]>
Commit | Line | Data |
---|---|---|
cc73685d | 1 | /* SPDX-License-Identifier: LGPL-2.1+ */ |
ccb4cabe SH |
2 | |
3 | /* | |
4 | * cgfs-ng.c: this is a new, simplified implementation of a filesystem | |
5 | * cgroup backend. The original cgfs.c was designed to be as flexible | |
6 | * as possible. It would try to find cgroup filesystems no matter where | |
7 | * or how you had them mounted, and deduce the most usable mount for | |
0e7ff52c | 8 | * each controller. |
ccb4cabe SH |
9 | * |
10 | * This new implementation assumes that cgroup filesystems are mounted | |
11 | * under /sys/fs/cgroup/clist where clist is either the controller, or | |
18406e5a | 12 | * a comma-separated list of controllers. |
ccb4cabe | 13 | */ |
a54694f8 | 14 | |
d38dd64a CB |
15 | #ifndef _GNU_SOURCE |
16 | #define _GNU_SOURCE 1 | |
17 | #endif | |
a54694f8 CB |
18 | #include <ctype.h> |
19 | #include <dirent.h> | |
20 | #include <errno.h> | |
21 | #include <grp.h> | |
d38dd64a CB |
22 | #include <linux/kdev_t.h> |
23 | #include <linux/types.h> | |
942e193e CB |
24 | #include <poll.h> |
25 | #include <signal.h> | |
a54694f8 | 26 | #include <stdint.h> |
ccb4cabe SH |
27 | #include <stdio.h> |
28 | #include <stdlib.h> | |
a54694f8 | 29 | #include <string.h> |
438c4581 | 30 | #include <sys/types.h> |
d38dd64a | 31 | #include <unistd.h> |
c8bf519d | 32 | |
d1783ef4 | 33 | #include "af_unix.h" |
b635e92d | 34 | #include "caps.h" |
ccb4cabe | 35 | #include "cgroup.h" |
bf651989 | 36 | #include "cgroup2_devices.h" |
6328fd9c | 37 | #include "cgroup_utils.h" |
ccb4cabe | 38 | #include "commands.h" |
43654d34 | 39 | #include "conf.h" |
d38dd64a | 40 | #include "config.h" |
a54694f8 | 41 | #include "log.h" |
c19ad94b | 42 | #include "macro.h" |
018051e3 | 43 | #include "mainloop.h" |
861cb8c2 | 44 | #include "memory_utils.h" |
43654d34 | 45 | #include "storage/storage.h" |
a54694f8 | 46 | #include "utils.h" |
ccb4cabe | 47 | |
64e82f8b DJ |
48 | #ifndef HAVE_STRLCPY |
49 | #include "include/strlcpy.h" | |
50 | #endif | |
51 | ||
3ebe2fbd DJ |
52 | #ifndef HAVE_STRLCAT |
53 | #include "include/strlcat.h" | |
54 | #endif | |
55 | ||
ac2cecc4 | 56 | lxc_log_define(cgfsng, cgroup); |
ccb4cabe | 57 | |
8b8db2f6 CB |
58 | /* Given a pointer to a null-terminated array of pointers, realloc to add one |
59 | * entry, and point the new entry to NULL. Do not fail. Return the index to the | |
60 | * second-to-last entry - that is, the one which is now available for use | |
61 | * (keeping the list null-terminated). | |
ccb4cabe SH |
62 | */ |
63 | static int append_null_to_list(void ***list) | |
64 | { | |
65 | int newentry = 0; | |
66 | ||
67 | if (*list) | |
8b8db2f6 CB |
68 | for (; (*list)[newentry]; newentry++) |
69 | ; | |
ccb4cabe SH |
70 | |
71 | *list = must_realloc(*list, (newentry + 2) * sizeof(void **)); | |
72 | (*list)[newentry + 1] = NULL; | |
73 | return newentry; | |
74 | } | |
75 | ||
8073018d CB |
76 | /* Given a null-terminated array of strings, check whether @entry is one of the |
77 | * strings. | |
ccb4cabe SH |
78 | */ |
79 | static bool string_in_list(char **list, const char *entry) | |
80 | { | |
ccb4cabe SH |
81 | if (!list) |
82 | return false; | |
d6337a5f | 83 | |
77c3e9a2 | 84 | for (int i = 0; list[i]; i++) |
ccb4cabe SH |
85 | if (strcmp(list[i], entry) == 0) |
86 | return true; | |
87 | ||
88 | return false; | |
89 | } | |
90 | ||
ac010944 CB |
91 | /* Return a copy of @entry prepending "name=", i.e. turn "systemd" into |
92 | * "name=systemd". Do not fail. | |
93 | */ | |
94 | static char *cg_legacy_must_prefix_named(char *entry) | |
95 | { | |
96 | size_t len; | |
97 | char *prefixed; | |
98 | ||
99 | len = strlen(entry); | |
f25a2044 | 100 | prefixed = must_realloc(NULL, len + 6); |
ac010944 | 101 | |
6333c915 CB |
102 | memcpy(prefixed, "name=", STRLITERALLEN("name=")); |
103 | memcpy(prefixed + STRLITERALLEN("name="), entry, len); | |
ac010944 | 104 | prefixed[len + 5] = '\0'; |
99bb3fa8 | 105 | |
ac010944 CB |
106 | return prefixed; |
107 | } | |
108 | ||
42a993b4 CB |
109 | /* Append an entry to the clist. Do not fail. @clist must be NULL the first time |
110 | * we are called. | |
ccb4cabe | 111 | * |
42a993b4 CB |
112 | * We also handle named subsystems here. Any controller which is not a kernel |
113 | * subsystem, we prefix "name=". Any which is both a kernel and named subsystem, | |
114 | * we refuse to use because we're not sure which we have here. | |
115 | * (TODO: We could work around this in some cases by just remounting to be | |
116 | * unambiguous, or by comparing mountpoint contents with current cgroup.) | |
ccb4cabe SH |
117 | * |
118 | * The last entry will always be NULL. | |
119 | */ | |
42a993b4 CB |
120 | static void must_append_controller(char **klist, char **nlist, char ***clist, |
121 | char *entry) | |
ccb4cabe SH |
122 | { |
123 | int newentry; | |
124 | char *copy; | |
125 | ||
126 | if (string_in_list(klist, entry) && string_in_list(nlist, entry)) { | |
c2712f64 | 127 | ERROR("Refusing to use ambiguous controller \"%s\"", entry); |
ccb4cabe SH |
128 | ERROR("It is both a named and kernel subsystem"); |
129 | return; | |
130 | } | |
131 | ||
132 | newentry = append_null_to_list((void ***)clist); | |
133 | ||
134 | if (strncmp(entry, "name=", 5) == 0) | |
135 | copy = must_copy_string(entry); | |
136 | else if (string_in_list(klist, entry)) | |
137 | copy = must_copy_string(entry); | |
138 | else | |
7745483d | 139 | copy = cg_legacy_must_prefix_named(entry); |
ccb4cabe SH |
140 | |
141 | (*clist)[newentry] = copy; | |
142 | } | |
143 | ||
5ae0207c CB |
144 | /* Given a handler's cgroup data, return the struct hierarchy for the controller |
145 | * @c, or NULL if there is none. | |
ccb4cabe | 146 | */ |
27a5132c | 147 | struct hierarchy *get_hierarchy(struct cgroup_ops *ops, const char *controller) |
ccb4cabe | 148 | { |
77c3e9a2 CB |
149 | if (!ops->hierarchies) |
150 | return log_trace_errno(NULL, errno, "There are no useable cgroup controllers"); | |
d6337a5f | 151 | |
77c3e9a2 | 152 | for (int i = 0; ops->hierarchies[i]; i++) { |
27a5132c | 153 | if (!controller) { |
d6337a5f | 154 | /* This is the empty unified hierarchy. */ |
2202afc9 CB |
155 | if (ops->hierarchies[i]->controllers && |
156 | !ops->hierarchies[i]->controllers[0]) | |
157 | return ops->hierarchies[i]; | |
106f1f38 | 158 | continue; |
2a63b5cb CB |
159 | } else if (pure_unified_layout(ops) && |
160 | strcmp(controller, "devices") == 0) { | |
161 | if (ops->unified->bpf_device_controller) | |
162 | return ops->unified; | |
163 | break; | |
d6337a5f CB |
164 | } |
165 | ||
27a5132c | 166 | if (string_in_list(ops->hierarchies[i]->controllers, controller)) |
2202afc9 | 167 | return ops->hierarchies[i]; |
ccb4cabe | 168 | } |
d6337a5f | 169 | |
27a5132c CB |
170 | if (controller) |
171 | WARN("There is no useable %s controller", controller); | |
172 | else | |
173 | WARN("There is no empty unified cgroup hierarchy"); | |
174 | ||
77c3e9a2 | 175 | return ret_set_errno(NULL, ENOENT); |
ccb4cabe SH |
176 | } |
177 | ||
a54694f8 CB |
178 | #define BATCH_SIZE 50 |
179 | static void batch_realloc(char **mem, size_t oldlen, size_t newlen) | |
180 | { | |
181 | int newbatches = (newlen / BATCH_SIZE) + 1; | |
182 | int oldbatches = (oldlen / BATCH_SIZE) + 1; | |
183 | ||
77c3e9a2 | 184 | if (!*mem || newbatches > oldbatches) |
a54694f8 | 185 | *mem = must_realloc(*mem, newbatches * BATCH_SIZE); |
a54694f8 CB |
186 | } |
187 | ||
188 | static void append_line(char **dest, size_t oldlen, char *new, size_t newlen) | |
189 | { | |
190 | size_t full = oldlen + newlen; | |
191 | ||
192 | batch_realloc(dest, oldlen, full + 1); | |
193 | ||
194 | memcpy(*dest + oldlen, new, newlen + 1); | |
195 | } | |
196 | ||
197 | /* Slurp in a whole file */ | |
d6337a5f | 198 | static char *read_file(const char *fnam) |
a54694f8 | 199 | { |
77c3e9a2 | 200 | __do_free char *buf = NULL, *line = NULL; |
d97919ab | 201 | __do_fclose FILE *f = NULL; |
d97919ab | 202 | size_t len = 0, fulllen = 0; |
77c3e9a2 | 203 | int linelen; |
a54694f8 | 204 | |
4110345b | 205 | f = fopen(fnam, "re"); |
a54694f8 CB |
206 | if (!f) |
207 | return NULL; | |
77c3e9a2 | 208 | |
a54694f8 CB |
209 | while ((linelen = getline(&line, &len, f)) != -1) { |
210 | append_line(&buf, fulllen, line, linelen); | |
211 | fulllen += linelen; | |
212 | } | |
77c3e9a2 CB |
213 | |
214 | return move_ptr(buf); | |
a54694f8 CB |
215 | } |
216 | ||
217 | /* Taken over modified from the kernel sources. */ | |
218 | #define NBITS 32 /* bits in uint32_t */ | |
219 | #define DIV_ROUND_UP(n, d) (((n) + (d)-1) / (d)) | |
220 | #define BITS_TO_LONGS(nr) DIV_ROUND_UP(nr, NBITS) | |
221 | ||
222 | static void set_bit(unsigned bit, uint32_t *bitarr) | |
223 | { | |
224 | bitarr[bit / NBITS] |= (1 << (bit % NBITS)); | |
225 | } | |
226 | ||
227 | static void clear_bit(unsigned bit, uint32_t *bitarr) | |
228 | { | |
229 | bitarr[bit / NBITS] &= ~(1 << (bit % NBITS)); | |
230 | } | |
231 | ||
232 | static bool is_set(unsigned bit, uint32_t *bitarr) | |
233 | { | |
234 | return (bitarr[bit / NBITS] & (1 << (bit % NBITS))) != 0; | |
235 | } | |
236 | ||
237 | /* Create cpumask from cpulist aka turn: | |
238 | * | |
239 | * 0,2-3 | |
240 | * | |
d5d468f6 | 241 | * into bit array |
a54694f8 CB |
242 | * |
243 | * 1 0 1 1 | |
244 | */ | |
245 | static uint32_t *lxc_cpumask(char *buf, size_t nbits) | |
246 | { | |
77c3e9a2 | 247 | __do_free uint32_t *bitarr = NULL; |
a54694f8 | 248 | char *token; |
d5d468f6 | 249 | size_t arrlen; |
d5d468f6 CB |
250 | |
251 | arrlen = BITS_TO_LONGS(nbits); | |
252 | bitarr = calloc(arrlen, sizeof(uint32_t)); | |
a54694f8 | 253 | if (!bitarr) |
c5b8049e | 254 | return ret_set_errno(NULL, ENOMEM); |
a54694f8 | 255 | |
0be0d78f | 256 | lxc_iterate_parts(token, buf, ",") { |
a54694f8 | 257 | errno = 0; |
d5d468f6 CB |
258 | unsigned end, start; |
259 | char *range; | |
a54694f8 | 260 | |
d5d468f6 CB |
261 | start = strtoul(token, NULL, 0); |
262 | end = start; | |
263 | range = strchr(token, '-'); | |
a54694f8 CB |
264 | if (range) |
265 | end = strtoul(range + 1, NULL, 0); | |
d5d468f6 | 266 | |
c5b8049e CB |
267 | if (!(start <= end)) |
268 | return ret_set_errno(NULL, EINVAL); | |
a54694f8 | 269 | |
c5b8049e CB |
270 | if (end >= nbits) |
271 | return ret_set_errno(NULL, EINVAL); | |
a54694f8 CB |
272 | |
273 | while (start <= end) | |
274 | set_bit(start++, bitarr); | |
275 | } | |
276 | ||
c5b8049e | 277 | return move_ptr(bitarr); |
a54694f8 CB |
278 | } |
279 | ||
a54694f8 CB |
280 | /* Turn cpumask into simple, comma-separated cpulist. */ |
281 | static char *lxc_cpumask_to_cpulist(uint32_t *bitarr, size_t nbits) | |
282 | { | |
f761d24d | 283 | __do_free_string_list char **cpulist = NULL; |
c19ad94b | 284 | char numstr[INTTYPE_TO_STRLEN(size_t)] = {0}; |
77c3e9a2 | 285 | int ret; |
a54694f8 | 286 | |
77c3e9a2 | 287 | for (size_t i = 0; i <= nbits; i++) { |
414c6719 CB |
288 | if (!is_set(i, bitarr)) |
289 | continue; | |
290 | ||
979a0d93 | 291 | ret = snprintf(numstr, sizeof(numstr), "%zu", i); |
f761d24d | 292 | if (ret < 0 || (size_t)ret >= sizeof(numstr)) |
414c6719 | 293 | return NULL; |
414c6719 CB |
294 | |
295 | ret = lxc_append_string(&cpulist, numstr); | |
f761d24d | 296 | if (ret < 0) |
c5b8049e | 297 | return ret_set_errno(NULL, ENOMEM); |
a54694f8 | 298 | } |
414c6719 CB |
299 | |
300 | if (!cpulist) | |
c5b8049e | 301 | return ret_set_errno(NULL, ENOMEM); |
414c6719 | 302 | |
f761d24d | 303 | return lxc_string_join(",", (const char **)cpulist, false); |
a54694f8 CB |
304 | } |
305 | ||
306 | static ssize_t get_max_cpus(char *cpulist) | |
307 | { | |
308 | char *c1, *c2; | |
309 | char *maxcpus = cpulist; | |
310 | size_t cpus = 0; | |
311 | ||
312 | c1 = strrchr(maxcpus, ','); | |
313 | if (c1) | |
314 | c1++; | |
315 | ||
316 | c2 = strrchr(maxcpus, '-'); | |
317 | if (c2) | |
318 | c2++; | |
319 | ||
320 | if (!c1 && !c2) | |
321 | c1 = maxcpus; | |
322 | else if (c1 > c2) | |
323 | c2 = c1; | |
324 | else if (c1 < c2) | |
325 | c1 = c2; | |
333987b9 | 326 | else if (!c1 && c2) |
a54694f8 CB |
327 | c1 = c2; |
328 | ||
a54694f8 CB |
329 | errno = 0; |
330 | cpus = strtoul(c1, NULL, 0); | |
331 | if (errno != 0) | |
332 | return -1; | |
333 | ||
334 | return cpus; | |
335 | } | |
336 | ||
6f9584d8 | 337 | #define __ISOL_CPUS "/sys/devices/system/cpu/isolated" |
36f70181 | 338 | #define __OFFLINE_CPUS "/sys/devices/system/cpu/offline" |
c5b8049e CB |
339 | static bool cg_legacy_filter_and_set_cpus(const char *parent_cgroup, |
340 | char *child_cgroup, bool am_initialized) | |
a54694f8 | 341 | { |
d97919ab | 342 | __do_free char *cpulist = NULL, *fpath = NULL, *isolcpus = NULL, |
36f70181 CB |
343 | *offlinecpus = NULL, *posscpus = NULL; |
344 | __do_free uint32_t *isolmask = NULL, *offlinemask = NULL, | |
345 | *possmask = NULL; | |
a54694f8 CB |
346 | int ret; |
347 | ssize_t i; | |
36f70181 | 348 | ssize_t maxisol = 0, maxoffline = 0, maxposs = 0; |
c5b8049e | 349 | bool flipped_bit = false; |
a54694f8 | 350 | |
c5b8049e | 351 | fpath = must_make_path(parent_cgroup, "cpuset.cpus", NULL); |
a54694f8 | 352 | posscpus = read_file(fpath); |
c5b8049e CB |
353 | if (!posscpus) |
354 | return log_error_errno(false, errno, "Failed to read file \"%s\"", fpath); | |
a54694f8 CB |
355 | |
356 | /* Get maximum number of cpus found in possible cpuset. */ | |
357 | maxposs = get_max_cpus(posscpus); | |
92d5ea57 | 358 | if (maxposs < 0 || maxposs >= INT_MAX - 1) |
d97919ab | 359 | return false; |
a54694f8 | 360 | |
36f70181 CB |
361 | if (file_exists(__ISOL_CPUS)) { |
362 | isolcpus = read_file(__ISOL_CPUS); | |
c5b8049e CB |
363 | if (!isolcpus) |
364 | return log_error_errno(false, errno, "Failed to read file \"%s\"", __ISOL_CPUS); | |
6f9584d8 | 365 | |
36f70181 CB |
366 | if (isdigit(isolcpus[0])) { |
367 | /* Get maximum number of cpus found in isolated cpuset. */ | |
368 | maxisol = get_max_cpus(isolcpus); | |
369 | if (maxisol < 0 || maxisol >= INT_MAX - 1) | |
370 | return false; | |
6f9584d8 | 371 | } |
36f70181 CB |
372 | |
373 | if (maxposs < maxisol) | |
374 | maxposs = maxisol; | |
375 | maxposs++; | |
376 | } else { | |
377 | TRACE("The path \""__ISOL_CPUS"\" to read isolated cpus from does not exist"); | |
a54694f8 CB |
378 | } |
379 | ||
36f70181 CB |
380 | if (file_exists(__OFFLINE_CPUS)) { |
381 | offlinecpus = read_file(__OFFLINE_CPUS); | |
c5b8049e CB |
382 | if (!offlinecpus) |
383 | return log_error_errno(false, errno, "Failed to read file \"%s\"", __OFFLINE_CPUS); | |
36f70181 CB |
384 | |
385 | if (isdigit(offlinecpus[0])) { | |
386 | /* Get maximum number of cpus found in offline cpuset. */ | |
387 | maxoffline = get_max_cpus(offlinecpus); | |
388 | if (maxoffline < 0 || maxoffline >= INT_MAX - 1) | |
389 | return false; | |
390 | } | |
391 | ||
392 | if (maxposs < maxoffline) | |
393 | maxposs = maxoffline; | |
394 | maxposs++; | |
395 | } else { | |
396 | TRACE("The path \""__OFFLINE_CPUS"\" to read offline cpus from does not exist"); | |
397 | } | |
a54694f8 | 398 | |
dcd14a3d CB |
399 | if ((maxisol == 0) && (maxoffline == 0)) { |
400 | cpulist = move_ptr(posscpus); | |
36f70181 | 401 | goto copy_parent; |
dcd14a3d | 402 | } |
a54694f8 CB |
403 | |
404 | possmask = lxc_cpumask(posscpus, maxposs); | |
c5b8049e CB |
405 | if (!possmask) |
406 | return log_error_errno(false, errno, "Failed to create cpumask for possible cpus"); | |
a54694f8 | 407 | |
36f70181 CB |
408 | if (maxisol > 0) { |
409 | isolmask = lxc_cpumask(isolcpus, maxposs); | |
c5b8049e CB |
410 | if (!isolmask) |
411 | return log_error_errno(false, errno, "Failed to create cpumask for isolated cpus"); | |
36f70181 CB |
412 | } |
413 | ||
414 | if (maxoffline > 0) { | |
415 | offlinemask = lxc_cpumask(offlinecpus, maxposs); | |
c5b8049e CB |
416 | if (!offlinemask) |
417 | return log_error_errno(false, errno, "Failed to create cpumask for offline cpus"); | |
6f9584d8 | 418 | } |
a54694f8 CB |
419 | |
420 | for (i = 0; i <= maxposs; i++) { | |
36f70181 CB |
421 | if ((isolmask && !is_set(i, isolmask)) || |
422 | (offlinemask && !is_set(i, offlinemask)) || | |
423 | !is_set(i, possmask)) | |
59ac3b88 CB |
424 | continue; |
425 | ||
426 | flipped_bit = true; | |
427 | clear_bit(i, possmask); | |
a54694f8 CB |
428 | } |
429 | ||
6f9584d8 | 430 | if (!flipped_bit) { |
b31d62b8 CB |
431 | cpulist = lxc_cpumask_to_cpulist(possmask, maxposs); |
432 | TRACE("No isolated or offline cpus present in cpuset"); | |
433 | } else { | |
434 | cpulist = move_ptr(posscpus); | |
435 | TRACE("Removed isolated or offline cpus from cpuset"); | |
6f9584d8 | 436 | } |
c5b8049e CB |
437 | if (!cpulist) |
438 | return log_error_errno(false, errno, "Failed to create cpu list"); | |
a54694f8 CB |
439 | |
440 | copy_parent: | |
36f70181 | 441 | if (!am_initialized) { |
