[Devel] [PATCH RHEL10 COMMIT] ve/cgroup: Allow attaching to VE root cgroup from VE via cgroup-v2
Konstantin Khorenko khorenko at virtuozzo.com
Fri Oct 10 19:30:19 MSK 2025

The commit is pushed to "branch-rh10-6.12.0-55.13.1.2.x.vz10-ovz" and will appear at git at bitbucket.org:openvz/vzkernel.git
after rh10-6.12.0-55.13.1.2.10.vz10
------>
commit b45a461e9d470ca98e6813d3c72302b111d38023
Author: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Date:   Wed Sep 17 18:16:04 2025 +0800
    ve/cgroup: Allow attaching to VE root cgroup from VE via cgroup-v2
    
    Before that fix, when we first entered ve cgroup and then tried to
    attach to unified cgroup, we saw vzctl exec/stop produce an error:
    
    Error writing to /sys/fs/cgroup/machine.slice/<ve>/cgroup.procs data='<pid>': Operation not permitted
    
    as we were already in ve and ve-restriction to attach to root ve unified
    cgroup applied, we should just remove this restriction.
    
    We only had it enabled for corresponding cgroup-v1 files, now let's also
    enable for cgroup-v2 files too.
    
    Fixes: ad418fb3f8775 ("ve/cgroup: Allow to write to several safe cgroup files from CT")
    Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
    
    Feature: cgroup: whitelist of writeable files in CT
---
 kernel/cgroup/cgroup.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
index 067d7eb0f655e..9d75e0a7b675c 100644
--- a/kernel/cgroup/cgroup.c
+++ b/kernel/cgroup/cgroup.c
@@ -5631,7 +5631,7 @@ static struct cftype cgroup_base_files[] = {
 	},
 	{
 		.name = "cgroup.procs",
-		.flags = CFTYPE_NS_DELEGATABLE,
+		.flags = CFTYPE_NS_DELEGATABLE | CFTYPE_VE_WRITABLE,
 		.file_offset = offsetof(struct cgroup, procs_file),
 		.release = cgroup_procs_release,
 		.seq_start = cgroup_procs_start,
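Review bot: the `.flags` line for `cgroup.procs` sets CFTYPE_VE_WRITABLE on the entry in cgroup_base_files[], so the flag applies to this file wherever that table is used, while the commit message only motivates attaching to the VE root cgroup at /sys/fs/cgroup/machine.slice/<ve>/cgroup.procs. Nothing in the hunk shows what still bounds a write coming from inside the container (which pids may be moved, and into which cgroups), so please add a short comment above the entry, or a sentence in the commit message, naming the check that keeps a CT from migrating tasks outside its own subtree now that the file is writable from the VE.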
@@ -5641,7 +5641,7 @@ static struct cftype cgroup_base_files[] = {
 	},
 	{
 		.name = "cgroup.threads",
-		.flags = CFTYPE_NS_DELEGATABLE,
+		.flags = CFTYPE_NS_DELEGATABLE | CFTYPE_VE_WRITABLE,
 		.release = cgroup_procs_release,
 		.seq_start = cgroup_threads_start,
 		.seq_next = cgroup_procs_next,
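Review bot: the `.flags` change for `cgroup.threads` is not covered by the commit message, whose only reported failure is the write to cgroup.procs from vzctl exec/stop. If thread-granular attach from inside the VE is needed, say so in the message and name the caller that uses it; otherwise consider leaving `cgroup.threads` without CFTYPE_VE_WRITABLE so the set of CT-writable files stays as small as the fix requires. A selftest that enters the VE and then writes to both files in the VE root cgroup would also keep this from regressing.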
    
    