Misc fixes for LXC cgroups setup

When using the 'ns' cgroup controller, the moment a process calls 'unshare(CLONE_NEWNS)', it will be given a private cgroup tree under its current location. This really messages up the LXC controller process, because it ends up creating the containers' cgroup in the wrong place. The fix is fairly easy, just move the cgroup setup before the code which calls unshare(). The 'ns' controller will still create extra undesired cgroups, but they at least won't break libvirt's setup now. The patch also adds a missing cgroups allow rule for /dev/tty device node

Misc fixes for LXC cgroups setup
When using the 'ns' cgroup controller, the moment a process calls 'unshare(CLONE_NEWNS)', it will be given a private cgroup tree under its current location. This really messages up the LXC controller process, because it ends up creating the containers' cgroup in the wrong place. The fix is fairly easy, just move the cgroup setup before the code which calls unshare(). The 'ns' controller will still create extra undesired cgroups, but they at least won't break libvirt's setup now. The patch also adds a missing cgroups allow rule for /dev/tty device node
57db02e8 · Daniel P. Berrange · ede3bc11 · 57db02e8 · 57db02e8
显示空白变更内容
内联并排

Showing with 6 addition and 4 deletion

src/lxc/lxc_container.h src/lxc/lxc_container.h +1 -0

src/lxc/lxc_controller.c src/lxc/lxc_controller.c +5 -4

未找到文件。
--- a/src/lxc/lxc_container.h
+++ b/src/lxc/lxc_container.h
@@ -39,6 +39,7 @@ enum {
 #define LXC_DEV_MIN_URANDOM 9
 #define LXC_DEV_MAJ_TTY     5
+#define LXC_DEV_MIN_TTY     0
 #define LXC_DEV_MIN_CONSOLE 1
 #define LXC_DEV_MIN_PTMX    2

--- a/src/lxc/lxc_controller.c
+++ b/src/lxc/lxc_controller.c
@@ -78,6 +78,7 @@ static int lxcSetContainerResources(virDomainDefPtr def)
        {'c', LXC_DEV_MAJ_MEMORY, LXC_DEV_MIN_FULL},
        {'c', LXC_DEV_MAJ_MEMORY, LXC_DEV_MIN_RANDOM},
        {'c', LXC_DEV_MAJ_MEMORY, LXC_DEV_MIN_URANDOM},
+        {'c', LXC_DEV_MAJ_TTY, LXC_DEV_MIN_TTY},
        {'c', LXC_DEV_MAJ_TTY, LXC_DEV_MIN_CONSOLE},
        {'c', LXC_DEV_MAJ_TTY, LXC_DEV_MIN_PTMX},
        {0,   0, 0}};
@@ -301,7 +302,7 @@ static int lxcControllerMain(int monitor,
    fdArray[0].active = 0;
    fdArray[1].fd = contPty;
    fdArray[1].active = 0;
+    VIR_ERROR("monitor=%d client=%d appPty=%d contPty=%d", monitor,client, appPty, contPty);
    /* create the epoll fild descriptor */
    epollFd = epoll_create(2);
    if (0 > epollFd) {
@@ -516,6 +517,9 @@ lxcControllerRun(virDomainDefPtr def,
    root = virDomainGetRootFilesystem(def);
+    if (lxcSetContainerResources(def) < 0)
+        goto cleanup;
    /*
     * If doing a chroot style setup, we need to prepare
     * a private /dev/pts for the child now, which they
@@ -599,9 +603,6 @@ lxcControllerRun(virDomainDefPtr def,
    }
-    if (lxcSetContainerResources(def) < 0)
-        goto cleanup;
    if ((container = lxcContainerStart(def,
                                       nveths,
                                       veths,