[Devel] [PATCH RHEL7 COMMIT] ve/cgroup: Temporarily allow to mount cgroups from VE

Konstantin Khorenko khorenko at virtuozzo.com
Wed Jun 17 03:40:14 PDT 2015


The commit is pushed to "branch-rh7-3.10.0-123.1.2-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-123.1.2.vz7.5.14
------>
commit e899169a4e3f0a8d2507e79c137bc7540dde2108
Author: Cyrill Gorcunov <gorcunov at virtuozzo.com>
Date:   Wed Jun 17 14:40:14 2015 +0400

    ve/cgroup: Temporarily allow to mount cgroups from VE
    
    When restoring a container, criu prepares the named cgroups yard
    where it mounts cgroups on its own. Strictly speaking, we need a
    "restoring" state for VE, in which we would allow mounting cgroups
    from inside of the VE context until restore is complete. But while
    we have not yet implemented such a state, let's allow mounting
    cgroups so as not to block containers c/r testing.
    
    khorenko@:
    
     | The CRIU issue is to be handled either via "restoring" state or
     | (which I like much more) to create venet directly via netlink.
    
    We'll disable this back in the scope of
    https://jira.sw.ru/browse/PSBM-34291
    
    Signed-off-by: Cyrill Gorcunov <gorcunov at virtuozzo.com>
    
    CC: Andrey Vagin <avagin at virtuozzo.com>
    CC: Vladimir Davydov <vdavydov at virtuozzo.com>
    CC: Konstantin Khorenko <khorenko at virtuozzo.com>
    CC: Pavel Emelyanov <xemul at virtuozzo.com>
---
 kernel/cgroup.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index c376a87..b073fba 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -1587,8 +1587,17 @@ static struct dentry *cgroup_mount(struct file_system_type *fs_type,
 	struct inode *inode;
 
 #ifdef CONFIG_VE
-	if (!ve_is_super(get_exec_env()) && !(flags & MS_KERNMOUNT))
-		return ERR_PTR(-EACCES);
+	if (!ve_is_super(get_exec_env()) && !(flags & MS_KERNMOUNT)) {
+		/*
+		 * We should allow mounting cgroups from inside of
+		 * VE only when VE inside a special "restoring" state.
+		 * At moment we don't have yet this state implemented
+		 * but to not block the container from the restore
+		 * lets allow this temporarily.
+		 */
+		/* return ERR_PTR(-EACCES); */
+		pr_warn_once("FIXME: Mounting cgroups from inside of VE, restore?");
+	}
 #endif
 
 	/* First find the desired set of subsystems */
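
Review bot: In the CONFIG_VE block of cgroup_mount(), commenting out `return ERR_PTR(-EACCES);` drops the denial for every non-super VE on every call, not only for a container that is being restored, so until the follow-up lands this check no longer stops a process inside any VE from mounting cgroup hierarchies. Since the "restoring" state does not exist yet, I would keep the return and put the bypass behind something that is off by default (for example a debug-only switch enabled on c/r test nodes), so production kernels built from this branch retain the old behaviour. The logging is also weaker than it looks: pr_warn_once() fires only for the first such mount after boot, so later mounts from other containers leave no trace; pr_warn_ratelimited() would give an audit trail while the workaround is in place. The format string is missing its trailing "\n". Finally, please replace the commented-out return with a reference to PSBM-34291 in the comment, so the revert can be found from the code and not only from the commit message.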


