]>
Commit | Line | Data |
---|---|---|
ccb4cabe SH |
1 | /* |
2 | * lxc: linux Container library | |
3 | * | |
4 | * Copyright © 2016 Canonical Ltd. | |
5 | * | |
6 | * Authors: | |
7 | * Serge Hallyn <serge.hallyn@ubuntu.com> | |
8 | * | |
9 | * This library is free software; you can redistribute it and/or | |
10 | * modify it under the terms of the GNU Lesser General Public | |
11 | * License as published by the Free Software Foundation; either | |
12 | * version 2.1 of the License, or (at your option) any later version. | |
13 | * | |
14 | * This library is distributed in the hope that it will be useful, | |
15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
17 | * Lesser General Public License for more details. | |
18 | * | |
19 | * You should have received a copy of the GNU Lesser General Public | |
20 | * License along with this library; if not, write to the Free Software | |
21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA | |
22 | */ | |
23 | ||
24 | /* | |
25 | * cgfs-ng.c: this is a new, simplified implementation of a filesystem | |
26 | * cgroup backend. The original cgfs.c was designed to be as flexible | |
27 | * as possible. It would try to find cgroup filesystems no matter where | |
28 | * or how you had them mounted, and deduce the most usable mount for | |
29 | * each controller. It also was not designed for unprivileged use, as | |
30 | * that was reserved for cgmanager. | |
31 | * | |
32 | * This new implementation assumes that cgroup filesystems are mounted | |
33 | * under /sys/fs/cgroup/clist where clist is either the controller, or | |
34 | * a comman-separated list of controllers. | |
35 | */ | |
36 | #include "config.h" | |
37 | #include <stdio.h> | |
38 | #include <stdio.h> | |
39 | #include <stdlib.h> | |
40 | #include <errno.h> | |
41 | #include <sys/types.h> | |
42 | #include <unistd.h> | |
43 | #include <dirent.h> | |
44 | #include <grp.h> | |
45 | ||
46 | #include "log.h" | |
47 | #include "cgroup.h" | |
48 | #include "utils.h" | |
49 | #include "commands.h" | |
50 | ||
51 | lxc_log_define(lxc_cgfsng, lxc); | |
52 | ||
53 | static struct cgroup_ops cgfsng_ops; | |
54 | ||
ccb4cabe SH |
55 | /* |
56 | * A descriptor for a mounted hierarchy | |
57 | * @controllers: either NULL, or a null-terminated list of all | |
58 | * the co-mounted controllers | |
59 | * @mountpoint: the mountpoint we will use. It will be either | |
60 | * /sys/fs/cgroup/controller or /sys/fs/cgroup/controllerlist | |
61 | * @base_cgroup: the cgroup under which the container cgroup path | |
62 | is created. This will be either the caller's cgroup (if not | |
63 | root), or init's cgroup (if root). | |
64 | */ | |
65 | struct hierarchy { | |
66 | char **controllers; | |
67 | char *mountpoint; | |
68 | char *base_cgroup; | |
69 | char *fullcgpath; | |
70 | }; | |
71 | ||
72 | /* | |
73 | * The cgroup data which is attached to the lxc_handler. | |
74 | * @hierarchies - a NULL-terminated array of struct hierarchy, one per | |
75 | * hierarchy. No duplicates. First sufficient, writeable mounted | |
76 | * hierarchy wins | |
77 | * @cgroup_use - a copy of the lxc.cgroup.use | |
78 | * @cgroup_pattern - a copy of the lxc.cgroup.pattern | |
79 | * @container_cgroup - if not null, the cgroup which was created for | |
80 | * the container. For each hierarchy, it is created under the | |
81 | * @hierarchy->base_cgroup directory. Relative to the base_cgroup | |
82 | * it is the same for all hierarchies. | |
83 | * @name - the container name | |
84 | */ | |
85 | struct cgfsng_handler_data { | |
86 | struct hierarchy **hierarchies; | |
87 | char *cgroup_use; | |
88 | char *cgroup_pattern; | |
89 | char *container_cgroup; // cgroup we created for the container | |
90 | char *name; // container name | |
91 | }; | |
92 | ||
93 | static void free_string_list(char **clist) | |
94 | { | |
95 | if (clist) { | |
96 | int i; | |
97 | ||
98 | for (i = 0; clist[i]; i++) | |
99 | free(clist[i]); | |
100 | free(clist); | |
101 | } | |
102 | } | |
103 | ||
104 | /* Re-alllocate a pointer, do not fail */ | |
105 | static void *must_realloc(void *orig, size_t sz) | |
106 | { | |
107 | void *ret; | |
108 | ||
109 | do { | |
110 | ret = realloc(orig, sz); | |
111 | } while (!ret); | |
112 | return ret; | |
113 | } | |
114 | ||
115 | /* Allocate a pointer, do not fail */ | |
116 | static void *must_alloc(size_t sz) | |
117 | { | |
118 | return must_realloc(NULL, sz); | |
119 | } | |
120 | ||
121 | /* return copy of string @entry; do not fail. */ | |
122 | static char *must_copy_string(const char *entry) | |
123 | { | |
124 | char *ret; | |
125 | ||
126 | if (!entry) | |
127 | return NULL; | |
128 | do { | |
129 | ret = strdup(entry); | |
130 | } while (!ret); | |
131 | return ret; | |
132 | } | |
133 | ||
134 | /* | |
135 | * This is a special case - return a copy of @entry | |
136 | * prepending 'name='. I.e. turn systemd into name=systemd. | |
137 | * Do not fail. | |
138 | */ | |
139 | static char *must_prefix_named(char *entry) | |
140 | { | |
141 | char *ret; | |
142 | size_t len = strlen(entry); | |
143 | ||
144 | ret = must_alloc(len + 6); | |
145 | snprintf(ret, len + 6, "name=%s", entry); | |
146 | return ret; | |
147 | } | |
148 | ||
149 | /* | |
150 | * Given a pointer to a null-terminated array of pointers, realloc to | |
151 | * add one entry, and point the new entry to NULL. Do not fail. Return | |
152 | * the index to the second-to-last entry - that is, the one which is | |
153 | * now available for use (keeping the list null-terminated). | |
154 | */ | |
155 | static int append_null_to_list(void ***list) | |
156 | { | |
157 | int newentry = 0; | |
158 | ||
159 | if (*list) | |
160 | for (; (*list)[newentry]; newentry++); | |
161 | ||
162 | *list = must_realloc(*list, (newentry + 2) * sizeof(void **)); | |
163 | (*list)[newentry + 1] = NULL; | |
164 | return newentry; | |
165 | } | |
166 | ||
167 | /* | |
168 | * Given a null-terminated array of strings, check whether @entry | |
169 | * is one of the strings | |
170 | */ | |
171 | static bool string_in_list(char **list, const char *entry) | |
172 | { | |
173 | int i; | |
174 | ||
175 | if (!list) | |
176 | return false; | |
177 | for (i = 0; list[i]; i++) | |
178 | if (strcmp(list[i], entry) == 0) | |
179 | return true; | |
180 | ||
181 | return false; | |
182 | } | |
183 | ||
184 | /* | |
185 | * append an entry to the clist. Do not fail. | |
186 | * *clist must be NULL the first time we are called. | |
187 | * | |
188 | * We also handle named subsystems here. Any controller which is not a | |
189 | * kernel subsystem, we prefix 'name='. Any which is both a kernel and | |