c5b8049e | 442 | ret = lxc_write_openat(child_cgroup, "cpuset.cpus", cpulist, strlen(cpulist)); |
c04a6d4e CB |
443 | if (ret < 0) |
444 | return log_error_errno(false, | |
445 | errno, "Failed to write cpu list to \"%s/cpuset.cpus\"", | |
c5b8049e | 446 | child_cgroup); |
36f70181 CB |
447 | |
448 | TRACE("Copied cpu settings of parent cgroup"); | |
6f9584d8 CB |
449 | } |
450 | ||
d97919ab | 451 | return true; |
a54694f8 CB |
452 | } |
453 | ||
e3a3fecf | 454 | /* Copy contents of parent(@path)/@file to @path/@file */ |
c5b8049e CB |
455 | static bool copy_parent_file(const char *parent_cgroup, |
456 | const char *child_cgroup, const char *file) | |
e3a3fecf | 457 | { |
c5b8049e | 458 | __do_free char *parent_file = NULL, *value = NULL; |
b095a8eb | 459 | int len = 0; |
fe70edee | 460 | int ret; |
e3a3fecf | 461 | |
c5b8049e CB |
462 | parent_file = must_make_path(parent_cgroup, file, NULL); |
463 | len = lxc_read_from_file(parent_file, NULL, 0); | |
fe70edee | 464 | if (len <= 0) |
77c3e9a2 | 465 | return log_error_errno(false, errno, "Failed to determine buffer size"); |
b095a8eb | 466 | |
f25a2044 | 467 | value = must_realloc(NULL, len + 1); |
fe70edee | 468 | value[len] = '\0'; |
c5b8049e | 469 | ret = lxc_read_from_file(parent_file, value, len); |
fe70edee | 470 | if (ret != len) |
77c3e9a2 | 471 | return log_error_errno(false, errno, "Failed to read from parent file \"%s\"", parent_file); |
b095a8eb | 472 | |
c5b8049e | 473 | ret = lxc_write_openat(child_cgroup, file, value, len); |
fe70edee | 474 | if (ret < 0 && errno != EACCES) |
77c3e9a2 | 475 | return log_error_errno(false, errno, "Failed to write \"%s\" to file \"%s/%s\"", |
c5b8049e | 476 | value, child_cgroup, file); |
fe70edee | 477 | return true; |
e3a3fecf SH |
478 | } |
479 | ||
77c3e9a2 | 480 | static inline bool is_unified_hierarchy(const struct hierarchy *h) |
c04a6d4e CB |
481 | { |
482 | return h->version == CGROUP2_SUPER_MAGIC; | |
483 | } | |
484 | ||
f990d3bf CB |
485 | /* |
486 | * Initialize the cpuset hierarchy in first directory of @cgroup_leaf and set | |
7793add3 CB |
487 | * cgroup.clone_children so that children inherit settings. Since the |
488 | * h->base_path is populated by init or ourselves, we know it is already | |
489 | * initialized. | |
fe70edee CB |
490 | * |
491 | * returns -1 on error, 0 when we didn't created a cgroup, 1 if we created a | |
492 | * cgroup. | |
e3a3fecf | 493 | */ |
f990d3bf CB |
494 | static int cg_legacy_handle_cpuset_hierarchy(struct hierarchy *h, |
495 | const char *cgroup_leaf) | |
e3a3fecf | 496 | { |
c5b8049e | 497 | __do_free char *parent_cgroup = NULL, *child_cgroup = NULL, *dup = NULL; |
f62cf1d4 | 498 | __do_close int cgroup_fd = -EBADF; |
c5b8049e | 499 | int fret = -1; |
7793add3 CB |
500 | int ret; |
501 | char v; | |
f990d3bf | 502 | char *leaf, *slash; |
e3a3fecf | 503 | |
c04a6d4e | 504 | if (is_unified_hierarchy(h)) |
fe70edee | 505 | return 0; |
c04a6d4e | 506 | |
e3a3fecf | 507 | if (!string_in_list(h->controllers, "cpuset")) |
fe70edee | 508 | return 0; |
e3a3fecf | 509 | |
f990d3bf CB |
510 | if (!cgroup_leaf) |
511 | return ret_set_errno(-1, EINVAL); | |
512 | ||
513 | dup = strdup(cgroup_leaf); | |
514 | if (!dup) | |
515 | return ret_set_errno(-1, ENOMEM); | |
516 | ||
c5b8049e CB |
517 | parent_cgroup = must_make_path(h->mountpoint, h->container_base_path, NULL); |
518 | ||
519 | leaf = dup; | |
f990d3bf CB |
520 | leaf += strspn(leaf, "/"); |
521 | slash = strchr(leaf, '/'); | |
e3a3fecf SH |
522 | if (slash) |
523 | *slash = '\0'; | |
c5b8049e | 524 | child_cgroup = must_make_path(parent_cgroup, leaf, NULL); |
e3a3fecf SH |
525 | if (slash) |
526 | *slash = '/'; | |
7793add3 | 527 | |
fe70edee | 528 | fret = 1; |
c5b8049e | 529 | ret = mkdir(child_cgroup, 0755); |
7793add3 | 530 | if (ret < 0) { |
fe70edee | 531 | if (errno != EEXIST) |
c5b8049e | 532 | return log_error_errno(-1, errno, "Failed to create directory \"%s\"", child_cgroup); |
fe70edee CB |
533 | |
534 | fret = 0; | |
e3a3fecf | 535 | } |
6f9584d8 | 536 | |
c5b8049e | 537 | cgroup_fd = lxc_open_dirfd(child_cgroup); |
c04a6d4e | 538 | if (cgroup_fd < 0) |
fe70edee | 539 | return -1; |
7793add3 | 540 | |
c04a6d4e | 541 | ret = lxc_readat(cgroup_fd, "cgroup.clone_children", &v, 1); |
fe70edee | 542 | if (ret < 0) |
c5b8049e | 543 | return log_error_errno(-1, errno, "Failed to read file \"%s/cgroup.clone_children\"", child_cgroup); |
e3a3fecf | 544 | |
a54694f8 | 545 | /* Make sure any isolated cpus are removed from cpuset.cpus. */ |
c5b8049e | 546 | if (!cg_legacy_filter_and_set_cpus(parent_cgroup, child_cgroup, v == '1')) |
fe70edee | 547 | return log_error_errno(-1, errno, "Failed to remove isolated cpus"); |
a54694f8 | 548 | |
7793add3 | 549 | /* Already set for us by someone else. */ |
b28c2810 CB |
550 | if (v == '1') |
551 | TRACE("\"cgroup.clone_children\" was already set to \"1\""); | |
e3a3fecf SH |
552 | |
553 | /* copy parent's settings */ | |
c5b8049e | 554 | if (!copy_parent_file(parent_cgroup, child_cgroup, "cpuset.mems")) |
fe70edee | 555 | return log_error_errno(-1, errno, "Failed to copy \"cpuset.mems\" settings"); |
e3a3fecf | 556 | |
fe70edee | 557 | /* Set clone_children so children inherit our settings */ |
c04a6d4e | 558 | ret = lxc_writeat(cgroup_fd, "cgroup.clone_children", "1", 1); |
fe70edee | 559 | if (ret < 0) |
c5b8049e | 560 | return log_error_errno(-1, errno, "Failed to write 1 to \"%s/cgroup.clone_children\"", child_cgroup); |
d97919ab | 561 | |
fe70edee | 562 | return fret; |
e3a3fecf SH |
563 | } |
564 | ||
5c0089ae CB |
565 | /* Given two null-terminated lists of strings, return true if any string is in |
566 | * both. | |
ccb4cabe SH |
567 | */ |
568 | static bool controller_lists_intersect(char **l1, char **l2) | |
569 | { | |
ccb4cabe SH |
570 | if (!l1 || !l2) |
571 | return false; | |
572 | ||
77c3e9a2 | 573 | for (int i = 0; l1[i]; i++) |
ccb4cabe SH |
574 | if (string_in_list(l2, l1[i])) |
575 | return true; | |
5c0089ae | 576 | |
ccb4cabe SH |
577 | return false; |
578 | } | |
579 | ||
258449e5 CB |
580 | /* For a null-terminated list of controllers @clist, return true if any of those |
581 | * controllers is already listed the null-terminated list of hierarchies @hlist. | |
582 | * Realistically, if one is present, all must be present. | |
ccb4cabe SH |
583 | */ |
584 | static bool controller_list_is_dup(struct hierarchy **hlist, char **clist) | |
585 | { | |
ccb4cabe SH |
586 | if (!hlist) |
587 | return false; | |
258449e5 | 588 | |
77c3e9a2 | 589 | for (int i = 0; hlist[i]; i++) |
ccb4cabe SH |
590 | if (controller_lists_intersect(hlist[i]->controllers, clist)) |
591 | return true; | |
ccb4cabe | 592 | |
258449e5 | 593 | return false; |
ccb4cabe SH |
594 | } |
595 | ||
f57ac67f CB |
596 | /* Return true if the controller @entry is found in the null-terminated list of |
597 | * hierarchies @hlist. | |
ccb4cabe SH |
598 | */ |
599 | static bool controller_found(struct hierarchy **hlist, char *entry) | |
600 | { | |
ccb4cabe SH |
601 | if (!hlist) |
602 | return false; | |
603 | ||
77c3e9a2 | 604 | for (int i = 0; hlist[i]; i++) |
ccb4cabe SH |
605 | if (string_in_list(hlist[i]->controllers, entry)) |
606 | return true; | |
d6337a5f | 607 | |
ccb4cabe SH |
608 | return false; |
609 | } | |
610 | ||
e1c27ab0 CB |
611 | /* Return true if all of the controllers which we require have been found. The |
612 | * required list is freezer and anything in lxc.cgroup.use. | |
ccb4cabe | 613 | */ |
2202afc9 | 614 | static bool all_controllers_found(struct cgroup_ops *ops) |
ccb4cabe | 615 | { |
77c3e9a2 | 616 | struct hierarchy **hlist; |
ccb4cabe | 617 | |
2202afc9 | 618 | if (!ops->cgroup_use) |
ccb4cabe | 619 | return true; |
c2712f64 | 620 | |
77c3e9a2 CB |
621 | hlist = ops->hierarchies; |
622 | for (char **cur = ops->cgroup_use; cur && *cur; cur++) | |
623 | if (!controller_found(hlist, *cur)) | |
624 | return log_error(false, "No %s controller mountpoint found", *cur); | |
c2712f64 | 625 | |
ccb4cabe SH |
626 | return true; |
627 | } | |
628 | ||
f205f10c CB |
629 | /* Get the controllers from a mountinfo line There are other ways we could get |
630 | * this info. For lxcfs, field 3 is /cgroup/controller-list. For cgroupfs, we | |
631 | * could parse the mount options. But we simply assume that the mountpoint must | |
632 | * be /sys/fs/cgroup/controller-list | |
ccb4cabe | 633 | */ |
a3926f6a CB |
634 | static char **cg_hybrid_get_controllers(char **klist, char **nlist, char *line, |
635 | int type) | |
ccb4cabe | 636 | { |
f205f10c CB |
637 | /* The fourth field is /sys/fs/cgroup/comma-delimited-controller-list |
638 | * for legacy hierarchies. | |
639 | */ | |
f761d24d | 640 | __do_free_string_list char **aret = NULL; |
ccb4cabe | 641 | int i; |
d97919ab | 642 | char *p2, *tok; |
0be0d78f | 643 | char *p = line, *sep = ","; |
6328fd9c | 644 | |
ccb4cabe | 645 | for (i = 0; i < 4; i++) { |
235f1815 | 646 | p = strchr(p, ' '); |
ccb4cabe SH |
647 | if (!p) |
648 | return NULL; | |
649 | p++; | |
650 | } | |
a55f31bd | 651 | |
f205f10c CB |
652 | /* Note, if we change how mountinfo works, then our caller will need to |
653 | * verify /sys/fs/cgroup/ in this field. | |
654 | */ | |
77c3e9a2 CB |
655 | if (strncmp(p, DEFAULT_CGROUP_MOUNTPOINT "/", 15) != 0) |
656 | return log_error(NULL, "Found hierarchy not under " DEFAULT_CGROUP_MOUNTPOINT ": \"%s\"", p); | |
d6337a5f | 657 | |
ccb4cabe | 658 | p += 15; |
235f1815 | 659 | p2 = strchr(p, ' '); |
77c3e9a2 CB |
660 | if (!p2) |
661 | return log_error(NULL, "Corrupt mountinfo"); | |
ccb4cabe | 662 | *p2 = '\0'; |
6328fd9c | 663 | |
d6337a5f | 664 | if (type == CGROUP_SUPER_MAGIC) { |
88396101 | 665 | __do_free char *dup = NULL; |
d97919ab | 666 | |
0be0d78f CB |
667 | /* strdup() here for v1 hierarchies. Otherwise |
668 | * lxc_iterate_parts() will destroy mountpoints such as | |
669 | * "/sys/fs/cgroup/cpu,cpuacct". | |
d6337a5f | 670 | */ |
d97919ab | 671 | dup = must_copy_string(p); |
d6337a5f CB |
672 | if (!dup) |
673 | return NULL; | |
674 | ||
d97919ab | 675 | lxc_iterate_parts (tok, dup, sep) |
d6337a5f | 676 | must_append_controller(klist, nlist, &aret, tok); |
411ac6d8 | 677 | } |
d6337a5f | 678 | *p2 = ' '; |
f205f10c | 679 | |
f761d24d | 680 | return move_ptr(aret); |
d6337a5f | 681 | } |
411ac6d8 | 682 | |
d6337a5f CB |
683 | static char **cg_unified_make_empty_controller(void) |
684 | { | |
f761d24d | 685 | __do_free_string_list char **aret = NULL; |
d6337a5f | 686 | int newentry; |
d6337a5f CB |
687 | |
688 | newentry = append_null_to_list((void ***)&aret); | |
689 | aret[newentry] = NULL; | |
f761d24d | 690 | return move_ptr(aret); |
d6337a5f CB |
691 | } |
692 | ||
693 | static char **cg_unified_get_controllers(const char *file) | |
694 | { | |
d97919ab | 695 | __do_free char *buf = NULL; |
f761d24d | 696 | __do_free_string_list char **aret = NULL; |
0be0d78f | 697 | char *sep = " \t\n"; |
2a63b5cb | 698 | char *tok; |
d6337a5f CB |
699 | |
700 | buf = read_file(file); | |
701 | if (!buf) | |
411ac6d8 | 702 | return NULL; |
6328fd9c | 703 | |
0be0d78f | 704 | lxc_iterate_parts(tok, buf, sep) { |
d6337a5f CB |
705 | int newentry; |
706 | char *copy; | |
707 | ||
708 | newentry = append_null_to_list((void ***)&aret); | |
709 | copy = must_copy_string(tok); | |
710 | aret[newentry] = copy; | |
ccb4cabe SH |
711 | } |
712 | ||
f761d24d | 713 | return move_ptr(aret); |
ccb4cabe SH |
714 | } |
715 | ||
2202afc9 | 716 | static struct hierarchy *add_hierarchy(struct hierarchy ***h, char **clist, char *mountpoint, |
bb221ad1 | 717 | char *container_base_path, int type) |
ccb4cabe SH |
718 | { |
719 | struct hierarchy *new; | |
720 | int newentry; | |
721 | ||
1973b62a | 722 | new = zalloc(sizeof(*new)); |
ccb4cabe SH |
723 | new->controllers = clist; |
724 | new->mountpoint = mountpoint; | |
bb221ad1 | 725 | new->container_base_path = container_base_path; |
d6337a5f | 726 | new->version = type; |
1973b62a CB |
727 | new->cgfd_con = -EBADF; |
728 | new->cgfd_mon = -EBADF; | |
6328fd9c | 729 | |
2202afc9 CB |
730 | newentry = append_null_to_list((void ***)h); |
731 | (*h)[newentry] = new; | |
d6337a5f | 732 | return new; |
ccb4cabe SH |
733 | } |
734 | ||
798c3b33 CB |
735 | /* Get a copy of the mountpoint from @line, which is a line from |
736 | * /proc/self/mountinfo. | |
ccb4cabe | 737 | */ |
a3926f6a | 738 | static char *cg_hybrid_get_mountpoint(char *line) |
ccb4cabe | 739 | { |
77c3e9a2 | 740 | char *p = line, *sret = NULL; |
ccb4cabe | 741 | size_t len; |
798c3b33 | 742 | char *p2; |
ccb4cabe | 743 | |
77c3e9a2 | 744 | for (int i = 0; i < 4; i++) { |
235f1815 | 745 | p = strchr(p, ' '); |
ccb4cabe SH |
746 | if (!p) |
747 | return NULL; | |
748 | p++; | |
749 | } | |
d6337a5f | 750 | |
dca9587a | 751 | if (strncmp(p, DEFAULT_CGROUP_MOUNTPOINT "/", 15) != 0) |
d6337a5f CB |
752 | return NULL; |
753 | ||
754 | p2 = strchr(p + 15, ' '); | |
755 | if (!p2) | |
756 | return NULL; | |
757 | *p2 = '\0'; | |
758 | ||
ccb4cabe | 759 | len = strlen(p); |
f25a2044 | 760 | sret = must_realloc(NULL, len + 1); |
ccb4cabe SH |
761 | memcpy(sret, p, len); |
762 | sret[len] = '\0'; | |
77c3e9a2 | 763 | |
ccb4cabe SH |
764 | return sret; |
765 | } | |
766 | ||
f523291e | 767 | /* Given a multi-line string, return a null-terminated copy of the current line. */ |
ccb4cabe SH |
768 | static char *copy_to_eol(char *p) |
769 | { | |
77c3e9a2 | 770 | char *p2, *sret; |
ccb4cabe SH |
771 | size_t len; |
772 | ||
77c3e9a2 | 773 | p2 = strchr(p, '\n'); |
ccb4cabe SH |
774 | if (!p2) |
775 | return NULL; | |
776 | ||
777 | len = p2 - p; | |
f25a2044 | 778 | sret = must_realloc(NULL, len + 1); |
ccb4cabe SH |
779 | memcpy(sret, p, len); |
780 | sret[len] = '\0'; | |
77c3e9a2 | 781 | |
ccb4cabe SH |
782 | return sret; |
783 | } | |
784 | ||
bced39de CB |
785 | /* cgline: pointer to character after the first ':' in a line in a \n-terminated |
786 | * /proc/self/cgroup file. Check whether controller c is present. | |
ccb4cabe SH |
787 | */ |
788 | static bool controller_in_clist(char *cgline, char *c) | |
789 | { | |
d97919ab CB |
790 | __do_free char *tmp = NULL; |
791 | char *tok, *eol; | |
ccb4cabe SH |
792 | size_t len; |
793 | ||
235f1815 | 794 | eol = strchr(cgline, ':'); |
ccb4cabe SH |
795 | if (!eol) |
796 | return false; | |
797 | ||
798 | len = eol - cgline; | |
861cb8c2 | 799 | tmp = must_realloc(NULL, len + 1); |
ccb4cabe SH |
800 | memcpy(tmp, cgline, len); |
801 | tmp[len] = '\0'; | |
802 | ||
d97919ab CB |
803 | lxc_iterate_parts(tok, tmp, ",") |
804 | if (strcmp(tok, c) == 0) | |
ccb4cabe | 805 | return true; |
d6337a5f | 806 | |
ccb4cabe SH |
807 | return false; |
808 | } | |
809 | ||
c3ef912e CB |
810 | /* @basecginfo is a copy of /proc/$$/cgroup. Return the current cgroup for |
811 | * @controller. | |
ccb4cabe | 812 | */ |
c3ef912e CB |
813 | static char *cg_hybrid_get_current_cgroup(char *basecginfo, char *controller, |
814 | int type) | |
ccb4cabe SH |
815 | { |
816 | char *p = basecginfo; | |
6328fd9c | 817 | |
d6337a5f CB |
818 | for (;;) { |
819 | bool is_cgv2_base_cgroup = false; | |
820 | ||
6328fd9c | 821 | /* cgroup v2 entry in "/proc/<pid>/cgroup": "0::/some/path" */ |
d6337a5f CB |
822 | if ((type == CGROUP2_SUPER_MAGIC) && (*p == '0')) |
823 | is_cgv2_base_cgroup = true; | |
ccb4cabe | 824 | |
235f1815 | 825 | p = strchr(p, ':'); |
ccb4cabe SH |
826 | if (!p) |
827 | return NULL; | |
828 | p++; | |
d6337a5f CB |
829 | |
830 | if (is_cgv2_base_cgroup || (controller && controller_in_clist(p, controller))) { | |
235f1815 | 831 | p = strchr(p, ':'); |
ccb4cabe SH |
832 | if (!p) |
833 | return NULL; | |
834 | p++; | |
835 | return copy_to_eol(p); | |
836 | } | |
837 | ||
235f1815 | 838 | p = strchr(p, '\n'); |
ccb4cabe SH |
839 | if (!p) |
840 | return NULL; | |
841 | p++; | |
842 | } | |
843 | } | |
844 | ||
ccb4cabe SH |
845 | static void must_append_string(char ***list, char *entry) |
846 | { | |
6dfb18bf | 847 | int newentry; |
ccb4cabe SH |
848 | char *copy; |
849 | ||
6dfb18bf | 850 | newentry = append_null_to_list((void ***)list); |
ccb4cabe SH |
851 | copy = must_copy_string(entry); |
852 | (*list)[newentry] = copy; | |
853 | } | |
854 | ||
d6337a5f | 855 | static int get_existing_subsystems(char ***klist, char ***nlist) |
ccb4cabe | 856 | { |
d97919ab CB |
857 | __do_free char *line = NULL; |
858 | __do_fclose FILE *f = NULL; | |
ccb4cabe SH |
859 | size_t len = 0; |
860 | ||
4110345b | 861 | f = fopen("/proc/self/cgroup", "re"); |
d6337a5f CB |
862 | if (!f) |
863 | return -1; | |
864 | ||
ccb4cabe | 865 | while (getline(&line, &len, f) != -1) { |
0be0d78f | 866 | char *p, *p2, *tok; |
235f1815 | 867 | p = strchr(line, ':'); |
ccb4cabe SH |
868 | if (!p) |
869 | continue; | |
870 | p++; | |
235f1815 | 871 | p2 = strchr(p, ':'); |
ccb4cabe SH |
