]>
Commit | Line | Data |
---|---|---|
576f946d | 1 | /* |
2 | * lxc: linux Container library | |
3 | * | |
4 | * (C) Copyright IBM Corp. 2007, 2008 | |
5 | * | |
6 | * Authors: | |
9afe19d6 | 7 | * Daniel Lezcano <daniel.lezcano at free.fr> |
576f946d | 8 | * |
9 | * This library is free software; you can redistribute it and/or | |
10 | * modify it under the terms of the GNU Lesser General Public | |
11 | * License as published by the Free Software Foundation; either | |
12 | * version 2.1 of the License, or (at your option) any later version. | |
13 | * | |
14 | * This library is distributed in the hope that it will be useful, | |
15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
17 | * Lesser General Public License for more details. | |
18 | * | |
19 | * You should have received a copy of the GNU Lesser General Public | |
20 | * License along with this library; if not, write to the Free Software | |
250b1eec | 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA |
576f946d | 22 | */ |
d06245b8 NC |
23 | #include "config.h" |
24 | ||
576f946d | 25 | #include <stdio.h> |
576f946d | 26 | #include <stdlib.h> |
27 | #include <errno.h> | |
576f946d | 28 | #include <unistd.h> |
29 | #include <string.h> | |
341a9bd8 | 30 | #include <dirent.h> |
576f946d | 31 | #include <fcntl.h> |
8b276860 | 32 | #include <grp.h> |
b98f7d6e | 33 | #include <ctype.h> |
576f946d | 34 | #include <sys/types.h> |
35 | #include <sys/stat.h> | |
36 | #include <sys/param.h> | |
37 | #include <sys/inotify.h> | |
aae1f3c4 | 38 | #include <sys/mount.h> |
576f946d | 39 | #include <netinet/in.h> |
40 | #include <net/if.h> | |
41 | ||
e2bcd7db | 42 | #include "error.h" |
ae5c8b8e | 43 | #include "commands.h" |
b98f7d6e SH |
44 | #include "list.h" |
45 | #include "conf.h" | |
33ad9f1a | 46 | #include "utils.h" |
f2363e38 ÇO |
47 | #include "log.h" |
48 | #include "cgroup.h" | |
49 | #include "start.h" | |
484ed030 | 50 | #include "state.h" |
28d832c4 | 51 | #include "storage.h" |
36eb9bde | 52 | |
edaf8b1b SG |
53 | #if IS_BIONIC |
54 | #include <../include/lxcmntent.h> | |
55 | #else | |
56 | #include <mntent.h> | |
57 | #endif | |
58 | ||
4fb3cba5 DE |
59 | struct cgroup_hierarchy; |
60 | struct cgroup_meta_data; | |
61 | struct cgroup_mount_point; | |
62 | ||
63 | /* | |
64 | * cgroup_meta_data: the metadata about the cgroup infrastructure on this | |
65 | * host | |
66 | */ | |
67 | struct cgroup_meta_data { | |
68 | ptrdiff_t ref; /* simple refcount */ | |
69 | struct cgroup_hierarchy **hierarchies; | |
70 | struct cgroup_mount_point **mount_points; | |
71 | int maximum_hierarchy; | |
72 | }; | |
73 | ||
74 | /* | |
75 | * cgroup_hierarchy: describes a single cgroup hierarchy | |
76 | * (may have multiple mount points) | |
77 | */ | |
78 | struct cgroup_hierarchy { | |
79 | int index; | |
80 | bool used; /* false if the hierarchy should be ignored by lxc */ | |
81 | char **subsystems; | |
82 | struct cgroup_mount_point *rw_absolute_mount_point; | |
83 | struct cgroup_mount_point *ro_absolute_mount_point; | |
84 | struct cgroup_mount_point **all_mount_points; | |
85 | size_t all_mount_point_capacity; | |
86 | }; | |
87 | ||
88 | /* | |
89 | * cgroup_mount_point: a mount point to where a hierarchy | |
90 | * is mounted to | |
91 | */ | |
92 | struct cgroup_mount_point { | |
93 | struct cgroup_hierarchy *hierarchy; | |
94 | char *mount_point; | |
95 | char *mount_prefix; | |
96 | bool read_only; | |
97 | bool need_cpuset_init; | |
98 | }; | |
99 | ||
100 | /* | |
101 | * cgroup_process_info: describes the membership of a | |
102 | * process to the different cgroup | |
103 | * hierarchies | |
104 | * | |
105 | * Note this is the per-process info tracked by the cgfs_ops. | |
4fb3cba5 DE |
106 | */ |
107 | struct cgroup_process_info { | |
108 | struct cgroup_process_info *next; | |
109 | struct cgroup_meta_data *meta_ref; | |
110 | struct cgroup_hierarchy *hierarchy; | |
111 | char *cgroup_path; | |
112 | char *cgroup_path_sub; | |
113 | char **created_paths; | |
114 | size_t created_paths_capacity; | |
115 | size_t created_paths_count; | |
116 | struct cgroup_mount_point *designated_mount_point; | |
117 | }; | |
118 | ||
119 | struct cgfs_data { | |
120 | char *name; | |
121 | const char *cgroup_pattern; | |
122 | struct cgroup_meta_data *meta; | |
123 | struct cgroup_process_info *info; | |
124 | }; | |
125 | ||
126 | lxc_log_define(lxc_cgfs, lxc); | |
576f946d | 127 | |
33ad9f1a CS |
128 | static struct cgroup_process_info *lxc_cgroup_process_info_getx(const char *proc_pid_cgroup_str, struct cgroup_meta_data *meta); |
129 | static char **subsystems_from_mount_options(const char *mount_options, char **kernel_list); | |
130 | static void lxc_cgroup_mount_point_free(struct cgroup_mount_point *mp); | |
131 | static void lxc_cgroup_hierarchy_free(struct cgroup_hierarchy *h); | |
132 | static bool is_valid_cgroup(const char *name); | |
33ad9f1a | 133 | static int create_cgroup(struct cgroup_mount_point *mp, const char *path); |
6a9e0f26 SH |
134 | static int remove_cgroup(struct cgroup_mount_point *mp, const char *path, bool recurse, |
135 | struct lxc_conf *conf); | |
33ad9f1a CS |
136 | static char *cgroup_to_absolute_path(struct cgroup_mount_point *mp, const char *path, const char *suffix); |
137 | static struct cgroup_process_info *find_info_for_subsystem(struct cgroup_process_info *info, const char *subsystem); | |
138 | static int do_cgroup_get(const char *cgroup_path, const char *sub_filename, char *value, size_t len); | |
139 | static int do_cgroup_set(const char *cgroup_path, const char *sub_filename, const char *value); | |
4fb3cba5 DE |
140 | static bool cgroup_devices_has_allow_or_deny(struct cgfs_data *d, char *v, bool for_allow); |
141 | static int do_setup_cgroup_limits(struct cgfs_data *d, struct lxc_list *cgroup_settings, bool do_devices); | |
33ad9f1a | 142 | static int cgroup_recursive_task_count(const char *cgroup_path); |
1ea59ad2 | 143 | static int handle_cgroup_settings(struct cgroup_mount_point *mp, char *cgroup_path); |
d703c2b1 | 144 | static bool init_cpuset_if_needed(struct cgroup_mount_point *mp, const char *path); |
33ad9f1a | 145 | |
4fb3cba5 DE |
146 | static struct cgroup_meta_data *lxc_cgroup_load_meta2(const char **subsystem_whitelist); |
147 | static struct cgroup_meta_data *lxc_cgroup_get_meta(struct cgroup_meta_data *meta_data); | |
148 | static struct cgroup_meta_data *lxc_cgroup_put_meta(struct cgroup_meta_data *meta_data); | |
149 | ||
150 | /* free process membership information */ | |
151 | static void lxc_cgroup_process_info_free(struct cgroup_process_info *info); | |
6a9e0f26 SH |
152 | static void lxc_cgroup_process_info_free_and_remove(struct cgroup_process_info *info, |
153 | struct lxc_conf *conf); | |
4fb3cba5 | 154 | |
d4ef7c50 | 155 | static struct cgroup_ops cgfs_ops; |
d4ef7c50 | 156 | |
603c64c2 SH |
157 | static int cgroup_rmdir(char *dirname) |
158 | { | |
74f96976 | 159 | struct dirent *direntp; |
603c64c2 SH |
160 | int saved_errno = 0; |
161 | DIR *dir; | |
162 | int ret, failed=0; | |
163 | char pathname[MAXPATHLEN]; | |
164 | ||
165 | dir = opendir(dirname); | |
166 | if (!dir) { | |
b103ceac | 167 | ERROR("Failed to open %s", dirname); |
603c64c2 SH |
168 | return -1; |
169 | } | |
170 | ||
74f96976 | 171 | while ((direntp = readdir(dir))) { |
603c64c2 SH |
172 | struct stat mystat; |
173 | int rc; | |
174 | ||
175 | if (!direntp) | |
176 | break; | |
177 | ||
178 | if (!strcmp(direntp->d_name, ".") || | |
179 | !strcmp(direntp->d_name, "..")) | |
180 | continue; | |
181 | ||
182 | rc = snprintf(pathname, MAXPATHLEN, "%s/%s", dirname, direntp->d_name); | |
183 | if (rc < 0 || rc >= MAXPATHLEN) { | |
184 | ERROR("pathname too long"); | |
185 | failed=1; | |
186 | if (!saved_errno) | |
187 | saved_errno = -ENOMEM; | |
188 | continue; | |
189 | } | |
190 | ret = lstat(pathname, &mystat); | |
191 | if (ret) { | |
b103ceac | 192 | SYSERROR("Failed to stat %s", pathname); |
603c64c2 SH |
193 | failed=1; |
194 | if (!saved_errno) | |
195 | saved_errno = errno; | |
196 | continue; | |
197 | } | |
198 | if (S_ISDIR(mystat.st_mode)) { | |
199 | if (cgroup_rmdir(pathname) < 0) { | |
200 | if (!saved_errno) | |
201 | saved_errno = errno; | |
202 | failed=1; | |
203 | } | |
204 | } | |
205 | } | |
206 | ||
207 | if (rmdir(dirname) < 0) { | |
b103ceac | 208 | SYSERROR("Failed to delete %s", dirname); |
603c64c2 SH |
209 | if (!saved_errno) |
210 | saved_errno = errno; | |
211 | failed=1; | |
212 | } | |
213 | ||
214 | ret = closedir(dir); | |
215 | if (ret) { | |
b103ceac | 216 | SYSERROR("Failed to close directory %s", dirname); |
603c64c2 SH |
217 | if (!saved_errno) |
218 | saved_errno = errno; | |
219 | failed=1; | |
220 | } | |
221 | ||
222 | errno = saved_errno; | |
223 | return failed ? -1 : 0; | |
224 | } | |
225 | ||
6a9e0f26 SH |
226 | static int rmdir_wrapper(void *data) |
227 | { | |
228 | char *path = data; | |
229 | ||
230 | if (setresgid(0,0,0) < 0) | |
231 | SYSERROR("Failed to setgid to 0"); | |
232 | if (setresuid(0,0,0) < 0) | |
233 | SYSERROR("Failed to setuid to 0"); | |
234 | if (setgroups(0, NULL) < 0) | |
235 | SYSERROR("Failed to clear groups"); | |
236 | ||
237 | return cgroup_rmdir(path); | |
238 | } | |
239 | ||
4fb3cba5 | 240 | static struct cgroup_meta_data *lxc_cgroup_load_meta() |
33ad9f1a CS |
241 | { |
242 | const char *cgroup_use = NULL; | |
243 | char **cgroup_use_list = NULL; | |
244 | struct cgroup_meta_data *md = NULL; | |
245 | int saved_errno; | |
246 | ||
247 | errno = 0; | |
593e8478 | 248 | cgroup_use = lxc_global_config_value("lxc.cgroup.use"); |
33ad9f1a CS |
249 | if (!cgroup_use && errno != 0) |
250 | return NULL; | |
251 | if (cgroup_use) { | |
252 | cgroup_use_list = lxc_string_split_and_trim(cgroup_use, ','); | |
253 | if (!cgroup_use_list) | |
254 | return NULL; | |
255 | } | |
576f946d | 256 | |
33ad9f1a CS |
257 | md = lxc_cgroup_load_meta2((const char **)cgroup_use_list); |
258 | saved_errno = errno; | |
259 | lxc_free_array((void **)cgroup_use_list, free); | |
260 | errno = saved_errno; | |
261 | return md; | |
262 | } | |
fd37327f | 263 | |
b653309a | 264 | /* Step 1: determine all kernel subsystems */ |
4fb3cba5 | 265 | static bool find_cgroup_subsystems(char ***kernel_subsystems) |
1d39a065 | 266 | { |
b653309a SH |
267 | FILE *proc_cgroups; |
268 | bool bret = false; | |
33ad9f1a CS |
269 | char *line = NULL; |
270 | size_t sz = 0; | |
b653309a SH |
271 | size_t kernel_subsystems_count = 0; |
272 | size_t kernel_subsystems_capacity = 0; | |
273 | int r; | |
1d39a065 | 274 | |
33ad9f1a CS |
275 | proc_cgroups = fopen_cloexec("/proc/cgroups", "r"); |
276 | if (!proc_cgroups) | |
b653309a | 277 | return false; |
1d39a065 | 278 | |
33ad9f1a CS |
279 | while (getline(&line, &sz, proc_cgroups) != -1) { |
280 | char *tab1; | |
281 | char *tab2; | |
282 | int hierarchy_number; | |
1d39a065 | 283 | |
33ad9f1a CS |
284 | if (line[0] == '#') |
285 | continue; | |
286 | if (!line[0]) | |
287 | continue; | |
1d39a065 | 288 | |
33ad9f1a CS |
289 | tab1 = strchr(line, '\t'); |
290 | if (!tab1) | |
8900b9eb | 291 | continue; |
33ad9f1a CS |
292 | *tab1++ = '\0'; |
293 | tab2 = strchr(tab1, '\t'); | |
294 | if (!tab2) | |
295 | continue; | |
296 | *tab2 = '\0'; | |
fd37327f | 297 | |
33ad9f1a CS |
298 | tab2 = NULL; |
299 | hierarchy_number = strtoul(tab1, &tab2, 10); | |
300 | if (!tab2 || *tab2) | |
301 | continue; | |
302 | (void)hierarchy_number; | |
303 | ||
b653309a | 304 | r = lxc_grow_array((void ***)kernel_subsystems, &kernel_subsystems_capacity, kernel_subsystems_count + 1, 12); |
33ad9f1a | 305 | if (r < 0) |
b653309a SH |
306 | goto out; |
307 | (*kernel_subsystems)[kernel_subsystems_count] = strdup(line); | |
308 | if (!(*kernel_subsystems)[kernel_subsystems_count]) | |
309 | goto out; | |
33ad9f1a | 310 | kernel_subsystems_count++; |
bcbd102c | 311 | } |
b653309a | 312 | bret = true; |
0d9f8e18 | 313 | |
b653309a | 314 | out: |
33ad9f1a | 315 | fclose(proc_cgroups); |
0ccf7c2a | 316 | free(line); |
b653309a SH |
317 | return bret; |
318 | } | |
319 | ||
320 | /* Step 2: determine all hierarchies (by reading /proc/self/cgroup), | |
321 | * since mount points don't specify hierarchy number and | |
322 | * /proc/cgroups does not contain named hierarchies | |
323 | */ | |
324 | static bool find_cgroup_hierarchies(struct cgroup_meta_data *meta_data, | |
325 | bool all_kernel_subsystems, bool all_named_subsystems, | |
326 | const char **subsystem_whitelist) | |
327 | { | |
328 | FILE *proc_self_cgroup; | |
329 | char *line = NULL; | |
330 | size_t sz = 0; | |
331 | int r; | |
332 | bool bret = false; | |
333 | size_t hierarchy_capacity = 0; | |
ef6e34ee | 334 | |
33ad9f1a CS |
335 | proc_self_cgroup = fopen_cloexec("/proc/self/cgroup", "r"); |
336 | /* if for some reason (because of setns() and pid namespace for example), | |
337 | * /proc/self is not valid, we try /proc/1/cgroup... */ | |
338 | if (!proc_self_cgroup) | |
339 | proc_self_cgroup = fopen_cloexec("/proc/1/cgroup", "r"); | |
340 | if (!proc_self_cgroup) | |
b653309a | 341 | return false; |
33ad9f1a CS |
342 | |
343 | while (getline(&line, &sz, proc_self_cgroup) != -1) { | |
344 | /* file format: hierarchy:subsystems:group, | |
345 | * we only extract hierarchy and subsystems | |