190 | * named subsystem, we refuse to use because we're not sure which we | |
191 | * have here. (TODO - we could work around this in some cases by just | |
192 | * remounting to be unambiguous, or by comparing mountpoint contents | |
193 | * with current cgroup) | |
194 | * | |
195 | * The last entry will always be NULL. | |
196 | */ | |
197 | static void must_append_controller(char **klist, char **nlist, char ***clist, char *entry) | |
198 | { | |
199 | int newentry; | |
200 | char *copy; | |
201 | ||
202 | if (string_in_list(klist, entry) && string_in_list(nlist, entry)) { | |
203 | ERROR("Refusing to use ambiguous controller '%s'", entry); | |
204 | ERROR("It is both a named and kernel subsystem"); | |
205 | return; | |
206 | } | |
207 | ||
208 | newentry = append_null_to_list((void ***)clist); | |
209 | ||
210 | if (strncmp(entry, "name=", 5) == 0) | |
211 | copy = must_copy_string(entry); | |
212 | else if (string_in_list(klist, entry)) | |
213 | copy = must_copy_string(entry); | |
214 | else | |
215 | copy = must_prefix_named(entry); | |
216 | ||
217 | (*clist)[newentry] = copy; | |
218 | } | |
219 | ||
220 | static void free_hierarchies(struct hierarchy **hlist) | |
221 | { | |
222 | if (hlist) { | |
223 | int i; | |
224 | ||
225 | for (i = 0; hlist[i]; i++) { | |
226 | free(hlist[i]->mountpoint); | |
227 | free(hlist[i]->base_cgroup); | |
228 | free(hlist[i]->fullcgpath); | |
229 | free_string_list(hlist[i]->controllers); | |
230 | } | |
231 | free(hlist); | |
232 | } | |
233 | } | |
234 | ||
235 | static void free_handler_data(struct cgfsng_handler_data *d) | |
236 | { | |
237 | free_hierarchies(d->hierarchies); | |
238 | free(d->cgroup_use); | |
239 | free(d->cgroup_pattern); | |
240 | free(d->container_cgroup); | |
241 | free(d->name); | |
242 | free(d); | |
243 | } | |
244 | ||
245 | /* | |
246 | * Given a handler's cgroup data, return the struct hierarchy for the | |
247 | * controller @c, or NULL if there is none. | |
248 | */ | |
249 | struct hierarchy *get_hierarchy(struct cgfsng_handler_data *d, const char *c) | |
250 | { | |
251 | int i; | |
252 | ||
253 | if (!d || !d->hierarchies) | |
254 | return NULL; | |
255 | for (i = 0; d->hierarchies[i]; i++) { | |
256 | if (string_in_list(d->hierarchies[i]->controllers, c)) | |
257 | return d->hierarchies[i]; | |
258 | } | |
259 | return NULL; | |
260 | } | |
261 | ||
e3a3fecf SH |
262 | static char *must_make_path(const char *first, ...) __attribute__((sentinel)); |
263 | ||
264 | /* Copy contents of parent(@path)/@file to @path/@file */ | |
265 | static bool copy_parent_file(char *path, char *file) | |
266 | { | |
267 | char *lastslash, *value = NULL, *fpath, oldv; | |
268 | int len = 0; | |
269 | int ret; | |
270 | ||
271 | lastslash = strrchr(path, '/'); | |
272 | if (!lastslash) { // bug... this shouldn't be possible | |
273 | ERROR("cgfsng:copy_parent_file: bad path %s", path); | |
274 | return false; | |
275 | } | |
276 | oldv = *lastslash; | |
277 | *lastslash = '\0'; | |
278 | fpath = must_make_path(path, file, NULL); | |
279 | len = lxc_read_from_file(fpath, NULL, 0); | |
280 | if (len <= 0) | |
281 | goto bad; | |
282 | value = must_alloc(len + 1); | |
283 | if (lxc_read_from_file(fpath, value, len) != len) | |
284 | goto bad; | |
285 | free(fpath); | |
286 | *lastslash = oldv; | |
287 | fpath = must_make_path(path, file, NULL); | |
288 | ret = lxc_write_to_file(fpath, value, len, false); | |
289 | if (ret < 0) | |
290 | SYSERROR("Unable to write %s to %s", value, fpath); | |
291 | free(fpath); | |
292 | free(value); | |
293 | return ret >= 0; | |
294 | ||
295 | bad: | |
296 | SYSERROR("Error reading '%s'", fpath); | |
297 | free(fpath); | |
298 | free(value); | |
299 | return false; | |
300 | } | |
301 | ||
302 | /* | |
303 | * Initialize the cpuset hierarchy in first directory of @gname and | |
304 | * set cgroup.clone_children so that children inherit settings. | |
305 | * Since the h->base_path is populated by init or ourselves, we know | |
306 | * it is already initialized. | |
307 | */ | |
308 | bool handle_cpuset_hierarchy(struct hierarchy *h, char *cgname) | |
309 | { | |
310 | char *cgpath, *clonechildrenpath, v, *slash; | |
311 | ||
312 | if (!string_in_list(h->controllers, "cpuset")) | |
313 | return true; | |
314 | ||
315 | if (*cgname == '/') | |
316 | cgname++; | |
317 | slash = strchr(cgname, '/'); | |
318 | if (slash) | |
319 | *slash = '\0'; | |
320 | ||
321 | cgpath = must_make_path(h->mountpoint, h->base_cgroup, cgname, NULL); | |
322 | if (slash) | |
323 | *slash = '/'; | |
324 | if (mkdir(cgpath, 0755) < 0 && errno != EEXIST) { | |
325 | SYSERROR("Failed to create '%s'", cgpath); | |
326 | free(cgpath); | |
327 | return false; | |
328 | } | |
329 | clonechildrenpath = must_make_path(cgpath, "cgroup.clone_children", NULL); | |
330 | if (!file_exists(clonechildrenpath)) { /* unified hierarchy doesn't have clone_children */ | |
331 | free(clonechildrenpath); | |
332 | free(cgpath); | |
333 | return true; | |
334 | } | |
335 | if (lxc_read_from_file(clonechildrenpath, &v, 1) < 0) { | |
336 | SYSERROR("Failed to read '%s'", clonechildrenpath); | |
337 | free(clonechildrenpath); | |
338 | free(cgpath); | |
339 | return false; | |
340 | } | |
341 | ||
342 | if (v == '1') { /* already set for us by someone else */ | |
343 | free(clonechildrenpath); | |
344 | free(cgpath); | |
345 | return true; | |
346 | } | |
347 | ||
348 | /* copy parent's settings */ | |
349 | if (!copy_parent_file(cgpath, "cpuset.cpus") || | |
350 | !copy_parent_file(cgpath, "cpuset.mems")) { | |
351 | free(cgpath); | |
352 | free(clonechildrenpath); | |
353 | return false; | |
354 | } | |
355 | free(cgpath); | |
356 | ||
357 | if (lxc_write_to_file(clonechildrenpath, "1", 1, false) < 0) { | |
358 | /* Set clone_children so children inherit our settings */ | |
359 | SYSERROR("Failed to write 1 to %s", clonechildrenpath); | |
360 | free(clonechildrenpath); | |
361 | return false; | |
362 | } | |
363 | free(clonechildrenpath); | |
364 | return true; | |
365 | } | |
366 | ||
ccb4cabe SH |
367 | /* |
368 | * Given two null-terminated lists of strings, return true if any string | |
369 | * is in both. | |
370 | */ | |
371 | static bool controller_lists_intersect(char **l1, char **l2) | |
372 | { | |
373 | int i; | |
374 | ||
375 | if (!l1 || !l2) | |
376 | return false; | |
377 | ||
378 | for (i = 0; l1[i]; i++) { | |
379 | if (string_in_list(l2, l1[i])) | |
380 | return true; | |
381 | } | |
382 | return false; | |
383 | } | |
384 | ||
385 | /* | |
386 | * For a null-terminated list of controllers @clist, return true if any of | |
