[Devel] [PATCH 2/2] cgroup: dont check debug cgroup at container start

Valeriy Vdovin valeriy.vdovin at virtuozzo.com
Wed Apr 21 18:36:01 MSK 2021


Fixes: 1d668375f702847d11301882cb36ddc750226ed2
A follow up fix for a cherry-picked cset validation code that
runs at container start.
The validation code consists of 2 functions is_virtualized_cgroup
and css_has_host_cgroups. Both check that cgroup_mark_ve_roots
is safe to proceed. In case if container is started with invalid
configuration they will forbit further ve root marking.

The fix is needed due to the new debug cgroup which appeared in
VZ8.
- vzctl doesn't know about debug cgroup and does not create a
  subfolder for it.
- The validation code detects it and forces cgroup_mark_ve_roots
  to return with -EINVAL.
- debug cgroup is only present kernel debug configuration so it
  only plays role in development builds.
- also debug cgroup does not have any value for virtualization.
- That is why we can just skip it's validation and ignore it
  totally at VE_ROOT marking procedure.

Signed-off-by: Valeriy Vdovin <valeriy.vdovin at virtuozzo.com>
---
 kernel/cgroup/cgroup.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
index 75447685f258..eeced498b121 100644
--- a/kernel/cgroup/cgroup.c
+++ b/kernel/cgroup/cgroup.c
@@ -1928,6 +1928,10 @@ static int cgroup_add_file(struct cgroup_subsys_state *css, struct cgroup *cgrp,
 #ifdef CONFIG_VE
 static inline bool is_virtualized_cgroup(struct cgroup *cgrp)
 {
+#if IS_ENABLED(CONFIG_CGROUP_DEBUG)
+	if (cgrp->subsys[debug_cgrp_id])
+		return false;
+#endif
 	if (cgrp->root->subsys_mask)
 		return true;
 
-- 
2.27.0



More information about the Devel mailing list