文書の過去の版を表示しています。
上記の非特権コンテナの要件に
- Kernel: 3.13 + a couple of staging patches (which Ubuntu has in its kernel)
- User namespaces enabled in the kernel
- A very recent version of shadow that supports subuid/subgid
- Per-user cgroups on all controllers (which I turned on a couple of weeks ago)
- LXC 1.0 beta2 or higher (released two days ago)
- A version of PAM with a loginuid patch that’s yet to be in any released version
とある.
- まず lxc/src/lxc/cgroup.c で
static bool find_cgroup_hierarchies(struct cgroup_meta_data *meta_data, bool all_kernel_subsystems, bool all_named_subsystems, const char **subsystem_whitelist) { FILE *proc_self_cgroup; char *line = NULL; size_t sz = 0; int r; bool bret = false; size_t hierarchy_capacity = 0; proc_self_cgroup = fopen_cloexec("/proc/self/cgroup", "r"); /* if for some reason (because of setns() and pid namespace for example) , * /proc/self is not valid, we try /proc/1/cgroup... */ if (!proc_self_cgroup) proc_self_cgroup = fopen_cloexec("/proc/1/cgroup", "r"); if (!proc_self_cgroup) return false; while (getline(&line, &sz, proc_self_cgroup) != -1) { /* file format: hierarchy:subsystems:group, * we only extract hierarchy and subsystems * here */
こんなコードがあり,/proc/self/cgroup から「現在の cgroup」を取得するようになってる
- Ubuntu 14.04 だと一般ユーザでログインすると
karma@lxctest02:~$ id uid=1000(karma) gid=1000(karma) groups=1000(karma),27(sudo) karma@lxctest02:~$ cat /proc/self/cgroup 11:name=systemd:/user/1000.user/5.session 10:hugetlb:/user/1000.user/5.session 9:perf_event:/user/1000.user/5.session 8:blkio:/user/1000.user/5.session 7:freezer:/user/1000.user/5.session 6:devices:/user/1000.user/5.session 5:memory:/user/1000.user/5.session 4:cpuacct:/user/1000.user/5.session 3:cpu:/user/1000.user/5.session 2:cpuset:/user/1000.user/5.session
- ここは書き込み権がある
karma@lxctest02:~$ LANG=C ls -ld /sys/fs/cgroup/cpu/user/1000.user/5.session drwxr-xr-x 2 karma karma 0 Jan 20 10:37 /sys/fs/cgroup/cpu/user/1000.user/5.session