[Devel] [PATCH RHEL7 COMMIT] ve/cgroup: Allow mounting existing cgroups inside container

Wed, 20 May 2015 05:28:47 -0700 

The commit is pushed to "branch-rh7-3.10.0-123.1.2-ovz" and will appear at 
https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-123.1.2.vz7.5.4
------>
commit 8d96fa6e147c9c335a35ef01afe2a876ed3e007f
Author: Cyrill Gorcunov <gorcu...@odin.com>
Date:   Wed May 20 16:13:25 2015 +0400

    ve/cgroup: Allow mounting existing cgroups inside container
    
    Previously we allowed to mount existing cgroups inside container
    but then it cause a suspicion that if container is mounting too
    many existing cgoroups this might affect the node's performance.
    So we disabled this ability. Still because restore procedure is
    running from inside of VE being restored itself we need to allow
    mount existing cgroups back because CRIU restores cgroups and
    all their contents on its own. So if won't the CRIU will fail.
    
    That said probably we should provide some steer via sysfs so
    node admin would be able to limit the summary number of
    cgroups mounted inside container.
    
    khorenko@: this is a temporary solution, we allow this in order
    not to block CT online migration via CRIU further integration.
    
    We'll disable this functionality later in the scope of:
    https://jira.sw.ru/browse/PSBM-33664
    
    Signed-off-by: Cyrill Gorcunov <gorcu...@odin.com>
    
    CC: Vladimir Davydov <vdavy...@odin.com>
    CC: Konstantin Khorenko <khore...@odin.com>
    CC: Pavel Emelyanov <xe...@odin.com>
    CC: Andrey Vagin <ava...@odin.com>
---
 kernel/cgroup.c | 24 +++++++++++++-----------
 1 file changed, 13 insertions(+), 11 deletions(-)

diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index f897042..58caa0d 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -1585,17 +1585,6 @@ static struct dentry *cgroup_mount(struct 
file_system_type *fs_type,
        if (ret)
                goto out_err;
 
-#ifdef CONFIG_VE
-       /*
-        * Cgroups mounting from inside of VE is not allowed
-        * until we get some iron prove that we are to.
-        */
-       if (!ve_is_super(get_exec_env())) {
-               ret = -EACCES;
-               goto out_err;
-       }
-#endif
-
        /*
         * Allocate a new cgroup root. We may not need it if we're
         * reusing an existing hierarchy.
@@ -1626,6 +1615,19 @@ static struct dentry *cgroup_mount(struct 
file_system_type *fs_type,
                int i;
                struct css_set *cg;
 
+#ifdef CONFIG_VE
+               /*
+                * We don't allow to mount new roots from inside
+                * of container (but have to allow mounting existing
+                * cgroups, because the VE restore procedure is
+                * implemented from inside of container environment).
+                */
+               if (!ve_is_super(get_exec_env())) {
+                       ret = -EACCES;
+                       goto drop_new_super;
+               }
+#endif
+
                BUG_ON(sb->s_root != NULL);
 
                ret = cgroup_get_rootdir(sb);
_______________________________________________
Devel mailing list
Devel@openvz.org
https://lists.openvz.org/mailman/listinfo/devel

Reply via email to