346 | * here */ | |
347 | char *colon1; | |
348 | char *colon2; | |
349 | int hierarchy_number; | |
350 | struct cgroup_hierarchy *h = NULL; | |
351 | char **p; | |
352 | ||
353 | if (!line[0]) | |
354 | continue; | |
ad08bbb7 | 355 | |
33ad9f1a CS |
356 | colon1 = strchr(line, ':'); |
357 | if (!colon1) | |
8900b9eb | 358 | continue; |
33ad9f1a CS |
359 | *colon1++ = '\0'; |
360 | colon2 = strchr(colon1, ':'); | |
361 | if (!colon2) | |
362 | continue; | |
363 | *colon2 = '\0'; | |
ad08bbb7 | 364 | |
33ad9f1a | 365 | colon2 = NULL; |
82a2fe03 CB |
366 | |
367 | /* With cgroupv2 /proc/self/cgroup can contain entries of the | |
368 | * form: 0::/ | |
369 | * These entries need to be skipped. | |
370 | */ | |
371 | if (!strcmp(colon1, "")) | |
372 | continue; | |
373 | ||
33ad9f1a CS |
374 | hierarchy_number = strtoul(line, &colon2, 10); |
375 | if (!colon2 || *colon2) | |
376 | continue; | |
576f946d | 377 | |
33ad9f1a CS |
378 | if (hierarchy_number > meta_data->maximum_hierarchy) { |
379 | /* lxc_grow_array will never shrink, so even if we find a lower | |
380 | * hierarchy number here, the array will never be smaller | |
381 | */ | |
382 | r = lxc_grow_array((void ***)&meta_data->hierarchies, &hierarchy_capacity, hierarchy_number + 1, 12); | |
383 | if (r < 0) | |
b653309a | 384 | goto out; |
5193cc3d | 385 | |
33ad9f1a CS |
386 | meta_data->maximum_hierarchy = hierarchy_number; |
387 | } | |
fd37327f | 388 | |
33ad9f1a CS |
389 | /* this shouldn't happen, we had this already */ |
390 | if (meta_data->hierarchies[hierarchy_number]) | |
b653309a | 391 | goto out; |
33ad9f1a CS |
392 | |
393 | h = calloc(1, sizeof(struct cgroup_hierarchy)); | |
394 | if (!h) | |
b653309a | 395 | goto out; |
33ad9f1a CS |
396 | |
397 | meta_data->hierarchies[hierarchy_number] = h; | |
398 | ||
399 | h->index = hierarchy_number; | |
400 | h->subsystems = lxc_string_split_and_trim(colon1, ','); | |
401 | if (!h->subsystems) | |
b653309a | 402 | goto out; |
33ad9f1a CS |
403 | /* see if this hierarchy should be considered */ |
404 | if (!all_kernel_subsystems || !all_named_subsystems) { | |
405 | for (p = h->subsystems; *p; p++) { | |
406 | if (!strncmp(*p, "name=", 5)) { | |
407 | if (all_named_subsystems || (subsystem_whitelist && lxc_string_in_array(*p, subsystem_whitelist))) { | |
408 | h->used = true; | |
409 | break; | |
410 | } | |
411 | } else { | |
412 | if (all_kernel_subsystems || (subsystem_whitelist && lxc_string_in_array(*p, subsystem_whitelist))) { | |
413 | h->used = true; | |
414 | break; | |
415 | } | |
416 | } | |
417 | } | |
418 | } else { | |
419 | /* we want all hierarchy anyway */ | |
420 | h->used = true; | |
ae5c8b8e | 421 | } |
ae5c8b8e | 422 | } |
b653309a | 423 | bret = true; |
0b9c21ab | 424 | |
b653309a | 425 | out: |
33ad9f1a | 426 | fclose(proc_self_cgroup); |
0ccf7c2a | 427 | free(line); |
b653309a SH |
428 | return bret; |
429 | } | |
430 | ||
431 | /* Step 3: determine all mount points of each hierarchy */ | |
432 | static bool find_hierarchy_mountpts( struct cgroup_meta_data *meta_data, char **kernel_subsystems) | |
433 | { | |
434 | bool bret = false; | |
435 | FILE *proc_self_mountinfo; | |
436 | char *line = NULL; | |
437 | size_t sz = 0; | |
438 | char **tokens = NULL; | |
439 | size_t mount_point_count = 0; | |
440 | size_t mount_point_capacity = 0; | |
441 | size_t token_capacity = 0; | |
442 | int r; | |
fcca16bc | 443 | bool is_cgns = cgns_supported(); |
b653309a | 444 | |
33ad9f1a CS |
445 | proc_self_mountinfo = fopen_cloexec("/proc/self/mountinfo", "r"); |
446 | /* if for some reason (because of setns() and pid namespace for example), | |
447 | * /proc/self is not valid, we try /proc/1/cgroup... */ | |
448 | if (!proc_self_mountinfo) | |
449 | proc_self_mountinfo = fopen_cloexec("/proc/1/mountinfo", "r"); | |
450 | if (!proc_self_mountinfo) | |
b653309a | 451 | return false; |
33ad9f1a CS |
452 | |
453 | while (getline(&line, &sz, proc_self_mountinfo) != -1) { | |
178938fe | 454 | char *token, *line_tok, *saveptr = NULL; |
33ad9f1a CS |
455 | size_t i, j, k; |
456 | struct cgroup_mount_point *mount_point; | |
457 | struct cgroup_hierarchy *h; | |
458 | char **subsystems; | |
836514a8 | 459 | bool is_lxcfs = false; |
33ad9f1a CS |
460 | |
461 | if (line[0] && line[strlen(line) - 1] == '\n') | |
462 | line[strlen(line) - 1] = '\0'; | |
463 | ||
178938fe | 464 | for (i = 0, line_tok = line; (token = strtok_r(line_tok, " ", &saveptr)); line_tok = NULL) { |
33ad9f1a CS |
465 | r = lxc_grow_array((void ***)&tokens, &token_capacity, i + 1, 64); |
466 | if (r < 0) | |
b653309a | 467 | goto out; |
33ad9f1a CS |
468 | tokens[i++] = token; |
469 | } | |
b98f7d6e | 470 | |
33ad9f1a CS |
471 | /* layout of /proc/self/mountinfo: |
472 | * 0: id | |
473 | * 1: parent id | |
474 | * 2: device major:minor | |
475 | * 3: mount prefix | |
8900b9eb | 476 | * 4: mount point |
33ad9f1a CS |
477 | * 5: per-mount options |
478 | * [optional X]: additional data | |
479 | * X+7: "-" | |
480 | * X+8: type | |
481 | * X+9: source | |
482 | * X+10: per-superblock options | |
483 | */ | |
484 | for (j = 6; j < i && tokens[j]; j++) | |
485 | if (!strcmp(tokens[j], "-")) | |
486 | break; | |
fd4f5a56 | 487 | |
33ad9f1a CS |
488 | /* could not find separator */ |
489 | if (j >= i || !tokens[j]) | |
490 | continue; | |
491 | /* there should be exactly three fields after | |
492 | * the separator | |
493 | */ | |
494 | if (i != j + 4) | |
495 | continue; | |
fd4f5a56 | 496 | |
33ad9f1a | 497 | /* not a cgroup filesystem */ |
836514a8 U |
498 | if (strcmp(tokens[j + 1], "cgroup") != 0) { |
499 | if (strcmp(tokens[j + 1], "fuse.lxcfs") != 0) | |
500 | continue; | |
501 | if (strncmp(tokens[4], "/sys/fs/cgroup/", 15) != 0) | |
502 | continue; | |
503 | is_lxcfs = true; | |
504 | char *curtok = tokens[4] + 15; | |
505 | subsystems = subsystems_from_mount_options(curtok, | |
506 | kernel_subsystems); | |
507 | } else | |
508 | subsystems = subsystems_from_mount_options(tokens[j + 3], | |
509 | kernel_subsystems); | |
33ad9f1a | 510 | if (!subsystems) |
b653309a | 511 | goto out; |
33ad9f1a CS |
512 | |
513 | h = NULL; | |
517587ef | 514 | for (k = 0; k <= meta_data->maximum_hierarchy; k++) { |
33ad9f1a CS |
515 | if (meta_data->hierarchies[k] && |
516 | meta_data->hierarchies[k]->subsystems[0] && | |
517 | lxc_string_in_array(meta_data->hierarchies[k]->subsystems[0], (const char **)subsystems)) { | |
518 | /* TODO: we could also check if the lists really match completely, | |
519 | * just to have an additional sanity check */ | |
520 | h = meta_data->hierarchies[k]; | |
b98f7d6e | 521 | break; |
33ad9f1a | 522 | } |
b98f7d6e | 523 | } |
33ad9f1a | 524 | lxc_free_array((void **)subsystems, free); |
287df277 CB |
525 | if (!h) |
526 | goto out; | |
33ad9f1a CS |
527 | |
528 | r = lxc_grow_array((void ***)&meta_data->mount_points, &mount_point_capacity, mount_point_count + 1, 12); | |
529 | if (r < 0) | |
b653309a | 530 | goto out; |
33ad9f1a CS |
531 | |
532 | /* create mount point object */ | |
533 | mount_point = calloc(1, sizeof(*mount_point)); | |
534 | if (!mount_point) | |
b653309a | 535 | goto out; |
33ad9f1a CS |
536 | |
537 | meta_data->mount_points[mount_point_count++] = mount_point; | |
538 | ||
539 | mount_point->hierarchy = h; | |
fcca16bc | 540 | if (is_lxcfs || is_cgns) |
836514a8 U |
541 | mount_point->mount_prefix = strdup("/"); |
542 | else | |
543 | mount_point->mount_prefix = strdup(tokens[3]); | |
33ad9f1a | 544 | mount_point->mount_point = strdup(tokens[4]); |
33ad9f1a | 545 | if (!mount_point->mount_point || !mount_point->mount_prefix) |
b653309a | 546 | goto out; |
33ad9f1a CS |
547 | mount_point->read_only = !lxc_string_in_list("rw", tokens[5], ','); |
548 | ||
549 | if (!strcmp(mount_point->mount_prefix, "/")) { | |
550 | if (mount_point->read_only) { | |
551 | if (!h->ro_absolute_mount_point) | |
552 | h->ro_absolute_mount_point = mount_point; | |
553 | } else { | |
554 | if (!h->rw_absolute_mount_point) | |
555 | h->rw_absolute_mount_point = mount_point; | |
556 | } | |
b98f7d6e | 557 | } |
ae5c8b8e | 558 | |
9d6514f2 CB |
559 | if (h) |
560 | k = lxc_array_len((void **)h->all_mount_points); | |
561 | else | |
562 | k = 0; | |
33ad9f1a CS |
563 | r = lxc_grow_array((void ***)&h->all_mount_points, &h->all_mount_point_capacity, k + 1, 4); |
564 | if (r < 0) | |
b653309a | 565 | goto out; |
33ad9f1a | 566 | h->all_mount_points[k] = mount_point; |
fd4f5a56 | 567 | } |
b653309a SH |
568 | bret = true; |
569 | ||
570 | out: | |
b653309a | 571 | fclose(proc_self_mountinfo); |
b653309a | 572 | free(tokens); |
2cdafc54 | 573 | free(line); |
b653309a SH |
574 | return bret; |
575 | } | |
576 | ||
4fb3cba5 | 577 | static struct cgroup_meta_data *lxc_cgroup_load_meta2(const char **subsystem_whitelist) |
b653309a SH |
578 | { |
579 | bool all_kernel_subsystems = true; | |
580 | bool all_named_subsystems = false; | |
581 | struct cgroup_meta_data *meta_data = NULL; | |
582 | char **kernel_subsystems = NULL; | |
583 | int saved_errno = 0; | |
584 | ||
585 | /* if the subsystem whitelist is not specified, include all | |
586 | * hierarchies that contain kernel subsystems by default but | |
587 | * no hierarchies that only contain named subsystems | |
588 | * | |
589 | * if it is specified, the specifier @all will select all | |
590 | * hierarchies, @kernel will select all hierarchies with | |
591 | * kernel subsystems and @named will select all named | |
592 | * hierarchies | |
593 | */ | |
594 | all_kernel_subsystems = subsystem_whitelist ? | |
595 | (lxc_string_in_array("@kernel", subsystem_whitelist) || lxc_string_in_array("@all", subsystem_whitelist)) : | |
596 | true; | |
597 | all_named_subsystems = subsystem_whitelist ? | |
598 | (lxc_string_in_array("@named", subsystem_whitelist) || lxc_string_in_array("@all", subsystem_whitelist)) : | |
79c59e6b | 599 | true; |
b653309a SH |
600 | |
601 | meta_data = calloc(1, sizeof(struct cgroup_meta_data)); | |
602 | if (!meta_data) | |
603 | return NULL; | |
604 | meta_data->ref = 1; | |
605 | ||
606 | if (!find_cgroup_subsystems(&kernel_subsystems)) | |
607 | goto out_error; | |
608 | ||
609 | if (!find_cgroup_hierarchies(meta_data, all_kernel_subsystems, | |
610 | all_named_subsystems, subsystem_whitelist)) | |
611 | goto out_error; | |
612 | ||
613 | if (!find_hierarchy_mountpts(meta_data, kernel_subsystems)) | |
614 | goto out_error; | |
fd4f5a56 | 615 | |
33ad9f1a CS |
616 | /* oops, we couldn't find anything */ |
617 | if (!meta_data->hierarchies || !meta_data->mount_points) { | |
618 | errno = EINVAL; | |
619 | goto out_error; | |
ae5c8b8e | 620 | } |
fd4f5a56 | 621 | |
3a0abb3a | 622 | lxc_free_array((void **)kernel_subsystems, free); |
33ad9f1a CS |
623 | return meta_data; |
624 | ||
625 | out_error: | |
626 | saved_errno = errno; | |
33ad9f1a CS |
627 | lxc_free_array((void **)kernel_subsystems, free); |
628 | lxc_cgroup_put_meta(meta_data); | |
629 | errno = saved_errno; | |
630 | return NULL; | |
fd4f5a56 DL |
631 | } |
632 | ||
4fb3cba5 | 633 | static struct cgroup_meta_data *lxc_cgroup_get_meta(struct cgroup_meta_data *meta_data) |
e14f67a7 | 634 | { |
33ad9f1a CS |
635 | meta_data->ref++; |
636 | return meta_data; | |
637 | } | |
e14f67a7 | 638 | |
4fb3cba5 | 639 | static struct cgroup_meta_data *lxc_cgroup_put_meta(struct cgroup_meta_data *meta_data) |
33ad9f1a CS |
640 | { |
641 | size_t i; | |
642 | if (!meta_data) | |
643 | return NULL; | |
644 | if (--meta_data->ref > 0) | |
645 | return meta_data; | |
646 | lxc_free_array((void **)meta_data->mount_points, (lxc_free_fn)lxc_cgroup_mount_point_free); | |
2446c321 | 647 | if (meta_data->hierarchies) |
33ad9f1a | 648 | for (i = 0; i <= meta_data->maximum_hierarchy; i++) |
2446c321 CB |
649 | if (meta_data->hierarchies[i]) |
650 | lxc_cgroup_hierarchy_free(meta_data->hierarchies[i]); | |
33ad9f1a | 651 | free(meta_data->hierarchies); |
178938fe | 652 | free(meta_data); |
33ad9f1a | 653 | return NULL; |
e14f67a7 U |
654 | } |
655 | ||
4fb3cba5 | 656 | static struct cgroup_hierarchy *lxc_cgroup_find_hierarchy(struct cgroup_meta_data *meta_data, const char *subsystem) |
e14f67a7 | 657 | { |
33ad9f1a CS |
658 | size_t i; |
659 | for (i = 0; i <= meta_data->maximum_hierarchy; i++) { | |
660 | struct cgroup_hierarchy *h = meta_data->hierarchies[i]; | |
517587ef CB |
661 | if (!h) |
662 | continue; | |
33ad9f1a CS |
663 | if (h && lxc_string_in_array(subsystem, (const char **)h->subsystems)) |
664 | return h; | |
e14f67a7 | 665 | } |
e14f67a7 U |
666 | return NULL; |
667 | } | |
668 | ||
d3f99e96 SH |
669 | static bool mountpoint_is_accessible(struct cgroup_mount_point *mp) |
670 | { | |
671 | return mp && access(mp->mount_point, F_OK) == 0; | |
672 | } | |
673 | ||
4fb3cba5 | 674 | static struct cgroup_mount_point *lxc_cgroup_find_mount_point(struct cgroup_hierarchy *hierarchy, const char *group, bool should_be_writable) |
b98f7d6e | 675 | { |
33ad9f1a CS |
676 | struct cgroup_mount_point **mps; |
677 | struct cgroup_mount_point *current_result = NULL; | |
678 | ssize_t quality = -1; | |
b98f7d6e | 679 | |
33ad9f1a | 680 | /* trivial case */ |
d3f99e96 | 681 | if (mountpoint_is_accessible(hierarchy->rw_absolute_mount_point)) |
33ad9f1a | 682 | return hierarchy->rw_absolute_mount_point; |
