[systemd-commits] 6 commits - TODO src/core src/nspawn
Lennart Poettering
lennart at kemper.freedesktop.org
Sun Feb 23 18:39:04 PST 2014
TODO | 18 -----------
src/core/cgroup.c | 41 ++++++++++++++-----------
src/core/dbus-cgroup.c | 13 +++++++-
src/core/dbus-manager.c | 1
src/core/unit.c | 3 -
src/nspawn/nspawn.c | 78 +++++++++++++++++++++++++++++++++++++++++++-----
6 files changed, 109 insertions(+), 45 deletions(-)
New commits:
commit 01efdf13a6ee9a14fd6d8b41a5d522d5917e1fbc
Author: Lennart Poettering <lennart at poettering.net>
Date: Mon Feb 24 03:38:24 2014 +0100
cgroup: certain cgroup attributes are not available in the root cgroup, hence don't bother
diff --git a/src/core/cgroup.c b/src/core/cgroup.c
index 50de02d..1327486 100644
--- a/src/core/cgroup.c
+++ b/src/core/cgroup.c
@@ -268,6 +268,7 @@ fail:
}
void cgroup_context_apply(CGroupContext *c, CGroupControllerMask mask, const char *path) {
+ bool is_root;
int r;
assert(c);
@@ -276,7 +277,11 @@ void cgroup_context_apply(CGroupContext *c, CGroupControllerMask mask, const cha
if (mask == 0)
return;
- if (mask & CGROUP_CPU) {
+ /* Some cgroup attributes are not support on the root cgroup,
+ * hence silently ignore */
+ is_root = isempty(path) || path_equal(path, "/");
+
+ if ((mask & CGROUP_CPU) && !is_root) {
char buf[DECIMAL_STR_MAX(unsigned long) + 1];
sprintf(buf, "%lu\n", c->cpu_shares);
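Review bot: The comment introduced just above the `is_root` assignment has a typo and a dangling object: `/* Some cgroup attributes are not supported on the root cgroup, hence silently ignore them */`. The guard is applied to the cpu, blkio weight and devices branches, but the memory branch (its tail is the `memory.limit_in_bytes` error line visible in a later hunk) keeps no `!is_root` check; if the root memory cgroup rejects that write as well, the error log this commit sets out to silence will still appear, which is worth confirming. cgroup_context_apply starts and ends outside the hunk.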
@@ -292,23 +297,25 @@ void cgroup_context_apply(CGroupContext *c, CGroupControllerMask mask, const cha
CGroupBlockIODeviceWeight *w;
CGroupBlockIODeviceBandwidth *b;
- sprintf(buf, "%lu\n", c->blockio_weight);
- r = cg_set_attribute("blkio", path, "blkio.weight", buf);
- if (r < 0)
- log_warning("Failed to set blkio.weight on %s: %s", path, strerror(-r));
+ if (!is_root) {
+ sprintf(buf, "%lu\n", c->blockio_weight);
+ r = cg_set_attribute("blkio", path, "blkio.weight", buf);
+ if (r < 0)
+ log_warning("Failed to set blkio.weight on %s: %s", path, strerror(-r));
- /* FIXME: no way to reset this list */
- LIST_FOREACH(device_weights, w, c->blockio_device_weights) {
- dev_t dev;
+ /* FIXME: no way to reset this list */
+ LIST_FOREACH(device_weights, w, c->blockio_device_weights) {
+ dev_t dev;
- r = lookup_blkio_device(w->path, &dev);
- if (r < 0)
- continue;
+ r = lookup_blkio_device(w->path, &dev);
+ if (r < 0)
+ continue;
- sprintf(buf, "%u:%u %lu", major(dev), minor(dev), w->weight);
- r = cg_set_attribute("blkio", path, "blkio.weight_device", buf);
- if (r < 0)
- log_error("Failed to set blkio.weight_device on %s: %s", path, strerror(-r));
+ sprintf(buf, "%u:%u %lu", major(dev), minor(dev), w->weight);
+ r = cg_set_attribute("blkio", path, "blkio.weight_device", buf);
+ if (r < 0)
+ log_error("Failed to set blkio.weight_device on %s: %s", path, strerror(-r));
+ }
}
/* FIXME: no way to reset this list */
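Review bot: Inside the new `if (!is_root)` block the two failures are reported at different severities: a rejected `blkio.weight` is a `log_warning`, a rejected `blkio.weight_device` a `log_error`, although both are best-effort writes that the function continues past; the second should probably read `log_warning("Failed to set blkio.weight_device on %s: %s", path, strerror(-r));` to match, and the `devices.list` downgrade in the last hunk of this file suggests that is the intended level. The `continue` after `lookup_blkio_device` fails drops a configured BlockIODeviceWeight= entry without any log line, unless that helper logs on its own, which is not visible here. The enclosing `if (mask & CGROUP_BLKIO)` block continues past the end of the hunk.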
@@ -342,7 +349,7 @@ void cgroup_context_apply(CGroupContext *c, CGroupControllerMask mask, const cha
log_error("Failed to set memory.limit_in_bytes on %s: %s", path, strerror(-r));
}
- if (mask & CGROUP_DEVICE) {
+ if ((mask & CGROUP_DEVICE) && !is_root) {
CGroupDeviceAllow *a;
if (c->device_allow || c->device_policy != CGROUP_AUTO)
@@ -350,7 +357,7 @@ void cgroup_context_apply(CGroupContext *c, CGroupControllerMask mask, const cha
else
r = cg_set_attribute("devices", path, "devices.allow", "a");
if (r < 0)
- log_error("Failed to reset devices.list on %s: %s", path, strerror(-r));
+ log_warning("Failed to reset devices.list on %s: %s", path, strerror(-r));
if (c->device_policy == CGROUP_CLOSED ||
(c->device_policy == CGROUP_AUTO && c->device_allow)) {
commit c35fa384d00dc5dc7d9f339113b015a3f8a5cf79
Author: Lennart Poettering <lennart at poettering.net>
Date: Mon Feb 24 03:20:54 2014 +0100
core: gc half-created stub units
diff --git a/src/core/unit.c b/src/core/unit.c
index a59556d..1bbcb39 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -259,9 +259,6 @@ int unit_set_description(Unit *u, const char *description) {
bool unit_check_gc(Unit *u) {
assert(u);
- if (u->load_state == UNIT_STUB)
- return true;
-
if (UNIT_VTABLE(u)->no_gc)
return true;
commit b272b74dfd2284838db737f62a77fb5ece227bea
Author: Lennart Poettering <lennart at poettering.net>
Date: Mon Feb 24 03:20:24 2014 +0100
core: expose root control group on the bus
We expose the control group of the units on the bus, so let's also
expose the root control group.
diff --git a/src/core/dbus-manager.c b/src/core/dbus-manager.c
index 75004cb..86816f6 100644
--- a/src/core/dbus-manager.c
+++ b/src/core/dbus-manager.c
@@ -1577,6 +1577,7 @@ const sd_bus_vtable bus_manager_vtable[] = {
SD_BUS_PROPERTY("DefaultStandardError", "s", bus_property_get_exec_output, offsetof(Manager, default_std_output), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_WRITABLE_PROPERTY("RuntimeWatchdogUSec", "t", bus_property_get_usec, property_set_runtime_watchdog, offsetof(Manager, runtime_watchdog), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_WRITABLE_PROPERTY("ShutdownWatchdogUSec", "t", bus_property_get_usec, bus_property_set_usec, offsetof(Manager, shutdown_watchdog), SD_BUS_VTABLE_PROPERTY_CONST),
+ SD_BUS_PROPERTY("ControlGroup", "s", NULL, offsetof(Manager, cgroup_root), 0),
SD_BUS_METHOD("GetUnit", "s", "o", method_get_unit, SD_BUS_VTABLE_UNPRIVILEGED),
SD_BUS_METHOD("GetUnitByPID", "u", "o", method_get_unit_by_pid, SD_BUS_VTABLE_UNPRIVILEGED),
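Review bot: The new `ControlGroup` property is registered with flags `0` while every neighbouring property in the table carries `SD_BUS_VTABLE_PROPERTY_CONST`; if `cgroup_root` is fixed for the manager's lifetime, which looks likely but is not visible here, the entry should match its neighbours, and if it is deliberately left mutable a short comment saying so would stop the next reader from "fixing" it. With a NULL getter and signature "s", sd-bus reads the field at `offsetof(Manager, cgroup_root)` as a string pointer, so that field's type should be confirmed. The vtable array starts and ends outside the hunk.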
commit 9e281251e99bbbbcb0366575b5195c36fc9483d7
Author: Lennart Poettering <lennart at poettering.net>
Date: Mon Feb 24 03:03:05 2014 +0100
update TODO
diff --git a/TODO b/TODO
index 55d2210..a2ba0f5 100644
--- a/TODO
+++ b/TODO
@@ -36,15 +36,6 @@ Features:
man pages maybe called "systemd.link(5)", "systemd.network(5)" and
"systemd.netdev(5)" or so.
-* extend device cgroup controller support to allow enabling groups of
- device nodes, so that pts can be allowed in whole. For that,
- introduce the syntax "block-XYZ" and "char-XYZ" in addition to the
- existing "/dev/foobar", where XYZ then is looked up in /proc/devices
- and mapped to one or more majors.
-
-* Add all pts device nodes to those allowed by default when the device
- controller is used.
-
* "busctl status" works only as root on dbus1, since we cannot read
/proc/$PID/exe
@@ -256,11 +247,6 @@ Features:
* timedate: have global on/off switches for auto-time (NTP), and auto-timezone that connman can subscribe to.
-* dev-setup.c: when running in a container, create a tiny stub udev
- database with the systemd tag set for all network interfaces found,
- so that libudev reports them as present, and systemd's .device units
- will be activated.
-
* merge unit_kill_common() and unit_kill_context()
* introduce ExecCondition= in services
@@ -454,11 +440,9 @@ Features:
* nspawn:
- nspawn: consider changing users for -u with /usr/bin/getent, so that NSS resolving works correctly
- - nspawn: implement personality changes a la linux32(8)
- nspawn: --read-only is not applied recursively to submounts
- - nspawn: make use of device cgroup controller by default
- bind mount read-only the cgroup tree higher than nspawn
- - nspawn: make it work for dwalsh and shared /usr containers -- tmpfs mounts as command line parameters, selinux exec context
+ - nspawn: make it work for dwalsh and shared /usr containers -- tmpfs mounts as command line parameters
- refuses to boot containers without /etc/machine-id (OK?), and with empty /etc/machine-id (not OK).
- support taking a btrfs snapshot at startup and dropping it afterwards
- maybe: hookup nspawn and PrivateNetwork=yes with "ip netns"
commit 9457ac5b4e755e9019ead2f564124df5d35ee7cf
Author: Lennart Poettering <lennart at poettering.net>
Date: Mon Feb 24 03:00:38 2014 +0100
nspawn: make use of the devices cgroup controller by default
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 2441758..de74a43 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -1188,22 +1188,86 @@ static int register_machine(pid_t pid) {
(uint32_t) pid,
strempty(arg_directory));
} else {
- r = sd_bus_call_method(
+ _cleanup_bus_message_unref_ sd_bus_message *m = NULL;
+
+ r = sd_bus_message_new_method_call(
bus,
+ &m,
"org.freedesktop.machine1",
"/org/freedesktop/machine1",
"org.freedesktop.machine1.Manager",
- "CreateMachine",
- &error,
- NULL,
- "sayssusa(sv)",
+ "CreateMachine");
+ if (r < 0) {
+ log_error("Failed to create message: %s", strerror(-r));
+ return r;
+ }
+
+ r = sd_bus_message_append(
+ m,
+ "sayssus",
arg_machine,
SD_BUS_MESSAGE_APPEND_ID128(arg_uuid),
"nspawn",
"container",
(uint32_t) pid,
- strempty(arg_directory),
- !isempty(arg_slice), "Slice", "s", arg_slice);
+ strempty(arg_directory));
+ if (r < 0) {
+ log_error("Failed to append message arguments: %s", strerror(-r));
+ return r;
+ }
+
+ r = sd_bus_message_open_container(m, 'a', "(sv)");
+ if (r < 0) {
+ log_error("Failed to open container: %s", strerror(-r));
+ return r;
+ }
+
+ if (!isempty(arg_slice)) {
+ r = sd_bus_message_append(m, "(sv)", "Slice", "s", arg_slice);
+ if (r < 0) {
+ log_error("Failed to append slice: %s", strerror(-r));
+ return r;
+ }
+ }
+
+ r = sd_bus_message_append(m, "(sv)", "DevicePolicy", "s", "strict");
+ if (r < 0) {
+ log_error("Failed to add device policy: %s", strerror(-r));
+ return r;
+ }
+
+ r = sd_bus_message_append(m, "(sv)", "DeviceAllow", "a(ss)", 8,
+ /* Allow the container to
+ * access and create the API
+ * device nodes, so that
+ * PrivateDevices= in the
+ * container can work
+ * fine */
+ "/dev/null", "rwm",
+ "/dev/zero", "rwm",
+ "/dev/full", "rwm",
+ "/dev/random", "rwm",
+ "/dev/urandom", "rwm",
+ "/dev/tty", "rwm",
+ /* Allow the container
+ * access to ptys. However,
+ * do not permit the
+ * container to ever create
+ * these device nodes. */
+ "/dev/pts/ptmx", "rw",
+ "char-pts", "rw");
+ if (r < 0) {
+ log_error("Failed to add device whitelist: %s", strerror(-r));
+ return r;
+ }
+
+ r = sd_bus_message_close_container(m);
+ if (r < 0) {
+ log_error("Failed to close container: %s", strerror(-r));
+ return r;
+ }
+
+ r = sd_bus_call(bus, m, 0, &error, NULL);
}
if (r < 0) {
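Review bot: The array length `8` passed with `"a(ss)"` is a bare literal that must equal the number of (path, mode) pairs that follow; adding a node without bumping it makes sd_bus_message_append read the variadic arguments out of step, so a comment such as `/* 8 = number of (path, mode) pairs below; keep in sync */` next to the literal would help. Since this list together with `DevicePolicy=strict` is the container's device sandbox, the existing comments would be stronger if they also said why `m` is granted on the API nodes but withheld on `/dev/pts/ptmx` and `char-pts`. The other branch of this if/else, above the hunk, does not append these properties, so whether that registration path ends up with no device policy at all should be confirmed. register_machine starts and ends outside the hunk.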
commit 9c96019d3183ef93e243416f4c17334ee9108b47
Author: Lennart Poettering <lennart at poettering.net>
Date: Mon Feb 24 02:59:57 2014 +0100
cgroup: parse array cgroup properties correctly when they aren't at the end of the message
diff --git a/src/core/dbus-cgroup.c b/src/core/dbus-cgroup.c
index b8a7725..775825b 100644
--- a/src/core/dbus-cgroup.c
+++ b/src/core/dbus-cgroup.c
@@ -278,6 +278,10 @@ int bus_cgroup_set_property(
if (r < 0)
return r;
+ r = sd_bus_message_exit_container(message);
+ if (r < 0)
+ return r;
+
if (mode != UNIT_CHECK) {
CGroupBlockIODeviceBandwidth *a, *next;
_cleanup_free_ char *buf = NULL;
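Review bot: The new `sd_bus_message_exit_container` check returns before the attribute file is written but after the read loop above it has already run; if that loop appends the parsed entries to `c` when `mode != UNIT_CHECK` (its body is outside this hunk), a failure here leaves the CGroupContext updated while the cgroup attribute stays unchanged. If so, parsing into a temporary list and committing only after the container has been exited cleanly would keep the two in step. The same four lines recur in the hunks at `@@ -356,6 +360,10 @@` and `@@ -489,6 +496,10 @@`. bus_cgroup_set_property starts and ends outside the hunk.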
@@ -356,6 +360,10 @@ int bus_cgroup_set_property(
n++;
}
+ r = sd_bus_message_exit_container(message);
+ if (r < 0)
+ return r;
+
if (mode != UNIT_CHECK) {
_cleanup_free_ char *buf = NULL;
_cleanup_fclose_ FILE *f = NULL;
@@ -481,7 +489,6 @@ int bus_cgroup_set_property(
a->r = !!strchr(rwm, 'r');
a->w = !!strchr(rwm, 'w');
a->m = !!strchr(rwm, 'm');
-
}
n++;
@@ -489,6 +496,10 @@ int bus_cgroup_set_property(
if (r < 0)
return r;
+ r = sd_bus_message_exit_container(message);
+ if (r < 0)
+ return r;
+
if (mode != UNIT_CHECK) {
_cleanup_free_ char *buf = NULL;
_cleanup_fclose_ FILE *f = NULL;