[Devel] [PATCH RH7] ve/cgroup: hide ve and ub cgroups in CT

[Pavel Tikhomirov]

Reasons:
1) We don't need to show these cgroups in CT, they are vz specific,
and nobody should use them inside.
2) Docker from v17.11 checks that all cgroups are mounted, but we
don't mount beancounter and ve, thus docker fails.

Still show ve and ub for pseudosuper, so that these change does not
influence criu. I checked that with these patch c/r of container works
fine and values in ve cgroup files persist.

Docker ct starts fine after these change.

https://jira.sw.ru/browse/PSBM-80421

Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
 kernel/cgroup.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index 5c4af09..2471f37 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -5011,6 +5011,20 @@ static int __init cgroup_wq_init(void)
 }
 core_initcall(cgroup_wq_init);
 
+static int ve_hide_cgroups(struct cgroupfs_root *root)
+{
+	struct ve_struct *ve = get_exec_env();
+	unsigned long hidden_mask = (1UL << ve_subsys_id)
+				    | (1UL << ub_subsys_id);
+
+	/*
+	 * Hide ve and ub cgroups in CT for docker,
+	 * still showing them to pseudosuper (criu)
+	 */
+	return !ve_is_super(ve) && !ve->is_pseudosuper
+	       && (root->subsys_mask & hidden_mask);
+}
+
 /*
  * proc_cgroup_show()
  *  - Print task's cgroup paths into seq_file, one line for each hierarchy
@@ -5052,6 +5066,8 @@ int proc_cgroup_show(struct seq_file *m, void *v)
 		struct cgroup *cgrp;
 		int count = 0;
 
+		if (ve_hide_cgroups(root))
+			continue;
 		seq_printf(m, "%d:", root->hierarchy_id);
 		for_each_subsys(root, ss)
 			seq_printf(m, "%s%s", count++ ? "," : "", ss->name);
@@ -5096,6 +5112,9 @@ static int proc_cgroupstats_show(struct seq_file *m, void *v)
 
 		if (ss == NULL)
 			continue;
+		if (ve_hide_cgroups(ss->root))
+			continue;
+
 		num = _cg_virtualized(ss->root->number_of_cgroups);
 		seq_printf(m, "%s\t%d\t%d\t%d\n",
 			   ss->name, ss->root->hierarchy_id,
-- 
1.8.3.1