d3f99e96 | 683 | if (!should_be_writable && mountpoint_is_accessible(hierarchy->ro_absolute_mount_point)) |
33ad9f1a | 684 | return hierarchy->ro_absolute_mount_point; |
b98f7d6e | 685 | |
33ad9f1a CS |
686 | for (mps = hierarchy->all_mount_points; mps && *mps; mps++) { |
687 | struct cgroup_mount_point *mp = *mps; | |
688 | size_t prefix_len = mp->mount_prefix ? strlen(mp->mount_prefix) : 0; | |
b98f7d6e | 689 | |
33ad9f1a CS |
690 | if (prefix_len == 1 && mp->mount_prefix[0] == '/') |
691 | prefix_len = 0; | |
b98f7d6e | 692 | |
d3f99e96 SH |
693 | if (!mountpoint_is_accessible(mp)) |
694 | continue; | |
695 | ||
33ad9f1a CS |
696 | if (should_be_writable && mp->read_only) |
697 | continue; | |
698 | ||
699 | if (!prefix_len || | |
700 | (strncmp(group, mp->mount_prefix, prefix_len) == 0 && | |
701 | (group[prefix_len] == '\0' || group[prefix_len] == '/'))) { | |
702 | /* search for the best quality match, i.e. the match with the | |
703 | * shortest prefix where this group is still contained | |
704 | */ | |
705 | if (quality == -1 || prefix_len < quality) { | |
706 | current_result = mp; | |
707 | quality = prefix_len; | |
708 | } | |
b98f7d6e SH |
709 | } |
710 | } | |
711 | ||
33ad9f1a CS |
712 | if (!current_result) |
713 | errno = ENOENT; | |
714 | return current_result; | |
b98f7d6e SH |
715 | } |
716 | ||
4fb3cba5 | 717 | static char *lxc_cgroup_find_abs_path(const char *subsystem, const char *group, bool should_be_writable, const char *suffix) |
b98f7d6e | 718 | { |
33ad9f1a CS |
719 | struct cgroup_meta_data *meta_data; |
720 | struct cgroup_hierarchy *h; | |
721 | struct cgroup_mount_point *mp; | |
722 | char *result; | |
723 | int saved_errno; | |
724 | ||
725 | meta_data = lxc_cgroup_load_meta(); | |
726 | if (!meta_data) | |
727 | return NULL; | |
b98f7d6e | 728 | |
33ad9f1a CS |
729 | h = lxc_cgroup_find_hierarchy(meta_data, subsystem); |
730 | if (!h) | |
731 | goto out_error; | |
b98f7d6e | 732 | |
33ad9f1a CS |
733 | mp = lxc_cgroup_find_mount_point(h, group, should_be_writable); |
734 | if (!mp) | |
735 | goto out_error; | |
b98f7d6e | 736 | |
33ad9f1a CS |
737 | result = cgroup_to_absolute_path(mp, group, suffix); |
738 | if (!result) | |
739 | goto out_error; | |
b98f7d6e | 740 | |
33ad9f1a CS |
741 | lxc_cgroup_put_meta(meta_data); |
742 | return result; | |
b98f7d6e | 743 | |
33ad9f1a CS |
744 | out_error: |
745 | saved_errno = errno; | |
746 | lxc_cgroup_put_meta(meta_data); | |
747 | errno = saved_errno; | |
748 | return NULL; | |
b98f7d6e SH |
749 | } |
750 | ||
4fb3cba5 | 751 | static struct cgroup_process_info *lxc_cgroup_process_info_get(pid_t pid, struct cgroup_meta_data *meta) |
fd4f5a56 | 752 | { |
33ad9f1a CS |
753 | char pid_buf[32]; |
754 | snprintf(pid_buf, 32, "/proc/%lu/cgroup", (unsigned long)pid); | |
755 | return lxc_cgroup_process_info_getx(pid_buf, meta); | |
c8f7c563 CS |
756 | } |
757 | ||
4fb3cba5 | 758 | static struct cgroup_process_info *lxc_cgroup_process_info_get_init(struct cgroup_meta_data *meta) |
c8f7c563 | 759 | { |
33ad9f1a CS |
760 | return lxc_cgroup_process_info_get(1, meta); |
761 | } | |
b98f7d6e | 762 | |
4fb3cba5 | 763 | static struct cgroup_process_info *lxc_cgroup_process_info_get_self(struct cgroup_meta_data *meta) |
33ad9f1a CS |
764 | { |
765 | struct cgroup_process_info *i; | |
766 | i = lxc_cgroup_process_info_getx("/proc/self/cgroup", meta); | |
767 | if (!i) | |
0059379f | 768 | i = lxc_cgroup_process_info_get(lxc_raw_getpid(), meta); |
33ad9f1a CS |
769 | return i; |
770 | } | |
ae5c8b8e | 771 | |
692ba18f SH |
772 | /* |
773 | * If a controller has ns cgroup mounted, then in that cgroup the handler->pid | |
774 | * is already in a new cgroup named after the pid. 'mnt' is passed in as | |
775 | * the full current cgroup. Say that is /sys/fs/cgroup/lxc/2975 and the container | |
776 | * name is c1. . We want to rename the cgroup directory to /sys/fs/cgroup/lxc/c1, | |
777 | * and return the string /sys/fs/cgroup/lxc/c1. | |
778 | */ | |
cea0552e | 779 | static char *cgroup_rename_nsgroup(const char *mountpath, const char *oldname, pid_t pid, const char *name) |
692ba18f SH |
780 | { |
781 | char *dir, *fulloldpath; | |
782 | char *newname, *fullnewpath; | |
cea0552e | 783 | int len, newlen, ret; |
692ba18f SH |
784 | |
785 | /* | |
786 | * if cgroup is mounted at /cgroup and task is in cgroup /ab/, pid 2375 and | |
787 | * name is c1, | |
788 | * dir: /ab | |
789 | * fulloldpath = /cgroup/ab/2375 | |
790 | * fullnewpath = /cgroup/ab/c1 | |
791 | * newname = /ab/c1 | |
792 | */ | |
793 | dir = alloca(strlen(oldname) + 1); | |
794 | strcpy(dir, oldname); | |
795 | ||
cea0552e SH |
796 | len = strlen(oldname) + strlen(mountpath) + 22; |
797 | fulloldpath = alloca(len); | |
6fc7d8b6 | 798 | ret = snprintf(fulloldpath, len, "%s/%s/%lu", mountpath, oldname, (unsigned long)pid); |
cea0552e SH |
799 | if (ret < 0 || ret >= len) |
800 | return NULL; | |
692ba18f SH |
801 | |
802 | len = strlen(dir) + strlen(name) + 2; | |
803 | newname = malloc(len); | |
804 | if (!newname) { | |
805 | SYSERROR("Out of memory"); | |
806 | return NULL; | |
807 | } | |
cea0552e SH |
808 | ret = snprintf(newname, len, "%s/%s", dir, name); |
809 | if (ret < 0 || ret >= len) { | |
810 | free(newname); | |
811 | return NULL; | |
812 | } | |
692ba18f | 813 | |
cea0552e SH |
814 | newlen = strlen(mountpath) + len + 2; |
815 | fullnewpath = alloca(newlen); | |
816 | ret = snprintf(fullnewpath, newlen, "%s/%s", mountpath, newname); | |
817 | if (ret < 0 || ret >= newlen) { | |
818 | free(newname); | |
819 | return NULL; | |
820 | } | |
692ba18f SH |
821 | |
822 | if (access(fullnewpath, F_OK) == 0) { | |
823 | if (rmdir(fullnewpath) != 0) { | |
824 | SYSERROR("container cgroup %s already exists.", fullnewpath); | |
825 | free(newname); | |
826 | return NULL; | |
827 | } | |
828 | } | |
829 | if (rename(fulloldpath, fullnewpath)) { | |
830 | SYSERROR("failed to rename cgroup %s->%s", fulloldpath, fullnewpath); | |
831 | free(newname); | |
832 | return NULL; | |
833 | } | |
834 | ||
835 | DEBUG("'%s' renamed to '%s'", oldname, newname); | |
836 | ||
837 | return newname; | |
838 | } | |
839 | ||
ea439aac SH |
840 | static bool is_crucial_hierarchy(struct cgroup_hierarchy *h) |
841 | { | |
842 | char **p; | |
843 | ||
844 | for (p = h->subsystems; *p; p++) { | |
845 | if (is_crucial_cgroup_subsystem(*p)) | |
846 | return true; | |
847 | } | |
848 | return false; | |
849 | } | |
850 | ||
33ad9f1a | 851 | /* create a new cgroup */ |
4fb3cba5 | 852 | static struct cgroup_process_info *lxc_cgroupfs_create(const char *name, const char *path_pattern, struct cgroup_meta_data *meta_data, const char *sub_pattern) |
33ad9f1a | 853 | { |
001b026e | 854 | char **cgroup_path_components = NULL; |
33ad9f1a CS |
855 | char **p = NULL; |
856 | char *path_so_far = NULL; | |
857 | char **new_cgroup_paths = NULL; | |
858 | char **new_cgroup_paths_sub = NULL; | |
859 | struct cgroup_mount_point *mp; | |
860 | struct cgroup_hierarchy *h; | |
861 | struct cgroup_process_info *base_info = NULL; | |
862 | struct cgroup_process_info *info_ptr; | |
863 | int saved_errno; | |
864 | int r; | |
865 | unsigned suffix = 0; | |
866 | bool had_sub_pattern = false; | |
867 | size_t i; | |
ae5c8b8e | 868 | |
33ad9f1a CS |
869 | if (!is_valid_cgroup(name)) { |
870 | ERROR("Invalid cgroup name: '%s'", name); | |
871 | errno = EINVAL; | |
872 | return NULL; | |
ae5c8b8e SH |
873 | } |
874 | ||
33ad9f1a CS |
875 | if (!strstr(path_pattern, "%n")) { |
876 | ERROR("Invalid cgroup path pattern: '%s'; contains no %%n for specifying container name", path_pattern); | |
877 | errno = EINVAL; | |
878 | return NULL; | |
879 | } | |
fd37327f | 880 | |
33ad9f1a CS |
881 | /* we will modify the result of this operation directly, |
882 | * so we don't have to copy the data structure | |
883 | */ | |
884 | base_info = (path_pattern[0] == '/') ? | |
885 | lxc_cgroup_process_info_get_init(meta_data) : | |
886 | lxc_cgroup_process_info_get_self(meta_data); | |
887 | if (!base_info) | |
888 | return NULL; | |
c8f7c563 | 889 | |
33ad9f1a CS |
890 | new_cgroup_paths = calloc(meta_data->maximum_hierarchy + 1, sizeof(char *)); |
891 | if (!new_cgroup_paths) | |
892 | goto out_initial_error; | |
893 | ||
894 | new_cgroup_paths_sub = calloc(meta_data->maximum_hierarchy + 1, sizeof(char *)); | |
895 | if (!new_cgroup_paths_sub) | |
896 | goto out_initial_error; | |
897 | ||
898 | /* find mount points we can use */ | |
899 | for (info_ptr = base_info; info_ptr; info_ptr = info_ptr->next) { | |
900 | h = info_ptr->hierarchy; | |
517587ef CB |
901 | if (!h) |
902 | continue; | |
33ad9f1a CS |
903 | mp = lxc_cgroup_find_mount_point(h, info_ptr->cgroup_path, true); |
904 | if (!mp) { | |
905 | ERROR("Could not find writable mount point for cgroup hierarchy %d while trying to create cgroup.", h->index); | |
906 | goto out_initial_error; | |
907 | } | |
908 | info_ptr->designated_mount_point = mp; | |
460a1cf0 | 909 | |
692ba18f SH |
910 | if (lxc_string_in_array("ns", (const char **)h->subsystems)) |
911 | continue; | |
2edb53c7 SH |
912 | if (handle_cgroup_settings(mp, info_ptr->cgroup_path) < 0) { |
913 | ERROR("Could not set clone_children to 1 for cpuset hierarchy in parent cgroup."); | |
33ad9f1a | 914 | goto out_initial_error; |
2edb53c7 | 915 | } |
33ad9f1a | 916 | } |
b98f7d6e | 917 | |
33ad9f1a CS |
918 | /* normalize the path */ |
919 | cgroup_path_components = lxc_normalize_path(path_pattern); | |
920 | if (!cgroup_path_components) | |
921 | goto out_initial_error; | |
922 | ||
923 | /* go through the path components to see if we can create them */ | |
924 | for (p = cgroup_path_components; *p || (sub_pattern && !had_sub_pattern); p++) { | |
925 | /* we only want to create the same component with -1, -2, etc. | |
926 | * if the component contains the container name itself, otherwise | |
927 | * it's not an error if it already exists | |
928 | */ | |
929 | char *p_eff = *p ? *p : (char *)sub_pattern; | |
930 | bool contains_name = strstr(p_eff, "%n"); | |
931 | char *current_component = NULL; | |
932 | char *current_subpath = NULL; | |
933 | char *current_entire_path = NULL; | |
934 | char *parts[3]; | |
935 | size_t j = 0; | |
936 | i = 0; | |
937 | ||
938 | /* if we are processing the subpattern, we want to make sure | |
939 | * loop is ended the next time around | |
940 | */ | |
941 | if (!*p) { | |
942 | had_sub_pattern = true; | |
943 | p--; | |
944 | } | |
b98f7d6e | 945 | |
33ad9f1a | 946 | goto find_name_on_this_level; |
4fb3cba5 | 947 | |
33ad9f1a CS |
948 | cleanup_name_on_this_level: |
949 | /* This is reached if we found a name clash. | |
950 | * In that case, remove the cgroup from all previous hierarchies | |
951 | */ | |
952 | for (j = 0, info_ptr = base_info; j < i && info_ptr; info_ptr = info_ptr->next, j++) { | |
77afbedf SH |
953 | if (info_ptr->created_paths_count < 1) |
954 | continue; | |
6a9e0f26 | 955 | r = remove_cgroup(info_ptr->designated_mount_point, info_ptr->created_paths[info_ptr->created_paths_count - 1], false, NULL); |
33ad9f1a CS |
956 | if (r < 0) |
957 | WARN("could not clean up cgroup we created when trying to create container"); | |
958 | free(info_ptr->created_paths[info_ptr->created_paths_count - 1]); | |
959 | info_ptr->created_paths[--info_ptr->created_paths_count] = NULL; | |
960 | } | |
961 | if (current_component != current_subpath) | |
962 | free(current_subpath); | |
963 | if (current_component != p_eff) | |
964 | free(current_component); | |
965 | current_component = current_subpath = NULL; | |
966 | /* try again with another suffix */ | |
967 | ++suffix; | |
4fb3cba5 | 968 | |
33ad9f1a CS |
969 | find_name_on_this_level: |
970 | /* determine name of the path component we should create */ | |
971 | if (contains_name && suffix > 0) { | |
972 | char *buf = calloc(strlen(name) + 32, 1); | |
973 | if (!buf) | |
974 | goto out_initial_error; | |
975 | snprintf(buf, strlen(name) + 32, "%s-%u", name, suffix); | |
976 | current_component = lxc_string_replace("%n", buf, p_eff); | |
977 | free(buf); | |
978 | } else { | |
979 | current_component = contains_name ? lxc_string_replace("%n", name, p_eff) : p_eff; | |
980 | } | |
981 | parts[0] = path_so_far; | |
982 | parts[1] = current_component; | |
983 | parts[2] = NULL; | |
984 | current_subpath = path_so_far ? lxc_string_join("/", (const char **)parts, false) : current_component; | |
985 | ||
986 | /* Now go through each hierarchy and try to create the | |
987 | * corresponding cgroup | |
988 | */ | |
989 | for (i = 0, info_ptr = base_info; info_ptr; info_ptr = info_ptr->next, i++) { | |
990 | char *parts2[3]; | |
692ba18f | 991 | |
517587ef CB |
992 | if (!info_ptr->hierarchy) |
993 | continue; | |
994 | ||
692ba18f SH |
995 | if (lxc_string_in_array("ns", (const char **)info_ptr->hierarchy->subsystems)) |
996 | continue; | |
33ad9f1a CS |
997 | current_entire_path = NULL; |
998 | ||
999 | parts2[0] = !strcmp(info_ptr->cgroup_path, "/") ? "" : info_ptr->cgroup_path; | |
1000 | parts2[1] = current_subpath; | |
1001 | parts2[2] = NULL; | |
1002 | current_entire_path = lxc_string_join("/", (const char **)parts2, false); | |
1003 | ||
1004 | if (!*p) { | |
1005 | /* we are processing the subpath, so only update that one */ | |