387 | * those controllers is already listed the null-terminated list of | |
388 | * hierarchies @hlist. Realistically, if one is present, all must be present. | |
389 | */ | |
390 | static bool controller_list_is_dup(struct hierarchy **hlist, char **clist) | |
391 | { | |
392 | int i; | |
393 | ||
394 | if (!hlist) | |
395 | return false; | |
396 | for (i = 0; hlist[i]; i++) | |
397 | if (controller_lists_intersect(hlist[i]->controllers, clist)) | |
398 | return true; | |
399 | return false; | |
400 | ||
401 | } | |
402 | ||
403 | /* | |
404 | * Return true if the controller @entry is found in the null-terminated | |
405 | * list of hierarchies @hlist | |
406 | */ | |
407 | static bool controller_found(struct hierarchy **hlist, char *entry) | |
408 | { | |
409 | int i; | |
410 | if (!hlist) | |
411 | return false; | |
412 | ||
413 | for (i = 0; hlist[i]; i++) | |
414 | if (string_in_list(hlist[i]->controllers, entry)) | |
415 | return true; | |
416 | return false; | |
417 | } | |
418 | ||
419 | /* | |
420 | * Return true if all of the controllers which we require have been | |
421 | * found. The required list is systemd, freezer, and anything in | |
422 | * lxc.cgroup.use. | |
423 | */ | |
424 | static bool all_controllers_found(struct cgfsng_handler_data *d) | |
425 | { | |
426 | char *p, *saveptr = NULL; | |
427 | struct hierarchy ** hlist = d->hierarchies; | |
428 | ||
429 | if (!controller_found(hlist, "name=systemd")) { | |
430 | ERROR("no systemd controller mountpoint found"); | |
431 | return false; | |
432 | } | |
433 | if (!controller_found(hlist, "freezer")) { | |
434 | ERROR("no freezer controller mountpoint found"); | |
435 | return false; | |
436 | } | |
437 | ||
438 | if (!d->cgroup_use) | |
439 | return true; | |
440 | for (p = strtok_r(d->cgroup_use, ",", &saveptr); p; | |
441 | p = strtok_r(NULL, ",", &saveptr)) { | |
442 | if (!controller_found(hlist, p)) { | |
443 | ERROR("no %s controller mountpoint found", p); | |
444 | return false; | |
445 | } | |
446 | } | |
447 | return true; | |
448 | } | |
449 | ||
450 | /* Return true if the fs type is fuse.lxcfs */ | |
451 | static bool is_lxcfs(const char *line) | |
452 | { | |
453 | char *p = strstr(line, " - "); | |
454 | if (!p) | |
455 | return false; | |
456 | return strncmp(p, " - fuse.lxcfs ", 14); | |
457 | } | |
458 | ||
459 | /* | |
460 | * Get the controllers from a mountinfo line | |
461 | * There are other ways we could get this info. For lxcfs, field 3 | |
462 | * is /cgroup/controller-list. For cgroupfs, we could parse the mount | |
463 | * options. But we simply assume that the mountpoint must be | |
464 | * /sys/fs/cgroup/controller-list | |
465 | */ | |
466 | static char **get_controllers(char **klist, char **nlist, char *line) | |
467 | { | |
468 | // the fourth field is /sys/fs/cgroup/comma-delimited-controller-list | |
469 | int i; | |
470 | char *p = line, *p2, *tok, *saveptr = NULL; | |
471 | char **aret = NULL; | |
472 | ||
473 | for (i = 0; i < 4; i++) { | |
235f1815 | 474 | p = strchr(p, ' '); |
ccb4cabe SH |
475 | if (!p) |
476 | return NULL; | |
477 | p++; | |
478 | } | |
479 | if (!p) | |
480 | return NULL; | |
481 | /* note - if we change how mountinfo works, then our caller | |
482 | * will need to verify /sys/fs/cgroup/ in this field */ | |
483 | if (strncmp(p, "/sys/fs/cgroup/", 15) != 0) | |
484 | return NULL; | |
485 | p += 15; | |
235f1815 | 486 | p2 = strchr(p, ' '); |
ccb4cabe SH |
487 | if (!p2) { |
488 | ERROR("corrupt mountinfo"); | |
489 | return NULL; | |
490 | } | |
491 | *p2 = '\0'; | |
492 | for (tok = strtok_r(p, ",", &saveptr); tok; | |
493 | tok = strtok_r(NULL, ",", &saveptr)) { | |
494 | must_append_controller(klist, nlist, &aret, tok); | |
495 | } | |
496 | ||
497 | return aret; | |
498 | } | |
499 | ||
500 | /* return true if the fstype is cgroup */ | |
501 | static bool is_cgroupfs(char *line) | |
502 | { | |
503 | char *p = strstr(line, " - "); | |
504 | if (!p) | |
505 | return false; | |
506 | return strncmp(p, " - cgroup ", 10); | |
507 | } | |
508 | ||
509 | /* Add a controller to our list of hierarchies */ | |
510 | static void add_controller(struct cgfsng_handler_data *d, char **clist, | |
511 | char *mountpoint, char *base_cgroup) | |
512 | { | |
513 | struct hierarchy *new; | |
514 | int newentry; | |
515 | ||
516 | new = must_alloc(sizeof(*new)); | |
517 | new->controllers = clist; | |
518 | new->mountpoint = mountpoint; | |
519 | new->base_cgroup = base_cgroup; | |
520 | new->fullcgpath = NULL; | |
521 | ||
522 | newentry = append_null_to_list((void ***)&d->hierarchies); | |
523 | d->hierarchies[newentry] = new; | |
524 | } | |
525 | ||
526 | /* | |
527 | * Get a copy of the mountpoint from @line, which is a line from | |
528 | * /proc/self/mountinfo | |
529 | */ | |
530 | static char *get_mountpoint(char *line) | |
531 | { | |
532 | int i; | |
533 | char *p = line, *sret; | |
534 | size_t len; | |
535 | ||
536 | for (i = 0; i < 4; i++) { | |
235f1815 | 537 | p = strchr(p, ' '); |
ccb4cabe SH |
538 | if (!p) |
539 | return NULL; | |
540 | p++; | |
541 | } | |
542 | /* we've already stuck a \0 after the mountpoint */ | |
543 | len = strlen(p); | |
544 | sret = must_alloc(len + 1); | |
545 | memcpy(sret, p, len); | |
546 | sret[len] = '\0'; | |
547 | return sret; | |
548 | } | |
549 | ||
550 | /* | |
551 | * Given a multi-line string, return a null-terminated copy of the | |
552 | * current line. | |
553 | */ | |
554 | static char *copy_to_eol(char *p) | |
555 | { | |
235f1815 | 556 | char *p2 = strchr(p, '\n'), *sret; |
ccb4cabe SH |
557 | size_t len; |
558 | ||
559 | if (!p2) | |
560 | return NULL; | |
561 | ||
562 | len = p2 - p; | |
563 | sret = must_alloc(len + 1); | |
564 | memcpy(sret, p, len); | |
565 | sret[len] = '\0'; | |
566 | return sret; | |
567 | } | |
568 | ||
569 | /* | |
570 | * cgline: pointer to character after the first ':' in a line in a | |
571 | * \n-terminated /proc/self/cgroup file. Check whether * controller c is | |
572 | * present. | |
573 | */ | |
574 | static bool controller_in_clist(char *cgline, char *c) | |
575 | { | |
576 | char *tok, *saveptr = NULL, *eol, *tmp; | |
577 | size_t len; | |
578 | ||
235f1815 | 579 | eol = strchr(cgline, ':'); |
ccb4cabe SH |
580 | if (!eol) |
581 | return false; | |
582 | ||
583 | len = eol - cgline; | |
584 | tmp = alloca(len + 1); | |
585 | memcpy(tmp, cgline, len); | |
586 | tmp[len] = '\0'; | |
587 | ||
588 | for (tok = strtok_r(tmp, ",", &saveptr); tok; | |
589 | tok = strtok_r(NULL, ",", &saveptr)) { | |
590 | if (strcmp(tok, c) == 0) | |
591 | return true; | |
