introduce lxc.cgroup.dir.{monitor,container,container.inner} #3353
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Testsuite passed |
brauner
requested changes
Apr 3, 2020
Blub
force-pushed
the
lxc.cgroup.dir-components
branch
from
8f1e561
to
f16d703
Compare
Blub
changed the title
This is a new approach to lxc#1302 with a container-side configuration instead of a global boolean flag. Contrary to the previous PR using an optional additional parameter for the get-cgroup command, this introduces two new additional commands to get the limiting cgroup path and cgroup2 file descriptor. If the limiting option is not in use, these behave identical to their full-path counterparts. If these variables are used the payload will end up in the concatenation of lxc.cgroup.dir.container and lxc.cgroup.dir.container.inner (which may be empty), and the monitor will end up in lxc.cgruop.dir.monitor. The directories are fixed, no retry count logic is applied, failing to create these directories will simply be a hard error. Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Blub
force-pushed
the
lxc.cgroup.dir-components
branch
from
f16d703
to
a900cba
Compare
added 3 commits
April 3, 2020 20:07
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
brauner
changed the title
brauner
approved these changes
Apr 3, 2020
|
Thank you very much for that! Should make privileged containers safer! |
|
Nice. |
raboof
pushed a commit
to raboof/pve-container
that referenced
this pull request
May 16, 2020
See: lxc/lxc#3353 Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is a new approach to #1302 with a container-side
configuration instead of a global boolean flag.
Contrary to the previous PR using an optional additional
parameter for the get-cgroup command, this introduces two
new additional commands to get the limiting cgroup path and
cgroup2 file descriptor. If the limiting option is not in
use, these behave identical to their full-path counterparts.
If these variables are used the payload will end up in the
concatenation of lxc.cgroup.dir.payload and
lxc.cgroup.dir.namespace (namespace may be empty), and the
monitor will end up in lxc.cgruop.dir.monitor. The
directories are fixed, no retry count logic is applied,
failing to create these directories will simply be a hard
error.
Signed-off-by: Wolfgang Bumiller w.bumiller@proxmox.com
Note that this is designed to be opt in, so if there are still some setup
issues with eg. the devices cgroup in v1 or with cgroupv2 (which I'll be
testing shortly), it still shouldn't affect existing configurations.
Posting this now for initial review.