Accommodate stricter devices cgroup rules · 283678ed · Serge Hallyn authored
3.10 kernel comes with proper hierarchical enforcement of devices cgroup. To keep that code somewhat sane, certain things are not allowed. Switching from default-allow to default-deny and vice versa is not allowed when there are children cgroups. (This *could* be simplified in the kernel by checking that all child cgroups are unpopulated, but that has not yet been done and may be rejected.)

The mountcgroup hook causes lxc-start to break with 3.10 kernels, because you cannot write 'a' to devices.deny once you have a child cgroup. With this patch, (a) lxcpath is passed to hooks, (b) the cgroup mount hook sets the container's devices cgroup, and (c) setup_cgroup() during lxc startup ignores failures to write to devices subsystem if we are already in a child of the container's new cgroup.

((a) is not really related to this bug, but is definitely needed. The followup work of making the other hooks use the passed-in lxcpath is still to be done.)

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
| Name | Last commit | Last update |
|---|---|---|
| .. | | |
| include | | |
| lua-lxc | | |
| lxc | | |
| python-lxc | | |
| tests | | |
| Makefile.am | | |