1006 | free(new_cgroup_paths_sub[i]); | |
1007 | new_cgroup_paths_sub[i] = strdup(current_entire_path); | |
1008 | if (!new_cgroup_paths_sub[i]) | |
1009 | goto cleanup_from_error; | |
1010 | } else { | |
1011 | /* remember which path was used on this controller */ | |
1012 | free(new_cgroup_paths[i]); | |
1013 | new_cgroup_paths[i] = strdup(current_entire_path); | |
1014 | if (!new_cgroup_paths[i]) | |
1015 | goto cleanup_from_error; | |
1016 | } | |
fd4f5a56 | 1017 | |
33ad9f1a CS |
1018 | r = create_cgroup(info_ptr->designated_mount_point, current_entire_path); |
1019 | if (r < 0 && errno == EEXIST && contains_name) { | |
1020 | /* name clash => try new name with new suffix */ | |
1021 | free(current_entire_path); | |
1022 | current_entire_path = NULL; | |
1023 | goto cleanup_name_on_this_level; | |
1024 | } else if (r < 0 && errno != EEXIST) { | |
ea439aac SH |
1025 | if (is_crucial_hierarchy(info_ptr->hierarchy)) { |
1026 | SYSERROR("Could not create cgroup '%s' in '%s'.", current_entire_path, info_ptr->designated_mount_point->mount_point); | |
1027 | goto cleanup_from_error; | |
1028 | } | |
1029 | goto skip; | |
33ad9f1a CS |
1030 | } else if (r == 0) { |
1031 | /* successfully created */ | |
1032 | r = lxc_grow_array((void ***)&info_ptr->created_paths, &info_ptr->created_paths_capacity, info_ptr->created_paths_count + 1, 8); | |
1033 | if (r < 0) | |
1034 | goto cleanup_from_error; | |
d703c2b1 | 1035 | if (!init_cpuset_if_needed(info_ptr->designated_mount_point, current_entire_path)) { |
b38b62a6 | 1036 | ERROR("Failed to initialize cpuset for '%s' in '%s'.", current_entire_path, info_ptr->designated_mount_point->mount_point); |
d703c2b1 RV |
1037 | goto cleanup_from_error; |
1038 | } | |
33ad9f1a CS |
1039 | info_ptr->created_paths[info_ptr->created_paths_count++] = current_entire_path; |
1040 | } else { | |
1041 | /* if we didn't create the cgroup, then we have to make sure that | |
1042 | * further cgroups will be created properly | |
1043 | */ | |
d703c2b1 | 1044 | if (handle_cgroup_settings(info_ptr->designated_mount_point, info_ptr->cgroup_path) < 0) { |
f6ac3b9e | 1045 | ERROR("Could not set clone_children to 1 for cpuset hierarchy in pre-existing cgroup."); |
33ad9f1a | 1046 | goto cleanup_from_error; |
f6ac3b9e | 1047 | } |
d703c2b1 RV |
1048 | if (!init_cpuset_if_needed(info_ptr->designated_mount_point, info_ptr->cgroup_path)) { |
1049 | ERROR("Failed to initialize cpuset in pre-existing '%s'.", info_ptr->cgroup_path); | |
1050 | goto cleanup_from_error; | |
1051 | } | |
33ad9f1a | 1052 | |
ea439aac | 1053 | skip: |
33ad9f1a CS |
1054 | /* already existed but path component of pattern didn't contain '%n', |
1055 | * so this is not an error; but then we don't need current_entire_path | |
1056 | * anymore... | |
1057 | */ | |
1058 | free(current_entire_path); | |
1059 | current_entire_path = NULL; | |
1060 | } | |
1061 | } | |
fd4f5a56 | 1062 | |
33ad9f1a CS |
1063 | /* save path so far */ |
1064 | free(path_so_far); | |
1065 | path_so_far = strdup(current_subpath); | |
1066 | if (!path_so_far) | |
1067 | goto cleanup_from_error; | |
1068 | ||
1069 | /* cleanup */ | |
1070 | if (current_component != current_subpath) | |
1071 | free(current_subpath); | |
1072 | if (current_component != p_eff) | |
1073 | free(current_component); | |
1074 | current_component = current_subpath = NULL; | |
1075 | continue; | |
4fb3cba5 | 1076 | |
33ad9f1a | 1077 | cleanup_from_error: |
ec64264d | 1078 | /* called if an error occurred in the loop, so we |
33ad9f1a CS |
1079 | * do some additional cleanup here |
1080 | */ | |
1081 | saved_errno = errno; | |
1082 | if (current_component != current_subpath) | |
1083 | free(current_subpath); | |
1084 | if (current_component != p_eff) | |
1085 | free(current_component); | |
1086 | free(current_entire_path); | |
1087 | errno = saved_errno; | |
1088 | goto out_initial_error; | |
fd4f5a56 DL |
1089 | } |
1090 | ||
33ad9f1a CS |
1091 | /* we're done, now update the paths */ |
1092 | for (i = 0, info_ptr = base_info; info_ptr; info_ptr = info_ptr->next, i++) { | |
517587ef CB |
1093 | if (!info_ptr->hierarchy) |
1094 | continue; | |
47d8fb3b CS |
1095 | /* ignore legacy 'ns' subsystem here, lxc_cgroup_create_legacy |
1096 | * will take care of it | |
1097 | * Since we do a continue in above loop, new_cgroup_paths[i] is | |
1098 | * unset anyway, as is new_cgroup_paths_sub[i] | |
692ba18f | 1099 | */ |
47d8fb3b CS |
1100 | if (lxc_string_in_array("ns", (const char **)info_ptr->hierarchy->subsystems)) |
1101 | continue; | |
1102 | free(info_ptr->cgroup_path); | |
1103 | info_ptr->cgroup_path = new_cgroup_paths[i]; | |
1104 | info_ptr->cgroup_path_sub = new_cgroup_paths_sub[i]; | |
fd4f5a56 | 1105 | } |
33ad9f1a CS |
1106 | /* don't use lxc_free_array since we used the array members |
1107 | * to store them in our result... | |
1108 | */ | |
1109 | free(new_cgroup_paths); | |
1110 | free(new_cgroup_paths_sub); | |
1111 | free(path_so_far); | |
1112 | lxc_free_array((void **)cgroup_path_components, free); | |
1113 | return base_info; | |
1114 | ||
1115 | out_initial_error: | |
1116 | saved_errno = errno; | |
1117 | free(path_so_far); | |
6a9e0f26 | 1118 | lxc_cgroup_process_info_free_and_remove(base_info, NULL); |
33ad9f1a CS |
1119 | lxc_free_array((void **)new_cgroup_paths, free); |
1120 | lxc_free_array((void **)new_cgroup_paths_sub, free); | |
1121 | lxc_free_array((void **)cgroup_path_components, free); | |
1122 | errno = saved_errno; | |
1123 | return NULL; | |
c8f7c563 CS |
1124 | } |
1125 | ||
4fb3cba5 | 1126 | static int lxc_cgroup_create_legacy(struct cgroup_process_info *base_info, const char *name, pid_t pid) |
47d8fb3b CS |
1127 | { |
1128 | struct cgroup_process_info *info_ptr; | |
1129 | int r; | |
1130 | ||
1131 | for (info_ptr = base_info; info_ptr; info_ptr = info_ptr->next) { | |
517587ef CB |
1132 | if (!info_ptr->hierarchy) |
1133 | continue; | |
1134 | ||
47d8fb3b CS |
1135 | if (!lxc_string_in_array("ns", (const char **)info_ptr->hierarchy->subsystems)) |
1136 | continue; | |
1137 | /* | |
1138 | * For any path which has ns cgroup mounted, handler->pid is already | |
1139 | * moved into a container called '%d % (handler->pid)'. Rename it to | |
1140 | * the cgroup name and record that. | |
1141 | */ | |
1142 | char *tmp = cgroup_rename_nsgroup((const char *)info_ptr->designated_mount_point->mount_point, | |
1143 | info_ptr->cgroup_path, pid, name); | |
1144 | if (!tmp) | |
1145 | return -1; | |
1146 | free(info_ptr->cgroup_path); | |
1147 | info_ptr->cgroup_path = tmp; | |
1148 | r = lxc_grow_array((void ***)&info_ptr->created_paths, &info_ptr->created_paths_capacity, info_ptr->created_paths_count + 1, 8); | |
1149 | if (r < 0) | |
1150 | return -1; | |
1151 | tmp = strdup(tmp); | |
1152 | if (!tmp) | |
1153 | return -1; | |
1154 | info_ptr->created_paths[info_ptr->created_paths_count++] = tmp; | |
1155 | } | |
1156 | return 0; | |
1157 | } | |
1158 | ||
33ad9f1a | 1159 | /* get the cgroup membership of a given container */ |
4fb3cba5 | 1160 | static struct cgroup_process_info *lxc_cgroup_get_container_info(const char *name, const char *lxcpath, struct cgroup_meta_data *meta_data) |
c8f7c563 | 1161 | { |
33ad9f1a CS |
1162 | struct cgroup_process_info *result = NULL; |
1163 | int saved_errno = 0; | |
1164 | size_t i; | |
1165 | struct cgroup_process_info **cptr = &result; | |
1166 | struct cgroup_process_info *entry = NULL; | |
1167 | char *path = NULL; | |
1168 | ||
1169 | for (i = 0; i <= meta_data->maximum_hierarchy; i++) { | |
1170 | struct cgroup_hierarchy *h = meta_data->hierarchies[i]; | |
1171 | if (!h || !h->used) | |
1172 | continue; | |
c8f7c563 | 1173 | |
33ad9f1a CS |
1174 | /* use the command interface to look for the cgroup */ |
1175 | path = lxc_cmd_get_cgroup_path(name, lxcpath, h->subsystems[0]); | |
c661b0a8 DE |
1176 | if (!path) { |
1177 | h->used = false; | |
c661b0a8 DE |
1178 | continue; |
1179 | } | |
33ad9f1a CS |
1180 | |
1181 | entry = calloc(1, sizeof(struct cgroup_process_info)); | |
1182 | if (!entry) | |
1183 | goto out_error; | |
1184 | entry->meta_ref = lxc_cgroup_get_meta(meta_data); | |
1185 | entry->hierarchy = h; | |
1186 | entry->cgroup_path = path; | |
1187 | path = NULL; | |
1188 | ||
1189 | /* it is not an error if we don't find anything here, | |
1190 | * it is up to the caller to decide what to do in that | |
1191 | * case */ | |
1192 | entry->designated_mount_point = lxc_cgroup_find_mount_point(h, entry->cgroup_path, true); | |
1193 | ||
1194 | *cptr = entry; | |
1195 | cptr = &entry->next; | |
1196 | entry = NULL; | |
c8f7c563 CS |
1197 | } |
1198 | ||
33ad9f1a CS |
1199 | return result; |
1200 | out_error: | |
1201 | saved_errno = errno; | |
1202 | free(path); | |
1203 | lxc_cgroup_process_info_free(result); | |
1204 | lxc_cgroup_process_info_free(entry); | |
1205 | errno = saved_errno; | |
1206 | return NULL; | |
fd4f5a56 DL |
1207 | } |
1208 | ||
33ad9f1a | 1209 | /* move a processs to the cgroups specified by the membership */ |
4fb3cba5 | 1210 | static int lxc_cgroupfs_enter(struct cgroup_process_info *info, pid_t pid, bool enter_sub) |
4f17323e | 1211 | { |
33ad9f1a CS |
1212 | char pid_buf[32]; |
1213 | char *cgroup_tasks_fn; | |
1214 | int r; | |
1215 | struct cgroup_process_info *info_ptr; | |
1216 | ||
1217 | snprintf(pid_buf, 32, "%lu", (unsigned long)pid); | |
1218 | for (info_ptr = info; info_ptr; info_ptr = info_ptr->next) { | |
517587ef CB |
1219 | if (!info_ptr->hierarchy) |
1220 | continue; | |
1221 | ||
33ad9f1a CS |
1222 | char *cgroup_path = (enter_sub && info_ptr->cgroup_path_sub) ? |
1223 | info_ptr->cgroup_path_sub : | |
1224 | info_ptr->cgroup_path; | |
1225 | ||
1226 | if (!info_ptr->designated_mount_point) { | |
1227 | info_ptr->designated_mount_point = lxc_cgroup_find_mount_point(info_ptr->hierarchy, cgroup_path, true); | |
1228 | if (!info_ptr->designated_mount_point) { | |
1229 | SYSERROR("Could not add pid %lu to cgroup %s: internal error (couldn't find any writable mountpoint to cgroup filesystem)", (unsigned long)pid, cgroup_path); | |
1230 | return -1; | |
1231 | } | |
1232 | } | |
4f17323e | 1233 | |
33ad9f1a CS |
1234 | cgroup_tasks_fn = cgroup_to_absolute_path(info_ptr->designated_mount_point, cgroup_path, "/tasks"); |
1235 | if (!cgroup_tasks_fn) { | |
1236 | SYSERROR("Could not add pid %lu to cgroup %s: internal error", (unsigned long)pid, cgroup_path); | |
1237 | return -1; | |
1238 | } | |
4f17323e | 1239 | |
33ad9f1a | 1240 | r = lxc_write_to_file(cgroup_tasks_fn, pid_buf, strlen(pid_buf), false); |
5903da82 | 1241 | free(cgroup_tasks_fn); |
ea439aac | 1242 | if (r < 0 && is_crucial_hierarchy(info_ptr->hierarchy)) { |
33ad9f1a CS |
1243 | SYSERROR("Could not add pid %lu to cgroup %s: internal error", (unsigned long)pid, cgroup_path); |
1244 | return -1; | |
1245 | } | |
4f17323e CS |
1246 | } |
1247 | ||
33ad9f1a | 1248 | return 0; |
4f17323e CS |
1249 | } |
1250 | ||
33ad9f1a CS |
1251 | /* free process membership information */ |
1252 | void lxc_cgroup_process_info_free(struct cgroup_process_info *info) | |
fc7de561 | 1253 | { |
33ad9f1a CS |
1254 | struct cgroup_process_info *next; |
1255 | if (!info) | |
b98f7d6e | 1256 | return; |
33ad9f1a CS |
1257 | next = info->next; |
1258 | lxc_cgroup_put_meta(info->meta_ref); | |
1259 | free(info->cgroup_path); | |
1260 | free(info->cgroup_path_sub); | |
1261 | lxc_free_array((void **)info->created_paths, free); | |
1262 | free(info); | |
1263 | lxc_cgroup_process_info_free(next); | |
fc7de561 SH |
1264 | } |
1265 | ||
33ad9f1a | 1266 | /* free process membership information and remove cgroups that were created */ |
6a9e0f26 | 1267 | void lxc_cgroup_process_info_free_and_remove(struct cgroup_process_info *info, struct lxc_conf *conf) |
b98f7d6e | 1268 | { |
33ad9f1a CS |
1269 | struct cgroup_process_info *next; |
1270 | char **pp; | |
1271 | if (!info) | |
1272 | return; | |
1273 | next = info->next; | |
603c64c2 | 1274 | { |
33ad9f1a CS |
1275 | struct cgroup_mount_point *mp = info->designated_mount_point; |
1276 | if (!mp) | |
1277 | mp = lxc_cgroup_find_mount_point(info->hierarchy, info->cgroup_path, true); | |
1278 | if (mp) | |
1279 | /* ignore return value here, perhaps we created the | |
1280 | * '/lxc' cgroup in this container but another container | |
1281 | * is still running (for example) | |
1282 | */ | |
6a9e0f26 | 1283 | (void)remove_cgroup(mp, info->cgroup_path, true, conf); |
603c64c2 SH |
1284 | } |
1285 | for (pp = info->created_paths; pp && *pp; pp++); | |
1286 | for ((void)(pp && --pp); info->created_paths && pp >= info->created_paths; --pp) { | |
33ad9f1a | 1287 | free(*pp); |
b98f7d6e | 1288 | } |
33ad9f1a CS |
1289 | free(info->created_paths); |
1290 | lxc_cgroup_put_meta(info->meta_ref); | |
1291 | free(info->cgroup_path); | |
1292 | free(info->cgroup_path_sub); | |
1293 | free(info); | |
6a9e0f26 | 1294 | lxc_cgroup_process_info_free_and_remove(next, conf); |
33ad9f1a | 1295 | } |
b98f7d6e | 1296 | |
4fb3cba5 | 1297 | static char *lxc_cgroup_get_hierarchy_path_data(const char *subsystem, struct cgfs_data *d) |
33ad9f1a | 1298 | { |
d4ef7c50 SH |
1299 | struct cgroup_process_info *info = d->info; |
1300 | info = find_info_for_subsystem(info, subsystem); | |
33ad9f1a CS |
1301 | if (!info) |
1302 | return NULL; | |
