提交 6fb42d7c 编写于 作者: R Richard Weinberger 提交者: Daniel P. Berrange

Ensure systemd cgroup ownership is delegated to container with userns

This function is needed for user namespaces, where we need to chmod()
the cgroup to the initial uid/gid such that systemd is allowed to
use the cgroup.
Signed-off-by: NRichard Weinberger <richard@nod.at>
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
上级 8ca5f46c
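--- a/PATH_NOT_SHOWN_ON_PAGE_1
+++ b/PATH_NOT_SHOWN_ON_PAGE_1
@@ -1067,6 +1067,7 @@ virCgroupSetMemory;
 virCgroupSetMemoryHardLimit;
 virCgroupSetMemorySoftLimit;
 virCgroupSetMemSwapHardLimit;
+virCgroupSetOwner;
 virCgroupSupportsCpuBW;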
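--- a/PATH_NOT_SHOWN_ON_PAGE_2
+++ b/PATH_NOT_SHOWN_ON_PAGE_2
@@ -484,6 +484,18 @@ virCgroupPtr virLXCCgroupCreate(virDomainDefPtr def)
                               &cgroup) < 0)
         goto cleanup;
+    /* setup control group permissions for user namespace */
+    if (def->idmap.uidmap) {
+        if (virCgroupSetOwner(cgroup,
+                              def->idmap.uidmap[0].target,
+                              def->idmap.gidmap[0].target,
+                              (1 << VIR_CGROUP_CONTROLLER_SYSTEMD)) < 0) {
+            virCgroupFree(&cgroup);
+            cgroup = NULL;
+            goto cleanup;
+        }
+    }
 cleanup:
     return cgroup;
 }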
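Review bot: `def->idmap.gidmap[0].target` in the new block is dereferenced under a guard that only tests `def->idmap.uidmap`, so unless the domain parser already rejects a uidmap given without a gidmap this reads through a NULL gidmap; guarding on both, `if (def->idmap.uidmap && def->idmap.gidmap) {`, keeps the invariant local to this call site. The code also assumes that index 0 of each map is the range containing container uid/gid 0, which is the identity systemd inside the container runs as; if the parser allows several ranges in any order, the entry mapping id 0 should be looked up instead, and at minimum the assumption deserves a comment such as `/* first mapping is assumed to cover container uid/gid 0 */`. The `cgroup = NULL;` after `virCgroupFree(&cgroup)` looks redundant if that helper already clears the pointer it is handed, as its pointer-to-pointer signature suggests. Handing ownership of the cgroup directory to the mapped uid/gid is the intended delegation here, but it is worth noting in the comment that only the systemd hierarchy is delegated, since ownership of a resource controller directory would let the container rewrite its own limits.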
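--- a/PATH_NOT_SHOWN_ON_PAGE_3
+++ b/PATH_NOT_SHOWN_ON_PAGE_3
@@ -3608,6 +3608,76 @@ cleanup:
 }
+int virCgroupSetOwner(virCgroupPtr cgroup,
+                      uid_t uid,
+                      gid_t gid,
+                      int controllers)
+{
+    int ret = -1;
+    size_t i;
+    char *base = NULL, *entry = NULL;
+    DIR *dh = NULL;
+    for (i = 0; i < VIR_CGROUP_CONTROLLER_LAST; i++) {
+        struct dirent *de;
+        if (!((1 << i) & controllers))
+            continue;
+        if (!cgroup->controllers[i].mountPoint)
+            continue;
+        if (virAsprintf(&base, "%s%s", cgroup->controllers[i].mountPoint,
+                        cgroup->controllers[i].placement) < 0)
+            goto cleanup;
+        if (!(dh = opendir(base))) {
+            virReportSystemError(errno,
+                                 _("Unable to open dir '%s'"), base);
+            goto cleanup;
+        }
+        while ((de = readdir(dh)) != NULL) {
+            if (STREQ(de->d_name, ".") ||
+                STREQ(de->d_name, ".."))
+                continue;
+            if (virAsprintf(&entry, "%s/%s", base, de->d_name) < 0)
+                goto cleanup;
+            if (chown(entry, uid, gid) < 0) {
+                virReportSystemError(errno,
+                                     _("cannot chown '%s' to (%u, %u)"),
+                                     entry, uid, gid);
+                goto cleanup;
+            }
+            VIR_FREE(entry);
+        }
+        if (chown(base, uid, gid) < 0) {
+            virReportSystemError(errno,
+                                 _("cannot chown '%s' to (%u, %u)"),
+                                 base, uid, gid);
+            goto cleanup;
+        }
+        VIR_FREE(base);
+        closedir(dh);
+        dh = NULL;
+    }
+    ret = 0;
+cleanup:
+    if (dh)
+        closedir(dh);
+    VIR_FREE(entry);
+    VIR_FREE(base);
+    return ret;
+}
 /**
  * virCgroupSupportsCpuBW():
  * Check whether the host supports CFS bandwidth.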
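Review bot: A readdir() failure is indistinguishable from end-of-directory in the `while ((de = readdir(dh)) != NULL)` loop, so a read error leaves some entries un-chowned while the function still returns 0 and the caller believes delegation is complete; set `errno = 0;` before the loop and after it check `if (errno != 0) { virReportSystemError(errno, _("Unable to read dir '%s'"), base); goto cleanup; }`. The function also lacks the `/** ... */` header its neighbours such as virCgroupSupportsCpuBW() carry; it should state that ownership of the placement directory and every entry directly inside it, for each controller selected in the bitmask, is transferred to uid/gid, that the chown is not recursive, and that callers should pass only controllers whose knobs they intend to delegate entirely, since the new owner can write every file in those directories. The `%u` conversions in the two chown error reports assume uid_t and gid_t are unsigned int, which holds on glibc but not everywhere; casting `(unsigned int)uid, (unsigned int)gid` keeps -Wformat quiet on other platforms. Resource cleanup looks right: `entry` and `base` are freed per iteration and again at `cleanup:`, and `dh` is closed on every path.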
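--- a/PATH_NOT_SHOWN_ON_PAGE_4
+++ b/PATH_NOT_SHOWN_ON_PAGE_4
@@ -249,4 +249,9 @@ int virCgroupIsolateMount(virCgroupPtr group,
 bool virCgroupSupportsCpuBW(virCgroupPtr cgroup);
+int virCgroupSetOwner(virCgroupPtr cgroup,
+                      uid_t uid,
+                      gid_t gid,
+                      int controllers);
 #endif /* __VIR_CGROUP_H__ */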