From: Daniel P. Berrange Date: Thu, 14 Apr 2016 14:19:56 +0000 (+0100) Subject: virsh: make lxc-enter-namespace also join the cgroups X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=291e1a470c004484d94497ebe3dae5b42bbff1c1;p=libvirt.git virsh: make lxc-enter-namespace also join the cgroups Extend the lxc-enter-namespace command so that it joins the containers' cgroups before starting new namespaces. This ensures that the commands run have the normal resource limits applied Signed-off-by: Daniel P. Berrange --- diff --git a/tools/virsh-domain.c b/tools/virsh-domain.c index 11116a90ad..02be58f19a 100644 --- a/tools/virsh-domain.c +++ b/tools/virsh-domain.c @@ -9334,6 +9334,9 @@ cmdLxcEnterNamespace(vshControl *ctl, const vshCmd *cmd) 0) < 0) _exit(EXIT_CANCELED); + if (virDomainLxcEnterCGroup(dom, 0) < 0) + _exit(EXIT_CANCELED); + if (virDomainLxcEnterNamespace(dom, nfdlist, fdlist, diff --git a/tools/virsh.pod b/tools/virsh.pod index 6844823b34..1e5666064a 100644 --- a/tools/virsh.pod +++ b/tools/virsh.pod @@ -4195,9 +4195,10 @@ omitted. Enter the namespace of I and execute the command C passing the requested args. The binary path is relative to the container root filesystem, not the host root filesystem. The binary will inherit the -environment variables / console visible to virsh. This command only works -when connected to the LXC hypervisor driver. This command succeeds only -if C has 0 exit status. +environment variables / console visible to virsh. The command will be run +with the same sVirt context and cgroups placement as processes within the +container. This command only works when connected to the LXC hypervisor +driver. This command succeeds only if C has 0 exit status. By default the new process will run with the security label of the new parent container. Use the I<--noseclabel> option to instead have the