f348e47c | 1303 | prune_init_scope(info->cgroup_path); |
33ad9f1a | 1304 | return info->cgroup_path; |
b98f7d6e SH |
1305 | } |
1306 | ||
4fb3cba5 | 1307 | static char *lxc_cgroup_get_hierarchy_abs_path_data(const char *subsystem, struct cgfs_data *d) |
b98f7d6e | 1308 | { |
d4ef7c50 | 1309 | struct cgroup_process_info *info = d->info; |
33ad9f1a | 1310 | struct cgroup_mount_point *mp = NULL; |
d4ef7c50 SH |
1311 | |
1312 | info = find_info_for_subsystem(info, subsystem); | |
33ad9f1a CS |
1313 | if (!info) |
1314 | return NULL; | |
1315 | if (info->designated_mount_point) { | |
8900b9eb | 1316 | mp = info->designated_mount_point; |
33ad9f1a CS |
1317 | } else { |
1318 | mp = lxc_cgroup_find_mount_point(info->hierarchy, info->cgroup_path, true); | |
1319 | if (!mp) | |
1320 | return NULL; | |
b98f7d6e | 1321 | } |
33ad9f1a | 1322 | return cgroup_to_absolute_path(mp, info->cgroup_path, NULL); |
b98f7d6e | 1323 | } |
55c76589 | 1324 | |
4fb3cba5 | 1325 | static char *lxc_cgroup_get_hierarchy_abs_path(const char *subsystem, const char *name, const char *lxcpath) |
9a93d992 | 1326 | { |
33ad9f1a CS |
1327 | struct cgroup_meta_data *meta; |
1328 | struct cgroup_process_info *base_info, *info; | |
1329 | struct cgroup_mount_point *mp; | |
1330 | char *result = NULL; | |
33ad9f1a CS |
1331 | |
1332 | meta = lxc_cgroup_load_meta(); | |
1333 | if (!meta) | |
9a93d992 | 1334 | return NULL; |
33ad9f1a CS |
1335 | base_info = lxc_cgroup_get_container_info(name, lxcpath, meta); |
1336 | if (!base_info) | |
178938fe | 1337 | goto out1; |
33ad9f1a CS |
1338 | info = find_info_for_subsystem(base_info, subsystem); |
1339 | if (!info) | |
178938fe | 1340 | goto out2; |
33ad9f1a | 1341 | if (info->designated_mount_point) { |
8900b9eb | 1342 | mp = info->designated_mount_point; |
33ad9f1a CS |
1343 | } else { |
1344 | mp = lxc_cgroup_find_mount_point(info->hierarchy, info->cgroup_path, true); | |
1345 | if (!mp) | |
178938fe | 1346 | goto out3; |
33ad9f1a CS |
1347 | } |
1348 | result = cgroup_to_absolute_path(mp, info->cgroup_path, NULL); | |
178938fe | 1349 | out3: |
178938fe | 1350 | out2: |
33ad9f1a | 1351 | lxc_cgroup_process_info_free(base_info); |
178938fe | 1352 | out1: |
33ad9f1a | 1353 | lxc_cgroup_put_meta(meta); |
33ad9f1a CS |
1354 | return result; |
1355 | } | |
9a93d992 | 1356 | |
4fb3cba5 | 1357 | static int lxc_cgroup_set_data(const char *filename, const char *value, struct cgfs_data *d) |
33ad9f1a CS |
1358 | { |
1359 | char *subsystem = NULL, *p, *path; | |
1360 | int ret = -1; | |
9a93d992 | 1361 | |
33ad9f1a CS |
1362 | subsystem = alloca(strlen(filename) + 1); |
1363 | strcpy(subsystem, filename); | |
46cd2845 | 1364 | if ((p = strchr(subsystem, '.')) != NULL) |
33ad9f1a | 1365 | *p = '\0'; |
9a93d992 | 1366 | |
4f875f70 | 1367 | errno = ENOENT; |
4fb3cba5 | 1368 | path = lxc_cgroup_get_hierarchy_abs_path_data(subsystem, d); |
33ad9f1a CS |
1369 | if (path) { |
1370 | ret = do_cgroup_set(path, filename, value); | |
4f875f70 | 1371 | int saved_errno = errno; |
33ad9f1a | 1372 | free(path); |
4f875f70 | 1373 | errno = saved_errno; |
9a93d992 | 1374 | } |
33ad9f1a CS |
1375 | return ret; |
1376 | } | |
9a93d992 | 1377 | |
4fb3cba5 | 1378 | static int lxc_cgroupfs_set(const char *filename, const char *value, const char *name, const char *lxcpath) |
9a93d992 | 1379 | { |
33ad9f1a CS |
1380 | char *subsystem = NULL, *p, *path; |
1381 | int ret = -1; | |
9a93d992 | 1382 | |
33ad9f1a CS |
1383 | subsystem = alloca(strlen(filename) + 1); |
1384 | strcpy(subsystem, filename); | |
46cd2845 | 1385 | if ((p = strchr(subsystem, '.')) != NULL) |
33ad9f1a | 1386 | *p = '\0'; |
9a93d992 | 1387 | |
33ad9f1a CS |
1388 | path = lxc_cgroup_get_hierarchy_abs_path(subsystem, name, lxcpath); |
1389 | if (path) { | |
1390 | ret = do_cgroup_set(path, filename, value); | |
1391 | free(path); | |
1392 | } | |
b98f7d6e | 1393 | return ret; |
9a93d992 SH |
1394 | } |
1395 | ||
4fb3cba5 | 1396 | static int lxc_cgroupfs_get(const char *filename, char *value, size_t len, const char *name, const char *lxcpath) |
9a93d992 | 1397 | { |
33ad9f1a CS |
1398 | char *subsystem = NULL, *p, *path; |
1399 | int ret = -1; | |
1400 | ||
1401 | subsystem = alloca(strlen(filename) + 1); | |
1402 | strcpy(subsystem, filename); | |
46cd2845 | 1403 | if ((p = strchr(subsystem, '.')) != NULL) |
33ad9f1a CS |
1404 | *p = '\0'; |
1405 | ||
1406 | path = lxc_cgroup_get_hierarchy_abs_path(subsystem, name, lxcpath); | |
1407 | if (path) { | |
1408 | ret = do_cgroup_get(path, filename, value, len); | |
1409 | free(path); | |
9a93d992 | 1410 | } |
33ad9f1a | 1411 | return ret; |
9a93d992 SH |
1412 | } |
1413 | ||
4fb3cba5 | 1414 | static bool cgroupfs_mount_cgroup(void *hdata, const char *root, int type) |
aae1f3c4 CS |
1415 | { |
1416 | size_t bufsz = strlen(root) + sizeof("/sys/fs/cgroup"); | |
1417 | char *path = NULL; | |
1418 | char **parts = NULL; | |
1419 | char *dirname = NULL; | |
1420 | char *abs_path = NULL; | |
1421 | char *abs_path2 = NULL; | |
d4ef7c50 SH |
1422 | struct cgfs_data *cgfs_d; |
1423 | struct cgroup_process_info *info, *base_info; | |
aae1f3c4 | 1424 | int r, saved_errno = 0; |
b635e92d | 1425 | struct lxc_handler *handler = hdata; |
aae1f3c4 | 1426 | |
4608594e SH |
1427 | if (cgns_supported()) |
1428 | return true; | |
1429 | ||
b635e92d | 1430 | cgfs_d = handler->cgroup_data; |
4fb3cba5 DE |
1431 | if (!cgfs_d) |
1432 | return false; | |
d4ef7c50 SH |
1433 | base_info = cgfs_d->info; |
1434 | ||
0769b82a CS |
1435 | /* If we get passed the _NOSPEC types, we default to _MIXED, since we don't |
1436 | * have access to the lxc_conf object at this point. It really should be up | |
1437 | * to the caller to fix this, but this doesn't really hurt. | |
1438 | */ | |
1439 | if (type == LXC_AUTO_CGROUP_FULL_NOSPEC) | |
1440 | type = LXC_AUTO_CGROUP_FULL_MIXED; | |
1441 | else if (type == LXC_AUTO_CGROUP_NOSPEC) | |
1442 | type = LXC_AUTO_CGROUP_MIXED; | |
1443 | ||
7997d7da CS |
1444 | if (type < LXC_AUTO_CGROUP_RO || type > LXC_AUTO_CGROUP_FULL_MIXED) { |
1445 | ERROR("could not mount cgroups into container: invalid type specified internally"); | |
1446 | errno = EINVAL; | |
c476bdce | 1447 | return false; |
7997d7da CS |
1448 | } |
1449 | ||
aae1f3c4 CS |
1450 | path = calloc(1, bufsz); |
1451 | if (!path) | |
c476bdce | 1452 | return false; |
aae1f3c4 | 1453 | snprintf(path, bufsz, "%s/sys/fs/cgroup", root); |
592fd47a SH |
1454 | r = safe_mount("cgroup_root", path, "tmpfs", |
1455 | MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_RELATIME, | |
1456 | "size=10240k,mode=755", | |
1457 | root); | |
aae1f3c4 CS |
1458 | if (r < 0) { |
1459 | SYSERROR("could not mount tmpfs to /sys/fs/cgroup in the container"); | |
c476bdce | 1460 | return false; |
aae1f3c4 CS |
1461 | } |
1462 | ||
1463 | /* now mount all the hierarchies we care about */ | |
1464 | for (info = base_info; info; info = info->next) { | |
1465 | size_t subsystem_count, i; | |
1466 | struct cgroup_mount_point *mp = info->designated_mount_point; | |
517587ef CB |
1467 | |
1468 | if (!info->hierarchy) | |
1469 | continue; | |
1470 | ||
d3f99e96 | 1471 | if (!mountpoint_is_accessible(mp)) |
aae1f3c4 | 1472 | mp = lxc_cgroup_find_mount_point(info->hierarchy, info->cgroup_path, true); |
d3f99e96 | 1473 | |
aae1f3c4 CS |
1474 | if (!mp) { |
1475 | SYSERROR("could not find original mount point for cgroup hierarchy while trying to mount cgroup filesystem"); | |
1476 | goto out_error; | |
1477 | } | |
1478 | ||
1479 | subsystem_count = lxc_array_len((void **)info->hierarchy->subsystems); | |
1480 | parts = calloc(subsystem_count + 1, sizeof(char *)); | |
1481 | if (!parts) | |
1482 | goto out_error; | |
1483 | ||
1484 | for (i = 0; i < subsystem_count; i++) { | |
1485 | if (!strncmp(info->hierarchy->subsystems[i], "name=", 5)) | |
1486 | parts[i] = info->hierarchy->subsystems[i] + 5; | |
1487 | else | |
1488 | parts[i] = info->hierarchy->subsystems[i]; | |
1489 | } | |
1490 | dirname = lxc_string_join(",", (const char **)parts, false); | |
1491 | if (!dirname) | |
1492 | goto out_error; | |
1493 | ||
1494 | /* create subsystem directory */ | |
1495 | abs_path = lxc_append_paths(path, dirname); | |
1496 | if (!abs_path) | |
1497 | goto out_error; | |
1498 | r = mkdir_p(abs_path, 0755); | |
1499 | if (r < 0 && errno != EEXIST) { | |
1500 | SYSERROR("could not create cgroup subsystem directory /sys/fs/cgroup/%s", dirname); | |
1501 | goto out_error; | |
1502 | } | |
1503 | ||
aae1f3c4 CS |
1504 | abs_path2 = lxc_append_paths(abs_path, info->cgroup_path); |
1505 | if (!abs_path2) | |
1506 | goto out_error; | |
aae1f3c4 | 1507 | |
7997d7da CS |
1508 | if (type == LXC_AUTO_CGROUP_FULL_RO || type == LXC_AUTO_CGROUP_FULL_RW || type == LXC_AUTO_CGROUP_FULL_MIXED) { |
1509 | /* bind-mount the cgroup entire filesystem there */ | |
1510 | if (strcmp(mp->mount_prefix, "/") != 0) { | |
1511 | /* FIXME: maybe we should just try to remount the entire hierarchy | |
1512 | * with a regular mount command? may that works? */ | |
1513 | ERROR("could not automatically mount cgroup-full to /sys/fs/cgroup/%s: host has no mount point for this cgroup filesystem that has access to the root cgroup", dirname); | |
1514 | goto out_error; | |
1515 | } | |
1516 | r = mount(mp->mount_point, abs_path, "none", MS_BIND, 0); | |
1517 | if (r < 0) { | |
1518 | SYSERROR("error bind-mounting %s to %s", mp->mount_point, abs_path); | |
1519 | goto out_error; | |
1520 | } | |
f8f3c3c0 SG |
1521 | /* main cgroup path should be read-only */ |
1522 | if (type == LXC_AUTO_CGROUP_FULL_RO || type == LXC_AUTO_CGROUP_FULL_MIXED) { | |
1523 | r = mount(NULL, abs_path, NULL, MS_REMOUNT|MS_BIND|MS_RDONLY, NULL); | |
1524 | if (r < 0) { | |
1525 | SYSERROR("error re-mounting %s readonly", abs_path); | |
1526 | goto out_error; | |
1527 | } | |
1528 | } | |
7997d7da CS |
1529 | /* own cgroup should be read-write */ |
1530 | if (type == LXC_AUTO_CGROUP_FULL_MIXED) { | |
1531 | r = mount(abs_path2, abs_path2, NULL, MS_BIND, NULL); | |
1532 | if (r < 0) { | |
1533 | SYSERROR("error bind-mounting %s onto itself", abs_path2); | |
1534 | goto out_error; | |
1535 | } | |
1536 | r = mount(NULL, abs_path2, NULL, MS_REMOUNT|MS_BIND, NULL); | |
1537 | if (r < 0) { | |
1538 | SYSERROR("error re-mounting %s readwrite", abs_path2); | |
1539 | goto out_error; | |
1540 | } | |
1541 | } | |
1542 | } else { | |
1543 | /* create path for container's cgroup */ | |
1544 | r = mkdir_p(abs_path2, 0755); | |
1545 | if (r < 0 && errno != EEXIST) { | |
1546 | SYSERROR("could not create cgroup directory /sys/fs/cgroup/%s%s", dirname, info->cgroup_path); | |
1547 | goto out_error; | |
1548 | } | |
aae1f3c4 | 1549 | |
b46f0553 CS |
1550 | /* for read-only and mixed cases, we have to bind-mount the tmpfs directory |
1551 | * that points to the hierarchy itself (i.e. /sys/fs/cgroup/cpu etc.) onto | |
1552 | * itself and then bind-mount it read-only, since we keep the tmpfs itself | |
1553 | * read-write (see comment below) | |
1554 | */ | |
1555 | if (type == LXC_AUTO_CGROUP_MIXED || type == LXC_AUTO_CGROUP_RO) { | |
1556 | r = mount(abs_path, abs_path, NULL, MS_BIND, NULL); | |
1557 | if (r < 0) { | |
1558 | SYSERROR("error bind-mounting %s onto itself", abs_path); | |
1559 | goto out_error; | |
1560 | } | |
1561 | r = mount(NULL, abs_path, NULL, MS_REMOUNT|MS_BIND|MS_RDONLY, NULL); | |
1562 | if (r < 0) { | |
1563 | SYSERROR("error re-mounting %s readonly", abs_path); | |
1564 | goto out_error; | |
1565 | } | |
1566 | } | |
1567 | ||
7997d7da CS |
1568 | free(abs_path); |
1569 | abs_path = NULL; | |
1570 | ||
1571 | /* bind-mount container's cgroup to that directory */ | |
1572 | abs_path = cgroup_to_absolute_path(mp, info->cgroup_path, NULL); | |
1573 | if (!abs_path) | |
1574 | goto out_error; | |
1575 | r = mount(abs_path, abs_path2, "none", MS_BIND, 0); | |
ea439aac | 1576 | if (r < 0 && is_crucial_hierarchy(info->hierarchy)) { |
7997d7da CS |
1577 | SYSERROR("error bind-mounting %s to %s", abs_path, abs_path2); |
1578 | goto out_error; | |
1579 | } | |
1580 | if (type == LXC_AUTO_CGROUP_RO) { | |
1581 | r = mount(NULL, abs_path2, NULL, MS_REMOUNT|MS_BIND|MS_RDONLY, NULL); | |
1582 | if (r < 0) { | |
1583 | SYSERROR("error re-mounting %s readonly", abs_path2); | |
1584 | goto out_error; | |
1585 | } | |
1586 | } | |
aae1f3c4 CS |
1587 | } |
1588 | ||
1589 | free(abs_path); | |
1590 | free(abs_path2); | |
1591 | abs_path = NULL; | |
1592 | abs_path2 = NULL; | |
1593 | ||
1594 | /* add symlinks for every single subsystem */ | |
1595 | if (subsystem_count > 1) { | |
1596 | for (i = 0; i < subsystem_count; i++) { | |
1597 | abs_path = lxc_append_paths(path, parts[i]); | |
1598 | if (!abs_path) | |
1599 | goto out_error; | |
1600 | r = symlink(dirname, abs_path); | |
1601 | if (r < 0) | |
1602 | WARN("could not create symlink %s -> %s in /sys/fs/cgroup of container", parts[i], dirname); | |
1603 | free(abs_path); | |
1604 | abs_path = NULL; | |
1605 | } | |
1606 | } | |
1607 | free(dirname); | |
1608 | free(parts); | |
1609 | dirname = NULL; | |
1610 | parts = NULL; | |
1611 | } | |
1612 | ||
b46f0553 CS |
1613 | /* We used to remount the entire tmpfs readonly if any :ro or |
1614 | * :mixed mode was specified. However, Ubuntu's mountall has the | |