592 | } | |
593 | return false; | |
594 | } | |
595 | ||
596 | /* | |
597 | * @basecginfo is a copy of /proc/$$/cgroup. Return the current | |
598 | * cgroup for @controller | |
599 | */ | |
600 | static char *get_current_cgroup(char *basecginfo, char *controller) | |
601 | { | |
602 | char *p = basecginfo; | |
603 | ||
604 | while (1) { | |
235f1815 | 605 | p = strchr(p, ':'); |
ccb4cabe SH |
606 | if (!p) |
607 | return NULL; | |
608 | p++; | |
609 | if (controller_in_clist(p, controller)) { | |
235f1815 | 610 | p = strchr(p, ':'); |
ccb4cabe SH |
611 | if (!p) |
612 | return NULL; | |
613 | p++; | |
614 | return copy_to_eol(p); | |
615 | } | |
616 | ||
235f1815 | 617 | p = strchr(p, '\n'); |
ccb4cabe SH |
618 | if (!p) |
619 | return NULL; | |
620 | p++; | |
621 | } | |
622 | } | |
623 | ||
b4ffcca8 SH |
624 | #define BATCH_SIZE 50 |
625 | static void batch_realloc(char **mem, size_t oldlen, size_t newlen) | |
626 | { | |
627 | int newbatches = (newlen / BATCH_SIZE) + 1; | |
628 | int oldbatches = (oldlen / BATCH_SIZE) + 1; | |
629 | ||
630 | if (!*mem || newbatches > oldbatches) { | |
631 | *mem = must_realloc(*mem, newbatches * BATCH_SIZE); | |
632 | } | |
633 | } | |
634 | ||
ccb4cabe SH |
635 | static void append_line(char **dest, size_t oldlen, char *new, size_t newlen) |
636 | { | |
637 | size_t full = oldlen + newlen; | |
638 | ||
b4ffcca8 | 639 | batch_realloc(dest, oldlen, full + 1); |
ccb4cabe | 640 | |
b4ffcca8 | 641 | memcpy(*dest + oldlen, new, newlen + 1); |
ccb4cabe SH |
642 | } |
643 | ||
644 | /* Slurp in a whole file */ | |
645 | static char *read_file(char *fnam) | |
646 | { | |
647 | FILE *f; | |
648 | char *line = NULL, *buf = NULL; | |
649 | size_t len = 0, fulllen = 0; | |
b4ffcca8 | 650 | int linelen; |
ccb4cabe SH |
651 | |
652 | f = fopen(fnam, "r"); | |
653 | if (!f) | |
654 | return NULL; | |
b4ffcca8 SH |
655 | while ((linelen = getline(&line, &len, f)) != -1) { |
656 | append_line(&buf, fulllen, line, linelen); | |
657 | fulllen += linelen; | |
ccb4cabe SH |
658 | } |
659 | fclose(f); | |
660 | free(line); | |
661 | return buf; | |
662 | } | |
663 | ||
ccb4cabe SH |
664 | /* |
665 | * Given a hierarchy @mountpoint and base @path, verify that we can create | |
666 | * directories underneath it. | |
667 | */ | |
668 | static bool test_writeable(char *mountpoint, char *path) | |
669 | { | |
670 | char *fullpath = must_make_path(mountpoint, path, NULL); | |
671 | int ret; | |
672 | ||
673 | ret = access(fullpath, W_OK); | |
674 | free(fullpath); | |
675 | return ret == 0; | |
676 | } | |
677 | ||
678 | static void must_append_string(char ***list, char *entry) | |
679 | { | |
680 | int newentry = append_null_to_list((void ***)list); | |
681 | char *copy; | |
682 | ||
683 | copy = must_copy_string(entry); | |
684 | (*list)[newentry] = copy; | |
685 | } | |
686 | ||
687 | static void get_existing_subsystems(char ***klist, char ***nlist) | |
688 | { | |
689 | FILE *f; | |
690 | char *line = NULL; | |
691 | size_t len = 0; | |
692 | ||
693 | if ((f = fopen("/proc/self/cgroup", "r")) == NULL) | |
694 | return; | |
695 | while (getline(&line, &len, f) != -1) { | |
696 | char *p, *p2, *tok, *saveptr = NULL; | |
235f1815 | 697 | p = strchr(line, ':'); |
ccb4cabe SH |
698 | if (!p) |
699 | continue; | |
700 | p++; | |
235f1815 | 701 | p2 = strchr(p, ':'); |
ccb4cabe SH |
702 | if (!p2) |
703 | continue; | |
704 | *p2 = '\0'; | |
705 | for (tok = strtok_r(p, ",", &saveptr); tok; | |
706 | tok = strtok_r(NULL, ",", &saveptr)) { | |
707 | if (strncmp(tok, "name=", 5) == 0) | |
708 | must_append_string(nlist, tok); | |
709 | else | |
710 | must_append_string(klist, tok); | |
711 | } | |
712 | } | |
713 | ||
714 | free(line); | |
715 | fclose(f); | |
716 | } | |
717 | ||
718 | static void trim(char *s) | |
719 | { | |
720 | size_t len = strlen(s); | |
721 | while (s[len-1] == '\n') | |
722 | s[--len] = '\0'; | |
723 | } | |
724 | ||
ccb4cabe SH |
725 | static void print_init_debuginfo(struct cgfsng_handler_data *d) |
726 | { | |
727 | int i; | |
41c33dbe SH |
728 | |
729 | if (!getenv("LXC_DEBUG_CGFSNG")) | |
730 | return; | |
731 | ||
ccb4cabe SH |
732 | printf("Cgroup information:\n"); |
733 | printf(" container name: %s\n", d->name); | |
734 | printf(" lxc.cgroup.use: %s\n", d->cgroup_use ? d->cgroup_use : "(none)"); | |
735 | printf(" lxc.cgroup.pattern: %s\n", d->cgroup_pattern); | |
736 | printf(" cgroup: %s\n", d->container_cgroup ? d->container_cgroup : "(none)"); | |
737 | if (!d->hierarchies) { | |
738 | printf(" No hierarchies found.\n"); | |
739 | return; | |
740 | } | |
741 | printf(" Hierarchies:\n"); | |
742 | for (i = 0; d->hierarchies[i]; i++) { | |
743 | struct hierarchy *h = d->hierarchies[i]; | |
744 | int j; | |
745 | printf(" %d: base_cgroup %s\n", i, h->base_cgroup); | |
746 | printf(" mountpoint %s\n", h->mountpoint); | |
747 | printf(" controllers:\n"); | |
748 | for (j = 0; h->controllers[j]; j++) | |
749 | printf(" %d: %s\n", j, h->controllers[j]); | |
750 | } | |
751 | } | |
41c33dbe SH |
752 | |
753 | static void print_basecg_debuginfo(char *basecginfo, char **klist, char **nlist) | |
754 | { | |
755 | int k; | |
756 | if (!getenv("LXC_DEBUG_CGFSNG")) | |
757 | return; | |
758 | ||
759 | printf("basecginfo is %s\n", basecginfo); | |
760 | ||
761 | for (k = 0; klist[k]; k++) | |
762 | printf("kernel subsystem %d: %s\n", k, klist[k]); | |
763 | for (k = 0; nlist[k]; k++) | |
764 | printf("named subsystem %d: %s\n", k, nlist[k]); | |
765 | } | |
ccb4cabe SH |
766 | |
767 | /* | |
768 | * At startup, parse_hierarchies finds all the info we need about | |
769 | * cgroup mountpoints and current cgroups, and stores it in @d. | |
770 | */ | |
771 | static bool parse_hierarchies(struct cgfsng_handler_data *d) | |
772 | { | |
773 | FILE *f; | |
774 | char * line = NULL, *basecginfo; | |
775 | char **klist = NULL, **nlist = NULL; | |
776 | size_t len = 0; | |
777 | ||
d30ec4cb SH |
778 | /* |
779 | * Root spawned containers escape the current cgroup, so use init's | |
780 | * cgroups as our base in that case. | |
781 | */ | |
ccb4cabe SH |
782 | if (geteuid()) |
783 | basecginfo = read_file("/proc/self/cgroup"); | |
784 | else | |
785 | basecginfo = read_file("/proc/1/cgroup"); | |
786 | if (!basecginfo) | |
787 | return false; | |
788 | ||
789 | if ((f = fopen("/proc/self/mountinfo", "r")) == NULL) { | |
d3b00a8f | 790 | SYSERROR("Failed opening /proc/self/mountinfo"); |
ccb4cabe SH |
791 | return false; |
792 | } | |
793 | ||
794 | get_existing_subsystems(&klist, &nlist); | |
41c33dbe SH |
795 | |
796 | print_basecg_debuginfo(basecginfo, klist, nlist); | |
