From 291e1a470c004484d94497ebe3dae5b42bbff1c1 Mon Sep 17 00:00:00 2001 From: "Daniel P. Berrange" Date: Thu, 14 Apr 2016 15:19:56 +0100 Subject: [PATCH] virsh: make lxc-enter-namespace also join the cgroups Extend the lxc-enter-namespace command so that it joins the containers' cgroups before starting new namespaces. This ensures that the commands run have the normal resource limits applied Signed-off-by: Daniel P. Berrange --- tools/virsh-domain.c | 3 +++ tools/virsh.pod | 7 ++++--- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/tools/virsh-domain.c b/tools/virsh-domain.c index 11116a90ad..02be58f19a 100644 --- a/tools/virsh-domain.c +++ b/tools/virsh-domain.c @@ -9334,6 +9334,9 @@ cmdLxcEnterNamespace(vshControl *ctl, const vshCmd *cmd) 0) < 0) _exit(EXIT_CANCELED); + if (virDomainLxcEnterCGroup(dom, 0) < 0) + _exit(EXIT_CANCELED); + if (virDomainLxcEnterNamespace(dom, nfdlist, fdlist, diff --git a/tools/virsh.pod b/tools/virsh.pod index 6844823b34..1e5666064a 100644 --- a/tools/virsh.pod +++ b/tools/virsh.pod @@ -4195,9 +4195,10 @@ omitted. Enter the namespace of I and execute the command C passing the requested args. The binary path is relative to the container root filesystem, not the host root filesystem. The binary will inherit the -environment variables / console visible to virsh. This command only works -when connected to the LXC hypervisor driver. This command succeeds only -if C has 0 exit status. +environment variables / console visible to virsh. The command will be run +with the same sVirt context and cgroups placement as processes within the +container. This command only works when connected to the LXC hypervisor +driver. This command succeeds only if C has 0 exit status. By default the new process will run with the security label of the new parent container. Use the I<--noseclabel> option to instead have the
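Review bot: In the tools/virsh-domain.c hunk, a failure of `virDomainLxcEnterCGroup(dom, 0)` ends the child with the same `_exit(EXIT_CANCELED)` as the check just above it and reports nothing, so a user cannot tell a cgroup join failure from a failure of the preceding step. Suggest reporting the libvirt error before exiting, or at least using a distinguishable message. The join is also unconditional, while the security label has the `--noseclabel` opt-out mentioned in virsh.pod. If an administrator may need to run a command in a container whose cgroup limits are already exhausted, consider a matching opt-out flag, or state in the commit message that none is intended. Placing the call before `virDomainLxcEnterNamespace` matches the ordering the commit message describes.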
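Review bot: In the tools/virsh.pod hunk, the added sentence "The command will be run with the same sVirt context and cgroups placement as processes within the container" is stated unconditionally, but the next paragraph says `--noseclabel` changes the security label, so the two now read as contradictory, and the default label behaviour is described twice. Suggest limiting the new sentence to the cgroups placement, leaving the sVirt wording to the existing "By default the new process will run with the security label" paragraph, and noting there that `--noseclabel` does not affect cgroup placement, since the code hunk joins the cgroups regardless of that option.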