872 | if (!p2) |
873 | continue; | |
874 | *p2 = '\0'; | |
ff8d6ee9 | 875 | |
6328fd9c CB |
876 | /* If the kernel has cgroup v2 support, then /proc/self/cgroup |
877 | * contains an entry of the form: | |
ff8d6ee9 CB |
878 | * |
879 | * 0::/some/path | |
880 | * | |
6328fd9c | 881 | * In this case we use "cgroup2" as controller name. |
ff8d6ee9 | 882 | */ |
6328fd9c CB |
883 | if ((p2 - p) == 0) { |
884 | must_append_string(klist, "cgroup2"); | |
ff8d6ee9 | 885 | continue; |
6328fd9c | 886 | } |
ff8d6ee9 | 887 | |
0be0d78f | 888 | lxc_iterate_parts(tok, p, ",") { |
ccb4cabe SH |
889 | if (strncmp(tok, "name=", 5) == 0) |
890 | must_append_string(nlist, tok); | |
891 | else | |
892 | must_append_string(klist, tok); | |
893 | } | |
894 | } | |
895 | ||
d6337a5f | 896 | return 0; |
ccb4cabe SH |
897 | } |
898 | ||
d7314671 | 899 | static char *trim(char *s) |
ccb4cabe | 900 | { |
7689dfd7 CB |
901 | size_t len; |
902 | ||
903 | len = strlen(s); | |
2c28d76b | 904 | while ((len > 1) && (s[len - 1] == '\n')) |
ccb4cabe | 905 | s[--len] = '\0'; |
d7314671 CB |
906 | |
907 | return s; | |
ccb4cabe SH |
908 | } |
909 | ||
2202afc9 | 910 | static void lxc_cgfsng_print_hierarchies(struct cgroup_ops *ops) |
ccb4cabe SH |
911 | { |
912 | int i; | |
27d84737 | 913 | struct hierarchy **it; |
41c33dbe | 914 | |
2202afc9 CB |
915 | if (!ops->hierarchies) { |
916 | TRACE(" No hierarchies found"); | |
ccb4cabe SH |
917 | return; |
918 | } | |
27d84737 | 919 | |
2202afc9 CB |
920 | TRACE(" Hierarchies:"); |
921 | for (i = 0, it = ops->hierarchies; it && *it; it++, i++) { | |
ccb4cabe | 922 | int j; |
27d84737 CB |
923 | char **cit; |
924 | ||
bb221ad1 | 925 | TRACE(" %d: base_cgroup: %s", i, (*it)->container_base_path ? (*it)->container_base_path : "(null)"); |
2202afc9 CB |
926 | TRACE(" mountpoint: %s", (*it)->mountpoint ? (*it)->mountpoint : "(null)"); |
927 | TRACE(" controllers:"); | |
a7b0cc4c | 928 | for (j = 0, cit = (*it)->controllers; cit && *cit; cit++, j++) |
2202afc9 | 929 | TRACE(" %d: %s", j, *cit); |
ccb4cabe SH |
930 | } |
931 | } | |
41c33dbe | 932 | |
a3926f6a CB |
933 | static void lxc_cgfsng_print_basecg_debuginfo(char *basecginfo, char **klist, |
934 | char **nlist) | |
41c33dbe SH |
935 | { |
936 | int k; | |
a7b0cc4c | 937 | char **it; |
41c33dbe | 938 | |
2202afc9 CB |
939 | TRACE("basecginfo is:"); |
940 | TRACE("%s", basecginfo); | |
41c33dbe | 941 | |
a7b0cc4c | 942 | for (k = 0, it = klist; it && *it; it++, k++) |
2202afc9 | 943 | TRACE("kernel subsystem %d: %s", k, *it); |
0f71dd9b | 944 | |
a7b0cc4c | 945 | for (k = 0, it = nlist; it && *it; it++, k++) |
2202afc9 | 946 | TRACE("named subsystem %d: %s", k, *it); |
41c33dbe | 947 | } |
ccb4cabe | 948 | |
de6fe132 | 949 | static int cgroup_tree_remove(struct hierarchy **hierarchies, |
2202afc9 | 950 | const char *container_cgroup) |
c71d83e1 | 951 | { |
2202afc9 CB |
952 | if (!container_cgroup || !hierarchies) |
953 | return 0; | |
d6337a5f | 954 | |
8e64b673 | 955 | for (int i = 0; hierarchies[i]; i++) { |
2202afc9 | 956 | struct hierarchy *h = hierarchies[i]; |
77c3e9a2 | 957 | int ret; |
d6337a5f | 958 | |
eb697136 | 959 | if (!h->container_full_path) |
2202afc9 CB |
960 | continue; |
961 | ||
8408a9cc | 962 | ret = lxc_rm_rf(h->container_full_path); |
2202afc9 | 963 | if (ret < 0) |
eb697136 | 964 | WARN("Failed to destroy \"%s\"", h->container_full_path); |
2202afc9 | 965 | |
77c3e9a2 | 966 | free_disarm(h->container_full_path); |
2202afc9 | 967 | } |
d6337a5f | 968 | |
c71d83e1 | 969 | return 0; |
d6337a5f CB |
970 | } |
971 | ||
2202afc9 CB |
972 | struct generic_userns_exec_data { |
973 | struct hierarchy **hierarchies; | |
974 | const char *container_cgroup; | |
975 | struct lxc_conf *conf; | |
976 | uid_t origuid; /* target uid in parent namespace */ | |
977 | char *path; | |
978 | }; | |
d6337a5f | 979 | |
de6fe132 | 980 | static int cgroup_tree_remove_wrapper(void *data) |
2202afc9 | 981 | { |
2202afc9 CB |
982 | struct generic_userns_exec_data *arg = data; |
983 | uid_t nsuid = (arg->conf->root_nsuid_map != NULL) ? 0 : arg->conf->init_uid; | |
984 | gid_t nsgid = (arg->conf->root_nsgid_map != NULL) ? 0 : arg->conf->init_gid; | |
8e64b673 | 985 | int ret; |
d6337a5f | 986 | |
b58214ac CB |
987 | if (!lxc_setgroups(0, NULL) && errno != EPERM) |
988 | return log_error_errno(-1, errno, "Failed to setgroups(0, NULL)"); | |
989 | ||
2202afc9 | 990 | ret = setresgid(nsgid, nsgid, nsgid); |
8e64b673 | 991 | if (ret < 0) |
77c3e9a2 | 992 | return log_error_errno(-1, errno, "Failed to setresgid(%d, %d, %d)", |
8e64b673 | 993 | (int)nsgid, (int)nsgid, (int)nsgid); |
d6337a5f | 994 | |
2202afc9 | 995 | ret = setresuid(nsuid, nsuid, nsuid); |
8e64b673 | 996 | if (ret < 0) |
77c3e9a2 | 997 | return log_error_errno(-1, errno, "Failed to setresuid(%d, %d, %d)", |
8e64b673 | 998 | (int)nsuid, (int)nsuid, (int)nsuid); |
d6337a5f | 999 | |
de6fe132 | 1000 | return cgroup_tree_remove(arg->hierarchies, arg->container_cgroup); |
d6337a5f CB |
1001 | } |
1002 | ||
434c8e15 CB |
1003 | __cgfsng_ops static void cgfsng_payload_destroy(struct cgroup_ops *ops, |
1004 | struct lxc_handler *handler) | |
d6337a5f CB |
1005 | { |
1006 | int ret; | |
bd8ef4e4 | 1007 | |
fc3b9533 CB |
1008 | if (!ops) { |
1009 | ERROR("Called with uninitialized cgroup operations"); | |
1010 | return; | |
1011 | } | |
fc1c3af9 | 1012 | |
69b4a4bb CB |
1013 | if (!ops->hierarchies) |
1014 | return; | |
1015 | ||
fc3b9533 CB |
1016 | if (!handler) { |
1017 | ERROR("Called with uninitialized handler"); | |
1018 | return; | |
1019 | } | |
fc1c3af9 | 1020 | |
fc3b9533 CB |
1021 | if (!handler->conf) { |
1022 | ERROR("Called with uninitialized conf"); | |
1023 | return; | |
1024 | } | |
fc1c3af9 | 1025 | |
bf651989 CB |
1026 | #ifdef HAVE_STRUCT_BPF_CGROUP_DEV_CTX |
1027 | ret = bpf_program_cgroup_detach(handler->conf->cgroup2_devices); | |
1028 | if (ret < 0) | |
1029 | WARN("Failed to detach bpf program from cgroup"); | |
1030 | #endif | |
1031 | ||
8e64b673 CB |
1032 | if (handler->conf && !lxc_list_empty(&handler->conf->id_map)) { |
1033 | struct generic_userns_exec_data wrap = { | |
77c3e9a2 CB |
1034 | .conf = handler->conf, |
1035 | .container_cgroup = ops->container_cgroup, | |
1036 | .hierarchies = ops->hierarchies, | |
1037 | .origuid = 0, | |
8e64b673 | 1038 | }; |
de6fe132 CB |
1039 | ret = userns_exec_1(handler->conf, cgroup_tree_remove_wrapper, |
1040 | &wrap, "cgroup_tree_remove_wrapper"); | |
8e64b673 | 1041 | } else { |
de6fe132 | 1042 | ret = cgroup_tree_remove(ops->hierarchies, ops->container_cgroup); |
ccb4cabe | 1043 | } |
8e64b673 | 1044 | if (ret < 0) |
fc3b9533 | 1045 | SYSWARN("Failed to destroy cgroups"); |
ccb4cabe SH |
1046 | } |
1047 | ||
434c8e15 CB |
1048 | __cgfsng_ops static void cgfsng_monitor_destroy(struct cgroup_ops *ops, |
1049 | struct lxc_handler *handler) | |
1050 | { | |
1051 | int len; | |
434c8e15 | 1052 | char pidstr[INTTYPE_TO_STRLEN(pid_t)]; |
1973b62a | 1053 | const struct lxc_conf *conf; |
b376d3d0 | 1054 | |
fc3b9533 CB |
1055 | if (!ops) { |
1056 | ERROR("Called with uninitialized cgroup operations"); | |
1057 | return; | |
1058 | } | |
434c8e15 CB |
1059 | |
1060 | if (!ops->hierarchies) | |
1061 | return; | |
1062 | ||
fc3b9533 CB |
1063 | if (!handler) { |
1064 | ERROR("Called with uninitialized handler"); | |
1065 | return; | |
1066 | } | |
b376d3d0 | 1067 | |
fc3b9533 CB |
1068 | if (!handler->conf) { |
1069 | ERROR("Called with uninitialized conf"); | |
1070 | return; | |
1071 | } | |
1973b62a CB |
1072 | conf = handler->conf; |
1073 | ||
434c8e15 CB |
1074 | len = snprintf(pidstr, sizeof(pidstr), "%d", handler->monitor_pid); |
1075 | if (len < 0 || (size_t)len >= sizeof(pidstr)) | |
1076 | return; | |
1077 | ||
1078 | for (int i = 0; ops->hierarchies[i]; i++) { | |
1973b62a | 1079 | __do_free char *pivot_path = NULL; |
434c8e15 | 1080 | struct hierarchy *h = ops->hierarchies[i]; |
fe70edee | 1081 | int ret; |
434c8e15 CB |
1082 | |
1083 | if (!h->monitor_full_path) | |
1084 | continue; | |
1085 | ||
c468e4d4 CB |
1086 | /* Monitor might have died before we entered the cgroup. */ |
1087 | if (handler->monitor_pid <= 0) { | |
1088 | WARN("No valid monitor process found while destroying cgroups"); | |
8408a9cc | 1089 | goto try_lxc_rm_rf; |
c468e4d4 CB |
1090 | } |
1091 | ||
1973b62a CB |
1092 | if (conf && conf->cgroup_meta.dir) |
1093 | pivot_path = must_make_path(h->mountpoint, | |
1094 | h->container_base_path, | |
1095 | conf->cgroup_meta.dir, | |
1096 | CGROUP_PIVOT, NULL); | |
1097 | else | |
1098 | pivot_path = must_make_path(h->mountpoint, | |
1099 | h->container_base_path, | |
1100 | CGROUP_PIVOT, NULL); | |
1101 | ||
1102 | ret = mkdir_p(pivot_path, 0755); | |
fc3b9533 CB |
1103 | if (ret < 0 && errno != EEXIST) { |
1104 | ERROR("Failed to create %s", pivot_path); | |
8408a9cc | 1105 | goto try_lxc_rm_rf; |
fc3b9533 | 1106 | } |
1973b62a | 1107 | |
c468e4d4 CB |
1108 | ret = lxc_write_openat(pivot_path, "cgroup.procs", pidstr, len); |
1109 | if (ret != 0) { | |
1110 | SYSWARN("Failed to move monitor %s to \"%s\"", pidstr, pivot_path); | |
1111 | continue; | |
fc3b9533 | 1112 | } |
434c8e15 | 1113 | |
8408a9cc CB |
1114 | try_lxc_rm_rf: |
1115 | ret = lxc_rm_rf(h->monitor_full_path); | |
434c8e15 CB |
1116 | if (ret < 0) |
1117 | WARN("Failed to destroy \"%s\"", h->monitor_full_path); | |
434c8e15 CB |
1118 | } |
1119 | } | |
1120 | ||
6099dd5a CB |
1121 | static int mkdir_eexist_on_last(const char *dir, mode_t mode) |
1122 | { | |
1123 | const char *tmp = dir; | |
1124 | const char *orig = dir; | |
1125 | size_t orig_len; | |
1126 | ||
1127 | orig_len = strlen(dir); | |
1128 | do { | |
6453ba56 | 1129 | __do_free char *makeme = NULL; |
6099dd5a CB |
1130 | int ret; |
1131 | size_t cur_len; | |
6099dd5a CB |
1132 | |
1133 | dir = tmp + strspn(tmp, "/"); | |
1134 | tmp = dir + strcspn(dir, "/"); | |
1135 | ||
6099dd5a CB |
1136 | cur_len = dir - orig; |
1137 | makeme = strndup(orig, cur_len); | |
1138 | if (!makeme) | |
77c3e9a2 | 1139 | return ret_set_errno(-1, ENOMEM); |
6099dd5a CB |
1140 | |
1141 | ret = mkdir(makeme, mode); | |
77c3e9a2 CB |
1142 | if (ret < 0 && ((errno != EEXIST) || (orig_len == cur_len))) |
1143 | return log_error_errno(-1, errno, "Failed to create directory \"%s\"", makeme); | |
6099dd5a CB |
1144 | } while (tmp != dir); |
1145 | ||
1146 | return 0; | |
1147 | } | |
1148 | ||
de6fe132 | 1149 | static bool cgroup_tree_create(struct hierarchy *h, const char *cgroup_tree, |
f990d3bf | 1150 | const char *cgroup_leaf, bool payload) |
72068e74 | 1151 | { |
fe70edee CB |
1152 | __do_free char *path = NULL; |
1153 | int ret, ret_cpuset; | |
72068e74 | 1154 | |
fe70edee CB |
1155 | path = must_make_path(h->mountpoint, h->container_base_path, cgroup_leaf, NULL); |
1156 | if (dir_exists(path)) | |
1157 | return log_warn_errno(false, errno, "The %s cgroup already existed", path); | |
72068e74 | 1158 | |
fe70edee CB |
1159 | ret_cpuset = cg_legacy_handle_cpuset_hierarchy(h, cgroup_leaf); |
1160 | if (ret_cpuset < 0) | |
1161 | return log_error_errno(false, errno, "Failed to handle legacy cpuset controller"); | |
0c3deb94 | 1162 | |
fe70edee | 1163 | ret = mkdir_eexist_on_last(path, 0755); |
6099dd5a | 1164 | if (ret < 0) { |
fe70edee CB |
1165 | /* |
1166 | * This is the cpuset controller and | |
1167 | * cg_legacy_handle_cpuset_hierarchy() has created our target | |
1168 | * directory for us to ensure correct initialization. | |
1169 | */ | |
1170 | if (ret_cpuset != 1 || cgroup_tree) | |
1171 | return log_error_errno(false, errno, "Failed to create %s cgroup", path); | |
6f9584d8 | 1172 | } |
0c3deb94 | 1173 | |
1973b62a CB |
1174 | if (payload) { |
1175 | h->cgfd_con = lxc_open_dirfd(path); | |
1176 | if (h->cgfd_con < 0) | |
1177 | return log_error_errno(false, errno, "Failed to open %s", path); | |
fe70edee | 1178 | h->container_full_path = move_ptr(path); |
1973b62a CB |
1179 | } else { |
1180 | h->cgfd_mon = lxc_open_dirfd(path); | |
1181 | if (h->cgfd_mon < 0) | |
1182 | return log_error_errno(false, errno, "Failed to open %s", path); | |
fe70edee | 1183 | h->monitor_full_path = move_ptr(path); |
1973b62a | 1184 | } |
fe70edee | 1185 | |
c581d2a6 | 1186 | return true; |
ccb4cabe SH |
1187 | } |
1188 | ||
de6fe132 | 1189 | static void cgroup_tree_leaf_remove(struct hierarchy *h, bool payload) |
ccb4cabe | 1190 | { |
fe70edee | 1191 | __do_free char *full_path = NULL; |
72068e74 | 1192 | |
1973b62a | 1193 | if (payload) { |
f62cf1d4 | 1194 | __lxc_unused __do_close int fd = move_fd(h->cgfd_con); |
d6bdd182 | 1195 | full_path = move_ptr(h->container_full_path); |
1973b62a | 1196 | } else { |
f62cf1d4 | 1197 | __lxc_unused __do_close int fd = move_fd(h->cgfd_mon); |
d6bdd182 | 1198 | full_path = move_ptr(h->monitor_full_path); |
1973b62a | 1199 | } |
e56639fb | 1200 | |
d6bdd182 | 1201 | if (full_path && rmdir(full_path)) |
fe70edee | 1202 | SYSWARN("Failed to rmdir(\"%s\") cgroup", full_path); |
72068e74 CB |
1203 | } |
1204 | ||
b857f4be | 1205 | __cgfsng_ops static inline bool cgfsng_monitor_create(struct cgroup_ops *ops, |
f2668eea | 1206 | struct lxc_handler *handler) |
72068e74 | 1207 | { |
b3ed2061 | 1208 | __do_free char *monitor_cgroup = NULL, *__cgroup_tree = NULL; |
fe70edee CB |
1209 | const char *cgroup_tree; |
1210 | int idx = 0; | |
1211 | int i; | |
5ce03bc0 | 1212 | size_t len; |
fe70edee | 1213 | char *suffix; |
0d66e29a | 1214 | struct lxc_conf *conf; |
72068e74 | 1215 | |
0d66e29a CB |
1216 | if (!ops) |
1217 | return ret_set_errno(false, ENOENT); | |
e56639fb | 1218 | |
69b4a4bb CB |
1219 | if (!ops->hierarchies) |
1220 | return true; | |
1221 | ||
0d66e29a CB |
1222 | if (ops->monitor_cgroup) |
1223 | return ret_set_errno(false, EEXIST); | |
1224 | ||
1225 | if (!handler || !handler->conf) | |
1226 | return ret_set_errno(false, EINVAL); | |
1227 | ||
1228 | conf = handler->conf; | |
1229 | ||
b3ed2061 CB |
1230 | if (conf->cgroup_meta.dir) { |
1231 | cgroup_tree = conf->cgroup_meta.dir; | |
fe70edee CB |
1232 | monitor_cgroup = must_concat(&len, conf->cgroup_meta.dir, "/", |
1233 | DEFAULT_MONITOR_CGROUP_PREFIX, | |
1234 | handler->name, | |
1235 | CGROUP_CREATE_RETRY, NULL); | |
b3ed2061 CB |
1236 | } else if (ops->cgroup_pattern) { |
1237 | __cgroup_tree = lxc_string_replace("%n", handler->name, ops->cgroup_pattern); | |
d6bdd182 CB |
1238 | if (!__cgroup_tree) |
1239 | return ret_set_errno(false, ENOMEM); | |
1240 | ||
b3ed2061 | 1241 | cgroup_tree = __cgroup_tree; |
d6bdd182 CB |
1242 | monitor_cgroup = must_concat(&len, cgroup_tree, "/", |
1243 | DEFAULT_MONITOR_CGROUP, | |
b3ed2061 CB |
1244 | CGROUP_CREATE_RETRY, NULL); |
1245 | } else { | |
d6bdd182 | 1246 | cgroup_tree = NULL; |
fe70edee CB |
1247 | monitor_cgroup = must_concat(&len, DEFAULT_MONITOR_CGROUP_PREFIX, |
1248 | handler->name, | |
1249 | CGROUP_CREATE_RETRY, NULL); | |
b3ed2061 | 1250 | } |
fe70edee | 1251 | if (!monitor_cgroup) |
0d66e29a | 1252 | return ret_set_errno(false, ENOMEM); |
72068e74 | 1253 | |
fe70edee CB |
1254 | suffix = monitor_cgroup + len - CGROUP_CREATE_RETRY_LEN; |
1255 | *suffix = '\0'; | |
5ce03bc0 | 1256 | do { |
0d66e29a | 1257 | if (idx) |
fe70edee | 1258 | sprintf(suffix, "-%d", idx); |
72068e74 | 1259 | |
ebc10afe | 1260 | for (i = 0; ops->hierarchies[i]; i++) { |
de6fe132 | 1261 | if (cgroup_tree_create(ops->hierarchies[i], cgroup_tree, monitor_cgroup, false)) |
fe70edee CB |
1262 | continue; |
1263 | ||
1264 | ERROR("Failed to create cgroup \"%s\"", ops->hierarchies[i]->monitor_full_path ?: "(null)"); | |
1265 | for (int j = 0; j < i; j++) | |
de6fe132 | 1266 | cgroup_tree_leaf_remove(ops->hierarchies[j], false); |
fe70edee CB |
1267 | |
1268 | idx++; | |
1269 | break; | |
5ce03bc0 | 1270 | } |
ebc10afe | 1271 | } while (ops->hierarchies[i] && idx > 0 && idx < 1000); |
5ce03bc0 | 1272 | |
d97919ab | 1273 | if (idx == 1000) |
0d66e29a | 1274 | return ret_set_errno(false, ERANGE); |
72068e74 | 1275 | |
c581d2a6 | 1276 | ops->monitor_cgroup = move_ptr(monitor_cgroup); |
6e8703a4 | 1277 | return log_info(true, "The monitor process uses \"%s\" as cgroup", ops->monitor_cgroup); |
ccb4cabe SH |
1278 | } |
1279 | ||
fe70edee CB |
1280 | /* |
1281 | * Try to create the same cgroup in all hierarchies. Start with cgroup_pattern; | |
cecad0c1 | 1282 | * next cgroup_pattern-1, -2, ..., -999. |
ccb4cabe | 1283 | */ |
b857f4be | 1284 | __cgfsng_ops static inline bool cgfsng_payload_create(struct cgroup_ops *ops, |
f3839f12 | 1285 | struct lxc_handler *handler) |
ccb4cabe | 1286 | { |
b3ed2061 | 1287 | __do_free char *container_cgroup = NULL, *__cgroup_tree = NULL; |
fe70edee | 1288 | const char *cgroup_tree; |
f3839f12 | 1289 | int idx = 0; |
fe70edee | 1290 | int i; |
ccb4cabe | 1291 | size_t len; |
fe70edee | 1292 | char *suffix; |
f3839f12 | 1293 | struct lxc_conf *conf; |
