[Devel] [PATCH RH7] cgroup: fix mangle root in CT

Pavel Tikhomirov ptikhomirov at odin.com
Wed Aug 19 00:49:24 PDT 2015



On 08/19/2015 10:35 AM, Pavel Tikhomirov wrote:
> cgroups with depth level more than 2 were not mangled inside a
> container, that might have caused problems with docker, docker was able
> to see in /proc/self/cgroup paths relative to host.
>
> PSBM-38634
>
> But it is not docker specific:
>
> CT-103 /# mkdir /sys/fs/cgroup/devices/test.slice
> CT-103 /# mkdir /sys/fs/cgroup/devices/test.slice/test.scope
> CT-103 /# sleep 1000&
> [1] 578
> CT-103 /# echo 578 > /sys/fs/cgroup/devices/test.slice/test.scope/tasks
>
> with patch:
>
> CT-103 /# cat /proc/578/cgroup
> 16:ve:/
> 15:hugetlb:/
> 14:perf_event:/
> 12:net_cls:/
> 11:freezer:/
> 10:devices:/test.slice/test.scope
> 6:name=systemd:/user-0.slice/session-c109.scope

The other thing, which I'm not yet sure how to fix now, is that such a
process somehow gets out of ve-103.slice and is in
/sys/fs/cgroup/systemd/user-0.slice/session-c109.scope if we look from the host.

> 5:cpuset:/
> 4:cpuacct,cpu:/
> 3:beancounter:/
> 2:memory:/
> 1:blkio:/
>
> without:
>
> CT-103 /# cat /proc/480/cgroup
> 16:ve:/
> 15:hugetlb:/
> 14:perf_event:/
> 12:net_cls:/
> 11:freezer:/
> 10:devices:/103/test.slice/test.scope
> 6:name=systemd:/user.slice/user-0.slice/session-c2.scope
> 5:cpuset:/
> 4:cpuacct,cpu:/
> 3:beancounter:/
> 2:memory:/
> 1:blkio:/
>
> Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
> ---
>   kernel/cgroup.c | 35 ++++++++++++++++++++---------------
>   1 file changed, 20 insertions(+), 15 deletions(-)
>
> diff --git a/kernel/cgroup.c b/kernel/cgroup.c
> index b073fba..7abc8f3 100644
> --- a/kernel/cgroup.c
> +++ b/kernel/cgroup.c
> @@ -1823,6 +1823,7 @@ int cgroup_path(const struct cgroup *cgrp, char *buf, int buflen)
>   {
>   	int ret = -ENAMETOOLONG;
>   	char *start;
> +	struct ve_struct *ve = get_exec_env();
>
>   	if (!cgrp->parent) {
>   		if (strlcpy(buf, "/", buflen) >= buflen)
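
Review bot: The declaration "struct ve_struct *ve = get_exec_env();" at the top of cgroup_path() is unconditional, but its only use in this patch sits inside #ifdef CONFIG_VE, as did the block being replaced. With CONFIG_VE disabled this leaves an unused variable at best. Put the declaration under the same #ifdef, or keep the get_exec_env() call inside the guarded block.
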
> @@ -1830,21 +1831,6 @@ int cgroup_path(const struct cgroup *cgrp, char *buf, int buflen)
>   		return 0;
>   	}
>
> -#ifdef CONFIG_VE
> -	/*
> -	 * Containers cgroups are bind-mounted from node
> -	 * so they are like '/' from inside, thus we have
> -	 * to mangle cgroup path output.
> -	 */
> -	if (!ve_is_super(get_exec_env())) {
> -		if (cgrp->parent && !cgrp->parent->parent) {
> -			if (strlcpy(buf, "/", buflen) >= buflen)
> -				return -ENAMETOOLONG;
> -			return 0;
> -		}
> -	}
> -#endif
> -
>   	start = buf + buflen - 1;
>   	*start = '\0';
>
> @@ -1853,6 +1839,25 @@ int cgroup_path(const struct cgroup *cgrp, char *buf, int buflen)
>   		const char *name = cgroup_name(cgrp);
>   		int len;
>
> +#ifdef CONFIG_VE
> +		if (!ve_is_super(ve) && cgrp->parent && !cgrp->parent->parent) {
> +			/*
> +			 * Containers cgroups are bind-mounted from node
> +			 * so they are like '/' from inside, thus we have
> +			 * to mangle cgroup path output. Effectively it is
> +			 * enough to remove two topmost cgroups from path.
> +			 * e.g. in ct 101: /101/test.slice/test.scope ->
> +			 * /test.slice/test.scope
> +			 */
> +			if (*start != '/') {
> +				if (--start < buf)
> +					goto out;
> +				*start = '/';
> +			}
> +			break;
> +		}
> +#endif
> +
>   		len = strlen(name);
>   		if ((start -= len) < buf)
>   			goto out;
>
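
Review bot: The new branch "if (!ve_is_super(ve) && cgrp->parent && !cgrp->parent->parent)" drops whatever name sits directly under the hierarchy root, without checking that it is this container's own cgroup. The sample output in the commit message suggests the effect on the name=systemd line: /user.slice/user-0.slice/... without the patch, /user-0.slice/... with it. A host-side component other than the container ID is being stripped, so a task outside the container's subtree is reported with a path that looks container-local. Consider comparing that component against the container's root cgroup before the break and falling through to the normal copy when it does not match. The comment's "remove two topmost cgroups" is also ambiguous, since the condition matches only the one cgroup whose parent is the root; "the root and the container's top-level cgroup" would be clearer. A short note on when *start is already '/' at this point would help too, because the code that writes the separator is outside the hunk.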

-- 
Best regards, Tikhomirov Pavel
Software Developer, Odin.


