* https://www.stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/
The requirements for unprivileged containers given in the post above are:
* Kernel: 3.13 + a couple of staging patches (which Ubuntu has in its kernel)
* User namespaces enabled in the kernel
* A very recent version of shadow that supports subuid/subgid
* Per-user cgroups on all controllers (which I turned on a couple of weeks ago)
* LXC 1.0 beta2 or higher (released two days ago)
* A version of PAM with a loginuid patch that's yet to be in any released version
* First, lxc/src/lxc/cgroup.c contains the following code (excerpt), which reads /proc/self/cgroup to determine the "current cgroup":

static bool find_cgroup_hierarchies(struct cgroup_meta_data *meta_data,
                                    bool all_kernel_subsystems, bool all_named_subsystems,
                                    const char **subsystem_whitelist)
{
    FILE *proc_self_cgroup;
    char *line = NULL;
    size_t sz = 0;
    int r;
    bool bret = false;
    size_t hierarchy_capacity = 0;

    proc_self_cgroup = fopen_cloexec("/proc/self/cgroup", "r");
    /* if for some reason (because of setns() and pid namespace for example),
     * /proc/self is not valid, we try /proc/1/cgroup... */
    if (!proc_self_cgroup)
        proc_self_cgroup = fopen_cloexec("/proc/1/cgroup", "r");
    if (!proc_self_cgroup)
        return false;

    while (getline(&line, &sz, proc_self_cgroup) != -1) {
        /* file format: hierarchy:subsystems:group,
         * we only extract hierarchy and subsystems
         * here */
* On Ubuntu 14.04, logging in as an ordinary user gives:

karma@lxctest02:~$ id
uid=1000(karma) gid=1000(karma) groups=1000(karma),27(sudo)
karma@lxctest02:~$ cat /proc/self/cgroup
11:name=systemd:/user/1000.user/5.session
10:hugetlb:/user/1000.user/5.session
9:perf_event:/user/1000.user/5.session
8:blkio:/user/1000.user/5.session
7:freezer:/user/1000.user/5.session
6:devices:/user/1000.user/5.session
5:memory:/user/1000.user/5.session
4:cpuacct:/user/1000.user/5.session
3:cpu:/user/1000.user/5.session
2:cpuset:/user/1000.user/5.session
* This directory is writable by the user:

karma@lxctest02:~$ LANG=C ls -ld /sys/fs/cgroup/cpu/user/1000.user/5.session
drwxr-xr-x 2 karma karma 0 Jan 20 10:37 /sys/fs/cgroup/cpu/user/1000.user/5.session
* Incidentally, a process is registered with a cgroup in the usual way, with something like echo $$ > tasks. The script below does that for every controller (it assumes PID is already set to the pid of the shell to move; the PID check and the quoting were added here):

#!/bin/bash
# PID must hold the pid of the process to move into the new cgroups
: "${PID:?set PID to the pid of the process to move}"
for c in /sys/fs/cgroup/*
do
    sudo mkdir "$c/karma"
    sudo chown -R karma: "$c/karma"
    if [ "$(basename "$c")" = "cpuset" ]; then
        # cpuset requires cpus and mems to be assigned before tasks can join
        echo 0 > "$c/karma/cpuset.cpus"
        echo 0 > "$c/karma/cpuset.mems"
    fi
    echo "$PID" > "$c/karma/tasks"
done
After running it, the result is, as expected:

karma@lxctest02:~$ cat /proc/self/cgroup
11:name=systemd:/karma
10:hugetlb:/karma
9:perf_event:/karma
8:blkio:/karma
7:freezer:/karma
6:devices:/karma
5:memory:/karma
4:cpuacct:/karma
3:cpu:/karma
2:cpuset:/karma
* Who creates directories like /sys/fs/cgroup/user/1000.user/5.session? It appears to be one of the systemd daemons (via pam_loginuid?). From systemd/src/shared/cgroup-util.c:

int cg_path_get_session(const char *path, char **session) {
        const char *e, *n;
        char *s;

        assert(path);
        assert(session);

        e = path_startswith(path, "/user/");
        if (!e)
                return -ENOENT;

        /* Skip the user name */
        e = skip_label(e);
        if (!e)
                return -ENOENT;

        n = strchrnul(e, '/');
        if (n - e < 8)
                return -ENOENT;
        if (memcmp(n - 8, ".session", 8) != 0)
                return -ENOENT;

        s = strndup(e, n - e - 8);
        if (!s)
                return -ENOMEM;

        *session = s;
        return 0;
}
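As an added example (not LXC's or systemd's code), the C program below parses /proc/self/cgroup lines in the hierarchy:subsystems:path format that the LXC comment above describes, then applies the same /user/<label>/<id>.session rule as cg_path_get_session to recover the logind session id. The sample lines are constructed to match the two outputs shown on this page, and the function names are this example's own.

```c
#define _POSIX_C_SOURCE 200809L          /* for strndup() */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Split one /proc/self/cgroup line ("hierarchy:subsystems:path") into its
 * fields, as the LXC loop above does. Returns 0, or -EINVAL if malformed. */
int parse_cgroup_line(const char *line, int *hier,
                      char *subsys, size_t sn, char *path, size_t pn)
{
    const char *c1 = strchr(line, ':');
    const char *c2 = c1 ? strchr(c1 + 1, ':') : NULL;
    if (!c1 || !c2)
        return -EINVAL;
    *hier = atoi(line);
    snprintf(subsys, sn, "%.*s", (int)(c2 - c1 - 1), c1 + 1);
    snprintf(path, pn, "%s", c2 + 1);
    path[strcspn(path, "\n")] = '\0';   /* drop the newline getline() keeps */
    return 0;
}

/* Same rule as systemd's cg_path_get_session (reimplemented, not systemd's
 * code): "/user/<label>/<id>.session" -> strdup'd "<id>", else -ENOENT. */
int path_get_session(const char *path, char **session)
{
    const char *e, *n;
    if (strncmp(path, "/user/", 6) != 0 || !(e = strchr(path + 6, '/')))
        return -ENOENT;                 /* not under /user/, or no "<uid>.user" label */
    e += strspn(e, "/");
    n = e + strcspn(e, "/");            /* strchrnul() equivalent */
    if (n - e < 8 || memcmp(n - 8, ".session", 8) != 0)
        return -ENOENT;
    *session = strndup(e, (size_t)(n - e - 8));
    return *session ? 0 : -ENOMEM;
}

/* Session id for a whole cgroup line, or NULL when the process is not in a
 * logind-style session cgroup (e.g. after moving to /karma). Caller frees. */
char *session_of_line(const char *line)
{
    int hier;
    char subsys[64], path[256], *s;
    if (parse_cgroup_line(line, &hier, subsys, sizeof subsys, path, sizeof path))
        return NULL;
    return path_get_session(path, &s) == 0 ? s : NULL;
}
```

session_of_line() takes one line as printed by cat /proc/self/cgroup above and yields "5" for the /user/1000.user/5.session lines and NULL once the process has been moved to /karma.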