43654d34 | 1294 | |
f3839f12 CB |
1295 | if (!ops) |
1296 | return ret_set_errno(false, ENOENT); | |
ccb4cabe | 1297 | |
69b4a4bb CB |
1298 | if (!ops->hierarchies) |
1299 | return true; | |
1300 | ||
f3839f12 CB |
1301 | if (ops->container_cgroup) |
1302 | return ret_set_errno(false, EEXIST); | |
1303 | ||
1304 | if (!handler || !handler->conf) | |
1305 | return ret_set_errno(false, EINVAL); | |
1306 | ||
1307 | conf = handler->conf; | |
1308 | ||
b3ed2061 CB |
1309 | if (conf->cgroup_meta.dir) { |
1310 | cgroup_tree = conf->cgroup_meta.dir; | |
fe70edee CB |
1311 | container_cgroup = must_concat(&len, cgroup_tree, "/", |
1312 | DEFAULT_PAYLOAD_CGROUP_PREFIX, | |
1313 | handler->name, | |
1314 | CGROUP_CREATE_RETRY, NULL); | |
b3ed2061 CB |
1315 | } else if (ops->cgroup_pattern) { |
1316 | __cgroup_tree = lxc_string_replace("%n", handler->name, ops->cgroup_pattern); | |
d6bdd182 CB |
1317 | if (!__cgroup_tree) |
1318 | return ret_set_errno(false, ENOMEM); | |
1319 | ||
b3ed2061 | 1320 | cgroup_tree = __cgroup_tree; |
d6bdd182 CB |
1321 | container_cgroup = must_concat(&len, cgroup_tree, "/", |
1322 | DEFAULT_PAYLOAD_CGROUP, | |
b3ed2061 CB |
1323 | CGROUP_CREATE_RETRY, NULL); |
1324 | } else { | |
d6bdd182 | 1325 | cgroup_tree = NULL; |
fe70edee CB |
1326 | container_cgroup = must_concat(&len, DEFAULT_PAYLOAD_CGROUP_PREFIX, |
1327 | handler->name, | |
1328 | CGROUP_CREATE_RETRY, NULL); | |
b3ed2061 | 1329 | } |
fe70edee CB |
1330 | if (!container_cgroup) |
1331 | return ret_set_errno(false, ENOMEM); | |
ccb4cabe | 1332 | |
fe70edee CB |
1333 | suffix = container_cgroup + len - CGROUP_CREATE_RETRY_LEN; |
1334 | *suffix = '\0'; | |
d97919ab | 1335 | do { |
f3839f12 | 1336 | if (idx) |
fe70edee | 1337 | sprintf(suffix, "-%d", idx); |
bb30b52a | 1338 | |
d97919ab | 1339 | for (i = 0; ops->hierarchies[i]; i++) { |
de6fe132 | 1340 | if (cgroup_tree_create(ops->hierarchies[i], cgroup_tree, container_cgroup, true)) |
fe70edee CB |
1341 | continue; |
1342 | ||
1343 | ERROR("Failed to create cgroup \"%s\"", ops->hierarchies[i]->container_full_path ?: "(null)"); | |
1344 | for (int j = 0; j < i; j++) | |
de6fe132 | 1345 | cgroup_tree_leaf_remove(ops->hierarchies[j], true); |
fe70edee CB |
1346 | |
1347 | idx++; | |
1348 | break; | |
66b66624 | 1349 | } |
d97919ab | 1350 | } while (ops->hierarchies[i] && idx > 0 && idx < 1000); |
cecad0c1 | 1351 | |
d97919ab | 1352 | if (idx == 1000) |
f3839f12 | 1353 | return ret_set_errno(false, ERANGE); |
cecad0c1 | 1354 | |
fe70edee CB |
1355 | ops->container_cgroup = move_ptr(container_cgroup); |
1356 | INFO("The container process uses \"%s\" as cgroup", ops->container_cgroup); | |
ccb4cabe | 1357 | return true; |
ccb4cabe SH |
1358 | } |
1359 | ||
c581d2a6 CB |
1360 | __cgfsng_ops static bool cgfsng_monitor_enter(struct cgroup_ops *ops, |
1361 | struct lxc_handler *handler) | |
ccb4cabe | 1362 | { |
fdb0b8ab | 1363 | int monitor_len, transient_len = 0; |
c581d2a6 CB |
1364 | char monitor[INTTYPE_TO_STRLEN(pid_t)], |
1365 | transient[INTTYPE_TO_STRLEN(pid_t)]; | |
ccb4cabe | 1366 | |
797fa65e CB |
1367 | if (!ops) |
1368 | return ret_set_errno(false, ENOENT); | |
1369 | ||
69b4a4bb CB |
1370 | if (!ops->hierarchies) |
1371 | return true; | |
1372 | ||
797fa65e CB |
1373 | if (!ops->monitor_cgroup) |
1374 | return ret_set_errno(false, ENOENT); | |
1375 | ||
1376 | if (!handler || !handler->conf) | |
1377 | return ret_set_errno(false, EINVAL); | |
1378 | ||
c581d2a6 CB |
1379 | monitor_len = snprintf(monitor, sizeof(monitor), "%d", handler->monitor_pid); |
1380 | if (handler->transient_pid > 0) | |
1973b62a | 1381 | transient_len = snprintf(transient, sizeof(transient), "%d", handler->transient_pid); |
ccb4cabe | 1382 | |
eeef32bb | 1383 | for (int i = 0; ops->hierarchies[i]; i++) { |
1973b62a | 1384 | struct hierarchy *h = ops->hierarchies[i]; |
c581d2a6 | 1385 | int ret; |
08768001 | 1386 | |
1973b62a CB |
1387 | ret = lxc_writeat(h->cgfd_mon, "cgroup.procs", monitor, monitor_len); |
1388 | if (ret) | |
1389 | return log_error_errno(false, errno, "Failed to enter cgroup \"%s\"", h->monitor_full_path); | |
c581d2a6 | 1390 | |
34683042 | 1391 | if (handler->transient_pid <= 0) |
c581d2a6 CB |
1392 | return true; |
1393 | ||
1973b62a CB |
1394 | ret = lxc_writeat(h->cgfd_mon, "cgroup.procs", transient, transient_len); |
1395 | if (ret) | |
1396 | return log_error_errno(false, errno, "Failed to enter cgroup \"%s\"", h->monitor_full_path); | |
1397 | ||
1398 | /* | |
78eb6aa6 | 1399 | * we don't keep the fds for non-unified hierarchies around |
1973b62a | 1400 | * mainly because we don't make use of them anymore after the |
78eb6aa6 | 1401 | * core cgroup setup is done but also because there are quite a |
1973b62a CB |
1402 | * lot of them. |
1403 | */ | |
1404 | if (!is_unified_hierarchy(h)) | |
1405 | close_prot_errno_disarm(h->cgfd_mon); | |
ccb4cabe | 1406 | } |
c581d2a6 | 1407 | handler->transient_pid = -1; |
ccb4cabe SH |
1408 | |
1409 | return true; | |
1410 | } | |
1411 | ||
c581d2a6 CB |
1412 | __cgfsng_ops static bool cgfsng_payload_enter(struct cgroup_ops *ops, |
1413 | struct lxc_handler *handler) | |
eeef32bb | 1414 | { |
c581d2a6 CB |
1415 | int len; |
1416 | char pidstr[INTTYPE_TO_STRLEN(pid_t)]; | |
eeef32bb | 1417 | |
4490328e CB |
1418 | if (!ops) |
1419 | return ret_set_errno(false, ENOENT); | |
1420 | ||
c581d2a6 CB |
1421 | if (!ops->hierarchies) |
1422 | return true; | |
1423 | ||
4490328e CB |
1424 | if (!ops->container_cgroup) |
1425 | return ret_set_errno(false, ENOENT); | |
1426 | ||
1427 | if (!handler || !handler->conf) | |
1428 | return ret_set_errno(false, EINVAL); | |
1429 | ||
c581d2a6 CB |
1430 | len = snprintf(pidstr, sizeof(pidstr), "%d", handler->pid); |
1431 | ||
1432 | for (int i = 0; ops->hierarchies[i]; i++) { | |
1973b62a | 1433 | struct hierarchy *h = ops->hierarchies[i]; |
c581d2a6 CB |
1434 | int ret; |
1435 | ||
1973b62a | 1436 | ret = lxc_writeat(h->cgfd_con, "cgroup.procs", pidstr, len); |
c581d2a6 | 1437 | if (ret != 0) |
1973b62a | 1438 | return log_error_errno(false, errno, "Failed to enter cgroup \"%s\"", h->container_full_path); |
c581d2a6 CB |
1439 | } |
1440 | ||
1441 | return true; | |
eeef32bb CB |
1442 | } |
1443 | ||
1973b62a CB |
1444 | static int fchowmodat(int dirfd, const char *path, uid_t chown_uid, |
1445 | gid_t chown_gid, mode_t chmod_mode) | |
6efacf80 CB |
1446 | { |
1447 | int ret; | |
1448 | ||
1973b62a CB |
1449 | ret = fchownat(dirfd, path, chown_uid, chown_gid, |
1450 | AT_EMPTY_PATH | AT_SYMLINK_NOFOLLOW); | |
1451 | if (ret < 0) | |
1452 | return log_warn_errno(-1, | |
1453 | errno, "Failed to fchownat(%d, %s, %d, %d, AT_EMPTY_PATH | AT_SYMLINK_NOFOLLOW )", | |
1454 | dirfd, path, (int)chown_uid, | |
1455 | (int)chown_gid); | |
6efacf80 | 1456 | |
1973b62a CB |
1457 | ret = fchmodat(dirfd, (*path != '\0') ? path : ".", chmod_mode, 0); |
1458 | if (ret < 0) | |
1459 | return log_warn_errno(-1, errno, "Failed to fchmodat(%d, %s, %d, AT_SYMLINK_NOFOLLOW)", | |
1460 | dirfd, path, (int)chmod_mode); | |
6efacf80 CB |
1461 | |
1462 | return 0; | |
1463 | } | |
1464 | ||
1465 | /* chgrp the container cgroups to container group. We leave | |
c0888dfe SH |
1466 | * the container owner as cgroup owner. So we must make the |
1467 | * directories 775 so that the container can create sub-cgroups. | |
43647298 SH |
1468 | * |
1469 | * Also chown the tasks and cgroup.procs files. Those may not | |
1470 | * exist depending on kernel version. | |
c0888dfe | 1471 | */ |
ccb4cabe SH |
1472 | static int chown_cgroup_wrapper(void *data) |
1473 | { | |
6a720d74 | 1474 | int ret; |
4160c3a0 CB |
1475 | uid_t destuid; |
1476 | struct generic_userns_exec_data *arg = data; | |
1477 | uid_t nsuid = (arg->conf->root_nsuid_map != NULL) ? 0 : arg->conf->init_uid; | |
1478 | gid_t nsgid = (arg->conf->root_nsgid_map != NULL) ? 0 : arg->conf->init_gid; | |
ccb4cabe | 1479 | |
b58214ac CB |
1480 | if (!lxc_setgroups(0, NULL) && errno != EPERM) |
1481 | return log_error_errno(-1, errno, "Failed to setgroups(0, NULL)"); | |
1482 | ||
6efacf80 | 1483 | ret = setresgid(nsgid, nsgid, nsgid); |
803e4123 | 1484 | if (ret < 0) |
77c3e9a2 | 1485 | return log_error_errno(-1, errno, "Failed to setresgid(%d, %d, %d)", |
803e4123 | 1486 | (int)nsgid, (int)nsgid, (int)nsgid); |
6efacf80 CB |
1487 | |
1488 | ret = setresuid(nsuid, nsuid, nsuid); | |
803e4123 | 1489 | if (ret < 0) |
77c3e9a2 | 1490 | return log_error_errno(-1, errno, "Failed to setresuid(%d, %d, %d)", |
803e4123 | 1491 | (int)nsuid, (int)nsuid, (int)nsuid); |
6efacf80 | 1492 | |
ccb4cabe | 1493 | destuid = get_ns_uid(arg->origuid); |
b962868f CB |
1494 | if (destuid == LXC_INVALID_UID) |
1495 | destuid = 0; | |
ccb4cabe | 1496 | |
6a720d74 | 1497 | for (int i = 0; arg->hierarchies[i]; i++) { |
1973b62a | 1498 | int dirfd = arg->hierarchies[i]->cgfd_con; |
43647298 | 1499 | |
1973b62a | 1500 | (void)fchowmodat(dirfd, "", destuid, nsgid, 0775); |
c0888dfe | 1501 | |
1973b62a CB |
1502 | /* |
1503 | * Failures to chown() these are inconvenient but not | |
6efacf80 CB |
1504 | * detrimental We leave these owned by the container launcher, |
1505 | * so that container root can write to the files to attach. We | |
1506 | * chmod() them 664 so that container systemd can write to the | |
1507 | * files (which systemd in wily insists on doing). | |
ab8f5424 | 1508 | */ |
6efacf80 | 1509 | |
1973b62a CB |
1510 | if (arg->hierarchies[i]->version == CGROUP_SUPER_MAGIC) |
1511 | (void)fchowmodat(dirfd, "tasks", destuid, nsgid, 0664); | |
43647298 | 1512 | |
1973b62a | 1513 | (void)fchowmodat(dirfd, "cgroup.procs", destuid, nsgid, 0664); |
0e17357c | 1514 | |
2202afc9 | 1515 | if (arg->hierarchies[i]->version != CGROUP2_SUPER_MAGIC) |
0e17357c CB |
1516 | continue; |
1517 | ||
1973b62a CB |
1518 | for (char **p = arg->hierarchies[i]->cgroup2_chown; p && *p; p++) |
1519 | (void)fchowmodat(dirfd, *p, destuid, nsgid, 0664); | |
ccb4cabe SH |
1520 | } |
1521 | ||
1522 | return 0; | |
1523 | } | |
1524 | ||
b857f4be | 1525 | __cgfsng_ops static bool cgfsng_chown(struct cgroup_ops *ops, |
c98bbf71 | 1526 | struct lxc_conf *conf) |
ccb4cabe | 1527 | { |
4160c3a0 | 1528 | struct generic_userns_exec_data wrap; |
ccb4cabe | 1529 | |
c98bbf71 CB |
1530 | if (!ops) |
1531 | return ret_set_errno(false, ENOENT); | |
ccb4cabe | 1532 | |
69b4a4bb CB |
1533 | if (!ops->hierarchies) |
1534 | return true; | |
1535 | ||
c98bbf71 CB |
1536 | if (!ops->container_cgroup) |
1537 | return ret_set_errno(false, ENOENT); | |
1538 | ||
1539 | if (!conf) | |
1540 | return ret_set_errno(false, EINVAL); | |
1541 | ||
1542 | if (lxc_list_empty(&conf->id_map)) | |
1543 | return true; | |
1544 | ||
ccb4cabe | 1545 | wrap.origuid = geteuid(); |
4160c3a0 | 1546 | wrap.path = NULL; |
2202afc9 | 1547 | wrap.hierarchies = ops->hierarchies; |
4160c3a0 | 1548 | wrap.conf = conf; |
ccb4cabe | 1549 | |
c98bbf71 CB |
1550 | if (userns_exec_1(conf, chown_cgroup_wrapper, &wrap, "chown_cgroup_wrapper") < 0) |
1551 | return log_error_errno(false, errno, "Error requesting cgroup chown in new user namespace"); | |
ccb4cabe SH |
1552 | |
1553 | return true; | |
1554 | } | |
1555 | ||
78eb6aa6 CB |
1556 | __cgfsng_ops void cgfsng_payload_finalize(struct cgroup_ops *ops) |
1557 | { | |
1558 | if (!ops) | |
1559 | return; | |
1560 | ||
1561 | if (!ops->hierarchies) | |
1562 | return; | |
1563 | ||
1564 | for (int i = 0; ops->hierarchies[i]; i++) { | |
1565 | struct hierarchy *h = ops->hierarchies[i]; | |
1566 | /* | |
1567 | * we don't keep the fds for non-unified hierarchies around | |
1568 | * mainly because we don't make use of them anymore after the | |
1569 | * core cgroup setup is done but also because there are quite a | |
1570 | * lot of them. | |
1571 | */ | |
1572 | if (!is_unified_hierarchy(h)) | |
1573 | close_prot_errno_disarm(h->cgfd_con); | |
1574 | } | |
1575 | } | |
1576 | ||
8aa1044f | 1577 | /* cgroup-full:* is done, no need to create subdirs */ |
77c3e9a2 | 1578 | static inline bool cg_mount_needs_subdirs(int type) |
8aa1044f | 1579 | { |
77c3e9a2 | 1580 | return !(type >= LXC_AUTO_CGROUP_FULL_RO); |
8aa1044f SH |
1581 | } |
1582 | ||
886cac86 CB |
1583 | /* After $rootfs/sys/fs/container/controller/the/cg/path has been created, |
1584 | * remount controller ro if needed and bindmount the cgroupfs onto | |
25fa6f8c | 1585 | * control/the/cg/path. |
8aa1044f | 1586 | */ |
6812d833 CB |
1587 | static int cg_legacy_mount_controllers(int type, struct hierarchy *h, |
1588 | char *controllerpath, char *cgpath, | |
1589 | const char *container_cgroup) | |
8aa1044f | 1590 | { |
d97919ab | 1591 | __do_free char *sourcepath = NULL; |
5285689c | 1592 | int ret, remount_flags; |
886cac86 CB |
1593 | int flags = MS_BIND; |
1594 | ||
8aa1044f | 1595 | if (type == LXC_AUTO_CGROUP_RO || type == LXC_AUTO_CGROUP_MIXED) { |
886cac86 | 1596 | ret = mount(controllerpath, controllerpath, "cgroup", MS_BIND, NULL); |
77c3e9a2 CB |
1597 | if (ret < 0) |
1598 | return log_error_errno(-1, errno, "Failed to bind mount \"%s\" onto \"%s\"", | |
1599 | controllerpath, controllerpath); | |
886cac86 | 1600 | |
5285689c CB |
1601 | remount_flags = add_required_remount_flags(controllerpath, |
1602 | controllerpath, | |
1603 | flags | MS_REMOUNT); | |
886cac86 | 1604 | ret = mount(controllerpath, controllerpath, "cgroup", |
8186c5c7 CB |
1605 | remount_flags | MS_REMOUNT | MS_BIND | MS_RDONLY, |
1606 | NULL); | |
77c3e9a2 CB |
1607 | if (ret < 0) |
1608 | return log_error_errno(-1, errno, "Failed to remount \"%s\" ro", controllerpath); | |
886cac86 | 1609 | |
8aa1044f SH |
1610 | INFO("Remounted %s read-only", controllerpath); |
1611 | } | |
886cac86 | 1612 | |
bb221ad1 | 1613 | sourcepath = must_make_path(h->mountpoint, h->container_base_path, |
886cac86 | 1614 | container_cgroup, NULL); |
8aa1044f SH |
1615 | if (type == LXC_AUTO_CGROUP_RO) |
1616 | flags |= MS_RDONLY; | |
886cac86 CB |
1617 | |
1618 | ret = mount(sourcepath, cgpath, "cgroup", flags, NULL); | |
77c3e9a2 CB |
1619 | if (ret < 0) |
1620 | return log_error_errno(-1, errno, "Failed to mount \"%s\" onto \"%s\"", | |
1621 | h->controllers[0], cgpath); | |
886cac86 | 1622 | INFO("Mounted \"%s\" onto \"%s\"", h->controllers[0], cgpath); |
f8c40ffa L |
1623 | |
1624 | if (flags & MS_RDONLY) { | |
5285689c CB |
1625 | remount_flags = add_required_remount_flags(sourcepath, cgpath, |
1626 | flags | MS_REMOUNT); | |
1627 | ret = mount(sourcepath, cgpath, "cgroup", remount_flags, NULL); | |
77c3e9a2 CB |
1628 | if (ret < 0) |
1629 | return log_error_errno(-1, errno, "Failed to remount \"%s\" ro", cgpath); | |
5285689c | 1630 | INFO("Remounted %s read-only", cgpath); |
f8c40ffa L |
1631 | } |
1632 | ||
886cac86 | 1633 | INFO("Completed second stage cgroup automounts for \"%s\"", cgpath); |
8aa1044f SH |
1634 | return 0; |
1635 | } | |
1636 | ||
6812d833 CB |
1637 | /* __cg_mount_direct |
1638 | * | |
1639 | * Mount cgroup hierarchies directly without using bind-mounts. The main | |
1640 | * uses-cases are mounting cgroup hierarchies in cgroup namespaces and mounting | |
1641 | * cgroups for the LXC_AUTO_CGROUP_FULL option. | |
1642 | */ | |
1643 | static int __cg_mount_direct(int type, struct hierarchy *h, | |
1644 | const char *controllerpath) | |
b635e92d | 1645 | { |
d97919ab | 1646 | __do_free char *controllers = NULL; |
a760603e CB |
1647 | char *fstype = "cgroup2"; |
1648 | unsigned long flags = 0; | |
f6b54668 | 1649 | int ret; |
b635e92d | 1650 | |
a760603e CB |
1651 | flags |= MS_NOSUID; |
1652 | flags |= MS_NOEXEC; | |
1653 | flags |= MS_NODEV; | |
1654 | flags |= MS_RELATIME; | |
1655 | ||
1656 | if (type == LXC_AUTO_CGROUP_RO || type == LXC_AUTO_CGROUP_FULL_RO) | |
1657 | flags |= MS_RDONLY; | |
1658 | ||
d6337a5f | 1659 | if (h->version != CGROUP2_SUPER_MAGIC) { |
a760603e CB |
1660 | controllers = lxc_string_join(",", (const char **)h->controllers, false); |
1661 | if (!controllers) | |
1662 | return -ENOMEM; | |
1663 | fstype = "cgroup"; | |
b635e92d CB |
1664 | } |
1665 | ||
a760603e | 1666 | ret = mount("cgroup", controllerpath, fstype, flags, controllers); |
77c3e9a2 CB |
1667 | if (ret < 0) |
1668 | return log_error_errno(-1, errno, "Failed to mount \"%s\" with cgroup filesystem type %s", | |
1669 | controllerpath, fstype); | |
b635e92d | 1670 | |
6812d833 | 1671 | DEBUG("Mounted \"%s\" with cgroup filesystem type %s", controllerpath, fstype); |
b635e92d CB |
1672 | return 0; |
1673 | } | |
1674 | ||
6812d833 CB |
1675 | static inline int cg_mount_in_cgroup_namespace(int type, struct hierarchy *h, |
1676 | const char *controllerpath) | |
1677 | { | |
1678 | return __cg_mount_direct(type, h, controllerpath); | |
1679 | } | |
1680 | ||
1681 | static inline int cg_mount_cgroup_full(int type, struct hierarchy *h, | |
1682 | const char *controllerpath) | |
