linux:lxc:非特権コンテナメモ

上記の非特権コンテナの要件に

  • Kernel: 3.13 + a couple of staging patches (which Ubuntu has in its kernel)
  • User namespaces enabled in the kernel
  • A very recent version of shadow that supports subuid/subgid
  • Per-user cgroups on all controllers (which I turned on a couple of weeks ago)
  • LXC 1.0 beta2 or higher (released two days ago)
  • A version of PAM with a loginuid patch that’s yet to be in any released version

とある.

  • まず lxc/src/lxc/cgroup.c で
    static bool find_cgroup_hierarchies(struct cgroup_meta_data *meta_data,
            bool all_kernel_subsystems, bool all_named_subsystems,
            const char **subsystem_whitelist)
    {
            FILE *proc_self_cgroup;
            char *line = NULL;
            size_t sz = 0;
            int r;
            bool bret = false;
            size_t hierarchy_capacity = 0;
     
            proc_self_cgroup = fopen_cloexec("/proc/self/cgroup", "r");
            /* if for some reason (because of setns() and pid namespace for example)
    ,
             * /proc/self is not valid, we try /proc/1/cgroup... */
            if (!proc_self_cgroup)
                    proc_self_cgroup = fopen_cloexec("/proc/1/cgroup", "r");
            if (!proc_self_cgroup)
                    return false;
     
            while (getline(&line, &sz, proc_self_cgroup) != -1) {
                    /* file format: hierarchy:subsystems:group,
                     * we only extract hierarchy and subsystems
                     * here */

    こんなコードがあり,/proc/self/cgroup から「現在の cgroup」を取得するようになってる

  • Ubuntu 14.04 だと一般ユーザでログインすると
    karma@lxctest02:~$ id
    uid=1000(karma) gid=1000(karma) groups=1000(karma),27(sudo)
    karma@lxctest02:~$ cat /proc/self/cgroup 
    11:name=systemd:/user/1000.user/5.session
    10:hugetlb:/user/1000.user/5.session
    9:perf_event:/user/1000.user/5.session
    8:blkio:/user/1000.user/5.session
    7:freezer:/user/1000.user/5.session
    6:devices:/user/1000.user/5.session
    5:memory:/user/1000.user/5.session
    4:cpuacct:/user/1000.user/5.session
    3:cpu:/user/1000.user/5.session
    2:cpuset:/user/1000.user/5.session
  • ここは書き込み権がある
    karma@lxctest02:~$ LANG=C ls -ld /sys/fs/cgroup/cpu/user/1000.user/5.session
    drwxr-xr-x 2 karma karma 0 Jan 20 10:37 /sys/fs/cgroup/cpu/user/1000.user/5.session
  • ちなみに,普通に echo $$ > tasks のようにして cgroup に登録してみる.以下のコード
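    #!/bin/bash
    # Create a per-user cgroup under every mounted controller, hand it to that
    # user with chown, and then move one process into it.
    #
    #   usage: <script> [user]      user defaults to "karma"
    #   PID   process to move; defaults to this shell ($$) when not set in the
    #         environment (the original used $PID without ever assigning it)
    #
    # mkdir/chown go through sudo; the writes into the new group (cpuset.*, tasks)
    # are done as the invoking user, so they only succeed once chown has handed
    # the group over.
    user="${1:-karma}"
    pid="${PID:-$$}"

    for c in /sys/fs/cgroup/*; do
      # only controller mount points are directories; skip anything else
      [ -d "$c" ] || continue

      sudo mkdir "$c/$user"
      sudo chown -R "$user:" "$c/$user"

      # cpuset needs cpus/mems populated before a task can be attached
      if [ "$(basename "$c")" = "cpuset" ]; then
        echo 0 > "$c/$user/cpuset.cpus"
        echo 0 > "$c/$user/cpuset.mems"
      fi

      echo "$pid" > "$c/$user/tasks"
    done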

    を実行すると,当然

    karma@lxctest02:~$ cat /proc/self/cgroup 
    11:name=systemd:/karma
    10:hugetlb:/karma
    9:perf_event:/karma
    8:blkio:/karma
    7:freezer:/karma
    6:devices:/karma
    5:memory:/karma
    4:cpuacct:/karma
    3:cpu:/karma
    2:cpuset:/karma
  • /sys/fs/cgroup/user/1000.user/5.session みたいなのは誰が作ってるのか? どうも systemd のデーモンのどれかっぽい.(pam_loginuid 使って?)
    /**
     * Extract the session name from a cgroup path of the form
     * "/user/<user>/<session>.session[/...]".
     *
     * @param path     cgroup path to inspect (must not be NULL).
     * @param session  receives a newly allocated copy of the session label
     *                 without its ".session" suffix; allocated with strndup.
     * @return 0 on success, -ENOENT if the path is not a session path,
     *         -ENOMEM if the copy could not be allocated.
     */
    int cg_path_get_session(const char *path, char **session) {
            const char *label, *label_end;
            size_t label_len;
            char *copy;

            assert(path);
            assert(session);

            /* Only paths rooted at /user/ can describe a session. */
            label = path_startswith(path, "/user/");
            if (!label)
                    return -ENOENT;

            /* The first label after /user/ is the user name; the session follows it. */
            label = skip_label(label);
            if (!label)
                    return -ENOENT;

            /* The session label runs up to the next '/' or the end of the string. */
            label_end = strchr(label, '/');
            if (!label_end)
                    label_end = label + strlen(label);
            label_len = (size_t)(label_end - label);

            /* It must carry the ".session" suffix. */
            if (label_len < 8 || memcmp(label_end - 8, ".session", 8) != 0)
                    return -ENOENT;

            copy = strndup(label, label_len - 8);
            if (!copy)
                    return -ENOMEM;

            *session = copy;
            return 0;
    }

    systemd/src/shared/cgroup-util.c
