From: "Serge E. Hallyn" <serge@hallyn.com>
To: Aditya Kali <adityakali@google.com>
Cc: tj@kernel.org, lizefan@huawei.com, serge.hallyn@ubuntu.com,
luto@amacapital.net, cgroups@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-api@vger.kernel.org,
mingo@redhat.com, containers@lists.linux-foundation.org,
jnagal@google.com
Subject: Re: [PATCHv1 8/8] cgroup: mount cgroupns-root when inside non-init cgroupns
Date: Fri, 17 Oct 2014 14:19:57 +0200 [thread overview]
Message-ID: <20141017121957.GA10235@mail.hallyn.com> (raw)
In-Reply-To: <1413235430-22944-9-git-send-email-adityakali@google.com>
Quoting Aditya Kali (adityakali@google.com):
> This patch enables cgroup mounting inside userns when a process
> has appropriate privileges. The cgroup filesystem mounted is
> rooted at the cgroupns-root. Thus, in a container-setup, only
> the hierarchy under the cgroupns-root is exposed inside the container.
> This allows container management tools to run inside the containers
> without depending on any global state.
> In order to support this, a new kernfs api is added to lookup the
> dentry for the cgroupns-root.
>
> Signed-off-by: Aditya Kali <adityakali@google.com>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
> ---
> fs/kernfs/mount.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
> include/linux/kernfs.h | 2 ++
> kernel/cgroup.c | 47 +++++++++++++++++++++++++++++++++++++++++++++--
> 3 files changed, 95 insertions(+), 2 deletions(-)
>
> diff --git a/fs/kernfs/mount.c b/fs/kernfs/mount.c
> index f973ae9..e334f45 100644
> --- a/fs/kernfs/mount.c
> +++ b/fs/kernfs/mount.c
> @@ -62,6 +62,54 @@ struct kernfs_root *kernfs_root_from_sb(struct super_block *sb)
> return NULL;
> }
>
> +/**
> + * kernfs_make_root - create new root dentry for the given kernfs_node.
> + * @sb: the kernfs super_block
> + * @kn: kernfs_node for which a dentry is needed
> + *
> + * This can used used by callers which want to mount only a part of the kernfs
> + * as root of the filesystem.
> + */
> +struct dentry *kernfs_obtain_root(struct super_block *sb,
> + struct kernfs_node *kn)
> +{
> + struct dentry *dentry;
> + struct inode *inode;
> +
> + BUG_ON(sb->s_op != &kernfs_sops);
> +
> + /* inode for the given kernfs_node should already exist. */
> + inode = ilookup(sb, kn->ino);
> + if (!inode) {
> + pr_debug("kernfs: could not get inode for '");
> + pr_cont_kernfs_path(kn);
> + pr_cont("'.\n");
> + return ERR_PTR(-EINVAL);
> + }
> +
> + /* instantiate and link root dentry */
> + dentry = d_obtain_root(inode);
> + if (!dentry) {
> + pr_debug("kernfs: could not get dentry for '");
> + pr_cont_kernfs_path(kn);
> + pr_cont("'.\n");
> + return ERR_PTR(-ENOMEM);
> + }
> +
> + /* If this is a new dentry, set it up. We need kernfs_mutex because this
> + * may be called by callers other than kernfs_fill_super. */
> + mutex_lock(&kernfs_mutex);
> + if (!dentry->d_fsdata) {
> + kernfs_get(kn);
> + dentry->d_fsdata = kn;
> + } else {
> + WARN_ON(dentry->d_fsdata != kn);
> + }
> + mutex_unlock(&kernfs_mutex);
> +
> + return dentry;
> +}
> +
> static int kernfs_fill_super(struct super_block *sb, unsigned long magic)
> {
> struct kernfs_super_info *info = kernfs_info(sb);
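Review bot: `d_obtain_root()` signals failure with an ERR_PTR rather than NULL, so the `if (!dentry)` test after it cannot fire and an error pointer would be dereferenced at `dentry->d_fsdata` under kernfs_mutex; the check should be `if (IS_ERR(dentry)) return dentry;` so the real error is propagated instead of a substituted -ENOMEM. The kerneldoc header names the function `kernfs_make_root` while the definition is `kernfs_obtain_root`, and "This can used used by callers" should read "This can be used by callers"; the header should also state that the returned dentry carries a reference the caller must `dput()`, and that `kn` must belong to the kernfs_root backing `sb` (otherwise the `ilookup()` miss yields -EINVAL). kernfs_fill_super's body continues past the end of the hunk.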
> diff --git a/include/linux/kernfs.h b/include/linux/kernfs.h
> index 3c2be75..b9538e0 100644
> --- a/include/linux/kernfs.h
> +++ b/include/linux/kernfs.h
> @@ -274,6 +274,8 @@ void kernfs_put(struct kernfs_node *kn);
> struct kernfs_node *kernfs_node_from_dentry(struct dentry *dentry);
> struct kernfs_root *kernfs_root_from_sb(struct super_block *sb);
>
> +struct dentry *kernfs_obtain_root(struct super_block *sb,
> + struct kernfs_node *kn);
> struct kernfs_root *kernfs_create_root(struct kernfs_syscall_ops *scops,
> unsigned int flags, void *priv);
> void kernfs_destroy_root(struct kernfs_root *root);
> diff --git a/kernel/cgroup.c b/kernel/cgroup.c
> index 2fc0dfa..ef27dc4 100644
> --- a/kernel/cgroup.c
> +++ b/kernel/cgroup.c
> @@ -1302,6 +1302,13 @@ static int parse_cgroupfs_options(char *data, struct cgroup_sb_opts *opts)
>
> memset(opts, 0, sizeof(*opts));
>
> + /* Implicitly add CGRP_ROOT_SANE_BEHAVIOR if inside a non-init cgroup
> + * namespace.
> + */
> + if (current->nsproxy->cgroup_ns != &init_cgroup_ns) {
> + opts->flags |= CGRP_ROOT_SANE_BEHAVIOR;
> + }
> +
> while ((token = strsep(&o, ",")) != NULL) {
> nr_opts++;
>
> @@ -1391,7 +1398,7 @@ static int parse_cgroupfs_options(char *data, struct cgroup_sb_opts *opts)
>
> if (opts->flags & CGRP_ROOT_SANE_BEHAVIOR) {
> pr_warn("sane_behavior: this is still under development and its behaviors will change, proceed at your own risk\n");
> - if (nr_opts != 1) {
> + if (nr_opts > 1) {
> pr_err("sane_behavior: no other mount options allowed\n");
> return -EINVAL;
> }
> @@ -1581,6 +1588,15 @@ static void init_cgroup_root(struct cgroup_root *root,
> set_bit(CGRP_CPUSET_CLONE_CHILDREN, &root->cgrp.flags);
> }
>
> +struct dentry *cgroupns_get_root(struct super_block *sb,
> + struct cgroup_namespace *ns)
> +{
> + struct dentry *nsdentry;
> +
> + nsdentry = kernfs_obtain_root(sb, ns->root_cgrp->kn);
> + return nsdentry;
> +}
> +
> static int cgroup_setup_root(struct cgroup_root *root, unsigned int ss_mask)
> {
> LIST_HEAD(tmp_links);
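Review bot: `cgroupns_get_root()` is introduced as an external symbol with no prototype in any header and a single caller in this file, so it should be `static`; as written it adds a global symbol and trips -Wmissing-prototypes. The `nsdentry` temporary adds nothing: `static struct dentry *cgroupns_get_root(struct super_block *sb, struct cgroup_namespace *ns)` with the body `return kernfs_obtain_root(sb, ns->root_cgrp->kn);` is equivalent. A one-line comment saying that the caller receives either a referenced dentry or an ERR_PTR and must handle both would help the reader of cgroup_mount.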
> @@ -1684,6 +1700,14 @@ static struct dentry *cgroup_mount(struct file_system_type *fs_type,
> int ret;
> int i;
> bool new_sb;
> + struct cgroup_namespace *ns =
> + get_cgroup_ns(current->nsproxy->cgroup_ns);
> +
> + /* Check if the caller has permission to mount. */
> + if (!ns_capable(ns->user_ns, CAP_SYS_ADMIN)) {
> + put_cgroup_ns(ns);
> + return ERR_PTR(-EPERM);
> + }
>
> /*
> * The first time anyone tries to mount a cgroup, enable the list
> @@ -1816,11 +1840,28 @@ out_free:
> kfree(opts.release_agent);
> kfree(opts.name);
>
> - if (ret)
> + if (ret) {
> + put_cgroup_ns(ns);
> return ERR_PTR(ret);
> + }
>
> dentry = kernfs_mount(fs_type, flags, root->kf_root,
> CGROUP_SUPER_MAGIC, &new_sb);
> +
> + if (!IS_ERR(dentry)) {
> + /* If this mount is for a non-init cgroup namespace, then
> + * Instead of root's dentry, we return the dentry specific to
> + * the cgroupns->root_cgrp.
> + */
> + if (ns != &init_cgroup_ns) {
> + struct dentry *nsdentry;
> +
> + nsdentry = cgroupns_get_root(dentry->d_sb, ns);
> + dput(dentry);
> + dentry = nsdentry;
> + }
> + }
> +
> if (IS_ERR(dentry) || !new_sb)
> cgroup_put(&root->cgrp);
>
> @@ -1833,6 +1874,7 @@ out_free:
> deactivate_super(pinned_sb);
> }
>
> + put_cgroup_ns(ns);
> return dentry;
> }
>
> @@ -1861,6 +1903,7 @@ static struct file_system_type cgroup_fs_type = {
> .name = "cgroup",
> .mount = cgroup_mount,
> .kill_sb = cgroup_kill_sb,
> + .fs_flags = FS_USERNS_MOUNT,
> };
>
> static struct kobject *cgroup_kobj;
> --
> 2.1.0.rc2.206.gedb03e5
>