1683 | { | |
1684 | if (type < LXC_AUTO_CGROUP_FULL_RO || type > LXC_AUTO_CGROUP_FULL_MIXED) | |
1685 | return 0; | |
1686 | ||
1687 | return __cg_mount_direct(type, h, controllerpath); | |
1688 | } | |
1689 | ||
b857f4be | 1690 | __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops, |
8d661d38 CB |
1691 | struct lxc_handler *handler, |
1692 | const char *root, int type) | |
ccb4cabe | 1693 | { |
6607d6e9 | 1694 | __do_free char *cgroup_root = NULL; |
d7314671 | 1695 | bool has_cgns = false, wants_force_mount = false; |
dfa835ac | 1696 | int ret; |
8aa1044f | 1697 | |
9585ccb3 CB |
1698 | if (!ops) |
1699 | return ret_set_errno(false, ENOENT); | |
1700 | ||
69b4a4bb CB |
1701 | if (!ops->hierarchies) |
1702 | return true; | |
1703 | ||
9585ccb3 CB |
1704 | if (!handler || !handler->conf) |
1705 | return ret_set_errno(false, EINVAL); | |
1706 | ||
8aa1044f SH |
1707 | if ((type & LXC_AUTO_CGROUP_MASK) == 0) |
1708 | return true; | |
1709 | ||
3f69fb12 SY |
1710 | if (type & LXC_AUTO_CGROUP_FORCE) { |
1711 | type &= ~LXC_AUTO_CGROUP_FORCE; | |
1712 | wants_force_mount = true; | |
1713 | } | |
b635e92d | 1714 | |
3f69fb12 SY |
1715 | if (!wants_force_mount){ |
1716 | if (!lxc_list_empty(&handler->conf->keepcaps)) | |
1717 | wants_force_mount = !in_caplist(CAP_SYS_ADMIN, &handler->conf->keepcaps); | |
1718 | else | |
1719 | wants_force_mount = in_caplist(CAP_SYS_ADMIN, &handler->conf->caps); | |
1720 | } | |
8aa1044f | 1721 | |
3f69fb12 SY |
1722 | has_cgns = cgns_supported(); |
1723 | if (has_cgns && !wants_force_mount) | |
1724 | return true; | |
8aa1044f SH |
1725 | |
1726 | if (type == LXC_AUTO_CGROUP_NOSPEC) | |
1727 | type = LXC_AUTO_CGROUP_MIXED; | |
1728 | else if (type == LXC_AUTO_CGROUP_FULL_NOSPEC) | |
1729 | type = LXC_AUTO_CGROUP_FULL_MIXED; | |
1730 | ||
dca9587a | 1731 | cgroup_root = must_make_path(root, DEFAULT_CGROUP_MOUNTPOINT, NULL); |
8d661d38 | 1732 | if (ops->cgroup_layout == CGROUP_LAYOUT_UNIFIED) { |
8d661d38 | 1733 | if (has_cgns && wants_force_mount) { |
d7314671 CB |
1734 | /* |
1735 | * If cgroup namespaces are supported but the container | |
8d661d38 CB |
1736 | * will not have CAP_SYS_ADMIN after it has started we |
1737 | * need to mount the cgroups manually. | |
1738 | */ | |
d7314671 | 1739 | return cg_mount_in_cgroup_namespace(type, ops->unified, cgroup_root) == 0; |
8d661d38 CB |
1740 | } |
1741 | ||
6607d6e9 | 1742 | return cg_mount_cgroup_full(type, ops->unified, cgroup_root) == 0; |
8d661d38 CB |
1743 | } |
1744 | ||
1745 | /* mount tmpfs */ | |
6607d6e9 | 1746 | ret = safe_mount(NULL, cgroup_root, "tmpfs", |
3f69fb12 SY |
1747 | MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_RELATIME, |
1748 | "size=10240k,mode=755", root); | |
1749 | if (ret < 0) | |
d7314671 | 1750 | return false; |
8aa1044f | 1751 | |
dfa835ac | 1752 | for (int i = 0; ops->hierarchies[i]; i++) { |
d97919ab | 1753 | __do_free char *controllerpath = NULL, *path2 = NULL; |
2202afc9 | 1754 | struct hierarchy *h = ops->hierarchies[i]; |
8aa1044f | 1755 | char *controller = strrchr(h->mountpoint, '/'); |
8aa1044f SH |
1756 | |
1757 | if (!controller) | |
1758 | continue; | |
1759 | controller++; | |
affd10fa | 1760 | |
6607d6e9 | 1761 | controllerpath = must_make_path(cgroup_root, controller, NULL); |
d97919ab | 1762 | if (dir_exists(controllerpath)) |
8aa1044f | 1763 | continue; |
affd10fa | 1764 | |
3f69fb12 | 1765 | ret = mkdir(controllerpath, 0755); |
d7314671 CB |
1766 | if (ret < 0) |
1767 | return log_error_errno(false, errno, "Error creating cgroup path: %s", controllerpath); | |
b635e92d | 1768 | |
3f69fb12 | 1769 | if (has_cgns && wants_force_mount) { |
b635e92d CB |
1770 | /* If cgroup namespaces are supported but the container |
1771 | * will not have CAP_SYS_ADMIN after it has started we | |
1772 | * need to mount the cgroups manually. | |
1773 | */ | |
3f69fb12 | 1774 | ret = cg_mount_in_cgroup_namespace(type, h, controllerpath); |
3f69fb12 | 1775 | if (ret < 0) |
d7314671 | 1776 | return false; |
3f69fb12 | 1777 | |
b635e92d CB |
1778 | continue; |
1779 | } | |
1780 | ||
6812d833 | 1781 | ret = cg_mount_cgroup_full(type, h, controllerpath); |
d97919ab | 1782 | if (ret < 0) |
d7314671 | 1783 | return false; |
3f69fb12 | 1784 | |
d97919ab | 1785 | if (!cg_mount_needs_subdirs(type)) |
8aa1044f | 1786 | continue; |
3f69fb12 | 1787 | |
bb221ad1 | 1788 | path2 = must_make_path(controllerpath, h->container_base_path, |
2202afc9 | 1789 | ops->container_cgroup, NULL); |
3f69fb12 | 1790 | ret = mkdir_p(path2, 0755); |
d97919ab | 1791 | if (ret < 0) |
d7314671 | 1792 | return false; |
2f62fb00 | 1793 | |
6812d833 | 1794 | ret = cg_legacy_mount_controllers(type, h, controllerpath, |
2202afc9 | 1795 | path2, ops->container_cgroup); |
3f69fb12 | 1796 | if (ret < 0) |
d7314671 | 1797 | return false; |
8aa1044f | 1798 | } |
8aa1044f | 1799 | |
d7314671 | 1800 | return true; |
ccb4cabe SH |
1801 | } |
1802 | ||
11c23867 | 1803 | /* Only root needs to escape to the cgroup of its init. */ |
b857f4be | 1804 | __cgfsng_ops static bool cgfsng_escape(const struct cgroup_ops *ops, |
52d08ab0 | 1805 | struct lxc_conf *conf) |
ccb4cabe | 1806 | { |
52d08ab0 CB |
1807 | if (!ops) |
1808 | return ret_set_errno(false, ENOENT); | |
1809 | ||
1810 | if (!ops->hierarchies) | |
1811 | return true; | |
1812 | ||
1813 | if (!conf) | |
1814 | return ret_set_errno(false, EINVAL); | |
1815 | ||
1816 | if (conf->cgroup_meta.relative || geteuid()) | |
ccb4cabe SH |
1817 | return true; |
1818 | ||
779b3d82 | 1819 | for (int i = 0; ops->hierarchies[i]; i++) { |
88396101 | 1820 | __do_free char *fullpath = NULL; |
52d08ab0 | 1821 | int ret; |
11c23867 | 1822 | |
52d08ab0 CB |
1823 | fullpath = |
1824 | must_make_path(ops->hierarchies[i]->mountpoint, | |
1825 | ops->hierarchies[i]->container_base_path, | |
1826 | "cgroup.procs", NULL); | |
7cea5905 | 1827 | ret = lxc_write_to_file(fullpath, "0", 2, false, 0666); |
52d08ab0 | 1828 | if (ret != 0) |
77c3e9a2 | 1829 | return log_error_errno(false, errno, "Failed to escape to cgroup \"%s\"", fullpath); |
ccb4cabe SH |
1830 | } |
1831 | ||
6df334d1 | 1832 | return true; |
ccb4cabe SH |
1833 | } |
1834 | ||
b857f4be | 1835 | __cgfsng_ops static int cgfsng_num_hierarchies(struct cgroup_ops *ops) |
36662416 | 1836 | { |
69b4a4bb CB |
1837 | int i = 0; |
1838 | ||
e3ffb28b CB |
1839 | if (!ops) |
1840 | return ret_set_errno(-1, ENOENT); | |
1841 | ||
69b4a4bb CB |
1842 | if (!ops->hierarchies) |
1843 | return 0; | |
36662416 | 1844 | |
69b4a4bb | 1845 | for (; ops->hierarchies[i]; i++) |
36662416 TA |
1846 | ; |
1847 | ||
1848 | return i; | |
1849 | } | |
1850 | ||
aa48a34f CB |
1851 | __cgfsng_ops static bool cgfsng_get_hierarchies(struct cgroup_ops *ops, int n, |
1852 | char ***out) | |
36662416 TA |
1853 | { |
1854 | int i; | |
1855 | ||
aa48a34f CB |
1856 | if (!ops) |
1857 | return ret_set_errno(false, ENOENT); | |
1858 | ||
69b4a4bb | 1859 | if (!ops->hierarchies) |
77c3e9a2 | 1860 | return ret_set_errno(false, ENOENT); |
69b4a4bb | 1861 | |
36662416 | 1862 | /* sanity check n */ |
6b38e644 | 1863 | for (i = 0; i < n; i++) |
2202afc9 | 1864 | if (!ops->hierarchies[i]) |
aa48a34f | 1865 | return ret_set_errno(false, ENOENT); |
36662416 | 1866 | |
2202afc9 | 1867 | *out = ops->hierarchies[i]->controllers; |
36662416 TA |
1868 | |
1869 | return true; | |
1870 | } | |
1871 | ||
ee3a7775 | 1872 | static bool cg_legacy_freeze(struct cgroup_ops *ops) |
ccb4cabe | 1873 | { |
d6337a5f | 1874 | struct hierarchy *h; |
ccb4cabe | 1875 | |
ee3a7775 CB |
1876 | h = get_hierarchy(ops, "freezer"); |
1877 | if (!h) | |
d2203230 | 1878 | return ret_set_errno(-1, ENOENT); |
81468ea7 | 1879 | |
c04a6d4e CB |
1880 | return lxc_write_openat(h->container_full_path, "freezer.state", |
1881 | "FROZEN", STRLITERALLEN("FROZEN")); | |
ee3a7775 | 1882 | } |
942e193e | 1883 | |
018051e3 CB |
1884 | static int freezer_cgroup_events_cb(int fd, uint32_t events, void *cbdata, |
1885 | struct lxc_epoll_descr *descr) | |
ee3a7775 | 1886 | { |
f62cf1d4 | 1887 | __do_close int duped_fd = -EBADF; |
018051e3 | 1888 | __do_free char *line = NULL; |
ee3a7775 | 1889 | __do_fclose FILE *f = NULL; |
018051e3 CB |
1890 | int state = PTR_TO_INT(cbdata); |
1891 | size_t len; | |
1892 | const char *state_string; | |
1893 | ||
1894 | duped_fd = dup(fd); | |
1895 | if (duped_fd < 0) | |
1896 | return LXC_MAINLOOP_ERROR; | |
1897 | ||
1898 | if (lseek(duped_fd, 0, SEEK_SET) < (off_t)-1) | |
1899 | return LXC_MAINLOOP_ERROR; | |
1900 | ||
1901 | f = fdopen(duped_fd, "re"); | |
1902 | if (!f) | |
1903 | return LXC_MAINLOOP_ERROR; | |
1904 | move_fd(duped_fd); | |
1905 | ||
1906 | if (state == 1) | |
1907 | state_string = "frozen 1"; | |
1908 | else | |
1909 | state_string = "frozen 0"; | |
1910 | ||
1911 | while (getline(&line, &len, f) != -1) | |
1912 | if (strncmp(line, state_string, STRLITERALLEN("frozen") + 2) == 0) | |
1913 | return LXC_MAINLOOP_CLOSE; | |
1914 | ||
1915 | return LXC_MAINLOOP_CONTINUE; | |
1916 | } | |
1917 | ||
1918 | static int cg_unified_freeze(struct cgroup_ops *ops, int timeout) | |
1919 | { | |
f62cf1d4 | 1920 | __do_close int fd = -EBADF; |
eafc1bb6 | 1921 | call_cleaner(lxc_mainloop_close) struct lxc_epoll_descr *descr_ptr = NULL; |
018051e3 CB |
1922 | int ret; |
1923 | struct lxc_epoll_descr descr; | |
ee3a7775 | 1924 | struct hierarchy *h; |
942e193e CB |
1925 | |
1926 | h = ops->unified; | |
457ca9aa | 1927 | if (!h) |
d2203230 | 1928 | return ret_set_errno(-1, ENOENT); |
d6337a5f | 1929 | |
018051e3 | 1930 | if (!h->container_full_path) |
d2203230 | 1931 | return ret_set_errno(-1, EEXIST); |
d6337a5f | 1932 | |
018051e3 CB |
1933 | if (timeout != 0) { |
1934 | __do_free char *events_file = NULL; | |
942e193e | 1935 | |
018051e3 CB |
1936 | events_file = must_make_path(h->container_full_path, "cgroup.events", NULL); |
1937 | fd = open(events_file, O_RDONLY | O_CLOEXEC); | |
1938 | if (fd < 0) | |
d2203230 | 1939 | return log_error_errno(-1, errno, "Failed to open cgroup.events file"); |
942e193e | 1940 | |
018051e3 CB |
1941 | ret = lxc_mainloop_open(&descr); |
1942 | if (ret) | |
d2203230 | 1943 | return log_error_errno(-1, errno, "Failed to create epoll instance to wait for container freeze"); |
942e193e | 1944 | |
018051e3 CB |
1945 | /* automatically cleaned up now */ |
1946 | descr_ptr = &descr; | |
942e193e | 1947 | |
018051e3 CB |
1948 | ret = lxc_mainloop_add_handler(&descr, fd, freezer_cgroup_events_cb, INT_TO_PTR((int){1})); |
1949 | if (ret < 0) | |
d2203230 | 1950 | return log_error_errno(-1, errno, "Failed to add cgroup.events fd handler to mainloop"); |
018051e3 | 1951 | } |
942e193e | 1952 | |
c04a6d4e | 1953 | ret = lxc_write_openat(h->container_full_path, "cgroup.freeze", "1", 1); |
018051e3 | 1954 | if (ret < 0) |
d2203230 | 1955 | return log_error_errno(-1, errno, "Failed to open cgroup.freeze file"); |
018051e3 CB |
1956 | |
1957 | if (timeout != 0 && lxc_mainloop(&descr, timeout)) | |
d2203230 | 1958 | return log_error_errno(-1, errno, "Failed to wait for container to be frozen"); |
018051e3 CB |
1959 | |
1960 | return 0; | |
942e193e CB |
1961 | } |
1962 | ||
018051e3 | 1963 | __cgfsng_ops static int cgfsng_freeze(struct cgroup_ops *ops, int timeout) |
942e193e | 1964 | { |
81468ea7 | 1965 | if (!ops->hierarchies) |
d2203230 | 1966 | return ret_set_errno(-1, ENOENT); |
81468ea7 | 1967 | |
ee3a7775 CB |
1968 | if (ops->cgroup_layout != CGROUP_LAYOUT_UNIFIED) |
1969 | return cg_legacy_freeze(ops); | |
942e193e | 1970 | |
018051e3 | 1971 | return cg_unified_freeze(ops, timeout); |
ee3a7775 CB |
1972 | } |
1973 | ||
018051e3 | 1974 | static int cg_legacy_unfreeze(struct cgroup_ops *ops) |
ee3a7775 | 1975 | { |
ee3a7775 CB |
1976 | struct hierarchy *h; |
1977 | ||
1978 | h = get_hierarchy(ops, "freezer"); | |
1979 | if (!h) | |
d2203230 | 1980 | return ret_set_errno(-1, ENOENT); |
ee3a7775 | 1981 | |
c04a6d4e CB |
1982 | return lxc_write_openat(h->container_full_path, "freezer.state", |
1983 | "THAWED", STRLITERALLEN("THAWED")); | |
ee3a7775 CB |
1984 | } |
1985 | ||
018051e3 | 1986 | static int cg_unified_unfreeze(struct cgroup_ops *ops, int timeout) |
ee3a7775 | 1987 | { |
f62cf1d4 | 1988 | __do_close int fd = -EBADF; |
eafc1bb6 | 1989 | call_cleaner(lxc_mainloop_close)struct lxc_epoll_descr *descr_ptr = NULL; |
018051e3 CB |
1990 | int ret; |
1991 | struct lxc_epoll_descr descr; | |
ee3a7775 | 1992 | struct hierarchy *h; |
942e193e CB |
1993 | |
1994 | h = ops->unified; | |
1995 | if (!h) | |
d2203230 | 1996 | return ret_set_errno(-1, ENOENT); |
018051e3 CB |
1997 | |
1998 | if (!h->container_full_path) | |
d2203230 | 1999 | return ret_set_errno(-1, EEXIST); |
018051e3 CB |
2000 | |
2001 | if (timeout != 0) { | |
2002 | __do_free char *events_file = NULL; | |
2003 | ||
2004 | events_file = must_make_path(h->container_full_path, "cgroup.events", NULL); | |
2005 | fd = open(events_file, O_RDONLY | O_CLOEXEC); | |
2006 | if (fd < 0) | |
d2203230 | 2007 | return log_error_errno(-1, errno, "Failed to open cgroup.events file"); |
018051e3 CB |
2008 | |
2009 | ret = lxc_mainloop_open(&descr); | |
2010 | if (ret) | |
d2203230 | 2011 | return log_error_errno(-1, errno, "Failed to create epoll instance to wait for container unfreeze"); |
018051e3 CB |
2012 | |
2013 | /* automatically cleaned up now */ | |
2014 | descr_ptr = &descr; | |
2015 | ||
2016 | ret = lxc_mainloop_add_handler(&descr, fd, freezer_cgroup_events_cb, INT_TO_PTR((int){0})); | |
2017 | if (ret < 0) | |
d2203230 | 2018 | return log_error_errno(-1, errno, "Failed to add cgroup.events fd handler to mainloop"); |
018051e3 | 2019 | } |
942e193e | 2020 | |
c04a6d4e | 2021 | ret = lxc_write_openat(h->container_full_path, "cgroup.freeze", "0", 1); |
018051e3 | 2022 | if (ret < 0) |
d2203230 | 2023 | return log_error_errno(-1, errno, "Failed to open cgroup.freeze file"); |
018051e3 CB |
2024 | |
2025 | if (timeout != 0 && lxc_mainloop(&descr, timeout)) | |
d2203230 | 2026 | return log_error_errno(-1, errno, "Failed to wait for container to be unfrozen"); |
018051e3 CB |
2027 | |
2028 | return 0; | |
ee3a7775 CB |
2029 | } |
2030 | ||
018051e3 | 2031 | __cgfsng_ops static int cgfsng_unfreeze(struct cgroup_ops *ops, int timeout) |
ee3a7775 CB |
2032 | { |
2033 | if (!ops->hierarchies) | |
d2203230 | 2034 | return ret_set_errno(-1, ENOENT); |
ee3a7775 CB |
2035 | |
2036 | if (ops->cgroup_layout != CGROUP_LAYOUT_UNIFIED) | |
2037 | return cg_legacy_unfreeze(ops); | |
2038 | ||
018051e3 | 2039 | return cg_unified_unfreeze(ops, timeout); |
ccb4cabe SH |
2040 | } |
2041 | ||
b857f4be | 2042 | __cgfsng_ops static const char *cgfsng_get_cgroup(struct cgroup_ops *ops, |
6bdf9691 | 2043 | const char *controller) |
ccb4cabe | 2044 | { |
d6337a5f CB |
2045 | struct hierarchy *h; |
2046 | ||
2202afc9 | 2047 | h = get_hierarchy(ops, controller); |
6bdf9691 | 2048 | if (!h) |
77c3e9a2 | 2049 | return log_warn_errno(NULL, ENOENT, "Failed to find hierarchy for controller \"%s\"", |
6bdf9691 | 2050 | controller ? controller : "(null)"); |
ccb4cabe | 2051 | |
6bdf9691 CB |
2052 | return h->container_full_path |
2053 | ? h->container_full_path + strlen(h->mountpoint) | |
2054 | : NULL; | |
371f834d SH |
2055 | } |
2056 | ||
c40c8209 CB |
2057 | /* Given a cgroup path returned from lxc_cmd_get_cgroup_path, build a full path, |
2058 | * which must be freed by the caller. | |
371f834d | 2059 | */ |
c40c8209 CB |
2060 | static inline char *build_full_cgpath_from_monitorpath(struct hierarchy *h, |
2061 | const char *inpath, | |
2062 | const char *filename) | |
371f834d | 2063 | { |
371f834d | 2064 | return must_make_path(h->mountpoint, inpath, filename, NULL); |
ccb4cabe SH |
2065 | } |
2066 | ||
4b86fefd | 2067 | static int cgroup_attach_leaf(const struct lxc_conf *conf, int unified_fd, pid_t pid) |
c2aed66d | 2068 | { |
ad275c16 | 2069 | int idx = 1; |
c2aed66d | 2070 | int ret; |
900b6606 CB |
2071 | char pidstr[INTTYPE_TO_STRLEN(int64_t) + 1]; |
2072 | size_t pidstr_len; | |
c2aed66d | 2073 | |
ad275c16 | 2074 | /* Create leaf cgroup. */ |
275e8ef8 | 2075 | ret = mkdirat(unified_fd, ".lxc", 0755); |
ad275c16 | 2076 | if (ret < 0 && errno != EEXIST) |
275e8ef8 | 2077 | return log_error_errno(-1, errno, "Failed to create leaf cgroup \".lxc\""); |
ad275c16 | 2078 | |
7581a82f | 2079 | pidstr_len = sprintf(pidstr, INT64_FMT, (int64_t)pid); |
275e8ef8 | 2080 | ret = lxc_writeat(unified_fd, ".lxc/cgroup.procs", pidstr, pidstr_len); |
ad275c16 CB |
2081 | if (ret < 0) |
2082 | ret = lxc_writeat(unified_fd, "cgroup.procs", pidstr, pidstr_len); | |
c2aed66d | 2083 | if (ret == 0) |
bad788b0 | 2084 | return 0; |
ad275c16 | 2085 | |
bad788b0 CB |
2086 | /* this is a non-leaf node */ |
2087 | if (errno != EBUSY) | |
d2203230 | 2088 | return log_error_errno(-1, errno, "Failed to attach to unified cgroup"); |