1615 | * unfortunate behavior to block bootup if /sys/fs/cgroup is | |
1616 | * mounted read-only and cannot be remounted read-write. | |
1617 | * (mountall reads /lib/init/fstab and tries to (re-)mount all of | |
1618 | * these if they are not already mounted with the right options; | |
1619 | * it contains an entry for /sys/fs/cgroup. In case it can't do | |
1620 | * that, it prompts for the user to either manually fix it or | |
1621 | * boot anyway. But without user input, booting of the container | |
1622 | * hangs.) | |
1623 | * | |
1624 | * Instead of remounting the entire tmpfs readonly, we only | |
1625 | * remount the paths readonly that are part of the cgroup | |
1626 | * hierarchy. | |
f8f3c3c0 | 1627 | */ |
f8f3c3c0 | 1628 | |
aae1f3c4 CS |
1629 | free(path); |
1630 | ||
c476bdce | 1631 | return true; |
aae1f3c4 CS |
1632 | |
1633 | out_error: | |
1634 | saved_errno = errno; | |
1635 | free(path); | |
1636 | free(dirname); | |
1637 | free(parts); | |
1638 | free(abs_path); | |
1639 | free(abs_path2); | |
1640 | errno = saved_errno; | |
c476bdce | 1641 | return false; |
aae1f3c4 CS |
1642 | } |
1643 | ||
4fb3cba5 | 1644 | static int cgfs_nrtasks(void *hdata) |
33ad9f1a | 1645 | { |
4fb3cba5 DE |
1646 | struct cgfs_data *d = hdata; |
1647 | struct cgroup_process_info *info; | |
33ad9f1a CS |
1648 | struct cgroup_mount_point *mp = NULL; |
1649 | char *abs_path = NULL; | |
1650 | int ret; | |
460a1cf0 | 1651 | |
4fb3cba5 DE |
1652 | if (!d) { |
1653 | errno = ENOENT; | |
1654 | return -1; | |
1655 | } | |
1656 | ||
1657 | info = d->info; | |
33ad9f1a CS |
1658 | if (!info) { |
1659 | errno = ENOENT; | |
1660 | return -1; | |
b98f7d6e | 1661 | } |
c8f7c563 | 1662 | |
33ad9f1a | 1663 | if (info->designated_mount_point) { |
8900b9eb | 1664 | mp = info->designated_mount_point; |
33ad9f1a CS |
1665 | } else { |
1666 | mp = lxc_cgroup_find_mount_point(info->hierarchy, info->cgroup_path, false); | |
1667 | if (!mp) | |
1668 | return -1; | |
c8f7c563 CS |
1669 | } |
1670 | ||
33ad9f1a CS |
1671 | abs_path = cgroup_to_absolute_path(mp, info->cgroup_path, NULL); |
1672 | if (!abs_path) | |
1673 | return -1; | |
1674 | ||
1675 | ret = cgroup_recursive_task_count(abs_path); | |
1676 | free(abs_path); | |
1677 | return ret; | |
c8f7c563 CS |
1678 | } |
1679 | ||
574c4428 QH |
1680 | static struct cgroup_process_info * |
1681 | lxc_cgroup_process_info_getx(const char *proc_pid_cgroup_str, | |
1682 | struct cgroup_meta_data *meta) | |
d08ba6ec | 1683 | { |
33ad9f1a CS |
1684 | struct cgroup_process_info *result = NULL; |
1685 | FILE *proc_pid_cgroup = NULL; | |
1686 | char *line = NULL; | |
1687 | size_t sz = 0; | |
1688 | int saved_errno = 0; | |
1689 | struct cgroup_process_info **cptr = &result; | |
1690 | struct cgroup_process_info *entry = NULL; | |
1691 | ||
1692 | proc_pid_cgroup = fopen_cloexec(proc_pid_cgroup_str, "r"); | |
1693 | if (!proc_pid_cgroup) | |
b98f7d6e | 1694 | return NULL; |
1ac470c0 | 1695 | |
33ad9f1a CS |
1696 | while (getline(&line, &sz, proc_pid_cgroup) != -1) { |
1697 | /* file format: hierarchy:subsystems:group */ | |
1698 | char *colon1; | |
1699 | char *colon2; | |
1700 | char *endptr; | |
1701 | int hierarchy_number; | |
1702 | struct cgroup_hierarchy *h = NULL; | |
fd4f5a56 | 1703 | |
33ad9f1a | 1704 | if (!line[0]) |
ae5c8b8e | 1705 | continue; |
b98f7d6e | 1706 | |
33ad9f1a CS |
1707 | if (line[strlen(line) - 1] == '\n') |
1708 | line[strlen(line) - 1] = '\0'; | |
1709 | ||
1710 | colon1 = strchr(line, ':'); | |
1711 | if (!colon1) | |
8900b9eb | 1712 | continue; |
33ad9f1a CS |
1713 | *colon1++ = '\0'; |
1714 | colon2 = strchr(colon1, ':'); | |
1715 | if (!colon2) | |
ae5c8b8e | 1716 | continue; |
33ad9f1a | 1717 | *colon2++ = '\0'; |
e4659536 | 1718 | |
33ad9f1a | 1719 | endptr = NULL; |
82a2fe03 CB |
1720 | |
1721 | /* With cgroupv2 /proc/self/cgroup can contain entries of the | |
1722 | * form: 0::/ | |
1723 | * These entries need to be skipped. | |
1724 | */ | |
1725 | if (!strcmp(colon1, "")) | |
1726 | continue; | |
1727 | ||
33ad9f1a CS |
1728 | hierarchy_number = strtoul(line, &endptr, 10); |
1729 | if (!endptr || *endptr) | |
9a93d992 | 1730 | continue; |
9a93d992 | 1731 | |
33ad9f1a CS |
1732 | if (hierarchy_number > meta->maximum_hierarchy) { |
1733 | /* we encountered a hierarchy we didn't have before, | |
1734 | * so probably somebody remounted some stuff in the | |
1735 | * mean time... | |
1736 | */ | |
1737 | errno = EAGAIN; | |
1738 | goto out_error; | |
b98f7d6e | 1739 | } |
33ad9f1a CS |
1740 | |
1741 | h = meta->hierarchies[hierarchy_number]; | |
1742 | if (!h) { | |
1743 | /* we encountered a hierarchy that was thought to be | |
1744 | * dead before, so probably somebody remounted some | |
1745 | * stuff in the mean time... | |
1746 | */ | |
1747 | errno = EAGAIN; | |
1748 | goto out_error; | |
b98f7d6e | 1749 | } |
33ad9f1a CS |
1750 | |
1751 | /* we are told that we should ignore this hierarchy */ | |
1752 | if (!h->used) | |
b98f7d6e | 1753 | continue; |
5193cc3d | 1754 | |
33ad9f1a CS |
1755 | entry = calloc(1, sizeof(struct cgroup_process_info)); |
1756 | if (!entry) | |
1757 | goto out_error; | |
fd4f5a56 | 1758 | |
33ad9f1a CS |
1759 | entry->meta_ref = lxc_cgroup_get_meta(meta); |
1760 | entry->hierarchy = h; | |
1761 | entry->cgroup_path = strdup(colon2); | |
1762 | if (!entry->cgroup_path) | |
1763 | goto out_error; | |
3939a22a | 1764 | prune_init_scope(entry->cgroup_path); |
d08ba6ec | 1765 | |
33ad9f1a CS |
1766 | *cptr = entry; |
1767 | cptr = &entry->next; | |
1768 | entry = NULL; | |
b98f7d6e | 1769 | } |
b98f7d6e | 1770 | |
33ad9f1a CS |
1771 | fclose(proc_pid_cgroup); |
1772 | free(line); | |
1773 | return result; | |
1774 | ||
1775 | out_error: | |
1776 | saved_errno = errno; | |
1777 | if (proc_pid_cgroup) | |
1778 | fclose(proc_pid_cgroup); | |
1779 | lxc_cgroup_process_info_free(result); | |
1780 | lxc_cgroup_process_info_free(entry); | |
1781 | free(line); | |
1782 | errno = saved_errno; | |
ae5c8b8e | 1783 | return NULL; |
36b86299 DL |
1784 | } |
1785 | ||
574c4428 QH |
1786 | static char **subsystems_from_mount_options(const char *mount_options, |
1787 | char **kernel_list) | |
36b86299 | 1788 | { |
33ad9f1a CS |
1789 | char *token, *str, *saveptr = NULL; |
1790 | char **result = NULL; | |
1791 | size_t result_capacity = 0; | |
8900b9eb | 1792 | size_t result_count = 0; |
33ad9f1a CS |
1793 | int saved_errno; |
1794 | int r; | |
ef342abb | 1795 | |
33ad9f1a CS |
1796 | str = alloca(strlen(mount_options)+1); |
1797 | strcpy(str, mount_options); | |
1798 | for (; (token = strtok_r(str, ",", &saveptr)); str = NULL) { | |
1799 | /* we have a subsystem if it's either in the list of | |
1800 | * subsystems provided by the kernel OR if it starts | |
1801 | * with name= for named hierarchies | |
1802 | */ | |
836514a8 U |
1803 | r = lxc_grow_array((void ***)&result, &result_capacity, result_count + 1, 12); |
1804 | if (r < 0) | |
1805 | goto out_free; | |
1806 | result[result_count + 1] = NULL; | |
1807 | if (strncmp(token, "name=", 5) && !lxc_string_in_array(token, (const char **)kernel_list)) { | |
1a0e70ac CB |
1808 | /* this is eg 'systemd' but the mount will be |
1809 | * 'name=systemd' | |
1810 | */ | |
836514a8 U |
1811 | result[result_count] = malloc(strlen(token) + 6); |
1812 | if (result[result_count]) | |
1813 | sprintf(result[result_count], "name=%s", token); | |
1814 | } else | |
33ad9f1a | 1815 | result[result_count] = strdup(token); |
836514a8 U |
1816 | if (!result[result_count]) |
1817 | goto out_free; | |
1818 | result_count++; | |
ae5c8b8e | 1819 | } |
f0e64b8b | 1820 | |
33ad9f1a CS |
1821 | return result; |
1822 | ||
1823 | out_free: | |
1824 | saved_errno = errno; | |
1825 | lxc_free_array((void**)result, free); | |
1826 | errno = saved_errno; | |
1827 | return NULL; | |
b98f7d6e SH |
1828 | } |
1829 | ||
574c4428 | 1830 | static void lxc_cgroup_mount_point_free(struct cgroup_mount_point *mp) |
b98f7d6e | 1831 | { |
33ad9f1a CS |
1832 | if (!mp) |
1833 | return; | |
1834 | free(mp->mount_point); | |
1835 | free(mp->mount_prefix); | |
1836 | free(mp); | |
bcbd102c SH |
1837 | } |
1838 | ||
574c4428 | 1839 | static void lxc_cgroup_hierarchy_free(struct cgroup_hierarchy *h) |
341a9bd8 | 1840 | { |
33ad9f1a CS |
1841 | if (!h) |
1842 | return; | |
2446c321 CB |
1843 | if (h->subsystems) { |
1844 | lxc_free_array((void **)h->subsystems, free); | |
1845 | h->subsystems = NULL; | |
1846 | } | |
1847 | if (h->all_mount_points) { | |
1848 | free(h->all_mount_points); | |
1849 | h->all_mount_points = NULL; | |
1850 | } | |
33ad9f1a | 1851 | free(h); |
2446c321 | 1852 | h = NULL; |
33ad9f1a | 1853 | } |
341a9bd8 | 1854 | |
574c4428 | 1855 | static bool is_valid_cgroup(const char *name) |
33ad9f1a CS |
1856 | { |
1857 | const char *p; | |
1858 | for (p = name; *p; p++) { | |
28bb9321 QH |
1859 | /* Use the ASCII printable characters range(32 - 127) |
1860 | * is reasonable, we kick out 32(SPACE) because it'll | |
1861 | * break legacy lxc-ls | |
1862 | */ | |
1863 | if (*p <= 32 || *p >= 127 || *p == '/') | |
33ad9f1a | 1864 | return false; |
341a9bd8 | 1865 | } |
33ad9f1a CS |
1866 | return strcmp(name, ".") != 0 && strcmp(name, "..") != 0; |
1867 | } | |
341a9bd8 | 1868 | |
574c4428 | 1869 | static int create_or_remove_cgroup(bool do_remove, |
6a9e0f26 SH |
1870 | struct cgroup_mount_point *mp, const char *path, int recurse, |
1871 | struct lxc_conf *conf) | |
33ad9f1a CS |
1872 | { |
1873 | int r, saved_errno = 0; | |
1874 | char *buf = cgroup_to_absolute_path(mp, path, NULL); | |
1875 | if (!buf) | |
1876 | return -1; | |
341a9bd8 | 1877 | |
33ad9f1a | 1878 | /* create or remove directory */ |
603c64c2 | 1879 | if (do_remove) { |
01d59fe5 CB |
1880 | if (!dir_exists(buf)) |
1881 | return 0; | |
6a9e0f26 SH |
1882 | if (recurse) { |
1883 | if (conf && !lxc_list_empty(&conf->id_map)) | |
c9b7c33e CB |
1884 | r = userns_exec_1(conf, rmdir_wrapper, buf, |
1885 | "rmdir_wrapper"); | |
6a9e0f26 SH |
1886 | else |
1887 | r = cgroup_rmdir(buf); | |
1888 | } else | |
603c64c2 SH |
1889 | r = rmdir(buf); |
1890 | } else | |
2f604eb5 | 1891 | r = mkdir_p(buf, 0777); |
33ad9f1a CS |
1892 | saved_errno = errno; |
1893 | free(buf); | |
1894 | errno = saved_errno; | |
1895 | return r; | |
341a9bd8 | 1896 | } |
bcbd102c | 1897 | |
574c4428 | 1898 | static int create_cgroup(struct cgroup_mount_point *mp, const char *path) |
a6ddef61 | 1899 | { |
6a9e0f26 | 1900 | return create_or_remove_cgroup(false, mp, path, false, NULL); |
a6ddef61 MN |
1901 | } |
1902 | ||
574c4428 | 1903 | static int remove_cgroup(struct cgroup_mount_point *mp, |
6a9e0f26 | 1904 | const char *path, bool recurse, struct lxc_conf *conf) |
576f946d | 1905 | { |
6a9e0f26 | 1906 | return create_or_remove_cgroup(true, mp, path, recurse, conf); |
33ad9f1a | 1907 | } |
576f946d | 1908 | |
574c4428 QH |
1909 | static char *cgroup_to_absolute_path(struct cgroup_mount_point *mp, |
1910 | const char *path, const char *suffix) | |
33ad9f1a CS |
1911 | { |
1912 | /* first we have to make sure we subtract the mount point's prefix */ | |
1913 | char *prefix = mp->mount_prefix; | |
1914 | char *buf; | |
1915 | ssize_t len, rv; | |
1916 | ||
1917 | /* we want to make sure only absolute paths to cgroups are passed to us */ | |
1918 | if (path[0] != '/') { | |
1919 | errno = EINVAL; | |
1920 | return NULL; | |
1921 | } | |
b98f7d6e | 1922 | |
33ad9f1a CS |
1923 | if (prefix && !strcmp(prefix, "/")) |
1924 | prefix = NULL; | |
b98f7d6e | 1925 | |
33ad9f1a CS |
1926 | /* prefix doesn't match */ |
1927 | if (prefix && strncmp(prefix, path, strlen(prefix)) != 0) { | |
1928 | errno = EINVAL; | |
1929 | return NULL; | |
1930 | } | |
1931 | /* if prefix is /foo and path is /foobar */ | |
1932 | if (prefix && path[strlen(prefix)] != '/' && path[strlen(prefix)] != '\0') { | |
1933 | errno = EINVAL; | |
1934 | return NULL; | |
1935 | } | |
b98f7d6e | 1936 | |
33ad9f1a CS |
1937 | /* remove prefix from path */ |
1938 | path += prefix ? strlen(prefix) : 0; | |
b98f7d6e | 1939 | |
33ad9f1a CS |
1940 | len = strlen(mp->mount_point) + strlen(path) + (suffix ? strlen(suffix) : 0); |
1941 | buf = calloc(len + 1, 1); | |
50266dc6 DE |
1942 | if (!buf) |
1943 | return NULL; | |
33ad9f1a | 1944 | rv = snprintf(buf, len + 1, "%s%s%s", mp->mount_point, path, suffix ? suffix : ""); |
8900b9eb | 1945 | if (rv > len) { |
33ad9f1a CS |
1946 | free(buf); |
1947 | errno = ENOMEM; | |
8900b9eb | 1948 | return NULL; |
8b92dc3a | 1949 | } |
576f946d | 1950 | |
33ad9f1a | 1951 | return buf; |
e0f888d9 | 1952 | } |
283678ed | 1953 | |
574c4428 QH |
1954 | static struct cgroup_process_info * |
1955 | find_info_for_subsystem(struct cgroup_process_info *info, const char *subsystem) | |
283678ed | 1956 | { |
33ad9f1a CS |
1957 | struct cgroup_process_info *info_ptr; |
1958 | for (info_ptr = info; info_ptr; info_ptr = info_ptr->next) { | |
1959 | struct cgroup_hierarchy *h = info_ptr->hierarchy; | |
517587ef CB |
1960 | if (!h) |
1961 | continue; | |
33ad9f1a CS |
1962 | if (lxc_string_in_array(subsystem, (const char **)h->subsystems)) |
1963 | return info_ptr; | |
b98f7d6e | 1964 | } |
33ad9f1a CS |
1965 | errno = ENOENT; |
1966 | return NULL; | |
1967 | } | |
283678ed | 1968 | |
574c4428 QH |
