Move check for cgroup devices ACL upfront in LXC hotplug

The check for whether the cgroup devices ACL is available is done quite late during LXC hotplug - in fact after the device node is already created in the container in some cases. Better to do it upfront so we fail immediately. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2025-02-22 03:12:22 +00:00 · 2014-02-05 17:48:03 +00:00 · 2014-02-05 17:48:03 +00:00 · c3eb12cace
commit c3eb12cace
parent d24e6b8b1e
1 changed files with 12 additions and 24 deletions
--- a/src/lxc/lxc_driver.c
+++ b/src/lxc/lxc_driver.c
@ -3675,6 +3675,12 @@ lxcDomainAttachDeviceDiskLive(virLXCDriverPtr driver,
        goto cleanup;
    }

+    if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES)) {
+        virReportError(VIR_ERR_OPERATION_INVALID, "%s",
+                       _("devices cgroup isn't mounted"));
+        goto cleanup;
+    }
+
    if (def->type != VIR_DOMAIN_DISK_TYPE_BLOCK) {
        virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
                       _("Can't setup disk for non-block device"));
@ -3742,12 +3748,6 @@ lxcDomainAttachDeviceDiskLive(virLXCDriverPtr driver,
                                        vm->def, def) < 0)
        goto cleanup;

-    if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES)) {
-        virReportError(VIR_ERR_OPERATION_INVALID, "%s",
-                       _("devices cgroup isn't mounted"));
-        goto cleanup;
-    }
-
    if (virCgroupAllowDevicePath(priv->cgroup, def->src,
                                 (def->readonly ?
                                  VIR_CGROUP_DEVICE_READ :
@ -3944,12 +3944,6 @@ lxcDomainAttachDeviceHostdevSubsysUSBLive(virLXCDriverPtr driver,
                    def->source.subsys.u.usb.device) < 0)
        goto cleanup;

-    if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES)) {
-        virReportError(VIR_ERR_OPERATION_INVALID, "%s",
-                       _("devices cgroup isn't mounted"));
-        goto cleanup;
-    }
-
    if (!(usb = virUSBDeviceNew(def->source.subsys.u.usb.bus,
                                def->source.subsys.u.usb.device, vroot)))
        goto cleanup;
@ -4097,12 +4091,6 @@ lxcDomainAttachDeviceHostdevStorageLive(virLXCDriverPtr driver,
                                          vm->def, def, vroot) < 0)
        goto cleanup;

-    if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES)) {
-        virReportError(VIR_ERR_OPERATION_INVALID, "%s",
-                       _("devices cgroup isn't mounted"));
-        goto cleanup;
-    }
-
    if (virCgroupAllowDevicePath(priv->cgroup, def->source.caps.u.storage.block,
                                 VIR_CGROUP_DEVICE_RW |
                                 VIR_CGROUP_DEVICE_MKNOD) != 0) {
@ -4205,12 +4193,6 @@ lxcDomainAttachDeviceHostdevMiscLive(virLXCDriverPtr driver,
                                          vm->def, def, vroot) < 0)
        goto cleanup;

-    if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES)) {
-        virReportError(VIR_ERR_OPERATION_INVALID, "%s",
-                       _("devices cgroup isn't mounted"));
-        goto cleanup;
-    }
-
    if (virCgroupAllowDevicePath(priv->cgroup, def->source.caps.u.misc.chardev,
                                 VIR_CGROUP_DEVICE_RW |
                                 VIR_CGROUP_DEVICE_MKNOD) != 0) {
@ -4286,6 +4268,12 @@ lxcDomainAttachDeviceHostdevLive(virLXCDriverPtr driver,
        return -1;
    }

+    if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES)) {
+        virReportError(VIR_ERR_OPERATION_INVALID, "%s",
+                       _("devices cgroup isn't mounted"));
+        return -1;
+    }
+
    switch (dev->data.hostdev->mode) {
    case VIR_DOMAIN_HOSTDEV_MODE_SUBSYS:
        return lxcDomainAttachDeviceHostdevSubsysLive(driver, vm, dev);