c2aed66d | 2089 | |
c2aed66d | 2090 | do { |
7581a82f | 2091 | bool rm = false; |
275e8ef8 | 2092 | char attach_cgroup[STRLITERALLEN(".lxc-1000/cgroup.procs") + 1]; |
bad788b0 | 2093 | char *slash; |
c2aed66d | 2094 | |
5045306b CB |
2095 | ret = snprintf(attach_cgroup, sizeof(attach_cgroup), ".lxc-%d/cgroup.procs", idx); |
2096 | if (ret < 0 || (size_t)ret >= sizeof(attach_cgroup)) | |
2097 | return ret_errno(EIO); | |
2098 | ||
bad788b0 CB |
2099 | slash = &attach_cgroup[ret] - STRLITERALLEN("/cgroup.procs"); |
2100 | *slash = '\0'; | |
ad275c16 | 2101 | |
bad788b0 | 2102 | ret = mkdirat(unified_fd, attach_cgroup, 0755); |
c2aed66d | 2103 | if (ret < 0 && errno != EEXIST) |
d2203230 | 2104 | return log_error_errno(-1, errno, "Failed to create cgroup %s", attach_cgroup); |
7581a82f CB |
2105 | if (ret == 0) |
2106 | rm = true; | |
c2aed66d | 2107 | |
bad788b0 | 2108 | *slash = '/'; |
ad275c16 | 2109 | |
bad788b0 | 2110 | ret = lxc_writeat(unified_fd, attach_cgroup, pidstr, pidstr_len); |
c2aed66d | 2111 | if (ret == 0) |
bad788b0 | 2112 | return 0; |
c2aed66d | 2113 | |
7581a82f CB |
2114 | if (rm && unlinkat(unified_fd, attach_cgroup, AT_REMOVEDIR)) |
2115 | SYSERROR("Failed to remove cgroup \"%d(%s)\"", unified_fd, attach_cgroup); | |
2116 | ||
c2aed66d CB |
2117 | /* this is a non-leaf node */ |
2118 | if (errno != EBUSY) | |
d2203230 | 2119 | return log_error_errno(-1, errno, "Failed to attach to unified cgroup"); |
c2aed66d | 2120 | |
edae86e9 CB |
2121 | idx++; |
2122 | } while (idx < 1000); | |
c2aed66d | 2123 | |
ad275c16 | 2124 | return log_error_errno(-1, errno, "Failed to attach to unified cgroup"); |
c2aed66d CB |
2125 | } |
2126 | ||
d1783ef4 CB |
2127 | static int cgroup_attach_create_leaf(const struct lxc_conf *conf, |
2128 | int unified_fd, int *sk_fd) | |
2129 | { | |
7d849163 CB |
2130 | __do_close int sk = *sk_fd, target_fd0 = -EBADF, target_fd1 = -EBADF; |
2131 | int target_fds[2]; | |
d1783ef4 CB |
2132 | ssize_t ret; |
2133 | ||
2134 | /* Create leaf cgroup. */ | |
2135 | ret = mkdirat(unified_fd, ".lxc", 0755); | |
2136 | if (ret < 0 && errno != EEXIST) | |
2137 | return log_error_errno(-1, errno, "Failed to create leaf cgroup \".lxc\""); | |
2138 | ||
7d849163 CB |
2139 | target_fd0 = openat(unified_fd, ".lxc/cgroup.procs", O_WRONLY | O_CLOEXEC | O_NOFOLLOW); |
2140 | if (target_fd0 < 0) | |
d1783ef4 | 2141 | return log_error_errno(-errno, errno, "Failed to open \".lxc/cgroup.procs\""); |
7d849163 | 2142 | target_fds[0] = target_fd0; |
d1783ef4 | 2143 | |
7d849163 CB |
2144 | target_fd1 = openat(unified_fd, "cgroup.procs", O_WRONLY | O_CLOEXEC | O_NOFOLLOW); |
2145 | if (target_fd1 < 0) | |
49df620b | 2146 | return log_error_errno(-errno, errno, "Failed to open \".lxc/cgroup.procs\""); |
7d849163 | 2147 | target_fds[1] = target_fd1; |
49df620b CB |
2148 | |
2149 | ret = lxc_abstract_unix_send_fds(sk, target_fds, 2, NULL, 0); | |
d1783ef4 | 2150 | if (ret <= 0) |
49df620b | 2151 | return log_error_errno(-errno, errno, "Failed to send \".lxc/cgroup.procs\" fds %d and %d", |
7d849163 | 2152 | target_fd0, target_fd1); |
d1783ef4 | 2153 | |
7d849163 | 2154 | return log_debug(0, "Sent target cgroup fds %d and %d", target_fd0, target_fd1); |
d1783ef4 CB |
2155 | } |
2156 | ||
2157 | static int cgroup_attach_move_into_leaf(const struct lxc_conf *conf, | |
2158 | int *sk_fd, pid_t pid) | |
2159 | { | |
7d849163 CB |
2160 | __do_close int sk = *sk_fd, target_fd0 = -EBADF, target_fd1 = -EBADF; |
2161 | int target_fds[2]; | |
d1783ef4 CB |
2162 | char pidstr[INTTYPE_TO_STRLEN(int64_t) + 1]; |
2163 | size_t pidstr_len; | |
2164 | ssize_t ret; | |
2165 | ||
49df620b | 2166 | ret = lxc_abstract_unix_recv_fds(sk, target_fds, 2, NULL, 0); |
d1783ef4 CB |
2167 | if (ret <= 0) |
2168 | return log_error_errno(-1, errno, "Failed to receive target cgroup fd"); | |
7d849163 CB |
2169 | target_fd0 = target_fds[0]; |
2170 | target_fd1 = target_fds[1]; | |
d1783ef4 CB |
2171 | |
2172 | pidstr_len = sprintf(pidstr, INT64_FMT, (int64_t)pid); | |
2173 | ||
7d849163 CB |
2174 | ret = lxc_write_nointr(target_fd0, pidstr, pidstr_len); |
2175 | if (ret > 0 && ret == pidstr_len) | |
2176 | return log_debug(0, "Moved process into target cgroup via fd %d", target_fd0); | |
2177 | ||
49df620b | 2178 | ret = lxc_write_nointr(target_fd1, pidstr, pidstr_len); |
7d849163 CB |
2179 | if (ret > 0 && ret == pidstr_len) |
2180 | return log_debug(0, "Moved process into target cgroup via fd %d", target_fd1); | |
d1783ef4 | 2181 | |
7d849163 CB |
2182 | return log_debug_errno(-1, errno, "Failed to move process into target cgroup via fd %d and %d", |
2183 | target_fd0, target_fd1); | |
d1783ef4 CB |
2184 | } |
2185 | ||
4b86fefd CB |
2186 | struct userns_exec_unified_attach_data { |
2187 | const struct lxc_conf *conf; | |
2188 | int unified_fd; | |
d1783ef4 | 2189 | int sk_pair[2]; |
4b86fefd CB |
2190 | pid_t pid; |
2191 | }; | |
2192 | ||
d1783ef4 CB |
2193 | static int cgroup_unified_attach_child_wrapper(void *data) |
2194 | { | |
2195 | struct userns_exec_unified_attach_data *args = data; | |
2196 | ||
2197 | if (!args->conf || args->unified_fd < 0 || args->pid <= 0 || | |
2198 | args->sk_pair[0] < 0 || args->sk_pair[1] < 0) | |
2199 | return ret_errno(EINVAL); | |
2200 | ||
2201 | close_prot_errno_disarm(args->sk_pair[0]); | |
2202 | return cgroup_attach_create_leaf(args->conf, args->unified_fd, | |
2203 | &args->sk_pair[1]); | |
2204 | } | |
2205 | ||
2206 | static int cgroup_unified_attach_parent_wrapper(void *data) | |
4b86fefd CB |
2207 | { |
2208 | struct userns_exec_unified_attach_data *args = data; | |
4b86fefd | 2209 | |
d1783ef4 CB |
2210 | if (!args->conf || args->unified_fd < 0 || args->pid <= 0 || |
2211 | args->sk_pair[0] < 0 || args->sk_pair[1] < 0) | |
4b86fefd CB |
2212 | return ret_errno(EINVAL); |
2213 | ||
d1783ef4 CB |
2214 | close_prot_errno_disarm(args->sk_pair[1]); |
2215 | return cgroup_attach_move_into_leaf(args->conf, &args->sk_pair[0], | |
2216 | args->pid); | |
4b86fefd CB |
2217 | } |
2218 | ||
7581a82f CB |
2219 | int cgroup_attach(const struct lxc_conf *conf, const char *name, |
2220 | const char *lxcpath, pid_t pid) | |
900b6606 | 2221 | { |
f62cf1d4 | 2222 | __do_close int unified_fd = -EBADF; |
7581a82f CB |
2223 | int ret; |
2224 | ||
2225 | if (!conf || !name || !lxcpath || pid <= 0) | |
2226 | return ret_errno(EINVAL); | |
900b6606 CB |
2227 | |
2228 | unified_fd = lxc_cmd_get_cgroup2_fd(name, lxcpath); | |
2229 | if (unified_fd < 0) | |
7581a82f | 2230 | return ret_errno(EBADF); |
900b6606 | 2231 | |
4b86fefd CB |
2232 | if (!lxc_list_empty(&conf->id_map)) { |
2233 | struct userns_exec_unified_attach_data args = { | |
2234 | .conf = conf, | |
2235 | .unified_fd = unified_fd, | |
2236 | .pid = pid, | |
2237 | }; | |
ba7ca43b | 2238 | |
d1783ef4 CB |
2239 | ret = socketpair(PF_LOCAL, SOCK_STREAM | SOCK_CLOEXEC, 0, args.sk_pair); |
2240 | if (ret < 0) | |
2241 | return -errno; | |
2242 | ||
2243 | ret = userns_exec_minimal(conf, | |
2244 | cgroup_unified_attach_parent_wrapper, | |
2245 | &args, | |
2246 | cgroup_unified_attach_child_wrapper, | |
2247 | &args); | |
4b86fefd CB |
2248 | } else { |
2249 | ret = cgroup_attach_leaf(conf, unified_fd, pid); | |
2250 | } | |
7581a82f | 2251 | |
4b86fefd | 2252 | return ret; |
900b6606 CB |
2253 | } |
2254 | ||
2255 | /* Technically, we're always at a delegation boundary here (This is especially | |
2256 | * true when cgroup namespaces are available.). The reasoning is that in order | |
2257 | * for us to have been able to start a container in the first place the root | |
2258 | * cgroup must have been a leaf node. Now, either the container's init system | |
2259 | * has populated the cgroup and kept it as a leaf node or it has created | |
2260 | * subtrees. In the former case we will simply attach to the leaf node we | |
2261 | * created when we started the container in the latter case we create our own | |
2262 | * cgroup for the attaching process. | |
2263 | */ | |
7581a82f CB |
2264 | static int __cg_unified_attach(const struct hierarchy *h, |
2265 | const struct lxc_conf *conf, const char *name, | |
900b6606 CB |
2266 | const char *lxcpath, pid_t pid, |
2267 | const char *controller) | |
2268 | { | |
f62cf1d4 | 2269 | __do_close int unified_fd = -EBADF; |
32908bfd | 2270 | __do_free char *path = NULL, *cgroup = NULL; |
900b6606 CB |
2271 | int ret; |
2272 | ||
7581a82f CB |
2273 | if (!conf || !name || !lxcpath || pid <= 0) |
2274 | return ret_errno(EINVAL); | |
2275 | ||
2276 | ret = cgroup_attach(conf, name, lxcpath, pid); | |
32908bfd CB |
2277 | if (ret == 0) |
2278 | return log_trace(0, "Attached to unified cgroup via command handler"); | |
2279 | if (ret != -EBADF) | |
2280 | return log_error_errno(ret, errno, "Failed to attach to unified cgroup"); | |
2281 | ||
2282 | /* Fall back to retrieving the path for the unified cgroup. */ | |
2283 | cgroup = lxc_cmd_get_cgroup_path(name, lxcpath, controller); | |
2284 | /* not running */ | |
2285 | if (!cgroup) | |
2286 | return 0; | |
900b6606 | 2287 | |
32908bfd | 2288 | path = must_make_path(h->mountpoint, cgroup, NULL); |
900b6606 | 2289 | |
32908bfd | 2290 | unified_fd = open(path, O_PATH | O_DIRECTORY | O_CLOEXEC); |
900b6606 | 2291 | if (unified_fd < 0) |
7581a82f CB |
2292 | return ret_errno(EBADF); |
2293 | ||
4b86fefd CB |
2294 | if (!lxc_list_empty(&conf->id_map)) { |
2295 | struct userns_exec_unified_attach_data args = { | |
2296 | .conf = conf, | |
2297 | .unified_fd = unified_fd, | |
2298 | .pid = pid, | |
2299 | }; | |
2300 | ||
d1783ef4 CB |
2301 | ret = socketpair(PF_LOCAL, SOCK_STREAM | SOCK_CLOEXEC, 0, args.sk_pair); |
2302 | if (ret < 0) | |
2303 | return -errno; | |
2304 | ||
2305 | ret = userns_exec_minimal(conf, | |
2306 | cgroup_unified_attach_parent_wrapper, | |
2307 | &args, | |
2308 | cgroup_unified_attach_child_wrapper, | |
2309 | &args); | |
4b86fefd CB |
2310 | } else { |
2311 | ret = cgroup_attach_leaf(conf, unified_fd, pid); | |
2312 | } | |
2313 | ||
2314 | return ret; | |
900b6606 CB |
2315 | } |
2316 | ||
7581a82f CB |
2317 | __cgfsng_ops static bool cgfsng_attach(struct cgroup_ops *ops, |
2318 | const struct lxc_conf *conf, | |
2319 | const char *name, const char *lxcpath, | |
2320 | pid_t pid) | |
ccb4cabe | 2321 | { |
81b5d48a | 2322 | int len, ret; |
a3650c0c | 2323 | char pidstr[INTTYPE_TO_STRLEN(pid_t)]; |
ccb4cabe | 2324 | |
ab9a452d CB |
2325 | if (!ops) |
2326 | return ret_set_errno(false, ENOENT); | |
2327 | ||
69b4a4bb CB |
2328 | if (!ops->hierarchies) |
2329 | return true; | |
2330 | ||
a3650c0c CB |
2331 | len = snprintf(pidstr, sizeof(pidstr), "%d", pid); |
2332 | if (len < 0 || (size_t)len >= sizeof(pidstr)) | |
ccb4cabe SH |
2333 | return false; |
2334 | ||
81b5d48a | 2335 | for (int i = 0; ops->hierarchies[i]; i++) { |
c05b17bd | 2336 | __do_free char *fullpath = NULL, *path = NULL; |
2202afc9 | 2337 | struct hierarchy *h = ops->hierarchies[i]; |
ccb4cabe | 2338 | |
c2aed66d | 2339 | if (h->version == CGROUP2_SUPER_MAGIC) { |
7581a82f | 2340 | ret = __cg_unified_attach(h, conf, name, lxcpath, pid, |
a3926f6a | 2341 | h->controllers[0]); |
c2aed66d CB |
2342 | if (ret < 0) |
2343 | return false; | |
2344 | ||
2345 | continue; | |
2346 | } | |
2347 | ||
ccb4cabe | 2348 | path = lxc_cmd_get_cgroup_path(name, lxcpath, h->controllers[0]); |
c2aed66d CB |
2349 | /* not running */ |
2350 | if (!path) | |
e2cb2e74 | 2351 | return false; |
ccb4cabe | 2352 | |
371f834d | 2353 | fullpath = build_full_cgpath_from_monitorpath(h, path, "cgroup.procs"); |
7cea5905 | 2354 | ret = lxc_write_to_file(fullpath, pidstr, len, false, 0666); |
ab9a452d | 2355 | if (ret < 0) |
77c3e9a2 | 2356 | return log_error_errno(false, errno, "Failed to attach %d to %s", |
ab9a452d | 2357 | (int)pid, fullpath); |
ccb4cabe SH |
2358 | } |
2359 | ||
ccb4cabe SH |
2360 | return true; |
2361 | } | |
2362 | ||
e2bd2b13 CB |
2363 | /* Called externally (i.e. from 'lxc-cgroup') to query cgroup limits. Here we |
2364 | * don't have a cgroup_data set up, so we ask the running container through the | |
2365 | * commands API for the cgroup path. | |
ccb4cabe | 2366 | */ |
b857f4be | 2367 | __cgfsng_ops static int cgfsng_get(struct cgroup_ops *ops, const char *filename, |
fb55e009 CB |
2368 | char *value, size_t len, const char *name, |
2369 | const char *lxcpath) | |
ccb4cabe | 2370 | { |
d97919ab | 2371 | __do_free char *path = NULL; |
88396101 | 2372 | __do_free char *controller = NULL; |
d97919ab | 2373 | char *p; |
0069cc61 | 2374 | struct hierarchy *h; |
861cb8c2 | 2375 | int ret = -1; |
ccb4cabe | 2376 | |
a358028a CB |
2377 | if (!ops) |
2378 | return ret_set_errno(-1, ENOENT); | |
2379 | ||
861cb8c2 | 2380 | controller = must_copy_string(filename); |
0069cc61 CB |
2381 | p = strchr(controller, '.'); |
2382 | if (p) | |
ccb4cabe SH |
2383 | *p = '\0'; |
2384 | ||
0069cc61 CB |
2385 | path = lxc_cmd_get_cgroup_path(name, lxcpath, controller); |
2386 | /* not running */ | |
2387 | if (!path) | |
ccb4cabe SH |
2388 | return -1; |
2389 | ||
2202afc9 | 2390 | h = get_hierarchy(ops, controller); |
ccb4cabe | 2391 | if (h) { |
88396101 | 2392 | __do_free char *fullpath = NULL; |
0069cc61 CB |
2393 | |
2394 | fullpath = build_full_cgpath_from_monitorpath(h, path, filename); | |
ccb4cabe | 2395 | ret = lxc_read_from_file(fullpath, value, len); |
ccb4cabe | 2396 | } |
ccb4cabe SH |
2397 | |
2398 | return ret; | |
2399 | } | |
2400 | ||
cb3fc90c CB |
2401 | static int device_cgroup_parse_access(struct device_item *device, const char *val) |
2402 | { | |
2403 | for (int count = 0; count < 3; count++, val++) { | |
2404 | switch (*val) { | |
2405 | case 'r': | |
2406 | device->access[count] = *val; | |
2407 | break; | |
2408 | case 'w': | |
2409 | device->access[count] = *val; | |
2410 | break; | |
2411 | case 'm': | |
2412 | device->access[count] = *val; | |
2413 | break; | |
2414 | case '\n': | |
2415 | case '\0': | |
2416 | count = 3; | |
2417 | break; | |
2418 | default: | |
2419 | return ret_errno(EINVAL); | |
2420 | } | |
2421 | } | |
2422 | ||
2423 | return 0; | |
2424 | } | |
2425 | ||
2a63b5cb CB |
2426 | static int device_cgroup_rule_parse(struct device_item *device, const char *key, |
2427 | const char *val) | |
2428 | { | |
2429 | int count, ret; | |
2430 | char temp[50]; | |
2431 | ||
2432 | if (strcmp("devices.allow", key) == 0) | |
2433 | device->allow = 1; | |
2434 | else | |
2435 | device->allow = 0; | |
2436 | ||
2437 | if (strcmp(val, "a") == 0) { | |
2438 | /* global rule */ | |
2439 | device->type = 'a'; | |
2440 | device->major = -1; | |
2441 | device->minor = -1; | |
fda39d45 CB |
2442 | device->global_rule = device->allow |
2443 | ? LXC_BPF_DEVICE_CGROUP_BLACKLIST | |
2444 | : LXC_BPF_DEVICE_CGROUP_WHITELIST; | |
2a63b5cb CB |
2445 | device->allow = -1; |
2446 | return 0; | |
2a63b5cb CB |
2447 | } |
2448 | ||
77c3e9a2 CB |
2449 | /* local rule */ |
2450 | device->global_rule = LXC_BPF_DEVICE_CGROUP_LOCAL_RULE; | |
2451 | ||
2a63b5cb CB |
2452 | switch (*val) { |
2453 | case 'a': | |
2454 | __fallthrough; | |
2455 | case 'b': | |
2456 | __fallthrough; | |
2457 | case 'c': | |
2458 | device->type = *val; | |
2459 | break; | |
2460 | default: | |
2461 | return -1; | |
2462 | } | |
2463 | ||
2464 | val++; | |
2465 | if (!isspace(*val)) | |
2466 | return -1; | |
2467 | val++; | |
2468 | if (*val == '*') { | |
2469 | device->major = -1; | |
2470 | val++; | |
2471 | } else if (isdigit(*val)) { | |
2472 | memset(temp, 0, sizeof(temp)); | |
2473 | for (count = 0; count < sizeof(temp) - 1; count++) { | |
2474 | temp[count] = *val; | |
2475 | val++; | |
2476 | if (!isdigit(*val)) | |
2477 | break; | |
2478 | } | |
2479 | ret = lxc_safe_int(temp, &device->major); | |
2480 | if (ret) | |
2481 | return -1; | |
2482 | } else { | |
2483 | return -1; | |
2484 | } | |
2485 | if (*val != ':') | |
2486 | return -1; | |
2487 | val++; | |
2488 | ||
2489 | /* read minor */ | |
2490 | if (*val == '*') { | |
2491 | device->minor = -1; | |
2492 | val++; | |
2493 | } else if (isdigit(*val)) { | |
2494 | memset(temp, 0, sizeof(temp)); | |
2495 | for (count = 0; count < sizeof(temp) - 1; count++) { | |
2496 | temp[count] = *val; | |
2497 | val++; | |
2498 | if (!isdigit(*val)) | |
2499 | break; | |
2500 | } | |
2501 | ret = lxc_safe_int(temp, &device->minor); | |
2502 | if (ret) | |
2503 | return -1; | |
2504 | } else { | |
2505 | return -1; | |
2506 | } | |
2507 | if (!isspace(*val)) | |
2508 | return -1; | |
2a63b5cb | 2509 | |
cb3fc90c | 2510 | return device_cgroup_parse_access(device, ++val); |
2a63b5cb CB |
2511 | } |
2512 | ||
eec533e3 CB |
2513 | /* Called externally (i.e. from 'lxc-cgroup') to set new cgroup limits. Here we |
2514 | * don't have a cgroup_data set up, so we ask the running container through the | |
2515 | * commands API for the cgroup path. | |