ccb4cabe SH |
797 | |
798 | /* we support simple cgroup mounts and lxcfs mounts */ | |
799 | while (getline(&line, &len, f) != -1) { | |
800 | char **controller_list = NULL; | |
801 | char *mountpoint, *base_cgroup; | |
802 | ||
803 | if (!is_lxcfs(line) && !is_cgroupfs(line)) | |
804 | continue; | |
805 | ||
806 | controller_list = get_controllers(klist, nlist, line); | |
807 | if (!controller_list) | |
808 | continue; | |
809 | ||
810 | if (controller_list_is_dup(d->hierarchies, controller_list)) { | |
811 | free(controller_list); | |
812 | continue; | |
813 | } | |
814 | ||
815 | mountpoint = get_mountpoint(line); | |
816 | if (!mountpoint) { | |
817 | ERROR("Error reading mountinfo: bad line '%s'", line); | |
818 | free_string_list(controller_list); | |
819 | continue; | |
820 | } | |
821 | ||
822 | base_cgroup = get_current_cgroup(basecginfo, controller_list[0]); | |
823 | if (!base_cgroup) { | |
824 | ERROR("Failed to find current cgroup for controller '%s'", controller_list[0]); | |
825 | free_string_list(controller_list); | |
826 | free(mountpoint); | |
827 | continue; | |
828 | } | |
829 | trim(base_cgroup); | |
830 | prune_init_scope(base_cgroup); | |
831 | if (!test_writeable(mountpoint, base_cgroup)) { | |
832 | free_string_list(controller_list); | |
833 | free(mountpoint); | |
834 | free(base_cgroup); | |
835 | continue; | |
836 | } | |
837 | add_controller(d, controller_list, mountpoint, base_cgroup); | |
838 | } | |
839 | ||
840 | free_string_list(klist); | |
841 | free_string_list(nlist); | |
842 | ||
843 | free(basecginfo); | |
844 | ||
845 | fclose(f); | |
846 | free(line); | |
847 | ||
848 | print_init_debuginfo(d); | |
849 | ||
850 | /* verify that all controllers in cgroup.use and all crucial | |
851 | * controllers are accounted for | |
852 | */ | |
853 | if (!all_controllers_found(d)) | |
854 | return false; | |
855 | ||
856 | return true; | |
857 | } | |
858 | ||
859 | static void *cgfsng_init(const char *name) | |
860 | { | |
861 | struct cgfsng_handler_data *d; | |
862 | const char *cgroup_use, *cgroup_pattern; | |
863 | ||
864 | d = must_alloc(sizeof(*d)); | |
865 | memset(d, 0, sizeof(*d)); | |
866 | ||
867 | d->name = must_copy_string(name); | |
868 | ||
869 | errno = 0; | |
870 | cgroup_use = lxc_global_config_value("lxc.cgroup.use"); | |
871 | if (!cgroup_use && errno != 0) { // lxc.cgroup.use can be NULL | |
872 | SYSERROR("Error reading list of cgroups to use"); | |
873 | goto out_free; | |
874 | } | |
875 | d->cgroup_use = must_copy_string(cgroup_use); | |
876 | ||
877 | cgroup_pattern = lxc_global_config_value("lxc.cgroup.pattern"); | |
878 | if (!cgroup_pattern) { // lxc.cgroup.pattern is only NULL on error | |
879 | ERROR("Error getting cgroup pattern"); | |
880 | goto out_free; | |
881 | } | |
882 | d->cgroup_pattern = must_copy_string(cgroup_pattern); | |
883 | ||
884 | if (!parse_hierarchies(d)) | |
885 | goto out_free; | |
886 | ||
887 | print_init_debuginfo(d); | |
888 | ||
889 | return d; | |
890 | ||
891 | out_free: | |
892 | free_handler_data(d); | |
893 | return NULL; | |
894 | } | |
895 | ||
896 | /* | |
897 | * Concatenate all passed-in strings into one path. Do not fail. If any piece is | |
898 | * not prefixed with '/', add a '/'. | |
899 | */ | |
900 | static char *must_make_path(const char *first, ...) | |
901 | { | |
902 | va_list args; | |
903 | char *cur, *dest; | |
904 | size_t full_len = strlen(first); | |
905 | ||
906 | dest = must_copy_string(first); | |
907 | ||
908 | va_start(args, first); | |
909 | while ((cur = va_arg(args, char *)) != NULL) { | |
910 | full_len += strlen(cur); | |
911 | if (cur[0] != '/') | |
912 | full_len++; | |
913 | dest = must_realloc(dest, full_len + 1); | |
914 | if (cur[0] != '/') | |
915 | strcat(dest, "/"); | |
916 | strcat(dest, cur); | |
917 | } | |
918 | va_end(args); | |
919 | ||
920 | return dest; | |
921 | } | |
922 | ||
923 | static int cgroup_rmdir(char *dirname) | |
924 | { | |
925 | struct dirent dirent, *direntp; | |
926 | DIR *dir; | |
927 | int r = 0; | |
928 | ||
929 | dir = opendir(dirname); | |
930 | if (!dir) | |
931 | return -1; | |
932 | ||
933 | while (!readdir_r(dir, &dirent, &direntp)) { | |
934 | struct stat mystat; | |
935 | char *pathname; | |
936 | ||
937 | if (!direntp) | |
938 | break; | |
939 | ||
940 | if (!strcmp(direntp->d_name, ".") || | |
941 | !strcmp(direntp->d_name, "..")) | |
942 | continue; | |
943 | ||
944 | pathname = must_make_path(dirname, direntp->d_name, NULL); | |
945 | ||
946 | if (lstat(pathname, &mystat)) { | |
947 | if (!r) | |
1c9da8da | 948 | WARN("failed to stat %s", pathname); |
ccb4cabe SH |
949 | r = -1; |
950 | goto next; | |
951 | } | |
952 | ||
953 | if (!S_ISDIR(mystat.st_mode)) | |
954 | goto next; | |
955 | if (cgroup_rmdir(pathname) < 0) | |
956 | r = -1; | |
957 | next: | |
958 | free(pathname); | |
959 | } | |
960 | ||
961 | if (rmdir(dirname) < 0) { | |
962 | if (!r) | |
963 | WARN("%s: failed to delete %s: %m", __func__, dirname); | |
964 | r = -1; | |
965 | } | |
966 | ||
967 | if (closedir(dir) < 0) { | |
968 | if (!r) | |
969 | WARN("%s: failed to delete %s: %m", __func__, dirname); | |
970 | r = -1; | |
971 | } | |
972 | return r; | |
973 | } | |
974 | ||
975 | static int rmdir_wrapper(void *data) | |
976 | { | |
977 | char *path = data; | |
978 | ||
979 | if (setresgid(0,0,0) < 0) | |
980 | SYSERROR("Failed to setgid to 0"); | |
981 | if (setresuid(0,0,0) < 0) | |
982 | SYSERROR("Failed to setuid to 0"); | |
983 | if (setgroups(0, NULL) < 0) | |
984 | SYSERROR("Failed to clear groups"); | |
985 | ||
986 | return cgroup_rmdir(path); | |
987 | } | |
988 | ||
989 | void recursive_destroy(char *path, struct lxc_conf *conf) | |
990 | { | |
991 | int r; | |
992 | if (conf && !lxc_list_empty(&conf->id_map)) | |
993 | r = userns_exec_1(conf, rmdir_wrapper, path); | |
994 | else | |
995 | r = cgroup_rmdir(path); | |
996 | ||
997 | if (r < 0) | |
1c9da8da | 998 | ERROR("Error destroying %s", path); |
ccb4cabe SH |
999 | } |
1000 | ||
1001 | static void cgfsng_destroy(void *hdata, struct lxc_conf *conf) | |
1002 | { | |
1003 | struct cgfsng_handler_data *d = hdata; | |
1004 | ||
1005 | if (!d) | |
1006 | return; | |
1007 | ||
1008 | if (d->container_cgroup && d->hierarchies) { | |
1009 | int i; | |
1010 | for (i = 0; d->hierarchies[i]; i++) { | |
1011 | struct hierarchy *h = d->hierarchies[i]; | |
e2db2a89 | 1012 | if (h->fullcgpath) { |
ccb4cabe SH |
1013 | recursive_destroy(h->fullcgpath, conf); |
1014 | free(h->fullcgpath); | |
1015 | h->fullcgpath = NULL; | |
1016 | } | |
1017 | } | |
1018 | } | |
1019 | ||
1020 | free_handler_data(d); | |