1969 | static int do_cgroup_get(const char *cgroup_path, const char *sub_filename, |
1970 | char *value, size_t len) | |
33ad9f1a CS |
1971 | { |
1972 | const char *parts[3] = { | |
1973 | cgroup_path, | |
1974 | sub_filename, | |
1975 | NULL | |
1976 | }; | |
1977 | char *filename; | |
1978 | int ret, saved_errno; | |
1979 | ||
1980 | filename = lxc_string_join("/", parts, false); | |
1981 | if (!filename) | |
1982 | return -1; | |
1983 | ||
1984 | ret = lxc_read_from_file(filename, value, len); | |
1985 | saved_errno = errno; | |
1986 | free(filename); | |
1987 | errno = saved_errno; | |
1988 | return ret; | |
283678ed | 1989 | } |
b113383b | 1990 | |
574c4428 QH |
1991 | static int do_cgroup_set(const char *cgroup_path, const char *sub_filename, |
1992 | const char *value) | |
b113383b | 1993 | { |
33ad9f1a CS |
1994 | const char *parts[3] = { |
1995 | cgroup_path, | |
1996 | sub_filename, | |
1997 | NULL | |
1998 | }; | |
1999 | char *filename; | |
2000 | int ret, saved_errno; | |
b113383b | 2001 | |
33ad9f1a CS |
2002 | filename = lxc_string_join("/", parts, false); |
2003 | if (!filename) | |
2004 | return -1; | |
b113383b | 2005 | |
33ad9f1a CS |
2006 | ret = lxc_write_to_file(filename, value, strlen(value), false); |
2007 | saved_errno = errno; | |
2008 | free(filename); | |
2009 | errno = saved_errno; | |
2010 | return ret; | |
b98f7d6e SH |
2011 | } |
2012 | ||
4fb3cba5 | 2013 | static int do_setup_cgroup_limits(struct cgfs_data *d, |
574c4428 | 2014 | struct lxc_list *cgroup_settings, bool do_devices) |
b98f7d6e | 2015 | { |
365d180a | 2016 | struct lxc_list *iterator, *sorted_cgroup_settings, *next; |
b98f7d6e SH |
2017 | struct lxc_cgroup *cg; |
2018 | int ret = -1; | |
2019 | ||
33ad9f1a | 2020 | if (lxc_list_empty(cgroup_settings)) |
b98f7d6e SH |
2021 | return 0; |
2022 | ||
aaf26830 | 2023 | sorted_cgroup_settings = sort_cgroup_settings(cgroup_settings); |
fac7c663 KT |
2024 | if (!sorted_cgroup_settings) { |
2025 | return -1; | |
2026 | } | |
aaf26830 KT |
2027 | |
2028 | lxc_list_for_each(iterator, sorted_cgroup_settings) { | |
b98f7d6e SH |
2029 | cg = iterator->elem; |
2030 | ||
33ad9f1a | 2031 | if (do_devices == !strncmp("devices", cg->subsystem, 7)) { |
b98f7d6e | 2032 | if (strcmp(cg->subsystem, "devices.deny") == 0 && |
4fb3cba5 | 2033 | cgroup_devices_has_allow_or_deny(d, cg->value, false)) |
b98f7d6e SH |
2034 | continue; |
2035 | if (strcmp(cg->subsystem, "devices.allow") == 0 && | |
4fb3cba5 | 2036 | cgroup_devices_has_allow_or_deny(d, cg->value, true)) |
b98f7d6e | 2037 | continue; |
4fb3cba5 | 2038 | if (lxc_cgroup_set_data(cg->subsystem, cg->value, d)) { |
dddf7c5b | 2039 | if (do_devices && (errno == EACCES || errno == EPERM)) { |
4f875f70 SH |
2040 | WARN("Error setting %s to %s for %s", |
2041 | cg->subsystem, cg->value, d->name); | |
2042 | continue; | |
2043 | } | |
dddf7c5b | 2044 | SYSERROR("Error setting %s to %s for %s", |
4fb3cba5 | 2045 | cg->subsystem, cg->value, d->name); |
b98f7d6e SH |
2046 | goto out; |
2047 | } | |
b113383b | 2048 | } |
b98f7d6e SH |
2049 | |
2050 | DEBUG("cgroup '%s' set to '%s'", cg->subsystem, cg->value); | |
b113383b SH |
2051 | } |
2052 | ||
b98f7d6e SH |
2053 | ret = 0; |
2054 | INFO("cgroup has been setup"); | |
2055 | out: | |
365d180a | 2056 | lxc_list_for_each_safe(iterator, sorted_cgroup_settings, next) { |
aaf26830 KT |
2057 | lxc_list_del(iterator); |
2058 | free(iterator); | |
2059 | } | |
365d180a | 2060 | free(sorted_cgroup_settings); |
b113383b SH |
2061 | return ret; |
2062 | } | |
b98f7d6e | 2063 | |
4fb3cba5 | 2064 | static bool cgroup_devices_has_allow_or_deny(struct cgfs_data *d, |
574c4428 | 2065 | char *v, bool for_allow) |
33ad9f1a CS |
2066 | { |
2067 | char *path; | |
2068 | FILE *devices_list; | |
8900b9eb | 2069 | char *line = NULL; |
33ad9f1a CS |
2070 | size_t sz = 0; |
2071 | bool ret = !for_allow; | |
2072 | const char *parts[3] = { | |
2073 | NULL, | |
2074 | "devices.list", | |
2075 | NULL | |
2076 | }; | |
2077 | ||
1a0e70ac CB |
2078 | /* XXX FIXME if users could use something other than 'lxc.devices.deny = |
2079 | * a'. not sure they ever do, but they *could* right now, I'm assuming | |
2080 | * they do NOT | |
2081 | */ | |
33ad9f1a CS |
2082 | if (!for_allow && strcmp(v, "a") != 0 && strcmp(v, "a *:* rwm") != 0) |
2083 | return false; | |
2084 | ||
4fb3cba5 | 2085 | parts[0] = (const char *)lxc_cgroup_get_hierarchy_abs_path_data("devices", d); |
33ad9f1a CS |
2086 | if (!parts[0]) |
2087 | return false; | |
2088 | path = lxc_string_join("/", parts, false); | |
2089 | if (!path) { | |
2090 | free((void *)parts[0]); | |
2091 | return false; | |
2092 | } | |
2093 | ||
2094 | devices_list = fopen_cloexec(path, "r"); | |
2095 | if (!devices_list) { | |
2096 | free(path); | |
2097 | return false; | |
2098 | } | |
2099 | ||
2100 | while (getline(&line, &sz, devices_list) != -1) { | |
2101 | size_t len = strlen(line); | |
2102 | if (len > 0 && line[len-1] == '\n') | |
2103 | line[len-1] = '\0'; | |
2104 | if (strcmp(line, "a *:* rwm") == 0) { | |
2105 | ret = for_allow; | |
2106 | goto out; | |
2107 | } else if (for_allow && strcmp(line, v) == 0) { | |
2108 | ret = true; | |
8900b9eb | 2109 | goto out; |
33ad9f1a CS |
2110 | } |
2111 | } | |
2112 | ||
2113 | out: | |
2114 | fclose(devices_list); | |
2115 | free(line); | |
2116 | free(path); | |
2117 | return ret; | |
2118 | } | |
2119 | ||
574c4428 | 2120 | static int cgroup_recursive_task_count(const char *cgroup_path) |
b98f7d6e | 2121 | { |
33ad9f1a | 2122 | DIR *d; |
33ad9f1a | 2123 | struct dirent *dent; |
33ad9f1a CS |
2124 | int n = 0, r; |
2125 | ||
33ad9f1a | 2126 | d = opendir(cgroup_path); |
74f96976 | 2127 | if (!d) |
33ad9f1a CS |
2128 | return 0; |
2129 | ||
74f96976 | 2130 | while ((dent = readdir(d))) { |
33ad9f1a CS |
2131 | const char *parts[3] = { |
2132 | cgroup_path, | |
2133 | dent->d_name, | |
2134 | NULL | |
2135 | }; | |
2136 | char *sub_path; | |
2137 | struct stat st; | |
2138 | ||
2139 | if (!strcmp(dent->d_name, ".") || !strcmp(dent->d_name, "..")) | |
2140 | continue; | |
2141 | sub_path = lxc_string_join("/", parts, false); | |
2142 | if (!sub_path) { | |
2143 | closedir(d); | |
33ad9f1a CS |
2144 | return -1; |
2145 | } | |
2146 | r = stat(sub_path, &st); | |
2147 | if (r < 0) { | |
2148 | closedir(d); | |
33ad9f1a CS |
2149 | free(sub_path); |
2150 | return -1; | |
2151 | } | |
2152 | if (S_ISDIR(st.st_mode)) { | |
2153 | r = cgroup_recursive_task_count(sub_path); | |
2154 | if (r >= 0) | |
2155 | n += r; | |
2156 | } else if (!strcmp(dent->d_name, "tasks")) { | |
ccb4cabe | 2157 | r = lxc_count_file_lines(sub_path); |
33ad9f1a CS |
2158 | if (r >= 0) |
2159 | n += r; | |
2160 | } | |
2161 | free(sub_path); | |
2162 | } | |
2163 | closedir(d); | |
33ad9f1a CS |
2164 | |
2165 | return n; | |
2166 | } | |
2167 | ||
574c4428 QH |
2168 | static int handle_cgroup_settings(struct cgroup_mount_point *mp, |
2169 | char *cgroup_path) | |
b98f7d6e | 2170 | { |
33ad9f1a | 2171 | int r, saved_errno = 0; |
7e7243e1 | 2172 | char buf[2]; |
1ea59ad2 | 2173 | |
934b1673 SH |
2174 | mp->need_cpuset_init = false; |
2175 | ||
1ea59ad2 SH |
2176 | /* If this is the memory cgroup, we want to enforce hierarchy. |
2177 | * But don't fail if for some reason we can't. | |
2178 | */ | |
2edb53c7 SH |
2179 | if (lxc_string_in_array("memory", (const char **)mp->hierarchy->subsystems)) { |
2180 | char *cc_path = cgroup_to_absolute_path(mp, cgroup_path, "/memory.use_hierarchy"); | |
2181 | if (cc_path) { | |
2182 | r = lxc_read_from_file(cc_path, buf, 1); | |
2183 | if (r < 1 || buf[0] != '1') { | |
2184 | r = lxc_write_to_file(cc_path, "1", 1, false); | |
2185 | if (r < 0) | |
a8916143 | 2186 | SYSERROR("failed to set memory.use_hierarchy to 1; continuing"); |
2edb53c7 | 2187 | } |
1ea59ad2 SH |
2188 | free(cc_path); |
2189 | } | |
2edb53c7 | 2190 | } |
1ea59ad2 | 2191 | |
33ad9f1a CS |
2192 | /* if this is a cpuset hierarchy, we have to set cgroup.clone_children in |
2193 | * the base cgroup, otherwise containers will start with an empty cpuset.mems | |
2194 | * and cpuset.cpus and then | |
2195 | */ | |
2edb53c7 SH |
2196 | if (lxc_string_in_array("cpuset", (const char **)mp->hierarchy->subsystems)) { |
2197 | char *cc_path = cgroup_to_absolute_path(mp, cgroup_path, "/cgroup.clone_children"); | |
d703c2b1 RV |
2198 | struct stat sb; |
2199 | ||
33ad9f1a | 2200 | if (!cc_path) |
2edb53c7 | 2201 | return -1; |
d703c2b1 RV |
2202 | /* cgroup.clone_children is not available when running under |
2203 | * older kernel versions; in this case, we'll initialize | |
2204 | * cpuset.cpus and cpuset.mems later, after the new cgroup | |
2205 | * was created | |
2206 | */ | |
2207 | if (stat(cc_path, &sb) != 0 && errno == ENOENT) { | |
934b1673 | 2208 | mp->need_cpuset_init = true; |
d703c2b1 RV |
2209 | free(cc_path); |
2210 | return 0; | |
2211 | } | |
7e7243e1 SH |
2212 | r = lxc_read_from_file(cc_path, buf, 1); |
2213 | if (r == 1 && buf[0] == '1') { | |
2214 | free(cc_path); | |
2edb53c7 | 2215 | return 0; |
7e7243e1 | 2216 | } |
33ad9f1a | 2217 | r = lxc_write_to_file(cc_path, "1", 1, false); |
2edb53c7 SH |
2218 | saved_errno = errno; |
2219 | free(cc_path); | |
2220 | errno = saved_errno; | |
2221 | return r < 0 ? -1 : 0; | |
33ad9f1a CS |
2222 | } |
2223 | return 0; | |
b98f7d6e | 2224 | } |
484ed030 | 2225 | |
934b1673 | 2226 | static int cgroup_read_from_file(const char *fn, char buf[], size_t bufsize) |
d703c2b1 RV |
2227 | { |
2228 | int ret = lxc_read_from_file(fn, buf, bufsize); | |
2229 | if (ret < 0) { | |
2230 | SYSERROR("failed to read %s", fn); | |
934b1673 | 2231 | return ret; |
d703c2b1 RV |
2232 | } |
2233 | if (ret == bufsize) { | |
934b1673 SH |
2234 | if (bufsize > 0) { |
2235 | /* obviously this wasn't empty */ | |
2236 | buf[bufsize-1] = '\0'; | |
2237 | return ret; | |
2238 | } | |
2239 | /* Callers don't do this, but regression/sanity check */ | |
b103ceac | 2240 | ERROR("was not expecting 0 bufsize"); |
934b1673 | 2241 | return -1; |
d703c2b1 RV |
2242 | } |
2243 | buf[ret] = '\0'; | |
934b1673 | 2244 | return ret; |
d703c2b1 RV |
2245 | } |
2246 | ||
2247 | static bool do_init_cpuset_file(struct cgroup_mount_point *mp, | |
2248 | const char *path, const char *name) | |
2249 | { | |
934b1673 SH |
2250 | char value[1024]; |
2251 | char *childfile, *parentfile = NULL, *tmp; | |
2252 | int ret; | |
2253 | bool ok = false; | |
2254 | ||
d703c2b1 RV |
2255 | childfile = cgroup_to_absolute_path(mp, path, name); |
2256 | if (!childfile) | |
2257 | return false; | |
2258 | ||
2259 | /* don't overwrite a non-empty value in the file */ | |
934b1673 SH |
2260 | ret = cgroup_read_from_file(childfile, value, sizeof(value)); |
2261 | if (ret < 0) | |
2262 | goto out; | |
d703c2b1 | 2263 | if (value[0] != '\0' && value[0] != '\n') { |
934b1673 SH |
2264 | ok = true; |
2265 | goto out; | |
d703c2b1 RV |
2266 | } |
2267 | ||
2268 | /* path to the same name in the parent cgroup */ | |
2269 | parentfile = strdup(path); | |
2270 | if (!parentfile) | |
934b1673 SH |
2271 | goto out; |
2272 | ||
d703c2b1 | 2273 | tmp = strrchr(parentfile, '/'); |
934b1673 SH |
2274 | if (!tmp) |
2275 | goto out; | |
d703c2b1 RV |
2276 | if (tmp == parentfile) |
2277 | tmp++; /* keep the '/' at the start */ | |
2278 | *tmp = '\0'; | |
2279 | tmp = parentfile; | |
2280 | parentfile = cgroup_to_absolute_path(mp, tmp, name); | |
2281 | free(tmp); | |
934b1673 SH |
2282 | if (!parentfile) |
2283 | goto out; | |
d703c2b1 RV |
2284 | |
2285 | /* copy from parent to child cgroup */ | |
934b1673 SH |
2286 | ret = cgroup_read_from_file(parentfile, value, sizeof(value)); |
2287 | if (ret < 0) | |
2288 | goto out; | |
2289 | if (ret == sizeof(value)) { | |
2290 | /* If anyone actually sees this error, we can address it */ | |
2291 | ERROR("parent cpuset value too long"); | |
2292 | goto out; | |
d703c2b1 RV |
2293 | } |
2294 | ok = (lxc_write_to_file(childfile, value, strlen(value), false) >= 0); | |
2295 | if (!ok) | |
2296 | SYSERROR("failed writing %s", childfile); | |
b1dad6f6 RV |
2297 | |
2298 | out: | |
f10fad2f | 2299 | free(parentfile); |
d703c2b1 | 2300 | free(childfile); |
d703c2b1 RV |
2301 | return ok; |
2302 | } | |
2303 | ||
2304 | static bool init_cpuset_if_needed(struct cgroup_mount_point *mp, | |
2305 | const char *path) | |
2306 | { | |
2307 | /* the files we have to handle here are only in cpuset hierarchies */ | |
2308 | if (!lxc_string_in_array("cpuset", | |
2309 | (const char **)mp->hierarchy->subsystems)) | |
2310 | return true; | |
2311 | ||
b1dad6f6 RV |
2312 | if (!mp->need_cpuset_init) |
2313 | return true; | |
2314 | ||
d703c2b1 RV |
2315 | return (do_init_cpuset_file(mp, path, "/cpuset.cpus") && |
2316 | do_init_cpuset_file(mp, path, "/cpuset.mems") ); | |
2317 | } | |
2318 | ||
1a704014 CB |
2319 | static void print_cgfs_init_debuginfo(struct cgfs_data *d) |
2320 | { | |
2321 | int i; | |
2322 | ||
2323 | if (!getenv("LXC_DEBUG_CGFS")) | |
2324 | return; | |
2325 | ||
2326 | DEBUG("Cgroup information:"); | |
2327 | DEBUG(" container name: %s", d->name); | |
2328 | if (!d->meta || !d->meta->hierarchies) { | |
2329 | DEBUG(" No hierarchies found."); | |
2330 | return; | |
2331 | } | |
2332 | DEBUG(" Controllers:"); | |
2333 | for (i = 0; i <= d->meta->maximum_hierarchy; i++) { | |
