	cgroups_connected = false;
-	/* Read tty fds allocated by child. */
-	if (lxc_recv_ttys_from_child(handler) < 0) {
-		ERROR("Failed to receive tty info from child process.");
-		goto out_delete_net;
-	}
 	/* Tell the child to complete its initialization and wait for it to exec
 	 * or return an error. (The child will never return
 	 * LXC_SYNC_POST_CGROUP+1. It will either close the sync pipe, causing
@@ -1508,6 +1509,12 @@ static int lxc_spawn(struct lxc_handler *handler)
 	if (lxc_sync_barrier_child(handler, LXC_SYNC_POST_CGROUP))
 		return -1;
+	/* Read tty fds allocated by child. */
+	if (lxc_recv_ttys_from_child(handler) < 0) {
+		ERROR("Failed to receive tty info from child process.");
+		goto out_delete_net;
+	}
 	if (handler->ops->post_start(handler, handler->data))
 		goto out_abort;

--- a/src/lxc/sync.h
+++ b/src/lxc/sync.h
@@ -30,6 +30,8 @@ enum {
 	LXC_SYNC_CONFIGURE,
 	LXC_SYNC_POST_CONFIGURE,
 	LXC_SYNC_CGROUP,
+	LXC_SYNC_CGROUP_UNSHARE,
+	LXC_SYNC_CGROUP_LIMITS,
 	LXC_SYNC_POST_CGROUP,
 	LXC_SYNC_RESTART,
 	LXC_SYNC_POST_RESTART,