ccb4cabe | 2516 | */ |
b857f4be | 2517 | __cgfsng_ops static int cgfsng_set(struct cgroup_ops *ops, |
2a63b5cb | 2518 | const char *key, const char *value, |
fb55e009 | 2519 | const char *name, const char *lxcpath) |
ccb4cabe | 2520 | { |
d97919ab | 2521 | __do_free char *path = NULL; |
88396101 | 2522 | __do_free char *controller = NULL; |
d97919ab | 2523 | char *p; |
87777968 | 2524 | struct hierarchy *h; |
861cb8c2 | 2525 | int ret = -1; |
ccb4cabe | 2526 | |
a358028a CB |
2527 | if (!ops) |
2528 | return ret_set_errno(-1, ENOENT); | |
2529 | ||
2a63b5cb | 2530 | controller = must_copy_string(key); |
87777968 CB |
2531 | p = strchr(controller, '.'); |
2532 | if (p) | |
ccb4cabe SH |
2533 | *p = '\0'; |
2534 | ||
2a63b5cb CB |
2535 | if (pure_unified_layout(ops) && strcmp(controller, "devices") == 0) { |
2536 | struct device_item device = {0}; | |
2537 | ||
2538 | ret = device_cgroup_rule_parse(&device, key, value); | |
2539 | if (ret < 0) | |
d2203230 | 2540 | return log_error_errno(-1, EINVAL, "Failed to parse device string %s=%s", |
2a63b5cb CB |
2541 | key, value); |
2542 | ||
2543 | ret = lxc_cmd_add_bpf_device_cgroup(name, lxcpath, &device); | |
2544 | if (ret < 0) | |
2545 | return -1; | |
2546 | ||
2547 | return 0; | |
2548 | } | |
2549 | ||
87777968 CB |
2550 | path = lxc_cmd_get_cgroup_path(name, lxcpath, controller); |
2551 | /* not running */ | |
2552 | if (!path) | |
ccb4cabe SH |
2553 | return -1; |
2554 | ||
2202afc9 | 2555 | h = get_hierarchy(ops, controller); |
ccb4cabe | 2556 | if (h) { |
88396101 | 2557 | __do_free char *fullpath = NULL; |
87777968 | 2558 | |
2a63b5cb | 2559 | fullpath = build_full_cgpath_from_monitorpath(h, path, key); |
7cea5905 | 2560 | ret = lxc_write_to_file(fullpath, value, strlen(value), false, 0666); |
ccb4cabe | 2561 | } |
ccb4cabe SH |
2562 | |
2563 | return ret; | |
2564 | } | |
2565 | ||
91d1a13a | 2566 | /* take devices cgroup line |
72add155 SH |
2567 | * /dev/foo rwx |
2568 | * and convert it to a valid | |
2569 | * type major:minor mode | |
91d1a13a CB |
2570 | * line. Return <0 on error. Dest is a preallocated buffer long enough to hold |
2571 | * the output. | |
72add155 | 2572 | */ |
cb3fc90c CB |
2573 | static int device_cgroup_rule_parse_devpath(struct device_item *device, |
2574 | const char *devpath) | |
72add155 | 2575 | { |
88396101 | 2576 | __do_free char *path = NULL; |
2a06d041 | 2577 | char *mode = NULL; |
cb3fc90c CB |
2578 | int n_parts, ret; |
2579 | char *p; | |
2580 | struct stat sb; | |
72add155 | 2581 | |
cb3fc90c | 2582 | path = must_copy_string(devpath); |
72add155 | 2583 | |
cb3fc90c CB |
2584 | /* |
2585 | * Read path followed by mode. Ignore any trailing text. | |
91d1a13a CB |
2586 | * A ' # comment' would be legal. Technically other text is not |
2587 | * legal, we could check for that if we cared to. | |
72add155 | 2588 | */ |
0dbdb99e | 2589 | for (n_parts = 1, p = path; *p; p++) { |
2c2d6c49 SH |
2590 | if (*p != ' ') |
2591 | continue; | |
2592 | *p = '\0'; | |
91d1a13a | 2593 | |
2c2d6c49 SH |
2594 | if (n_parts != 1) |
2595 | break; | |
2596 | p++; | |
2597 | n_parts++; | |
91d1a13a | 2598 | |
2c2d6c49 SH |
2599 | while (*p == ' ') |
2600 | p++; | |
91d1a13a | 2601 | |
2c2d6c49 | 2602 | mode = p; |
91d1a13a | 2603 | |
2c2d6c49 | 2604 | if (*p == '\0') |
cb3fc90c | 2605 | return ret_set_errno(-1, EINVAL); |
72add155 | 2606 | } |
2c2d6c49 | 2607 | |
cb3fc90c CB |
2608 | if (device_cgroup_parse_access(device, mode) < 0) |
2609 | return -1; | |
2610 | ||
2c2d6c49 | 2611 | if (n_parts == 1) |
cb3fc90c | 2612 | return ret_set_errno(-1, EINVAL); |
72add155 SH |
2613 | |
2614 | ret = stat(path, &sb); | |
2615 | if (ret < 0) | |
cb3fc90c | 2616 | return ret_set_errno(-1, errno); |
72add155 | 2617 | |
72add155 SH |
2618 | mode_t m = sb.st_mode & S_IFMT; |
2619 | switch (m) { | |
2620 | case S_IFBLK: | |
cb3fc90c | 2621 | device->type = 'b'; |
72add155 SH |
2622 | break; |
2623 | case S_IFCHR: | |
cb3fc90c | 2624 | device->type = 'c'; |
72add155 | 2625 | break; |
2c2d6c49 | 2626 | default: |
77c3e9a2 | 2627 | return log_error_errno(-1, EINVAL, "Unsupported device type %i for \"%s\"", m, path); |
72add155 | 2628 | } |
2c2d6c49 | 2629 | |
cb3fc90c CB |
2630 | device->major = MAJOR(sb.st_rdev); |
2631 | device->minor = MINOR(sb.st_rdev); | |
2632 | device->allow = 1; | |
2633 | device->global_rule = LXC_BPF_DEVICE_CGROUP_LOCAL_RULE; | |
72add155 | 2634 | |
cb3fc90c CB |
2635 | return 0; |
2636 | } | |
2637 | ||
2638 | static int convert_devpath(const char *invalue, char *dest) | |
2639 | { | |
2640 | struct device_item device = {0}; | |
2641 | int ret; | |
2642 | ||
2643 | ret = device_cgroup_rule_parse_devpath(&device, invalue); | |
2644 | if (ret < 0) | |
2645 | return -1; | |
2646 | ||
2647 | ret = snprintf(dest, 50, "%c %d:%d %s", device.type, device.major, | |
2648 | device.minor, device.access); | |
2649 | if (ret < 0 || ret >= 50) | |
77c3e9a2 CB |
2650 | return log_error_errno(-1, ENAMETOOLONG, "Error on configuration value \"%c %d:%d %s\" (max 50 chars)", |
2651 | device.type, device.major, device.minor, device.access); | |
cb3fc90c CB |
2652 | |
2653 | return 0; | |
72add155 SH |
2654 | } |
2655 | ||
90e97284 CB |
2656 | /* Called from setup_limits - here we have the container's cgroup_data because |
2657 | * we created the cgroups. | |
ccb4cabe | 2658 | */ |
2202afc9 CB |
2659 | static int cg_legacy_set_data(struct cgroup_ops *ops, const char *filename, |
2660 | const char *value) | |
ccb4cabe | 2661 | { |
88396101 | 2662 | __do_free char *controller = NULL; |
d97919ab | 2663 | char *p; |
1a0e70ac CB |
2664 | /* "b|c <2^64-1>:<2^64-1> r|w|m" = 47 chars max */ |
2665 | char converted_value[50]; | |
b3646d7e | 2666 | struct hierarchy *h; |
64e82f8b | 2667 | |
861cb8c2 | 2668 | controller = must_copy_string(filename); |
ab1a6cac CB |
2669 | p = strchr(controller, '.'); |
2670 | if (p) | |
ccb4cabe SH |
2671 | *p = '\0'; |
2672 | ||
c8bf519d | 2673 | if (strcmp("devices.allow", filename) == 0 && value[0] == '/') { |
c04a6d4e CB |
2674 | int ret; |
2675 | ||
72add155 SH |
2676 | ret = convert_devpath(value, converted_value); |
2677 | if (ret < 0) | |
c8bf519d | 2678 | return ret; |
72add155 | 2679 | value = converted_value; |
c8bf519d | 2680 | } |
2681 | ||
2202afc9 | 2682 | h = get_hierarchy(ops, controller); |
77c3e9a2 CB |
2683 | if (!h) |
2684 | return log_error_errno(-ENOENT, ENOENT, "Failed to setup limits for the \"%s\" controller. The controller seems to be unused by \"cgfsng\" cgroup driver or not enabled on the cgroup hierarchy", controller); | |
b3646d7e | 2685 | |
c04a6d4e | 2686 | return lxc_write_openat(h->container_full_path, filename, value, strlen(value)); |
ccb4cabe SH |
2687 | } |
2688 | ||
c581d2a6 CB |
2689 | __cgfsng_ops static bool cgfsng_setup_limits_legacy(struct cgroup_ops *ops, |
2690 | struct lxc_conf *conf, | |
2691 | bool do_devices) | |
ccb4cabe | 2692 | { |
d97919ab | 2693 | __do_free struct lxc_list *sorted_cgroup_settings = NULL; |
c581d2a6 | 2694 | struct lxc_list *cgroup_settings = &conf->cgroup; |
d97919ab | 2695 | struct lxc_list *iterator, *next; |
ccb4cabe | 2696 | struct lxc_cgroup *cg; |
ccb4cabe SH |
2697 | bool ret = false; |
2698 | ||
92ca7eb5 CB |
2699 | if (!ops) |
2700 | return ret_set_errno(false, ENOENT); | |
2701 | ||
2702 | if (!conf) | |
2703 | return ret_set_errno(false, EINVAL); | |
2704 | ||
2705 | cgroup_settings = &conf->cgroup; | |
ccb4cabe SH |
2706 | if (lxc_list_empty(cgroup_settings)) |
2707 | return true; | |
2708 | ||
69b4a4bb | 2709 | if (!ops->hierarchies) |
92ca7eb5 | 2710 | return ret_set_errno(false, EINVAL); |
69b4a4bb | 2711 | |
ccb4cabe | 2712 | sorted_cgroup_settings = sort_cgroup_settings(cgroup_settings); |
6b38e644 | 2713 | if (!sorted_cgroup_settings) |
ccb4cabe | 2714 | return false; |
ccb4cabe | 2715 | |
ccb4cabe SH |
2716 | lxc_list_for_each(iterator, sorted_cgroup_settings) { |
2717 | cg = iterator->elem; | |
2718 | ||
2719 | if (do_devices == !strncmp("devices", cg->subsystem, 7)) { | |
2202afc9 | 2720 | if (cg_legacy_set_data(ops, cg->subsystem, cg->value)) { |
fc3b9533 CB |
2721 | if (do_devices && (errno == EACCES || errno == EPERM)) { |
2722 | SYSWARN("Failed to set \"%s\" to \"%s\"", cg->subsystem, cg->value); | |
2723 | continue; | |
2724 | } | |
2725 | SYSERROR("Failed to set \"%s\" to \"%s\"", cg->subsystem, cg->value); | |
2726 | goto out; | |
ccb4cabe | 2727 | } |
77c3e9a2 | 2728 | DEBUG("Set controller \"%s\" set to \"%s\"", cg->subsystem, cg->value); |
ccb4cabe | 2729 | } |
ccb4cabe SH |
2730 | } |
2731 | ||
2732 | ret = true; | |
6b38e644 | 2733 | INFO("Limits for the legacy cgroup hierarchies have been setup"); |
ccb4cabe | 2734 | out: |
ccb4cabe SH |
2735 | lxc_list_for_each_safe(iterator, sorted_cgroup_settings, next) { |
2736 | lxc_list_del(iterator); | |
2737 | free(iterator); | |
2738 | } | |
d97919ab | 2739 | |
ccb4cabe SH |
2740 | return ret; |
2741 | } | |
2742 | ||
bf651989 CB |
2743 | /* |
2744 | * Some of the parsing logic comes from the original cgroup device v1 | |
2745 | * implementation in the kernel. | |
2746 | */ | |
4bfb655e CB |
2747 | static int bpf_device_cgroup_prepare(struct cgroup_ops *ops, |
2748 | struct lxc_conf *conf, const char *key, | |
bf651989 CB |
2749 | const char *val) |
2750 | { | |
2751 | #ifdef HAVE_STRUCT_BPF_CGROUP_DEV_CTX | |
4bfb655e | 2752 | struct device_item device_item = {0}; |
2a63b5cb | 2753 | int ret; |
bf651989 | 2754 | |
cb3fc90c CB |
2755 | if (strcmp("devices.allow", key) == 0 && *val == '/') |
2756 | ret = device_cgroup_rule_parse_devpath(&device_item, val); | |
2757 | else | |
2758 | ret = device_cgroup_rule_parse(&device_item, key, val); | |
2a63b5cb | 2759 | if (ret < 0) |
77c3e9a2 | 2760 | return log_error_errno(-1, EINVAL, "Failed to parse device string %s=%s", key, val); |
4bfb655e CB |
2761 | |
2762 | ret = bpf_list_add_device(conf, &device_item); | |
2a63b5cb | 2763 | if (ret < 0) |
4bfb655e | 2764 | return -1; |
bf651989 CB |
2765 | #endif |
2766 | return 0; | |
2767 | } | |
2768 | ||
c581d2a6 CB |
2769 | __cgfsng_ops static bool cgfsng_setup_limits(struct cgroup_ops *ops, |
2770 | struct lxc_handler *handler) | |
6b38e644 | 2771 | { |
7e31931f CB |
2772 | struct lxc_list *cgroup_settings, *iterator; |
2773 | struct hierarchy *h; | |
2774 | struct lxc_conf *conf; | |
6b38e644 | 2775 | |
7e31931f CB |
2776 | if (!ops) |
2777 | return ret_set_errno(false, ENOENT); | |
2778 | ||
2779 | if (!ops->hierarchies) | |
6b38e644 CB |
2780 | return true; |
2781 | ||
7e31931f CB |
2782 | if (!ops->container_cgroup) |
2783 | return ret_set_errno(false, EINVAL); | |
2784 | ||
2785 | if (!handler || !handler->conf) | |
2786 | return ret_set_errno(false, EINVAL); | |
2787 | conf = handler->conf; | |
2788 | ||
2789 | if (lxc_list_empty(&conf->cgroup2)) | |
2790 | return true; | |
2791 | cgroup_settings = &conf->cgroup2; | |
2792 | ||
2793 | if (!ops->unified) | |
6b38e644 | 2794 | return false; |
7e31931f | 2795 | h = ops->unified; |
6b38e644 | 2796 | |
bf651989 | 2797 | lxc_list_for_each (iterator, cgroup_settings) { |
6b38e644 | 2798 | struct lxc_cgroup *cg = iterator->elem; |
c04a6d4e | 2799 | int ret; |
6b38e644 | 2800 | |
bf651989 | 2801 | if (strncmp("devices", cg->subsystem, 7) == 0) { |
4bfb655e | 2802 | ret = bpf_device_cgroup_prepare(ops, conf, cg->subsystem, |
bf651989 CB |
2803 | cg->value); |
2804 | } else { | |
c04a6d4e CB |
2805 | ret = lxc_write_openat(h->container_full_path, |
2806 | cg->subsystem, cg->value, | |
2807 | strlen(cg->value)); | |
7e31931f | 2808 | if (ret < 0) |
77c3e9a2 | 2809 | return log_error_errno(false, errno, "Failed to set \"%s\" to \"%s\"", |
7e31931f | 2810 | cg->subsystem, cg->value); |
6b38e644 CB |
2811 | } |
2812 | TRACE("Set \"%s\" to \"%s\"", cg->subsystem, cg->value); | |
2813 | } | |
2814 | ||
7e31931f | 2815 | return log_info(true, "Limits for the unified cgroup hierarchy have been setup"); |
6b38e644 CB |
2816 | } |
2817 | ||
bf651989 CB |
2818 | __cgfsng_ops bool cgfsng_devices_activate(struct cgroup_ops *ops, |
2819 | struct lxc_handler *handler) | |
2820 | { | |
2821 | #ifdef HAVE_STRUCT_BPF_CGROUP_DEV_CTX | |
2a63b5cb | 2822 | __do_bpf_program_free struct bpf_program *devices = NULL; |
bf651989 | 2823 | int ret; |
e552bd1a CB |
2824 | struct lxc_conf *conf; |
2825 | struct hierarchy *unified; | |
2a63b5cb CB |
2826 | struct lxc_list *it; |
2827 | struct bpf_program *devices_old; | |
bf651989 | 2828 | |
e552bd1a CB |
2829 | if (!ops) |
2830 | return ret_set_errno(false, ENOENT); | |
2831 | ||
2832 | if (!ops->hierarchies) | |
2833 | return true; | |
2834 | ||
2835 | if (!ops->container_cgroup) | |
2836 | return ret_set_errno(false, EEXIST); | |
2837 | ||
2838 | if (!handler || !handler->conf) | |
2839 | return ret_set_errno(false, EINVAL); | |
2840 | conf = handler->conf; | |
2841 | ||
2842 | unified = ops->unified; | |
9994db51 CB |
2843 | if (!unified || !unified->bpf_device_controller || |
2844 | !unified->container_full_path || lxc_list_empty(&conf->devices)) | |
bf651989 CB |
2845 | return true; |
2846 | ||
2a63b5cb CB |
2847 | devices = bpf_program_new(BPF_PROG_TYPE_CGROUP_DEVICE); |
2848 | if (!devices) | |
77c3e9a2 | 2849 | return log_error_errno(false, ENOMEM, "Failed to create new bpf program"); |
2a63b5cb CB |
2850 | |
2851 | ret = bpf_program_init(devices); | |
bf651989 | 2852 | if (ret) |
77c3e9a2 | 2853 | return log_error_errno(false, ENOMEM, "Failed to initialize bpf program"); |
2a63b5cb CB |
2854 | |
2855 | lxc_list_for_each(it, &conf->devices) { | |
2856 | struct device_item *cur = it->elem; | |
2857 | ||
2858 | ret = bpf_program_append_device(devices, cur); | |
2859 | if (ret) | |
77c3e9a2 CB |
2860 | return log_error_errno(false, ENOMEM, "Failed to add new rule to bpf device program: type %c, major %d, minor %d, access %s, allow %d, global_rule %d", |
2861 | cur->type, | |
2862 | cur->major, | |
2863 | cur->minor, | |
2864 | cur->access, | |
2865 | cur->allow, | |
2866 | cur->global_rule); | |
2a63b5cb | 2867 | TRACE("Added rule to bpf device program: type %c, major %d, minor %d, access %s, allow %d, global_rule %d", |
77c3e9a2 CB |
2868 | cur->type, |
2869 | cur->major, | |
2870 | cur->minor, | |
2871 | cur->access, | |
2872 | cur->allow, | |
2873 | cur->global_rule); | |
2a63b5cb CB |
2874 | } |
2875 | ||
2876 | ret = bpf_program_finalize(devices); | |
2877 | if (ret) | |
77c3e9a2 | 2878 | return log_error_errno(false, ENOMEM, "Failed to finalize bpf program"); |
bf651989 | 2879 | |
2a63b5cb CB |
2880 | ret = bpf_program_cgroup_attach(devices, BPF_CGROUP_DEVICE, |
2881 | unified->container_full_path, | |
cce5a3d7 CB |
2882 | BPF_F_ALLOW_MULTI); |
2883 | if (ret) | |
77c3e9a2 | 2884 | return log_error_errno(false, ENOMEM, "Failed to attach bpf program"); |
cce5a3d7 CB |
2885 | |
2886 | /* Replace old bpf program. */ | |
2a63b5cb CB |
2887 | devices_old = move_ptr(conf->cgroup2_devices); |
2888 | conf->cgroup2_devices = move_ptr(devices); | |
2889 | devices = move_ptr(devices_old); | |
bf651989 | 2890 | #endif |
cce5a3d7 | 2891 | return true; |
bf651989 CB |
2892 | } |
2893 | ||
c581d2a6 | 2894 | bool __cgfsng_delegate_controllers(struct cgroup_ops *ops, const char *cgroup) |
6b38e644 | 2895 | { |
c581d2a6 | 2896 | __do_free char *add_controllers = NULL, *base_path = NULL; |
f761d24d | 2897 | __do_free_string_list char **parts = NULL; |
c581d2a6 CB |
2898 | struct hierarchy *unified = ops->unified; |
2899 | ssize_t parts_len; | |
2900 | char **it; | |
2901 | size_t full_len = 0; | |
6b38e644 | 2902 | |
c581d2a6 CB |
2903 | if (!ops->hierarchies || !pure_unified_layout(ops) || |
2904 | !unified->controllers[0]) | |
bf651989 CB |
2905 | return true; |
2906 | ||
c581d2a6 CB |
2907 | /* For now we simply enable all controllers that we have detected by |
2908 | * creating a string like "+memory +pids +cpu +io". | |
2909 | * TODO: In the near future we might want to support "-<controller>" | |
2910 | * etc. but whether supporting semantics like this make sense will need | |
2911 | * some thinking. | |
2912 | */ | |
2913 | for (it = unified->controllers; it && *it; it++) { | |
2914 | full_len += strlen(*it) + 2; | |
2915 | add_controllers = must_realloc(add_controllers, full_len + 1); | |
2916 | ||
2917 | if (unified->controllers[0] == *it) | |
2918 | add_controllers[0] = '\0'; | |
2919 | ||
2920 | (void)strlcat(add_controllers, "+", full_len + 1); | |
2921 | (void)strlcat(add_controllers, *it, full_len + 1); | |
2922 | ||
2923 | if ((it + 1) && *(it + 1)) | |
2924 | (void)strlcat(add_controllers, " ", full_len + 1); | |
2925 | } | |
2926 | ||
2927 | parts = lxc_string_split(cgroup, '/'); | |
2928 | if (!parts) | |
f761d24d | 2929 | return false; |
c581d2a6 CB |
2930 | |
2931 | parts_len = lxc_array_len((void **)parts); | |
2932 | if (parts_len > 0) | |