1021 | } | |
1022 | ||
1023 | struct cgroup_ops *cgfsng_ops_init(void) | |
1024 | { | |
1025 | /* TODO - when cgroup_mount is implemented, drop this check */ | |
1026 | if (!file_exists("/proc/self/ns/cgroup")) | |
1027 | return NULL; | |
1028 | return &cgfsng_ops; | |
1029 | } | |
1030 | ||
1031 | static bool create_path_for_hierarchy(struct hierarchy *h, char *cgname) | |
1032 | { | |
e3a3fecf | 1033 | h->fullcgpath = must_make_path(h->mountpoint, h->base_cgroup, cgname, NULL); |
d8da679e SH |
1034 | if (dir_exists(h->fullcgpath)) // it must not already exist |
1035 | return false; | |
e3a3fecf SH |
1036 | if (!handle_cpuset_hierarchy(h, cgname)) |
1037 | return false; | |
1038 | return mkdir_p(h->fullcgpath, 0755) == 0; | |
ccb4cabe SH |
1039 | } |
1040 | ||
1041 | static void remove_path_for_hierarchy(struct hierarchy *h, char *cgname) | |
1042 | { | |
1043 | if (rmdir(h->fullcgpath) < 0) | |
1044 | SYSERROR("Failed to clean up cgroup %s from failed creation attempt", h->fullcgpath); | |
1045 | free(h->fullcgpath); | |
1046 | h->fullcgpath = NULL; | |
1047 | } | |
1048 | ||
1049 | /* | |
d30ec4cb | 1050 | * Try to create the same cgroup in all hierarchies. |
ccb4cabe SH |
1051 | * Start with cgroup_pattern; next cgroup_pattern-1, -2, ..., -999 |
1052 | */ | |
1053 | static inline bool cgfsng_create(void *hdata) | |
1054 | { | |
1055 | struct cgfsng_handler_data *d = hdata; | |
1056 | char *tmp, *cgname, *offset; | |
1057 | int i, idx = 0; | |
1058 | size_t len; | |
1059 | ||
1060 | if (!d) | |
1061 | return false; | |
1062 | if (d->container_cgroup) { | |
1063 | WARN("cgfsng_create called a second time"); | |
1064 | return false; | |
1065 | } | |
1066 | ||
1067 | tmp = lxc_string_replace("%n", d->name, d->cgroup_pattern); | |
1068 | if (!tmp) { | |
1069 | ERROR("Failed expanding cgroup name pattern"); | |
1070 | return false; | |
1071 | } | |
1072 | len = strlen(tmp) + 5; // leave room for -NNN\0 | |
1073 | cgname = must_alloc(len); | |
1074 | strcpy(cgname, tmp); | |
1075 | free(tmp); | |
1076 | offset = cgname + len - 5; | |
1077 | ||
1078 | again: | |
95adfe93 SH |
1079 | if (idx == 1000) { |
1080 | ERROR("Too many conflicting cgroup names"); | |
ccb4cabe | 1081 | goto out_free; |
95adfe93 | 1082 | } |
ccb4cabe SH |
1083 | if (idx) |
1084 | snprintf(offset, 5, "-%d", idx); | |
1085 | for (i = 0; d->hierarchies[i]; i++) { | |
1086 | if (!create_path_for_hierarchy(d->hierarchies[i], cgname)) { | |
1087 | int j; | |
1088 | SYSERROR("Failed to create %s: %s", d->hierarchies[i]->fullcgpath, strerror(errno)); | |
1089 | free(d->hierarchies[i]->fullcgpath); | |
1090 | d->hierarchies[i]->fullcgpath = NULL; | |
1091 | for (j = 0; j < i; j++) | |
1092 | remove_path_for_hierarchy(d->hierarchies[j], cgname); | |
1093 | idx++; | |
1094 | goto again; | |
1095 | } | |
1096 | } | |
1097 | /* Done */ | |
1098 | d->container_cgroup = cgname; | |
1099 | return true; | |
1100 | ||
1101 | out_free: | |
1102 | free(cgname); | |
1103 | return false; | |
1104 | } | |
1105 | ||
1106 | static const char *cgfsng_canonical_path(void *hdata) | |
1107 | { | |
1108 | struct cgfsng_handler_data *d = hdata; | |
1109 | ||
1110 | return d->container_cgroup; | |
1111 | } | |
1112 | ||
1113 | static bool cgfsng_enter(void *hdata, pid_t pid) | |
1114 | { | |
1115 | struct cgfsng_handler_data *d = hdata; | |
1116 | char pidstr[25]; | |
1117 | int i, len; | |
1118 | ||
1119 | len = snprintf(pidstr, 25, "%d", pid); | |
1120 | if (len < 0 || len > 25) | |
1121 | return false; | |
1122 | ||
1123 | for (i = 0; d->hierarchies[i]; i++) { | |
1124 | char *fullpath = must_make_path(d->hierarchies[i]->fullcgpath, | |
1125 | "cgroup.procs", NULL); | |
1126 | if (lxc_write_to_file(fullpath, pidstr, len, false) != 0) { | |
d3b00a8f | 1127 | SYSERROR("Failed to enter %s", fullpath); |
ccb4cabe SH |
1128 | free(fullpath); |
1129 | return false; | |
1130 | } | |
1131 | free(fullpath); | |
1132 | } | |
1133 | ||
1134 | return true; | |
1135 | } | |
1136 | ||
1137 | struct chown_data { | |
1138 | struct cgfsng_handler_data *d; | |
1139 | uid_t origuid; // target uid in parent namespace | |
1140 | }; | |
1141 | ||
c0888dfe SH |
1142 | /* |
1143 | * chgrp the container cgroups to container group. We leave | |
1144 | * the container owner as cgroup owner. So we must make the | |
1145 | * directories 775 so that the container can create sub-cgroups. | |
43647298 SH |
1146 | * |
1147 | * Also chown the tasks and cgroup.procs files. Those may not | |
1148 | * exist depending on kernel version. | |
c0888dfe | 1149 | */ |
ccb4cabe SH |
1150 | static int chown_cgroup_wrapper(void *data) |
1151 | { | |
1152 | struct chown_data *arg = data; | |
1153 | struct cgfsng_handler_data *d = arg->d; | |
1154 | uid_t destuid; | |
1155 | int i; | |
1156 | ||
1157 | if (setresgid(0,0,0) < 0) | |
1158 | SYSERROR("Failed to setgid to 0"); | |
1159 | if (setresuid(0,0,0) < 0) | |
1160 | SYSERROR("Failed to setuid to 0"); | |
1161 | if (setgroups(0, NULL) < 0) | |
1162 | SYSERROR("Failed to clear groups"); | |
1163 | ||
1164 | destuid = get_ns_uid(arg->origuid); | |
1165 | ||
1166 | for (i = 0; d->hierarchies[i]; i++) { | |
43647298 SH |
1167 | char *fullpath, *path = d->hierarchies[i]->fullcgpath; |
1168 | ||
1169 | if (chown(path, destuid, 0) < 0) { | |
ab8f5424 | 1170 | SYSERROR("Error chowning %s to %d", path, (int) destuid); |
ccb4cabe SH |
1171 | return -1; |
1172 | } | |
c0888dfe | 1173 | |
43647298 | 1174 | if (chmod(path, 0775) < 0) { |
ab8f5424 | 1175 | SYSERROR("Error chmoding %s", path); |
c0888dfe SH |
1176 | return -1; |
1177 | } | |
ccb4cabe | 1178 | |
ab8f5424 SH |
1179 | /* |
1180 | * Failures to chown these are inconvenient but not detrimental | |
1181 | * We leave these owned by the container launcher, so that container | |
1182 | * root can write to the files to attach. We chmod them 664 so that | |
1183 | * container systemd can write to the files (which systemd in wily | |
1184 | * insists on doing) | |
1185 | */ | |
43647298 SH |
1186 | fullpath = must_make_path(path, "tasks", NULL); |
1187 | if (chown(fullpath, destuid, 0) < 0 && errno != ENOENT) | |
1188 | WARN("Failed chowning %s to %d: %m", fullpath, (int) destuid); | |
ab8f5424 SH |
1189 | if (chmod(fullpath, 0664) < 0) |
1190 | WARN("Error chmoding %s: %m", path); | |
43647298 SH |
1191 | free(fullpath); |
1192 | ||
1193 | fullpath = must_make_path(path, "cgroup.procs", NULL); | |
1194 | if (chown(fullpath, destuid, 0) < 0 && errno != ENOENT) | |
1195 | WARN("Failed chowning %s to %d: %m", fullpath, (int) destuid); | |
ab8f5424 SH |
1196 | if (chmod(fullpath, 0664) < 0) |
