[Devel] [PATCH RHEL7 COMMIT] ve/cgroups: Allow to attach a single threaded task only into a container
Konstantin Khorenko
khorenko at virtuozzo.com
Thu Oct 29 05:48:09 PDT 2015
The commit is pushed to "branch-rh7-3.10.0-229.7.2.vz7.9.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-229.7.2.vz7.9.5
------>
commit 60d2e26e61f30d30a9b181bc34e49ec81b1b3d90
Author: Cyrill Gorcunov <gorcunov at virtuozzo.com>
Date: Thu Oct 29 16:48:05 2015 +0400
ve/cgroups: Allow to attach a single threaded task only into a container
In commit e4abbcde75125568a855058f965ad3aa191fe52a we've
allowed to attach non-self into container. Still there
was an assumption that we might need multithreaded
kernel threads to be connected into container (sounds
like a new term in kernel development :-).
Thus let's simplify the test: we only require the
"init" to be moved into a container. The rest of
process tree is usually forked()/cloned() from it
automatically obtaining same container's cgroup.
I leave an old test for kernel thread here because
not sure if lack of it causes any problem. Let's
step safe first.
Signed-off-by: Cyrill Gorcunov <gorcunov at odin.com>
Reviewed-by: Vladimir Davydov <vdavydov at virtuozzo.com>
CC: Nikita Spiridonov <nspiridonov at odin.com>
CC: Konstantin Khorenko <khorenko at odin.com>
CC: Pavel Emelyanov <xemul at odin.com>
CC: Andrey Vagin <avagin at odin.com>
---
kernel/ve/ve.c | 29 ++++++++++++++++-------------
1 file changed, 16 insertions(+), 13 deletions(-)
diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c
index d86efb9..e9219e6 100644
--- a/kernel/ve/ve.c
+++ b/kernel/ve/ve.c
@@ -704,7 +704,6 @@ static void ve_destroy(struct cgroup *cg)
static int ve_can_attach(struct cgroup *cg, struct cgroup_taskset *tset)
{
struct ve_struct *ve = cgroup_ve(cg);
- struct task_struct *task;
if (!ve->veid)
return -ENOENT;
@@ -713,25 +712,29 @@ static int ve_can_attach(struct cgroup *cg, struct cgroup_taskset *tset)
return -EBUSY;
/*
- * We either moving the whole group of threads,
- * either a single thread process.
+ * We allow only one single-threaded process to attach
+ * into a container, which usually stands for "init"
+ * process. The rest of processes should be forked
+ * from the "init".
*/
if (cgroup_taskset_size(tset) == 1) {
- task = cgroup_taskset_first(tset);
- if (!thread_group_empty(task))
+ struct task_struct *task = cgroup_taskset_first(tset);
+
+ if (!thread_group_leader(task) ||
+ !thread_group_empty(task))
return -EINVAL;
- }
- /*
- * Forbid userspace tasks to enter during starting or stopping.
- * Permit attaching kernel threads for this containers.
- */
- if (!ve->is_running && (ve->ve_ns || nr_threads_ve(ve))) {
- cgroup_taskset_for_each(task, cg, tset) {
+ /*
+ * XXX Still permit attaching kernel threads
+ * for this container. Wonder if we really need it,
+ * looks like some legacy code chunk.
+ */
+ if (!ve->is_running && (ve->ve_ns || nr_threads_ve(ve))) {
if (!(task->flags & PF_KTHREAD))
return -EPIPE;
}
- }
+ } else
+ return -EINVAL;
return 0;
}
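Review bot: The new comment at the top of this hunk says only one single-threaded process may attach, but the checks shown are evaluated per attach call, and nothing in these lines stops a second single-threaded task from passing later once ve->is_running is set. Either word the comment as "one single-threaded task per attach" or add the enforcement it describes. The thread_group_leader() test also deserves a line of comment saying which case it catches that thread_group_empty() does not. On style, the closing `} else` / `return -EINVAL;` leaves one branch unbraced next to a braced one; since every other taskset size now fails, an early `if (cgroup_taskset_size(tset) != 1) return -EINVAL;` would avoid that and drop an indentation level around the is_running check. The commit message should also state that attaching a whole multithreaded group, which the removed comment described as allowed, now returns -EINVAL.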