[Devel] [PATCH rh7] ve/cgroup: Temporarily allow to mount cgroups from VE

[Cyrill Gorcunov]

When restore container criu prepares that named cgroups yard
where it mount cgroups by its own. Strictly speaking we need
"restoring" state for VE when we would allow to mount cgroups
from inside of VE context until restore is complete. But while
we have not yet implemented such state lets allow to mount
cgroups to not block conatiners c/r testing.

khorenko@:

 | The CRIU issue is to handled either via "restoring" state or
 | (which i like much more) to create venet directly via netlink.

Signed-off-by: Cyrill Gorcunov <gorcunov at virtuozzo.com>
CC: Andrey Vagin <avagin at virtuozzo.com>
CC: Vladimir Davydov <vdavydov at virtuozzo.com>
CC: Konstantin Khorenko <khorenko at virtuozzo.com>
CC: Pavel Emelyanov <xemul at virtuozzo.com>
---
 kernel/cgroup.c |   13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

Index: linux-pcs7.git/kernel/cgroup.c
===================================================================
--- linux-pcs7.git.orig/kernel/cgroup.c
+++ linux-pcs7.git/kernel/cgroup.c
@@ -1587,8 +1587,17 @@ static struct dentry *cgroup_mount(struc
 	struct inode *inode;
 
 #ifdef CONFIG_VE
-	if (!ve_is_super(get_exec_env()) && !(flags & MS_KERNMOUNT))
-		return ERR_PTR(-EACCES);
+	if (!ve_is_super(get_exec_env()) && !(flags & MS_KERNMOUNT)) {
+		/*
+		 * We should allow mounting cgroups from inside of
+		 * VE only when VE inside a special "restoring" state.
+		 * At moment we don't have yet this state implemented
+		 * but to not block the container from the restore
+		 * lets allow this temporarily.
+		 */
+		/* return ERR_PTR(-EACCES); */
+		pr_warn_once("FIXME: Mounting cgroups from inside of VE, restore?");
+	}
 #endif
 
 	/* First find the desired set of subsystems */