1197 | WARN("Error chmoding %s: %m", path); | |
ccb4cabe SH |
1198 | free(fullpath); |
1199 | } | |
1200 | ||
1201 | return 0; | |
1202 | } | |
1203 | ||
1204 | static bool cgfsns_chown(void *hdata, struct lxc_conf *conf) | |
1205 | { | |
1206 | struct cgfsng_handler_data *d = hdata; | |
1207 | struct chown_data wrap; | |
1208 | ||
1209 | if (!d) | |
1210 | return false; | |
1211 | ||
1212 | if (lxc_list_empty(&conf->id_map)) | |
1213 | return true; | |
1214 | ||
1215 | wrap.d = d; | |
1216 | wrap.origuid = geteuid(); | |
1217 | ||
1218 | if (userns_exec_1(conf, chown_cgroup_wrapper, &wrap) < 0) { | |
1219 | ERROR("Error requesting cgroup chown in new namespace"); | |
1220 | return false; | |
1221 | } | |
1222 | ||
1223 | return true; | |
1224 | } | |
1225 | ||
1226 | static bool cgfsng_mount(void *hdata, const char *root, int type) | |
1227 | { | |
1228 | if (cgns_supported()) | |
1229 | return true; | |
1230 | // TODO - implement this. Not needed for cgroup namespaces | |
1231 | return false; | |
1232 | } | |
1233 | ||
1234 | static int recursive_count_nrtasks(char *dirname) | |
1235 | { | |
1236 | struct dirent dirent, *direntp; | |
1237 | DIR *dir; | |
1238 | int count = 0, ret; | |
1239 | char *path; | |
1240 | ||
1241 | dir = opendir(dirname); | |
1242 | if (!dir) | |
1243 | return 0; | |
1244 | ||
1245 | while (!readdir_r(dir, &dirent, &direntp)) { | |
1246 | struct stat mystat; | |
1247 | ||
1248 | if (!direntp) | |
1249 | break; | |
1250 | ||
1251 | if (!strcmp(direntp->d_name, ".") || | |
1252 | !strcmp(direntp->d_name, "..")) | |
1253 | continue; | |
1254 | ||
1255 | path = must_make_path(dirname, direntp->d_name, NULL); | |
1256 | ||
1257 | if (lstat(path, &mystat)) | |
1258 | goto next; | |
1259 | ||
1260 | if (!S_ISDIR(mystat.st_mode)) | |
1261 | goto next; | |
1262 | ||
1263 | count += recursive_count_nrtasks(path); | |
1264 | next: | |
1265 | free(path); | |
1266 | } | |
1267 | ||
1268 | path = must_make_path(dirname, "cgroup.procs", NULL); | |
1269 | ret = lxc_count_file_lines(path); | |
1270 | if (ret != -1) | |
1271 | count += ret; | |
1272 | free(path); | |
1273 | ||
1274 | (void) closedir(dir); | |
1275 | ||
1276 | return count; | |
1277 | } | |
1278 | ||
1279 | static int cgfsng_nrtasks(void *hdata) { | |
1280 | struct cgfsng_handler_data *d = hdata; | |
1281 | char *path; | |
1282 | int count; | |
1283 | ||
1284 | if (!d || !d->container_cgroup || !d->hierarchies) | |
1285 | return -1; | |
1286 | path = must_make_path(d->hierarchies[0]->fullcgpath, NULL); | |
1287 | count = recursive_count_nrtasks(path); | |
1288 | free(path); | |
1289 | return count; | |
1290 | } | |
1291 | ||
1292 | /* Only root needs to escape to the cgroup of its init */ | |
7103fe6f | 1293 | static bool cgfsng_escape() |
ccb4cabe | 1294 | { |
7103fe6f | 1295 | struct cgfsng_handler_data *d; |
ccb4cabe | 1296 | int i; |
7103fe6f | 1297 | bool ret = false; |
ccb4cabe SH |
1298 | |
1299 | if (geteuid()) | |
1300 | return true; | |
1301 | ||
7103fe6f TA |
1302 | d = cgfsng_init("criu-temp-cgfsng"); |
1303 | if (!d) { | |
1304 | ERROR("cgfsng_init failed"); | |
1305 | return false; | |
1306 | } | |
1307 | ||
ccb4cabe SH |
1308 | for (i = 0; d->hierarchies[i]; i++) { |
1309 | char *fullpath = must_make_path(d->hierarchies[i]->mountpoint, | |
1310 | d->hierarchies[i]->base_cgroup, | |
1311 | "cgroup.procs", NULL); | |
1312 | if (lxc_write_to_file(fullpath, "0", 2, false) != 0) { | |
d3b00a8f | 1313 | SYSERROR("Failed to escape to %s", fullpath); |
ccb4cabe | 1314 | free(fullpath); |
7103fe6f | 1315 | goto out; |
ccb4cabe SH |
1316 | } |
1317 | free(fullpath); | |
1318 | } | |
1319 | ||
7103fe6f TA |
1320 | ret = true; |
1321 | out: | |
1322 | free_handler_data(d); | |
1323 | return ret; | |
ccb4cabe SH |
1324 | } |
1325 | ||
1326 | #define THAWED "THAWED" | |
1327 | #define THAWED_LEN (strlen(THAWED)) | |
1328 | ||
1329 | static bool cgfsng_unfreeze(void *hdata) | |
1330 | { | |
1331 | struct cgfsng_handler_data *d = hdata; | |
1332 | char *fullpath; | |
1333 | struct hierarchy *h = get_hierarchy(d, "freezer"); | |
1334 | ||
1335 | if (!d || !h) | |
1336 | return false; | |
1337 | fullpath = must_make_path(h->fullcgpath, "freezer.state", NULL); | |
1338 | if (lxc_write_to_file(fullpath, THAWED, THAWED_LEN, false) != 0) { | |
1339 | free(fullpath); | |
1340 | return false; | |
1341 | } | |
1342 | free(fullpath); | |
1343 | return true; | |
1344 | } | |
1345 | ||
1346 | static const char *cgfsng_get_cgroup(void *hdata, const char *subsystem) | |
1347 | { | |
1348 | struct cgfsng_handler_data *d = hdata; | |
1349 | struct hierarchy *h; | |
1350 | if (!d) | |
1351 | return NULL; | |
1352 | ||
1353 | h = get_hierarchy(d, subsystem); | |
1354 | if (!h) | |
1355 | return NULL; | |
1356 | ||
371f834d SH |
1357 | return h->fullcgpath ? h->fullcgpath + strlen(h->mountpoint) : NULL; |
1358 | } | |
1359 | ||
1360 | /* | |
1361 | * Given a cgroup path returned from lxc_cmd_get_cgroup_path, build a | |
1362 | * full path, which must be freed by the caller. | |
1363 | */ | |
1364 | static char *build_full_cgpath_from_monitorpath(struct hierarchy *h, | |
1365 | const char *inpath, | |
1366 | const char *filename) | |
1367 | { | |
1368 | /* | |
1369 | * XXX Remove this case after 2.0 release. It's for dealing with | |
1370 | * containers spawned under the old buggy cgfsng which wasn't around | |
1371 | * for long. | |
1372 | */ | |
1373 | if (strncmp(inpath, "/sys/fs/cgroup/", 15) == 0) | |
1374 | return must_make_path(inpath, filename, NULL); | |
1375 | return must_make_path(h->mountpoint, inpath, filename, NULL); | |
ccb4cabe SH |
1376 | } |
1377 | ||
1378 | static bool cgfsng_attach(const char *name, const char *lxcpath, pid_t pid) | |
1379 | { | |
1380 | struct cgfsng_handler_data *d; | |
1381 | char pidstr[25]; | |
1382 | int i, len; | |
1383 | ||
1384 | len = snprintf(pidstr, 25, "%d", pid); | |
1385 | if (len < 0 || len > 25) | |
1386 | return false; | |
1387 | ||
1388 | d = cgfsng_init(name); | |
1389 | if (!d) | |
1390 | return false; | |
1391 | ||
1392 | for (i = 0; d->hierarchies[i]; i++) { | |
1393 | char *path, *fullpath; | |
1394 | struct hierarchy *h = d->hierarchies[i]; | |
1395 | ||
1396 | path = lxc_cmd_get_cgroup_path(name, lxcpath, h->controllers[0]); | |
1397 | if (!path) // not running | |
1398 | continue; | |
1399 | ||
371f834d SH |
1400 | fullpath = build_full_cgpath_from_monitorpath(h, path, "cgroup.procs"); |
1401 | free(path); | |
ccb4cabe SH |
1402 | if (lxc_write_to_file(fullpath, pidstr, len, false) != 0) { |
1403 | SYSERROR("Failed to attach %d to %s", (int)pid, fullpath); | |
1404 | free(fullpath); | |
