lxc: don't try to hide parent cgroups inside container

On the host when we start a container, it will be
placed in a cgroup path of

   /machine.slice/machine-lxc\x2ddemo.scope

under /sys/fs/cgroup/*

Inside the containers' namespace we need to setup
/sys/fs/cgroup mounts, and currently will bind
mount /machine.slice/machine-lxc\x2ddemo.scope on
the host to appear as / in the container.

While this may sound nice, it confuses applications
dealing with cgroups, because /proc/$PID/cgroup
now does not match the directory in /sys/fs/cgroup

This particularly causes problems for systems and
will make it create repeated path components in
the cgroup for apps run in the container eg

  /machine.slice/machine-lxc\x2ddemo.scope/machine.slice/machine-lxc\x2ddemo.scope/user.slice/user-0.slice/session-61.scope

This also causes any systemd service that uses
sd-notify to fail to start, because when systemd
receives the notification it won't be able to
identify the corresponding unit it came from.
In particular this break rabbitmq-server startup

Future kernels will provide proper cgroup namespacing
which will handle this problem, but until that time
we should not try to play games with hiding parent
cgroups.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 6d221de2ccce7fae73f8b695b2d154ad5fd2f59d..2bd7064ea181f544c16ff84742c61bbb7197d4b5 100644 (file)
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -1196,6 +1196,7 @@ virCgroupAllowDevice;
 virCgroupAllowDeviceMajor;
 virCgroupAllowDevicePath;
 virCgroupAvailable;
+virCgroupBindMount;
 virCgroupControllerAvailable;
 virCgroupControllerTypeFromString;
 virCgroupControllerTypeToString;
@@ -1233,7 +1234,6 @@ virCgroupGetMemSwapUsage;
 virCgroupGetPercpuStats;
 virCgroupHasController;
 virCgroupHasEmptyTasks;
-virCgroupIsolateMount;
 virCgroupKill;
 virCgroupKillPainfully;
 virCgroupKillRecursive;

diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index c5a70a12e86444f2e2ef412ece691373d3265c2d..a6805ac02f988f502372b5648734b9f51a05b112 100644 (file)
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -1827,7 +1827,7 @@ static int lxcContainerSetupPivotRoot(virDomainDefPtr vmDef,
 
     /* Now we can re-mount the cgroups controllers in the
      * same configuration as before */
-    if (virCgroupIsolateMount(cgroup, "/.oldroot/", sec_mount_options) < 0)
+    if (virCgroupBindMount(cgroup, "/.oldroot/", sec_mount_options) < 0)
         goto cleanup;
 
     /* Mounts /dev */

diff --git a/src/util/vircgroup.c b/src/util/vircgroup.c
index 7584ee4c243d9c177281387da6c0c07e4ef42d0a..d7f4065f4154ca7d1f79bd940b61e0858ff40396 100644 (file)
--- a/src/util/vircgroup.c
+++ b/src/util/vircgroup.c
@@ -3917,8 +3917,8 @@ virCgroupGetFreezerState(virCgroupPtr group, char **state)
 
 
 int
-virCgroupIsolateMount(virCgroupPtr group, const char *oldroot,
-                      const char *mountopts)
+virCgroupBindMount(virCgroupPtr group, const char *oldroot,
+                   const char *mountopts)
 {
     int ret = -1;
     size_t i;
@@ -3954,10 +3954,9 @@ virCgroupIsolateMount(virCgroupPtr group, const char *oldroot,
 
         if (!virFileExists(group->controllers[i].mountPoint)) {
             char *src;
-            if (virAsprintf(&src, "%s%s%s",
+            if (virAsprintf(&src, "%s%s",
                             oldroot,
-                            group->controllers[i].mountPoint,
-                            group->controllers[i].placement) < 0)
+                            group->controllers[i].mountPoint) < 0)
                 goto cleanup;
 
             VIR_DEBUG("Create mount point '%s'",

diff --git a/src/util/vircgroup.h b/src/util/vircgroup.h
index 63a9e1c05a1639070fcb413445f7301d23862e2b..d754b1f3bd7a942f7604c33a0e6762e61e66148f 100644 (file)
--- a/src/util/vircgroup.h
+++ b/src/util/vircgroup.h
@@ -286,9 +286,9 @@ int virCgroupKill(virCgroupPtr group, int signum);
 int virCgroupKillRecursive(virCgroupPtr group, int signum);
 int virCgroupKillPainfully(virCgroupPtr group);
 
-int virCgroupIsolateMount(virCgroupPtr group,
-                          const char *oldroot,
-                          const char *mountopts);
+int virCgroupBindMount(virCgroupPtr group,
+                       const char *oldroot,
+                       const char *mountopts);
 
 bool virCgroupSupportsCpuBW(virCgroupPtr cgroup);