差分

このページの2つのバージョン間の差分を表示します。

--- linux:lxc:非特権コンテナメモ [2014/01/20 10:22] – 作成 tenforward
+++ linux:lxc:非特権コンテナメモ [2014/01/20 10:45] (現在) – tenforward
@@ 行 1: / 行 1: @@
   * https://www.stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/
+上記の非特権コンテナの要件に
+  * Kernel: 3.13 + a couple of staging patches (which Ubuntu has in its kernel)
+  * User namespaces enabled in the kernel
+  * A very recent version of shadow that supports subuid/subgid
+  * Per-user cgroups on all controllers (which I turned on a couple of weeks ago)
+  * LXC 1.0 beta2 or higher (released two days ago)
+  * A version of PAM with a loginuid patch that’s yet to be in any released version
+とある．
+  * まず lxc/src/lxc/cgroup.c で<code c>
+static bool find_cgroup_hierarchies(struct cgroup_meta_data *meta_data,
+        bool all_kernel_subsystems, bool all_named_subsystems,
+        const char **subsystem_whitelist)
+{
+        FILE *proc_self_cgroup;
+        char *line = NULL;
+        size_t sz = 0;
+        int r;
+        bool bret = false;
+        size_t hierarchy_capacity = 0;
+        proc_self_cgroup = fopen_cloexec("/proc/self/cgroup", "r");
+        /* if for some reason (because of setns() and pid namespace for example)
+,
+         * /proc/self is not valid, we try /proc/1/cgroup... */
+        if (!proc_self_cgroup)
+                proc_self_cgroup = fopen_cloexec("/proc/1/cgroup", "r");
+        if (!proc_self_cgroup)
+                return false;
+        while (getline(&line, &sz, proc_self_cgroup) != -1) {
+                /* file format: hierarchy:subsystems:group,
+                 * we only extract hierarchy and subsystems
+                 * here */
+</code>こんなコードがあり，/proc/self/cgroup から「現在の cgroup」を取得するようになってる
+  * Ubuntu 14.04 だと一般ユーザでログインすると<code>karma@lxctest02:~$ id
+uid=1000(karma) gid=1000(karma) groups=1000(karma),27(sudo)
+karma@lxctest02:~$ cat /proc/self/cgroup
+:name=systemd:/user/1000.user/5.session
+:hugetlb:/user/1000.user/5.session
+:perf_event:/user/1000.user/5.session
+:blkio:/user/1000.user/5.session
+:freezer:/user/1000.user/5.session
+:devices:/user/1000.user/5.session
+:memory:/user/1000.user/5.session
+:cpuacct:/user/1000.user/5.session
+:cpu:/user/1000.user/5.session
+:cpuset:/user/1000.user/5.session</code>
+  * ここは書き込み権がある <code>karma@lxctest02:~$ LANG=C ls -ld /sys/fs/cgroup/cpu/user/1000.user/5.session
+drwxr-xr-x 2 karma karma 0 Jan 20 10:37 /sys/fs/cgroup/cpu/user/1000.user/5.session</code>
+  * ちなみに普通に echo $$ > tasks みたいに cgroup に登録する．以下のコード <code>#!/bin/bash
+for c in /sys/fs/cgroup/*
+do
+  sudo mkdir $c/karma
+  sudo chown -R karma: $c/karma
+  if [ `basename $c` = "cpuset" ]; then
+    echo 0 > $c/karma/cpuset.cpus
+    echo 0 > $c/karma/cpuset.mems
+  fi
+  echo $PID > $c/karma/tasks
+done</code> を実行すると，当然 <code>karma@lxctest02:~$ cat /proc/self/cgroup
+:name=systemd:/karma
+:hugetlb:/karma
+:perf_event:/karma
+:blkio:/karma
+:freezer:/karma
+:devices:/karma
+:memory:/karma
+:cpuacct:/karma
+:cpu:/karma
+:cpuset:/karma</code>
+  * /sys/fs/cgroup/user/1000.user/5.session みたいなのは誰が作ってるのか? どうも systemd のデーモンのどれかっぽい．(pam_loginuid 使って?) <code c>int cg_path_get_session(const char *path, char **session) {
+        const char *e, *n;
+        char *s;
+        assert(path);
+        assert(session);
+        e = path_startswith(path, "/user/");
+        if (!e)
+                return -ENOENT;
+        /* Skip the user name */
+        e = skip_label(e);
+        if (!e)
+                return -ENOENT;
+        n = strchrnul(e, '/');
+        if (n - e < 8)
+                return -ENOENT;
+        if (memcmp(n - 8, ".session", 8) != 0)
+                return -ENOENT;
+        s = strndup(e, n - e - 8);
+        if (!s)
+                return -ENOMEM;
+        *session = s;
+        return 0;
+}</code> systemd/src/shared/cgroup-util.c