2334 | char **p; | |
2335 | struct cgroup_hierarchy *h = d->meta->hierarchies[i]; | |
2336 | if (!h) { | |
2337 | DEBUG(" Empty hierarchy number %d.", i); | |
2338 | continue; | |
2339 | } | |
2340 | for (p = h->subsystems; p && *p; p++) { | |
2341 | DEBUG(" %2d: %s", i, *p); | |
2342 | } | |
2343 | } | |
2344 | } | |
2345 | ||
4fb3cba5 | 2346 | struct cgroup_ops *cgfs_ops_init(void) |
484ed030 | 2347 | { |
4fb3cba5 | 2348 | return &cgfs_ops; |
d4ef7c50 | 2349 | } |
484ed030 | 2350 | |
43654d34 | 2351 | static void *cgfs_init(struct lxc_handler *handler) |
d4ef7c50 | 2352 | { |
4fb3cba5 | 2353 | struct cgfs_data *d; |
484ed030 | 2354 | |
4fb3cba5 DE |
2355 | d = malloc(sizeof(*d)); |
2356 | if (!d) | |
2357 | return NULL; | |
484ed030 | 2358 | |
4fb3cba5 | 2359 | memset(d, 0, sizeof(*d)); |
43654d34 | 2360 | d->name = strdup(handler->name); |
4fb3cba5 DE |
2361 | if (!d->name) |
2362 | goto err1; | |
2363 | ||
5e1c5795 | 2364 | d->cgroup_pattern = lxc_global_config_value("lxc.cgroup.pattern"); |
4fb3cba5 DE |
2365 | |
2366 | d->meta = lxc_cgroup_load_meta(); | |
2367 | if (!d->meta) { | |
2368 | ERROR("cgroupfs failed to detect cgroup metadata"); | |
2369 | goto err2; | |
2370 | } | |
1a704014 CB |
2371 | |
2372 | print_cgfs_init_debuginfo(d); | |
2373 | ||
4fb3cba5 DE |
2374 | return d; |
2375 | ||
2376 | err2: | |
2377 | free(d->name); | |
2378 | err1: | |
2379 | free(d); | |
2380 | return NULL; | |
d4ef7c50 | 2381 | } |
484ed030 | 2382 | |
6a9e0f26 | 2383 | static void cgfs_destroy(void *hdata, struct lxc_conf *conf) |
d4ef7c50 | 2384 | { |
4fb3cba5 DE |
2385 | struct cgfs_data *d = hdata; |
2386 | ||
d4ef7c50 SH |
2387 | if (!d) |
2388 | return; | |
f10fad2f | 2389 | free(d->name); |
6a9e0f26 | 2390 | lxc_cgroup_process_info_free_and_remove(d->info, conf); |
c55d4505 | 2391 | lxc_cgroup_put_meta(d->meta); |
d4ef7c50 | 2392 | free(d); |
d4ef7c50 | 2393 | } |
484ed030 | 2394 | |
4fb3cba5 | 2395 | static inline bool cgfs_create(void *hdata) |
d4ef7c50 | 2396 | { |
4fb3cba5 DE |
2397 | struct cgfs_data *d = hdata; |
2398 | struct cgroup_process_info *i; | |
2399 | struct cgroup_meta_data *md; | |
484ed030 | 2400 | |
4fb3cba5 | 2401 | if (!d) |
d4ef7c50 | 2402 | return false; |
4fb3cba5 DE |
2403 | md = d->meta; |
2404 | i = lxc_cgroupfs_create(d->name, d->cgroup_pattern, md, NULL); | |
d4ef7c50 SH |
2405 | if (!i) |
2406 | return false; | |
2407 | d->info = i; | |
2408 | return true; | |
2409 | } | |
484ed030 | 2410 | |
4fb3cba5 | 2411 | static inline bool cgfs_enter(void *hdata, pid_t pid) |
d4ef7c50 | 2412 | { |
4fb3cba5 DE |
2413 | struct cgfs_data *d = hdata; |
2414 | struct cgroup_process_info *i; | |
d4ef7c50 | 2415 | int ret; |
4fb3cba5 DE |
2416 | |
2417 | if (!d) | |
2418 | return false; | |
2419 | i = d->info; | |
2420 | ret = lxc_cgroupfs_enter(i, pid, false); | |
484ed030 | 2421 | |
d4ef7c50 SH |
2422 | return ret == 0; |
2423 | } | |
2424 | ||
4fb3cba5 | 2425 | static inline bool cgfs_create_legacy(void *hdata, pid_t pid) |
d4ef7c50 | 2426 | { |
4fb3cba5 DE |
2427 | struct cgfs_data *d = hdata; |
2428 | struct cgroup_process_info *i; | |
2429 | ||
2430 | if (!d) | |
2431 | return false; | |
2432 | i = d->info; | |
2433 | if (lxc_cgroup_create_legacy(i, d->name, pid) < 0) { | |
2434 | ERROR("failed to create legacy ns cgroups for '%s'", d->name); | |
d4ef7c50 | 2435 | return false; |
484ed030 | 2436 | } |
d4ef7c50 SH |
2437 | return true; |
2438 | } | |
484ed030 | 2439 | |
4fb3cba5 | 2440 | static const char *cgfs_get_cgroup(void *hdata, const char *subsystem) |
d4ef7c50 | 2441 | { |
4fb3cba5 DE |
2442 | struct cgfs_data *d = hdata; |
2443 | ||
2444 | if (!d) | |
2445 | return NULL; | |
2446 | return lxc_cgroup_get_hierarchy_path_data(subsystem, d); | |
484ed030 SH |
2447 | } |
2448 | ||
ccb4cabe | 2449 | static bool cgfs_escape(void *hdata) |
06078509 TA |
2450 | { |
2451 | struct cgroup_meta_data *md; | |
2452 | int i; | |
2453 | bool ret = false; | |
2454 | ||
2455 | md = lxc_cgroup_load_meta(); | |
2456 | if (!md) | |
2457 | return false; | |
2458 | ||
517587ef | 2459 | for (i = 0; i <= md->maximum_hierarchy; i++) { |
06078509 TA |
2460 | struct cgroup_hierarchy *h = md->hierarchies[i]; |
2461 | struct cgroup_mount_point *mp; | |
2462 | char *tasks; | |
2463 | FILE *f; | |
2464 | int written; | |
2465 | ||
2466 | if (!h) { | |
2467 | WARN("not escaping hierarchy %d", i); | |
2468 | continue; | |
2469 | } | |
2470 | ||
2471 | mp = lxc_cgroup_find_mount_point(h, "/", true); | |
2472 | if (!mp) | |
2473 | goto out; | |
2474 | ||
2475 | tasks = cgroup_to_absolute_path(mp, "/", "tasks"); | |
2476 | if (!tasks) | |
2477 | goto out; | |
2478 | ||
2479 | f = fopen(tasks, "a"); | |
2480 | free(tasks); | |
2481 | if (!f) | |
2482 | goto out; | |
2483 | ||
0059379f | 2484 | written = fprintf(f, "%d\n", lxc_raw_getpid()); |
06078509 TA |
2485 | fclose(f); |
2486 | if (written < 0) { | |
2487 | SYSERROR("writing tasks failed\n"); | |
2488 | goto out; | |
2489 | } | |
2490 | } | |
2491 | ||
2492 | ret = true; | |
2493 | out: | |
2494 | lxc_cgroup_put_meta(md); | |
2495 | return ret; | |
2496 | } | |
2497 | ||
36662416 TA |
2498 | static int cgfs_num_hierarchies(void) |
2499 | { | |
2500 | /* not implemented */ | |
2501 | return -1; | |
2502 | } | |
2503 | ||
2504 | static bool cgfs_get_hierarchies(int i, char ***out) | |
2505 | { | |
2506 | /* not implemented */ | |
2507 | return false; | |
2508 | } | |
2509 | ||
4fb3cba5 | 2510 | static bool cgfs_unfreeze(void *hdata) |
0086f499 | 2511 | { |
4fb3cba5 | 2512 | struct cgfs_data *d = hdata; |
0086f499 SH |
2513 | char *cgabspath, *cgrelpath; |
2514 | int ret; | |
2515 | ||
4fb3cba5 DE |
2516 | if (!d) |
2517 | return false; | |
2518 | ||
2519 | cgrelpath = lxc_cgroup_get_hierarchy_path_data("freezer", d); | |
0086f499 SH |
2520 | cgabspath = lxc_cgroup_find_abs_path("freezer", cgrelpath, true, NULL); |
2521 | if (!cgabspath) | |
ecfcb3f0 | 2522 | return false; |
0086f499 SH |
2523 | |
2524 | ret = do_cgroup_set(cgabspath, "freezer.state", "THAWED"); | |
2525 | free(cgabspath); | |
ecfcb3f0 | 2526 | return ret == 0; |
0086f499 SH |
2527 | } |
2528 | ||
6b38e644 | 2529 | static bool cgroupfs_setup_limits(void *hdata, struct lxc_conf *conf, |
4fb3cba5 | 2530 | bool with_devices) |
9daf6f5d | 2531 | { |
4fb3cba5 DE |
2532 | struct cgfs_data *d = hdata; |
2533 | ||
2534 | if (!d) | |
2535 | return false; | |
6b38e644 | 2536 | return do_setup_cgroup_limits(d, &conf->cgroup, with_devices) == 0; |
9daf6f5d SH |
2537 | } |
2538 | ||
4fb3cba5 | 2539 | static bool lxc_cgroupfs_attach(const char *name, const char *lxcpath, pid_t pid) |
5d897655 SH |
2540 | { |
2541 | struct cgroup_meta_data *meta_data; | |
2542 | struct cgroup_process_info *container_info; | |
2543 | int ret; | |
2544 | ||
2545 | meta_data = lxc_cgroup_load_meta(); | |
2546 | if (!meta_data) { | |
2547 | ERROR("could not move attached process %d to cgroup of container", pid); | |
2548 | return false; | |
2549 | } | |
2550 | ||
2551 | container_info = lxc_cgroup_get_container_info(name, lxcpath, meta_data); | |
2552 | lxc_cgroup_put_meta(meta_data); | |
2553 | if (!container_info) { | |
2554 | ERROR("could not move attached process %d to cgroup of container", pid); | |
2555 | return false; | |
2556 | } | |
2557 | ||
2558 | ret = lxc_cgroupfs_enter(container_info, pid, false); | |
2559 | lxc_cgroup_process_info_free(container_info); | |
2560 | if (ret < 0) { | |
2561 | ERROR("could not move attached process %d to cgroup of container", pid); | |
2562 | return false; | |
2563 | } | |
2564 | return true; | |
2565 | } | |
2566 | ||
8b276860 SH |
2567 | struct chown_data { |
2568 | const char *cgroup_path; | |
2569 | uid_t origuid; | |
2570 | }; | |
2571 | ||
2572 | /* | |
2573 | * TODO - someone should refactor this to unshare once passing all the paths | |
2574 | * to be chowned in one go | |
2575 | */ | |
2576 | static int chown_cgroup_wrapper(void *data) | |
2577 | { | |
2578 | struct chown_data *arg = data; | |
2579 | uid_t destuid; | |
2580 | char *fpath; | |
2581 | ||
8b276860 SH |
2582 | if (setresgid(0,0,0) < 0) |
2583 | SYSERROR("Failed to setgid to 0"); | |
2584 | if (setresuid(0,0,0) < 0) | |
2585 | SYSERROR("Failed to setuid to 0"); | |
2586 | if (setgroups(0, NULL) < 0) | |
2587 | SYSERROR("Failed to clear groups"); | |
2588 | destuid = get_ns_uid(arg->origuid); | |
2589 | ||
2590 | if (chown(arg->cgroup_path, destuid, 0) < 0) | |
2591 | SYSERROR("Failed chowning %s to %d", arg->cgroup_path, (int)destuid); | |
2592 | ||
2593 | fpath = lxc_append_paths(arg->cgroup_path, "tasks"); | |
2594 | if (!fpath) | |
2595 | return -1; | |
2596 | if (chown(fpath, destuid, 0) < 0) | |
2597 | SYSERROR("Error chowning %s\n", fpath); | |
2598 | free(fpath); | |
01d59fe5 | 2599 | |
8b276860 SH |
2600 | fpath = lxc_append_paths(arg->cgroup_path, "cgroup.procs"); |
2601 | if (!fpath) | |
2602 | return -1; | |
2603 | if (chown(fpath, destuid, 0) < 0) | |
2604 | SYSERROR("Error chowning %s", fpath); | |
2605 | free(fpath); | |
2606 | ||
2607 | return 0; | |
2608 | } | |
2609 | ||
2610 | static bool do_cgfs_chown(char *cgroup_path, struct lxc_conf *conf) | |
2611 | { | |
2612 | struct chown_data data; | |
2613 | char *fpath; | |
2614 | ||
01d59fe5 CB |
2615 | if (!dir_exists(cgroup_path)) |
2616 | return true; | |
2617 | ||
8b276860 SH |
2618 | if (lxc_list_empty(&conf->id_map)) |
2619 | /* If there's no mapping then we don't need to chown */ | |
2620 | return true; | |
2621 | ||
2622 | data.cgroup_path = cgroup_path; | |
2623 | data.origuid = geteuid(); | |
2624 | ||
2625 | /* Unpriv users can't chown it themselves, so chown from | |
2626 | * a child namespace mapping both our own and the target uid | |
2627 | */ | |
c9b7c33e CB |
2628 | if (userns_exec_1(conf, chown_cgroup_wrapper, &data, |
2629 | "chown_cgroup_wrapper") < 0) { | |
8b276860 SH |
2630 | ERROR("Error requesting cgroup chown in new namespace"); |
2631 | return false; | |
2632 | } | |
2633 | ||
2634 | /* | |
2635 | * Now chmod 775 the directory else the container cannot create cgroups. | |
2636 | * This can't be done in the child namespace because it only group-owns | |
2637 | * the cgroup | |
2638 | */ | |
2639 | if (chmod(cgroup_path, 0775) < 0) { | |
2640 | SYSERROR("Error chmoding %s\n", cgroup_path); | |
2641 | return false; | |
2642 | } | |
2643 | fpath = lxc_append_paths(cgroup_path, "tasks"); | |
2644 | if (!fpath) | |
2645 | return false; | |
2646 | if (chmod(fpath, 0664) < 0) | |
2647 | SYSERROR("Error chmoding %s\n", fpath); | |
2648 | free(fpath); | |
2649 | fpath = lxc_append_paths(cgroup_path, "cgroup.procs"); | |
2650 | if (!fpath) | |
2651 | return false; | |
2652 | if (chmod(fpath, 0664) < 0) | |
2653 | SYSERROR("Error chmoding %s\n", fpath); | |
2654 | free(fpath); | |
2655 | ||
2656 | return true; | |
2657 | } | |
2658 | ||
2659 | static bool cgfs_chown(void *hdata, struct lxc_conf *conf) | |
2660 | { | |
2661 | struct cgfs_data *d = hdata; | |
2662 | struct cgroup_process_info *info_ptr; | |
2663 | char *cgpath; | |
2664 | bool r = true; | |
2665 | ||
2666 | if (!d) | |
2667 | return false; | |
2668 | ||
2669 | for (info_ptr = d->info; info_ptr; info_ptr = info_ptr->next) { | |
517587ef CB |
2670 | if (!info_ptr->hierarchy) |
2671 | continue; | |
2672 | ||
8b276860 SH |
2673 | if (!info_ptr->designated_mount_point) { |
2674 | info_ptr->designated_mount_point = lxc_cgroup_find_mount_point(info_ptr->hierarchy, info_ptr->cgroup_path, true); | |
2675 | if (!info_ptr->designated_mount_point) { | |
2676 | SYSERROR("Could not chown cgroup %s: internal error (couldn't find any writable mountpoint to cgroup filesystem)", info_ptr->cgroup_path); | |
2677 | return false; | |
2678 | } | |
2679 | } | |
2680 | ||
2681 | cgpath = cgroup_to_absolute_path(info_ptr->designated_mount_point, info_ptr->cgroup_path, NULL); | |
2682 | if (!cgpath) { | |
2683 | SYSERROR("Could not chown cgroup %s: internal error", info_ptr->cgroup_path); | |
2684 | continue; | |
2685 | } | |
2686 | r = do_cgfs_chown(cgpath, conf); | |
ea439aac | 2687 | if (!r && is_crucial_hierarchy(info_ptr->hierarchy)) { |
8b276860 SH |
2688 | ERROR("Failed chowning %s\n", cgpath); |
2689 | free(cgpath); | |
2690 | return false; | |
2691 | } | |
2692 | free(cgpath); | |
2693 | } | |
2694 | ||
2695 | return true; | |
2696 | } | |
2697 | ||
d4ef7c50 | 2698 | static struct cgroup_ops cgfs_ops = { |
d4ef7c50 | 2699 | .init = cgfs_init, |
4fb3cba5 | 2700 | .destroy = cgfs_destroy, |
d4ef7c50 SH |
2701 | .create = cgfs_create, |
2702 | .enter = cgfs_enter, | |
2703 | .create_legacy = cgfs_create_legacy, | |
2704 | .get_cgroup = cgfs_get_cgroup, | |
06078509 | 2705 | .escape = cgfs_escape, |
36662416 TA |
2706 | .num_hierarchies = cgfs_num_hierarchies, |
2707 | .get_hierarchies = cgfs_get_hierarchies, | |
d4ef7c50 SH |
2708 | .get = lxc_cgroupfs_get, |
2709 | .set = lxc_cgroupfs_set, | |
4fb3cba5 | 2710 | .unfreeze = cgfs_unfreeze, |
9daf6f5d | 2711 | .setup_limits = cgroupfs_setup_limits, |
d4ef7c50 | 2712 | .name = "cgroupfs", |
5d897655 | 2713 | .attach = lxc_cgroupfs_attach, |
8b276860 | 2714 | .chown = cgfs_chown, |
c476bdce | 2715 | .mount_cgroup = cgroupfs_mount_cgroup, |
4fb3cba5 | 2716 | .nrtasks = cgfs_nrtasks, |
23befb18 | 2717 | .driver = CGFS, |
d4ef7c50 | 2718 | }; |