2933 | parts_len--; | |
2934 | ||
2935 | base_path = must_make_path(unified->mountpoint, unified->container_base_path, NULL); | |
2936 | for (ssize_t i = -1; i < parts_len; i++) { | |
2937 | int ret; | |
2938 | __do_free char *target = NULL; | |
2939 | ||
2940 | if (i >= 0) | |
2941 | base_path = must_append_path(base_path, parts[i], NULL); | |
2942 | target = must_make_path(base_path, "cgroup.subtree_control", NULL); | |
2943 | ret = lxc_writeat(-1, target, add_controllers, full_len); | |
61fbc369 | 2944 | if (ret < 0) |
f761d24d CB |
2945 | return log_error_errno(false, errno, "Could not enable \"%s\" controllers in the unified cgroup \"%s\"", |
2946 | add_controllers, target); | |
c581d2a6 CB |
2947 | TRACE("Enable \"%s\" controllers in the unified cgroup \"%s\"", add_controllers, target); |
2948 | } | |
2949 | ||
f761d24d | 2950 | return true; |
c581d2a6 CB |
2951 | } |
2952 | ||
2953 | __cgfsng_ops bool cgfsng_monitor_delegate_controllers(struct cgroup_ops *ops) | |
2954 | { | |
61fbc369 CB |
2955 | if (!ops) |
2956 | return ret_set_errno(false, ENOENT); | |
2957 | ||
c581d2a6 CB |
2958 | return __cgfsng_delegate_controllers(ops, ops->monitor_cgroup); |
2959 | } | |
2960 | ||
2961 | __cgfsng_ops bool cgfsng_payload_delegate_controllers(struct cgroup_ops *ops) | |
2962 | { | |
61fbc369 CB |
2963 | if (!ops) |
2964 | return ret_set_errno(false, ENOENT); | |
2965 | ||
c581d2a6 | 2966 | return __cgfsng_delegate_controllers(ops, ops->container_cgroup); |
2202afc9 CB |
2967 | } |
2968 | ||
b7b18fc5 CB |
2969 | static bool cgroup_use_wants_controllers(const struct cgroup_ops *ops, |
2970 | char **controllers) | |
2971 | { | |
b7b18fc5 CB |
2972 | if (!ops->cgroup_use) |
2973 | return true; | |
2974 | ||
431e2c54 | 2975 | for (char **cur_ctrl = controllers; cur_ctrl && *cur_ctrl; cur_ctrl++) { |
b7b18fc5 CB |
2976 | bool found = false; |
2977 | ||
431e2c54 | 2978 | for (char **cur_use = ops->cgroup_use; cur_use && *cur_use; cur_use++) { |
b7b18fc5 CB |
2979 | if (strcmp(*cur_use, *cur_ctrl) != 0) |
2980 | continue; | |
2981 | ||
2982 | found = true; | |
2983 | break; | |
2984 | } | |
2985 | ||
2986 | if (found) | |
2987 | continue; | |
2988 | ||
2989 | return false; | |
2990 | } | |
2991 | ||
2992 | return true; | |
2993 | } | |
2994 | ||
a6ca2ed8 CB |
2995 | static void cg_unified_delegate(char ***delegate) |
2996 | { | |
d606c4e9 | 2997 | __do_free char *buf = NULL; |
a6ca2ed8 | 2998 | char *standard[] = {"cgroup.subtree_control", "cgroup.threads", NULL}; |
d606c4e9 CB |
2999 | char *token; |
3000 | int idx; | |
a6ca2ed8 | 3001 | |
d606c4e9 CB |
3002 | buf = read_file("/sys/kernel/cgroup/delegate"); |
3003 | if (!buf) { | |
a6ca2ed8 CB |
3004 | for (char **p = standard; p && *p; p++) { |
3005 | idx = append_null_to_list((void ***)delegate); | |
3006 | (*delegate)[idx] = must_copy_string(*p); | |
3007 | } | |
fc3b9533 CB |
3008 | SYSWARN("Failed to read /sys/kernel/cgroup/delegate"); |
3009 | return; | |
d606c4e9 | 3010 | } |
a6ca2ed8 | 3011 | |
d606c4e9 CB |
3012 | lxc_iterate_parts (token, buf, " \t\n") { |
3013 | /* | |
3014 | * We always need to chown this for both cgroup and | |
3015 | * cgroup2. | |
3016 | */ | |
3017 | if (strcmp(token, "cgroup.procs") == 0) | |
3018 | continue; | |
3019 | ||
3020 | idx = append_null_to_list((void ***)delegate); | |
3021 | (*delegate)[idx] = must_copy_string(token); | |
a6ca2ed8 CB |
3022 | } |
3023 | } | |
3024 | ||
2202afc9 CB |
3025 | /* At startup, parse_hierarchies finds all the info we need about cgroup |
3026 | * mountpoints and current cgroups, and stores it in @d. | |
3027 | */ | |
341e6516 | 3028 | static int cg_hybrid_init(struct cgroup_ops *ops, bool relative, bool unprivileged) |
2202afc9 | 3029 | { |
bbba37f7 CB |
3030 | __do_free char *basecginfo = NULL, *line = NULL; |
3031 | __do_free_string_list char **klist = NULL, **nlist = NULL; | |
d97919ab | 3032 | __do_fclose FILE *f = NULL; |
2202afc9 | 3033 | int ret; |
2202afc9 | 3034 | size_t len = 0; |
2202afc9 CB |
3035 | |
3036 | /* Root spawned containers escape the current cgroup, so use init's | |
3037 | * cgroups as our base in that case. | |
3038 | */ | |
9caee129 | 3039 | if (!relative && (geteuid() == 0)) |
2202afc9 CB |
3040 | basecginfo = read_file("/proc/1/cgroup"); |
3041 | else | |
3042 | basecginfo = read_file("/proc/self/cgroup"); | |
3043 | if (!basecginfo) | |
341e6516 | 3044 | return ret_set_errno(-1, ENOMEM); |
2202afc9 CB |
3045 | |
3046 | ret = get_existing_subsystems(&klist, &nlist); | |
341e6516 CB |
3047 | if (ret < 0) |
3048 | return log_error_errno(-1, errno, "Failed to retrieve available legacy cgroup controllers"); | |
2202afc9 | 3049 | |
4110345b | 3050 | f = fopen("/proc/self/mountinfo", "re"); |
341e6516 CB |
3051 | if (!f) |
3052 | return log_error_errno(-1, errno, "Failed to open \"/proc/self/mountinfo\""); | |
2202afc9 CB |
3053 | |
3054 | lxc_cgfsng_print_basecg_debuginfo(basecginfo, klist, nlist); | |
3055 | ||
3056 | while (getline(&line, &len, f) != -1) { | |
bbba37f7 CB |
3057 | __do_free char *base_cgroup = NULL, *mountpoint = NULL; |
3058 | __do_free_string_list char **controller_list = NULL; | |
2202afc9 CB |
3059 | int type; |
3060 | bool writeable; | |
3061 | struct hierarchy *new; | |
2202afc9 CB |
3062 | |
3063 | type = get_cgroup_version(line); | |
3064 | if (type == 0) | |
3065 | continue; | |
3066 | ||
3067 | if (type == CGROUP2_SUPER_MAGIC && ops->unified) | |
3068 | continue; | |
3069 | ||
3070 | if (ops->cgroup_layout == CGROUP_LAYOUT_UNKNOWN) { | |
3071 | if (type == CGROUP2_SUPER_MAGIC) | |
3072 | ops->cgroup_layout = CGROUP_LAYOUT_UNIFIED; | |
3073 | else if (type == CGROUP_SUPER_MAGIC) | |
3074 | ops->cgroup_layout = CGROUP_LAYOUT_LEGACY; | |
3075 | } else if (ops->cgroup_layout == CGROUP_LAYOUT_UNIFIED) { | |
3076 | if (type == CGROUP_SUPER_MAGIC) | |
3077 | ops->cgroup_layout = CGROUP_LAYOUT_HYBRID; | |
3078 | } else if (ops->cgroup_layout == CGROUP_LAYOUT_LEGACY) { | |
3079 | if (type == CGROUP2_SUPER_MAGIC) | |
3080 | ops->cgroup_layout = CGROUP_LAYOUT_HYBRID; | |
3081 | } | |
3082 | ||
3083 | controller_list = cg_hybrid_get_controllers(klist, nlist, line, type); | |
3084 | if (!controller_list && type == CGROUP_SUPER_MAGIC) | |
3085 | continue; | |
3086 | ||
3087 | if (type == CGROUP_SUPER_MAGIC) | |
fc3b9533 CB |
3088 | if (controller_list_is_dup(ops->hierarchies, controller_list)) { |
3089 | TRACE("Skipping duplicating controller"); | |
3090 | continue; | |
3091 | } | |
2202afc9 CB |
3092 | |
3093 | mountpoint = cg_hybrid_get_mountpoint(line); | |
fc3b9533 CB |
3094 | if (!mountpoint) { |
3095 | ERROR("Failed parsing mountpoint from \"%s\"", line); | |
3096 | continue; | |
3097 | } | |
2202afc9 CB |
3098 | |
3099 | if (type == CGROUP_SUPER_MAGIC) | |
3100 | base_cgroup = cg_hybrid_get_current_cgroup(basecginfo, controller_list[0], CGROUP_SUPER_MAGIC); | |
3101 | else | |
3102 | base_cgroup = cg_hybrid_get_current_cgroup(basecginfo, NULL, CGROUP2_SUPER_MAGIC); | |
fc3b9533 CB |
3103 | if (!base_cgroup) { |
3104 | ERROR("Failed to find current cgroup"); | |
3105 | continue; | |
3106 | } | |
2202afc9 CB |
3107 | |
3108 | trim(base_cgroup); | |
3109 | prune_init_scope(base_cgroup); | |
3110 | if (type == CGROUP2_SUPER_MAGIC) | |
3111 | writeable = test_writeable_v2(mountpoint, base_cgroup); | |
3112 | else | |
3113 | writeable = test_writeable_v1(mountpoint, base_cgroup); | |
fc3b9533 CB |
3114 | if (!writeable) { |
3115 | TRACE("The %s group is not writeable", base_cgroup); | |
3116 | continue; | |
3117 | } | |
2202afc9 CB |
3118 | |
3119 | if (type == CGROUP2_SUPER_MAGIC) { | |
3120 | char *cgv2_ctrl_path; | |
3121 | ||
3122 | cgv2_ctrl_path = must_make_path(mountpoint, base_cgroup, | |
3123 | "cgroup.controllers", | |
3124 | NULL); | |
3125 | ||
3126 | controller_list = cg_unified_get_controllers(cgv2_ctrl_path); | |
3127 | free(cgv2_ctrl_path); | |
3128 | if (!controller_list) { | |
3129 | controller_list = cg_unified_make_empty_controller(); | |
3130 | TRACE("No controllers are enabled for " | |
3131 | "delegation in the unified hierarchy"); | |
3132 | } | |
3133 | } | |
3134 | ||
b7b18fc5 | 3135 | /* Exclude all controllers that cgroup use does not want. */ |
fc3b9533 CB |
3136 | if (!cgroup_use_wants_controllers(ops, controller_list)) { |
3137 | TRACE("Skipping controller"); | |
3138 | continue; | |
3139 | } | |
b7b18fc5 | 3140 | |
bbba37f7 | 3141 | new = add_hierarchy(&ops->hierarchies, move_ptr(controller_list), move_ptr(mountpoint), move_ptr(base_cgroup), type); |
a6ca2ed8 CB |
3142 | if (type == CGROUP2_SUPER_MAGIC && !ops->unified) { |
3143 | if (unprivileged) | |
3144 | cg_unified_delegate(&new->cgroup2_chown); | |
2202afc9 | 3145 | ops->unified = new; |
a6ca2ed8 | 3146 | } |
2202afc9 CB |
3147 | } |
3148 | ||
2202afc9 CB |
3149 | TRACE("Writable cgroup hierarchies:"); |
3150 | lxc_cgfsng_print_hierarchies(ops); | |
3151 | ||
3152 | /* verify that all controllers in cgroup.use and all crucial | |
3153 | * controllers are accounted for | |
3154 | */ | |
3155 | if (!all_controllers_found(ops)) | |
341e6516 | 3156 | return log_error_errno(-1, ENOENT, "Failed to find all required controllers"); |
2202afc9 | 3157 | |
341e6516 | 3158 | return 0; |
2202afc9 CB |
3159 | } |
3160 | ||
2202afc9 | 3161 | /* Get current cgroup from /proc/self/cgroup for the cgroupfs v2 hierarchy. */ |
9caee129 | 3162 | static char *cg_unified_get_current_cgroup(bool relative) |
2202afc9 | 3163 | { |
88396101 | 3164 | __do_free char *basecginfo = NULL; |
d7314671 | 3165 | char *copy; |
d97919ab | 3166 | char *base_cgroup; |
2202afc9 | 3167 | |
9caee129 | 3168 | if (!relative && (geteuid() == 0)) |
2202afc9 CB |
3169 | basecginfo = read_file("/proc/1/cgroup"); |
3170 | else | |
3171 | basecginfo = read_file("/proc/self/cgroup"); | |
3172 | if (!basecginfo) | |
3173 | return NULL; | |
3174 | ||
3175 | base_cgroup = strstr(basecginfo, "0::/"); | |
3176 | if (!base_cgroup) | |
d7314671 | 3177 | return NULL; |
2202afc9 CB |
3178 | |
3179 | base_cgroup = base_cgroup + 3; | |
3180 | copy = copy_to_eol(base_cgroup); | |
3181 | if (!copy) | |
d7314671 | 3182 | return NULL; |
2202afc9 | 3183 | |
d7314671 | 3184 | return trim(copy); |
2202afc9 CB |
3185 | } |
3186 | ||
a6ca2ed8 CB |
3187 | static int cg_unified_init(struct cgroup_ops *ops, bool relative, |
3188 | bool unprivileged) | |
2202afc9 | 3189 | { |
d97919ab | 3190 | __do_free char *subtree_path = NULL; |
2202afc9 | 3191 | int ret; |
7717e175 | 3192 | char *mountpoint; |
2202afc9 | 3193 | char **delegatable; |
a6ca2ed8 | 3194 | struct hierarchy *new; |
2202afc9 CB |
3195 | char *base_cgroup = NULL; |
3196 | ||
d47ff01b | 3197 | ret = unified_cgroup_hierarchy(); |
2202afc9 | 3198 | if (ret == -ENOMEDIUM) |
d2203230 | 3199 | return ret_errno(ENOMEDIUM); |
2202afc9 CB |
3200 | |
3201 | if (ret != CGROUP2_SUPER_MAGIC) | |
3202 | return 0; | |
3203 | ||
9caee129 | 3204 | base_cgroup = cg_unified_get_current_cgroup(relative); |
2202afc9 | 3205 | if (!base_cgroup) |
d2203230 | 3206 | return ret_errno(EINVAL); |
c581d2a6 CB |
3207 | if (!relative) |
3208 | prune_init_scope(base_cgroup); | |
2202afc9 | 3209 | |
d606c4e9 CB |
3210 | /* |
3211 | * We assume that the cgroup we're currently in has been delegated to | |
3212 | * us and we are free to further delege all of the controllers listed | |
3213 | * in cgroup.controllers further down the hierarchy. | |
2202afc9 | 3214 | */ |
dca9587a | 3215 | mountpoint = must_copy_string(DEFAULT_CGROUP_MOUNTPOINT); |
c581d2a6 | 3216 | subtree_path = must_make_path(mountpoint, base_cgroup, "cgroup.controllers", NULL); |
2202afc9 | 3217 | delegatable = cg_unified_get_controllers(subtree_path); |
2202afc9 CB |
3218 | if (!delegatable) |
3219 | delegatable = cg_unified_make_empty_controller(); | |
3220 | if (!delegatable[0]) | |
3221 | TRACE("No controllers are enabled for delegation"); | |
3222 | ||
3223 | /* TODO: If the user requested specific controllers via lxc.cgroup.use | |
3224 | * we should verify here. The reason I'm not doing it right is that I'm | |
3225 | * not convinced that lxc.cgroup.use will be the future since it is a | |
3226 | * global property. I much rather have an option that lets you request | |
3227 | * controllers per container. | |
3228 | */ | |
3229 | ||
a6ca2ed8 | 3230 | new = add_hierarchy(&ops->hierarchies, delegatable, mountpoint, base_cgroup, CGROUP2_SUPER_MAGIC); |
d606c4e9 | 3231 | if (unprivileged) |
a6ca2ed8 | 3232 | cg_unified_delegate(&new->cgroup2_chown); |
2202afc9 | 3233 | |
2a63b5cb CB |
3234 | if (bpf_devices_cgroup_supported()) |
3235 | new->bpf_device_controller = 1; | |
3236 | ||
2202afc9 | 3237 | ops->cgroup_layout = CGROUP_LAYOUT_UNIFIED; |
908e0ee5 | 3238 | ops->unified = new; |
77c3e9a2 | 3239 | |
2202afc9 CB |
3240 | return CGROUP2_SUPER_MAGIC; |
3241 | } | |
3242 | ||
341e6516 | 3243 | static int cg_init(struct cgroup_ops *ops, struct lxc_conf *conf) |
2202afc9 CB |
3244 | { |
3245 | int ret; | |
3246 | const char *tmp; | |
9caee129 | 3247 | bool relative = conf->cgroup_meta.relative; |
2202afc9 CB |
3248 | |
3249 | tmp = lxc_global_config_value("lxc.cgroup.use"); | |
b7b18fc5 | 3250 | if (tmp) { |
88396101 | 3251 | __do_free char *pin = NULL; |
d97919ab | 3252 | char *chop, *cur; |
b7b18fc5 CB |
3253 | |
3254 | pin = must_copy_string(tmp); | |
3255 | chop = pin; | |
3256 | ||
d97919ab | 3257 | lxc_iterate_parts(cur, chop, ",") |
b7b18fc5 | 3258 | must_append_string(&ops->cgroup_use, cur); |
b7b18fc5 | 3259 | } |
2202afc9 | 3260 | |
a6ca2ed8 | 3261 | ret = cg_unified_init(ops, relative, !lxc_list_empty(&conf->id_map)); |
2202afc9 | 3262 | if (ret < 0) |
341e6516 | 3263 | return -1; |
2202afc9 CB |
3264 | |
3265 | if (ret == CGROUP2_SUPER_MAGIC) | |
341e6516 | 3266 | return 0; |
2202afc9 | 3267 | |
a6ca2ed8 | 3268 | return cg_hybrid_init(ops, relative, !lxc_list_empty(&conf->id_map)); |
2202afc9 CB |
3269 | } |
3270 | ||
341e6516 | 3271 | __cgfsng_ops static int cgfsng_data_init(struct cgroup_ops *ops) |
2202afc9 CB |
3272 | { |
3273 | const char *cgroup_pattern; | |
3274 | ||
341e6516 CB |
3275 | if (!ops) |
3276 | return ret_set_errno(-1, ENOENT); | |
3277 | ||
2202afc9 CB |
3278 | /* copy system-wide cgroup information */ |
3279 | cgroup_pattern = lxc_global_config_value("lxc.cgroup.pattern"); | |
b3ed2061 CB |
3280 | if (cgroup_pattern && strcmp(cgroup_pattern, "") != 0) |
3281 | ops->cgroup_pattern = must_copy_string(cgroup_pattern); | |
2202afc9 | 3282 | |
341e6516 | 3283 | return 0; |
2202afc9 CB |
3284 | } |
3285 | ||
5a087e05 | 3286 | struct cgroup_ops *cgfsng_ops_init(struct lxc_conf *conf) |
2202afc9 | 3287 | { |
a64edc1c | 3288 | __do_free struct cgroup_ops *cgfsng_ops = NULL; |
2202afc9 CB |
3289 | |
3290 | cgfsng_ops = malloc(sizeof(struct cgroup_ops)); | |
3291 | if (!cgfsng_ops) | |
341e6516 | 3292 | return ret_set_errno(NULL, ENOMEM); |
2202afc9 CB |
3293 | |
3294 | memset(cgfsng_ops, 0, sizeof(struct cgroup_ops)); | |
3295 | cgfsng_ops->cgroup_layout = CGROUP_LAYOUT_UNKNOWN; | |
3296 | ||
341e6516 | 3297 | if (cg_init(cgfsng_ops, conf)) |
2202afc9 | 3298 | return NULL; |
2202afc9 CB |
3299 | |
3300 | cgfsng_ops->data_init = cgfsng_data_init; | |
434c8e15 CB |
3301 | cgfsng_ops->payload_destroy = cgfsng_payload_destroy; |
3302 | cgfsng_ops->monitor_destroy = cgfsng_monitor_destroy; | |
72068e74 | 3303 | cgfsng_ops->monitor_create = cgfsng_monitor_create; |
eeef32bb | 3304 | cgfsng_ops->monitor_enter = cgfsng_monitor_enter; |
c581d2a6 CB |
3305 | cgfsng_ops->monitor_delegate_controllers = cgfsng_monitor_delegate_controllers; |
3306 | cgfsng_ops->payload_delegate_controllers = cgfsng_payload_delegate_controllers; | |
e8b181f5 CB |
3307 | cgfsng_ops->payload_create = cgfsng_payload_create; |
3308 | cgfsng_ops->payload_enter = cgfsng_payload_enter; | |
78eb6aa6 | 3309 | cgfsng_ops->payload_finalize = cgfsng_payload_finalize; |
2202afc9 CB |
3310 | cgfsng_ops->escape = cgfsng_escape; |
3311 | cgfsng_ops->num_hierarchies = cgfsng_num_hierarchies; | |
3312 | cgfsng_ops->get_hierarchies = cgfsng_get_hierarchies; | |
3313 | cgfsng_ops->get_cgroup = cgfsng_get_cgroup; | |
3314 | cgfsng_ops->get = cgfsng_get; | |
3315 | cgfsng_ops->set = cgfsng_set; | |
942e193e | 3316 | cgfsng_ops->freeze = cgfsng_freeze; |
2202afc9 | 3317 | cgfsng_ops->unfreeze = cgfsng_unfreeze; |
c581d2a6 | 3318 | cgfsng_ops->setup_limits_legacy = cgfsng_setup_limits_legacy; |
2202afc9 CB |
3319 | cgfsng_ops->setup_limits = cgfsng_setup_limits; |
3320 | cgfsng_ops->driver = "cgfsng"; | |
3321 | cgfsng_ops->version = "1.0.0"; | |
3322 | cgfsng_ops->attach = cgfsng_attach; | |
3323 | cgfsng_ops->chown = cgfsng_chown; | |
3324 | cgfsng_ops->mount = cgfsng_mount; | |
bf651989 | 3325 | cgfsng_ops->devices_activate = cgfsng_devices_activate; |
2202afc9 | 3326 | |
a64edc1c | 3327 | return move_ptr(cgfsng_ops); |
2202afc9 | 3328 | } |