[Devel] [PATCH RH7] cgroup: fix mangle root in CT

Pavel Tikhomirov ptikhomirov at virtuozzo.com
Wed Aug 19 00:35:22 PDT 2015


Cgroups with depth level more than 2 were not mangled inside a
container, which might cause problems with docker: docker was able
to see paths relative to the host in /proc/self/cgroup.

PSBM-38634

But it is not docker specific:

CT-103 /# mkdir /sys/fs/cgroup/devices/test.slice
CT-103 /# mkdir /sys/fs/cgroup/devices/test.slice/test.scope
CT-103 /# sleep 1000&
[1] 578
CT-103 /# echo 578 > /sys/fs/cgroup/devices/test.slice/test.scope/tasks

with patch:

CT-103 /# cat /proc/578/cgroup
16:ve:/
15:hugetlb:/
14:perf_event:/
12:net_cls:/
11:freezer:/
10:devices:/test.slice/test.scope
6:name=systemd:/user-0.slice/session-c109.scope
5:cpuset:/
4:cpuacct,cpu:/
3:beancounter:/
2:memory:/
1:blkio:/

without:

CT-103 /# cat /proc/480/cgroup
16:ve:/
15:hugetlb:/
14:perf_event:/
12:net_cls:/
11:freezer:/
10:devices:/103/test.slice/test.scope
6:name=systemd:/user.slice/user-0.slice/session-c2.scope
5:cpuset:/
4:cpuacct,cpu:/
3:beancounter:/
2:memory:/
1:blkio:/

Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
 kernel/cgroup.c | 35 ++++++++++++++++++++---------------
 1 file changed, 20 insertions(+), 15 deletions(-)

diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index b073fba..7abc8f3 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -1823,6 +1823,7 @@ int cgroup_path(const struct cgroup *cgrp, char *buf, int buflen)
 {
 	int ret = -ENAMETOOLONG;
 	char *start;
+	struct ve_struct *ve = get_exec_env();
 
 	if (!cgrp->parent) {
 		if (strlcpy(buf, "/", buflen) >= buflen)
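Review bot: The new local `ve` is declared and initialised unconditionally, but its only use visible in this patch is inside the `#ifdef CONFIG_VE` block added to the loop. A build without CONFIG_VE would carry an unused variable, and would need get_exec_env() to exist in that configuration, which is not visible here. The code removed in the next hunk kept the get_exec_env() call inside the guard, and the declaration could do the same: `#ifdef CONFIG_VE`, `struct ve_struct *ve = get_exec_env();`, `#endif`. The body of cgroup_path continues outside this hunk.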
@@ -1830,21 +1831,6 @@ int cgroup_path(const struct cgroup *cgrp, char *buf, int buflen)
 		return 0;
 	}
 
-#ifdef CONFIG_VE
-	/*
-	 * Containers cgroups are bind-mounted from node
-	 * so they are like '/' from inside, thus we have
-	 * to mangle cgroup path output.
-	 */
-	if (!ve_is_super(get_exec_env())) {
-		if (cgrp->parent && !cgrp->parent->parent) {
-			if (strlcpy(buf, "/", buflen) >= buflen)
-				return -ENAMETOOLONG;
-			return 0;
-		}
-	}
-#endif
-
 	start = buf + buflen - 1;
 	*start = '\0';
 
@@ -1853,6 +1839,25 @@ int cgroup_path(const struct cgroup *cgrp, char *buf, int buflen)
 		const char *name = cgroup_name(cgrp);
 		int len;
 
+#ifdef CONFIG_VE
+		if (!ve_is_super(ve) && cgrp->parent && !cgrp->parent->parent) {
+			/*
+			 * Containers cgroups are bind-mounted from node
+			 * so they are like '/' from inside, thus we have
+			 * to mangle cgroup path output. Effectively it is
+			 * enough to remove two topmost cgroups from path.
+			 * e.g. in ct 101: /101/test.slice/test.scope ->
+			 * /test.slice/test.scope
+			 */
+			if (*start != '/') {
+				if (--start < buf)
+					goto out;
+				*start = '/';
+			}
+			break;
+		}
+#endif
+
 		len = strlen(name);
 		if ((start -= len) < buf)
 			goto out;
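Review bot: The test `cgrp->parent && !cgrp->parent->parent` strips whichever cgroup sits directly under the hierarchy root; it does not check that this cgroup is the container's own. The commit message's "with patch" listing shows the effect: the devices line loses `/103` as intended, but the name=systemd line also loses its `user.slice` component, which suggests a real path component is dropped in a hierarchy where the container is not nested under a per-container directory. Consider tying the cut-off to the calling ve's actual root cgroup for this hierarchy rather than to depth, or at least record the assumption in the comment, e.g. `* Assumes every hierarchy seen from a CT is nested under one per-CT top-level cgroup.` The `cgrp->parent &&` term also looks redundant given the early return shown in the first hunk, though the loop's own condition lies outside this hunk.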
-- 
1.9.3



