@@ -13,91 +13,13 @@ set -e
1313# apparmor sucks and Docker needs to know that it's in a container (c) @tianon
1414export container=docker
1515
16- # as of docker 1.8, cgroups will be mounted in the container
17- if ! mountpoint -q /sys/fs/cgroup; then
18-
19- # First, make sure that cgroups are mounted correctly.
20- CGROUP=/cgroup
21-
22- mkdir -p " $CGROUP "
23-
24- if ! mountpoint -q " $CGROUP " ; then
25- mount -n -t tmpfs -o uid=0,gid=0,mode=0755 cgroup $CGROUP || {
26- echo >&2 ' Could not make a tmpfs mount. Did you use --privileged?'
27- exit 1
28- }
29- fi
30-
31- # Mount the cgroup hierarchies exactly as they are in the parent system.
32- for HIER in $( cut -d: -f2 /proc/1/cgroup) ; do
33-
34- SUBSYSTEMS=" ${HIER% name=* } "
35-
36- # If cgroup hierarchy is named(mounted with "-o name=foo") we
37- # need to mount it in $CGROUP/foo to create exect same
38- # directoryes as on host. Else we need to mount it as is e.g.
39- # "subsys1,subsys2" if it has two subsystems
40-
41- # Named, control-less cgroups are mounted with "-o name=foo"
42- # (and appear as such under /proc/<pid>/cgroup) but are usually
43- # mounted on a directory named "foo" (without the "name=" prefix).
44- # Systemd and OpenRC (and possibly others) both create such a
45- # cgroup. So just mount them on directory $CGROUP/foo.
46-
47- OHIER=$HIER
48- HIER=" ${HIER#* name=} "
49-
50- mkdir -p " $CGROUP /$HIER "
51-
52- if ! mountpoint -q " $CGROUP /$HIER " ; then
53- mount -n -t cgroup -o " $OHIER " cgroup " $CGROUP /$HIER "
54- fi
55-
56- # Likewise, on at least one system, it has been reported that
57- # systemd would mount the CPU and CPU accounting controllers
58- # (respectively "cpu" and "cpuacct") with "-o cpuacct,cpu"
59- # but on a directory called "cpu,cpuacct" (note the inversion
60- # in the order of the groups). This tries to work around it.
61-
62- if [ " $HIER " = ' cpuacct,cpu' ]; then
63- ln -s " $HIER " " $CGROUP /cpu,cpuacct"
64- fi
65-
66- # If hierarchy has multiple subsystems, in /proc/<pid>/cgroup
67- # we will see ":subsys1,subsys2,subsys3,name=foo:" substring,
68- # we need to mount it to "$CGROUP/foo" and if there were no
69- # name to "$CGROUP/subsys1,subsys2,subsys3", so we must create
70- # symlinks for docker daemon to find these subsystems:
71- # ln -s $CGROUP/foo $CGROUP/subsys1
72- # ln -s $CGROUP/subsys1,subsys2,subsys3 $CGROUP/subsys1
73-
74- if [ " $SUBSYSTEMS " != " ${SUBSYSTEMS// ,/ } " ]; then
75- SUBSYSTEMS=" ${SUBSYSTEMS// ,/ } "
76- for SUBSYS in $SUBSYSTEMS
77- do
78- ln -s " $CGROUP /$HIER " " $CGROUP /$SUBSYS "
79- done
80- fi
81- done
82- fi
83-
8416if [ -d /sys/kernel/security ] && ! mountpoint -q /sys/kernel/security; then
8517 mount -t securityfs none /sys/kernel/security || {
8618 echo >&2 ' Could not mount /sys/kernel/security.'
8719 echo >&2 ' AppArmor detection and --privileged mode might break.'
8820 }
8921fi
9022
91- # Note: as I write those lines, the LXC userland tools cannot setup
92- # a "sub-container" properly if the "devices" cgroup is not in its
93- # own hierarchy. Let's detect this and issue a warning.
94- if ! grep -q :devices: /proc/1/cgroup; then
95- echo >&2 ' WARNING: the "devices" cgroup should be in its own hierarchy.'
96- fi
97- if ! grep -qw devices /proc/1/cgroup; then
98- echo >&2 ' WARNING: it looks like the "devices" cgroup is not mounted.'
99- fi
100-
10123# Mount /tmp (conditionally)
10224if ! mountpoint -q /tmp; then
10325 mount -t tmpfs none /tmp