summaryrefslogtreecommitdiff
path: root/src/nspawn
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2015-09-03 20:10:00 +0200
committerLennart Poettering <lennart@poettering.net>2015-09-04 09:07:31 +0200
commit98e4d8d7635496cbf62c8127ce6a8e8f7604a031 (patch)
tree68abbb86889691edb419329c82fa36145b862b6b /src/nspawn
parent5f4c5fef66581383ee852b301db67f687663004c (diff)
nspawn: enable all controllers we can for the "payload" subcgroup we create
In the unified hierarchy delegating controller access is safe, hence make sure to enable all controllers for the "payload" subcgroup if we create it, so that the container will have all controllers enabled the nspawn service itself has.
Diffstat (limited to 'src/nspawn')
-rw-r--r--src/nspawn/nspawn.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index a56960506c..1c64c3e771 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -4737,6 +4737,7 @@ static int create_subcgroup(pid_t pid) {
_cleanup_free_ char *cgroup = NULL;
const char *child;
int unified, r;
+ CGroupMask supported;
/* In the unified hierarchy inner nodes may only only contain
* subgroups, but not processes. Hence, if we running in the
@@ -4756,6 +4757,10 @@ static int create_subcgroup(pid_t pid) {
if (unified == 0)
return 0;
+ r = cg_mask_supported(&supported);
+ if (r < 0)
+ return log_error_errno(r, "Failed to determine supported controllers: %m");
+
r = cg_pid_get_path(SYSTEMD_CGROUP_CONTROLLER, 0, &cgroup);
if (r < 0)
return log_error_errno(r, "Failed to get our control group: %m");
@@ -4770,6 +4775,8 @@ static int create_subcgroup(pid_t pid) {
if (r < 0)
return log_error_errno(r, "Failed to create %s subcgroup: %m", child);
+ /* Try to enable as many controllers as possible for the new payload. */
+ (void) cg_enable_everywhere(supported, supported, cgroup);
return 0;
}