On Fri, Oct 03, 2008 at 08:40:24AM -0700, Dan Smith wrote:
This patch adds code to the controller to set up a cgroup named after the domain name, set the memory limit, and restrict devices. It also adds bits to lxc_driver to properly clean up the cgroup on domain death.
If virCgroupHaveSupport() says that no support is available, then we just allow the domain creation to proceed as it did before without resource controls in place.
+ struct cgroup_device_policy devices[] = { + {'c', VIR_CG_DEV_MAJ_MEMORY, VIR_CG_DEV_MIN_NULL}, + {'c', VIR_CG_DEV_MAJ_MEMORY, VIR_CG_DEV_MIN_ZERO}, + {'c', VIR_CG_DEV_MAJ_MEMORY, VIR_CG_DEV_MIN_FULL}, + {'c', VIR_CG_DEV_MAJ_MEMORY, VIR_CG_DEV_MIN_RANDOM}, + {'c', VIR_CG_DEV_MAJ_MEMORY, VIR_CG_DEV_MIN_URANDOM}, + {'c', VIR_CG_DEV_MAJ_TTY, VIR_CG_DEV_MIN_CONSOLE}, + {0, 0, 0}};
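Review bot: devices[] is declared without static const even though it is a fixed allow-list ending in the {0, 0, 0} sentinel; declaring it as `static const struct cgroup_device_policy devices[]` would make it read-only. The rows also carry no comment saying which /dev node each major/minor pair stands for, so a short comment per row (or one above the table) would make the allowed set easier to audit.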
You're going to hate me for suggesting more changes, but.... This list of devices is currently duplicated in two places - once here where we set permissions, and again when we actually create the container and populate its /dev/ in lxc_container.c. Could do with a master list of device nodes used by both.

Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
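A sketch of the shared master list suggested in the reply above, added here as an illustration and not code from libvirt or from this thread: one table feeds both the cgroup device rule and the /dev node lookup, so the two can no longer drift apart. The struct and function names are hypothetical, the major/minor numbers are the standard Linux assignments for these nodes, and the modes are assumed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical master table (names are not libvirt's). Major/minor numbers
 * are the standard Linux assignments; the modes are assumed for the demo. */
struct dev_node {
    char type;             /* 'c' = character device */
    unsigned int maj, min;
    unsigned int mode;     /* permissions of the node in the container's /dev */
    const char *path;
};
static const struct dev_node master_devs[] = {
    {'c', 1, 3, 0666, "/dev/null"},
    {'c', 1, 5, 0666, "/dev/zero"},
    {'c', 1, 7, 0666, "/dev/full"},
    {'c', 1, 8, 0666, "/dev/random"},
    {'c', 1, 9, 0666, "/dev/urandom"},
    {'c', 5, 1, 0600, "/dev/console"},
};
#define N_DEVS (sizeof(master_devs) / sizeof(master_devs[0]))

/* Consumer 1: the rule text written to the cgroup's devices.allow file. */
static int cgroup_allow_rule(size_t i, char *buf, size_t len)
{
    if (i >= N_DEVS)
        return -1;
    int n = snprintf(buf, len, "%c %u:%u rwm", master_devs[i].type,
                     master_devs[i].maj, master_devs[i].min);
    return (n < 0 || (size_t)n >= len) ? -1 : 0; /* reject truncated rules */
}

/* Consumer 2: the entry /dev population would mknod(), looked up by path. */
static const struct dev_node *dev_by_path(const char *path)
{
    for (size_t i = 0; i < N_DEVS; i++)
        if (strcmp(master_devs[i].path, path) == 0)
            return &master_devs[i];
    return NULL; /* not in the table: neither created nor allowed */
}

int main(void)
{
    char rule[32];
    for (size_t i = 0; i < N_DEVS; i++)
        if (cgroup_allow_rule(i, rule, sizeof(rule)) == 0)
            printf("%-13s %04o  devices.allow: %s\n", master_devs[i].path,
                   master_devs[i].mode, rule);
    return dev_by_path("/dev/null") ? 0 : 1;
}
```

Adding or removing a device is then a one-row change that both the permission setup and the /dev population pick up.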