ccb4cabe SH |
1405 | free_handler_data(d); |
1406 | return false; | |
1407 | } | |
ccb4cabe SH |
1408 | free(fullpath); |
1409 | } | |
1410 | ||
1411 | free_handler_data(d); | |
1412 | return true; | |
1413 | } | |
1414 | ||
1415 | /* | |
1416 | * Called externally (i.e. from 'lxc-cgroup') to query cgroup limits. | |
1417 | * Here we don't have a cgroup_data set up, so we ask the running | |
1418 | * container through the commands API for the cgroup path | |
1419 | */ | |
1420 | static int cgfsng_get(const char *filename, char *value, size_t len, const char *name, const char *lxcpath) | |
1421 | { | |
1422 | char *subsystem, *p, *path; | |
1423 | struct cgfsng_handler_data *d; | |
1424 | struct hierarchy *h; | |
1425 | int ret = -1; | |
1426 | ||
1427 | subsystem = alloca(strlen(filename) + 1); | |
1428 | strcpy(subsystem, filename); | |
1429 | if ((p = strchr(subsystem, '.')) != NULL) | |
1430 | *p = '\0'; | |
1431 | ||
1432 | path = lxc_cmd_get_cgroup_path(name, lxcpath, subsystem); | |
1433 | if (!path) // not running | |
1434 | return -1; | |
1435 | ||
1436 | d = cgfsng_init(name); | |
1437 | if (!d) { | |
1438 | free(path); | |
1439 | return false; | |
1440 | } | |
1441 | ||
1442 | h = get_hierarchy(d, subsystem); | |
1443 | if (h) { | |
371f834d | 1444 | char *fullpath = build_full_cgpath_from_monitorpath(h, path, filename); |
ccb4cabe SH |
1445 | ret = lxc_read_from_file(fullpath, value, len); |
1446 | free(fullpath); | |
1447 | } | |
1448 | ||
1449 | free_handler_data(d); | |
1450 | free(path); | |
1451 | ||
1452 | return ret; | |
1453 | } | |
1454 | ||
1455 | /* | |
1456 | * Called externally (i.e. from 'lxc-cgroup') to set new cgroup limits. | |
1457 | * Here we don't have a cgroup_data set up, so we ask the running | |
1458 | * container through the commands API for the cgroup path | |
1459 | */ | |
1460 | static int cgfsng_set(const char *filename, const char *value, const char *name, const char *lxcpath) | |
1461 | { | |
1462 | char *subsystem, *p, *path; | |
1463 | struct cgfsng_handler_data *d; | |
1464 | struct hierarchy *h; | |
1465 | int ret = -1; | |
1466 | ||
1467 | subsystem = alloca(strlen(filename) + 1); | |
1468 | strcpy(subsystem, filename); | |
1469 | if ((p = strchr(subsystem, '.')) != NULL) | |
1470 | *p = '\0'; | |
1471 | ||
1472 | path = lxc_cmd_get_cgroup_path(name, lxcpath, subsystem); | |
1473 | if (!path) // not running | |
1474 | return -1; | |
1475 | ||
1476 | d = cgfsng_init(name); | |
1477 | if (!d) { | |
1478 | free(path); | |
1479 | return false; | |
1480 | } | |
1481 | ||
1482 | h = get_hierarchy(d, subsystem); | |
1483 | if (h) { | |
371f834d | 1484 | char *fullpath = build_full_cgpath_from_monitorpath(h, path, filename); |
ccb4cabe SH |
1485 | ret = lxc_write_to_file(fullpath, value, strlen(value), false); |
1486 | free(fullpath); | |
1487 | } | |
1488 | ||
1489 | free_handler_data(d); | |
1490 | free(path); | |
1491 | ||
1492 | return ret; | |
1493 | } | |
1494 | ||
ccb4cabe SH |
1495 | /* |
1496 | * Called from setup_limits - here we have the container's cgroup_data because | |
1497 | * we created the cgroups | |
1498 | */ | |
1499 | static int lxc_cgroup_set_data(const char *filename, const char *value, struct cgfsng_handler_data *d) | |
1500 | { | |
1501 | char *subsystem = NULL, *p; | |
1502 | int ret = -1; | |
1503 | struct hierarchy *h; | |
1504 | ||
1505 | subsystem = alloca(strlen(filename) + 1); | |
1506 | strcpy(subsystem, filename); | |
1507 | if ((p = strchr(subsystem, '.')) != NULL) | |
1508 | *p = '\0'; | |
1509 | ||
1510 | h = get_hierarchy(d, subsystem); | |
1511 | if (h) { | |
1512 | char *fullpath = must_make_path(h->fullcgpath, filename, NULL); | |
1513 | ret = lxc_write_to_file(fullpath, value, strlen(value), false); | |
1514 | free(fullpath); | |
1515 | } | |
1516 | return ret; | |
1517 | } | |
1518 | ||
1519 | static bool cgfsng_setup_limits(void *hdata, struct lxc_list *cgroup_settings, | |
1520 | bool do_devices) | |
1521 | { | |
1522 | struct cgfsng_handler_data *d = hdata; | |
1523 | struct lxc_list *iterator, *sorted_cgroup_settings, *next; | |
1524 | struct lxc_cgroup *cg; | |
1525 | struct hierarchy *h; | |
1526 | char *listpath = NULL; | |
1527 | bool ret = false; | |
1528 | ||
1529 | if (lxc_list_empty(cgroup_settings)) | |
1530 | return true; | |
1531 | ||
1532 | sorted_cgroup_settings = sort_cgroup_settings(cgroup_settings); | |
1533 | if (!sorted_cgroup_settings) { | |
1534 | return false; | |
1535 | } | |
1536 | ||
1537 | if (do_devices) { | |
1538 | h = get_hierarchy(d, "devices"); | |
1539 | if (!h) { | |
1c9da8da | 1540 | ERROR("No devices cgroup setup for %s", d->name); |
ccb4cabe SH |
1541 | return false; |
1542 | } | |
1543 | listpath = must_make_path(h->fullcgpath, "devices.list", NULL); | |
1544 | } | |
1545 | ||
1546 | lxc_list_for_each(iterator, sorted_cgroup_settings) { | |
1547 | cg = iterator->elem; | |
1548 | ||
1549 | if (do_devices == !strncmp("devices", cg->subsystem, 7)) { | |
ccb4cabe SH |
1550 | if (lxc_cgroup_set_data(cg->subsystem, cg->value, d)) { |
1551 | if (do_devices && (errno == EACCES || errno == EPERM)) { | |
1552 | WARN("Error setting %s to %s for %s", | |
1553 | cg->subsystem, cg->value, d->name); | |
1554 | continue; | |
1555 | } | |
1556 | SYSERROR("Error setting %s to %s for %s", | |
1557 | cg->subsystem, cg->value, d->name); | |
1558 | goto out; | |
1559 | } | |
1560 | } | |
1561 | ||
1562 | DEBUG("cgroup '%s' set to '%s'", cg->subsystem, cg->value); | |
1563 | } | |
1564 | ||
1565 | ret = true; | |
1566 | INFO("cgroup has been setup"); | |
1567 | out: | |
1568 | free(listpath); | |
1569 | lxc_list_for_each_safe(iterator, sorted_cgroup_settings, next) { | |
1570 | lxc_list_del(iterator); | |
1571 | free(iterator); | |
1572 | } | |
1573 | free(sorted_cgroup_settings); | |
1574 | return ret; | |
1575 | } | |
1576 | ||
1577 | static struct cgroup_ops cgfsng_ops = { | |
1578 | .init = cgfsng_init, | |
1579 | .destroy = cgfsng_destroy, | |
1580 | .create = cgfsng_create, | |
1581 | .enter = cgfsng_enter, | |
1582 | .canonical_path = cgfsng_canonical_path, | |
1583 | .escape = cgfsng_escape, | |
1584 | .get_cgroup = cgfsng_get_cgroup, | |
1585 | .get = cgfsng_get, | |
1586 | .set = cgfsng_set, | |
1587 | .unfreeze = cgfsng_unfreeze, | |
1588 | .setup_limits = cgfsng_setup_limits, | |
1589 | .name = "cgroupfs-ng", | |
1590 | .attach = cgfsng_attach, | |
1591 | .chown = cgfsns_chown, | |
1592 | .mount_cgroup = cgfsng_mount, | |
1593 | .nrtasks = cgfsng_nrtasks, | |
1594 | .driver = CGFSNG, | |
1595 | ||
1596 | /* unsupported */ | |
1597 | .create_legacy = NULL, | |
1598 | }; |