1. 24 Feb, 2016 3 commits
    • pie: better detection of /proc belonging to pid ns · 1b291d8b
      Tycho Andersen authored
      While this commit is logically part of the "implement cgns support" commit,
      it's worth noting this separately I think: since cgns requires each task to
      look at its own proc file, we can now no longer dump unprivileged tasks
      whose /proc doesn't belong to them.
      
      This is because unprivileged tasks can't mount /proc, so if their /proc
      doesn't belong to them and they need to read it (because they're in a
      cgns), the pie code can't do anything about it.
      
      For cgns, we could solve this problem by simply fork()ing and setns()ing to
      the task's pid and cgroup namespaces, and then reading the /proc from that
      task instead. (And perhaps we should implement it that way so we can still
      dump tasks whose /proc doesn't belong to them, although I don't think
      that's a common case.)
      Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
      Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
    • cgroup: add support for cgroup namespaces · 6e33d080
      Tycho Andersen authored
      cgroup namespaces are imminent to be merged into the kernel (indeed, they
      went into and out of 4.5 for minor issues), and will be carried as a
      patchset in the ubuntu 16.04 kernel. Here's an attempt at c/r.
      
      There are essentially three key steps:
        * on dump, in parse_task_cgroup, we should ask the task what cgroups it
          thinks it is in (unless it has the same cgroup ns id as its parent, then we
          should just take the prefixes from the parent's set), and set the prefix on
          the cg set
        * add a new restore step, prepare_cgroup_namespace(), which happens in
          prepare_task_cgroup() that does an unshare() if necessary
        * when restoring, in move_in_cgroup, if we're going to restore via usernsd,
          leave the full path. If not, use (cgset->path + len(cgset->cgns_prefix)) as
          the path, since we will have already moved into the cgns_prefix and unshared.
      
      Another observation here is that we can support nesting, since these are
      restored hierarchically by nature.
      
      v2: * store cgns prefix length instead of full prefix in images
          * set has_cgroup_ns_id conditionally
          * drop unused argument to move_in_cgroup
          * add extra comments about what is happening when unsharing() on
            restore
          * add extra comments about what is happening when computing the actual
            cgns prefix
      Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
      Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
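      The prefix logic the commit describes (dump step one, restore step three), as an added stand-alone C example that is not CRIU's code; the /proc/<pid>/cgroup lines, the namespace ids and the function names are constructed for illustration:

```c
/* Added example, not CRIU code: the cgns prefix logic described above.
 * /proc/<pid>/cgroup lines are constructed; their real layout is
 * "hierarchy-ID:controller-list:cgroup-path". */
#include <stdio.h>
#include <string.h>

/* Return the cgroup-path field of one /proc/<pid>/cgroup line, or NULL. */
static const char *cgroup_path(const char *line)
{
	const char *p = strchr(line, ':');
	p = p ? strchr(p + 1, ':') : NULL;
	return p ? p + 1 : NULL;
}

/* Dump side: how much of the outer (dumper-visible) path the task cannot
 * see from inside its cgns. An inner path starts with '/', so a suffix
 * match also lands on a component boundary. -1: the two views disagree. */
static int cgns_prefix_len(const char *outer, const char *inner)
{
	size_t ol = strlen(outer), il = strlen(inner);
	if (strcmp(inner, "/") == 0)	/* task's root is the whole outer path */
		return (int)ol;
	if (il > ol || strcmp(outer + ol - il, inner) != 0)
		return -1;
	return (int)(ol - il);
}

/* A task with the same cgns id as its parent inherits the parent's prefix. */
static int task_prefix_len(unsigned cgns_id, unsigned parent_cgns_id,
			   int parent_prefix, const char *outer, const char *inner)
{
	return cgns_id == parent_cgns_id ? parent_prefix
					 : cgns_prefix_len(outer, inner);
}

/* Restore side: after unshare() inside the prefix, move to the remainder. */
static const char *path_in_cgns(const char *full, int prefix_len)
{
	return full + prefix_len;
}

int main(void)
{
	const char *outer = cgroup_path("0::/lxc/c1/user.slice/app"); /* constructed */
	const char *inner = cgroup_path("0::/user.slice/app");         /* constructed */
	int len = task_prefix_len(2, 1, 0, outer, inner);

	printf("prefix len %d, restore path %s\n", len, path_in_cgns(outer, len));
	return 0;
}
```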
    • cgroup: add a check for cgroup namespaces · a80dec3f
      Tycho Andersen authored
      v2: print a warning when cgroup ns is not present.
      Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
      Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>