The commit is pushed to "branch-rh7-3.10.0-123.1.2-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git after rh7-3.10.0-123.1.2.vz7.5.4 ------> commit 8d96fa6e147c9c335a35ef01afe2a876ed3e007f Author: Cyrill Gorcunov <gorcu...@odin.com> Date: Wed May 20 16:13:25 2015 +0400
ve/cgroup: Allow mounting existing cgroups inside container Previously we allowed to mount existing cgroups inside container but then it cause a suspicion that if container is mounting too many existing cgoroups this might affect the node's performance. So we disabled this ability. Still because restore procedure is running from inside of VE being restored itself we need to allow mount existing cgroups back because CRIU restores cgroups and all their contents on its own. So if won't the CRIU will fail. That said probably we should provide some steer via sysfs so node admin would be able to limit the summary number of cgroups mounted inside container. khorenko@: this is a temporary solution, we allow this in order not to block CT online migration via CRIU further integration. We'll disable this functionality later in the scope of: https://jira.sw.ru/browse/PSBM-33664 Signed-off-by: Cyrill Gorcunov <gorcu...@odin.com> CC: Vladimir Davydov <vdavy...@odin.com> CC: Konstantin Khorenko <khore...@odin.com> CC: Pavel Emelyanov <xe...@odin.com> CC: Andrey Vagin <ava...@odin.com> --- kernel/cgroup.c | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/kernel/cgroup.c b/kernel/cgroup.c index f897042..58caa0d 100644 --- a/kernel/cgroup.c +++ b/kernel/cgroup.c @@ -1585,17 +1585,6 @@ static struct dentry *cgroup_mount(struct file_system_type *fs_type, if (ret) goto out_err; -#ifdef CONFIG_VE - /* - * Cgroups mounting from inside of VE is not allowed - * until we get some iron prove that we are to. - */ - if (!ve_is_super(get_exec_env())) { - ret = -EACCES; - goto out_err; - } -#endif - /* * Allocate a new cgroup root. We may not need it if we're * reusing an existing hierarchy. @@ -1626,6 +1615,19 @@ static struct dentry *cgroup_mount(struct file_system_type *fs_type, int i; struct css_set *cg; +#ifdef CONFIG_VE + /* + * We don't allow to mount new roots from inside + * of container (but have to allow mounting existing + * cgroups, because the VE restore procedure is + * implemented from inside of container environment). + */ + if (!ve_is_super(get_exec_env())) { + ret = -EACCES; + goto drop_new_super; + } +#endif + BUG_ON(sb->s_root != NULL); ret = cgroup_get_rootdir(sb); _______________________________________________ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel