]>
Commit | Line | Data |
---|---|---|
cc73685d | 1 | /* SPDX-License-Identifier: LGPL-2.1+ */ |
ccb4cabe SH |
2 | |
3 | /* | |
4 | * cgfs-ng.c: this is a new, simplified implementation of a filesystem | |
5 | * cgroup backend. The original cgfs.c was designed to be as flexible | |
6 | * as possible. It would try to find cgroup filesystems no matter where | |
7 | * or how you had them mounted, and deduce the most usable mount for | |
0e7ff52c | 8 | * each controller. |
ccb4cabe SH |
9 | * |
10 | * This new implementation assumes that cgroup filesystems are mounted | |
11 | * under /sys/fs/cgroup/clist where clist is either the controller, or | |
18406e5a | 12 | * a comma-separated list of controllers. |
ccb4cabe | 13 | */ |
a54694f8 | 14 | |
d38dd64a CB |
15 | #ifndef _GNU_SOURCE |
16 | #define _GNU_SOURCE 1 | |
17 | #endif | |
a54694f8 CB |
18 | #include <ctype.h> |
19 | #include <dirent.h> | |
20 | #include <errno.h> | |
21 | #include <grp.h> | |
d38dd64a CB |
22 | #include <linux/kdev_t.h> |
23 | #include <linux/types.h> | |
942e193e CB |
24 | #include <poll.h> |
25 | #include <signal.h> | |
a54694f8 | 26 | #include <stdint.h> |
ccb4cabe SH |
27 | #include <stdio.h> |
28 | #include <stdlib.h> | |
a54694f8 | 29 | #include <string.h> |
438c4581 | 30 | #include <sys/types.h> |
d38dd64a | 31 | #include <unistd.h> |
c8bf519d | 32 | |
b635e92d | 33 | #include "caps.h" |
ccb4cabe | 34 | #include "cgroup.h" |
bf651989 | 35 | #include "cgroup2_devices.h" |
6328fd9c | 36 | #include "cgroup_utils.h" |
ccb4cabe | 37 | #include "commands.h" |
43654d34 | 38 | #include "conf.h" |
d38dd64a | 39 | #include "config.h" |
a54694f8 | 40 | #include "log.h" |
c19ad94b | 41 | #include "macro.h" |
018051e3 | 42 | #include "mainloop.h" |
861cb8c2 | 43 | #include "memory_utils.h" |
43654d34 | 44 | #include "storage/storage.h" |
a54694f8 | 45 | #include "utils.h" |
ccb4cabe | 46 | |
64e82f8b DJ |
47 | #ifndef HAVE_STRLCPY |
48 | #include "include/strlcpy.h" | |
49 | #endif | |
50 | ||
3ebe2fbd DJ |
51 | #ifndef HAVE_STRLCAT |
52 | #include "include/strlcat.h" | |
53 | #endif | |
54 | ||
ac2cecc4 | 55 | lxc_log_define(cgfsng, cgroup); |
ccb4cabe | 56 | |
ccb4cabe SH |
57 | static void free_string_list(char **clist) |
58 | { | |
2d5fe5ba | 59 | int i; |
ccb4cabe | 60 | |
2d5fe5ba CB |
61 | if (!clist) |
62 | return; | |
63 | ||
64 | for (i = 0; clist[i]; i++) | |
65 | free(clist[i]); | |
66 | ||
67 | free(clist); | |
ccb4cabe SH |
68 | } |
69 | ||
8b8db2f6 CB |
70 | /* Given a pointer to a null-terminated array of pointers, realloc to add one |
71 | * entry, and point the new entry to NULL. Do not fail. Return the index to the | |
72 | * second-to-last entry - that is, the one which is now available for use | |
73 | * (keeping the list null-terminated). | |
ccb4cabe SH |
74 | */ |
75 | static int append_null_to_list(void ***list) | |
76 | { | |
77 | int newentry = 0; | |
78 | ||
79 | if (*list) | |
8b8db2f6 CB |
80 | for (; (*list)[newentry]; newentry++) |
81 | ; | |
ccb4cabe SH |
82 | |
83 | *list = must_realloc(*list, (newentry + 2) * sizeof(void **)); | |
84 | (*list)[newentry + 1] = NULL; | |
85 | return newentry; | |
86 | } | |
87 | ||
8073018d CB |
88 | /* Given a null-terminated array of strings, check whether @entry is one of the |
89 | * strings. | |
ccb4cabe SH |
90 | */ |
91 | static bool string_in_list(char **list, const char *entry) | |
92 | { | |
93 | int i; | |
94 | ||
95 | if (!list) | |
96 | return false; | |
d6337a5f | 97 | |
ccb4cabe SH |
98 | for (i = 0; list[i]; i++) |
99 | if (strcmp(list[i], entry) == 0) | |
100 | return true; | |
101 | ||
102 | return false; | |
103 | } | |
104 | ||
ac010944 CB |
105 | /* Return a copy of @entry prepending "name=", i.e. turn "systemd" into |
106 | * "name=systemd". Do not fail. | |
107 | */ | |
108 | static char *cg_legacy_must_prefix_named(char *entry) | |
109 | { | |
110 | size_t len; | |
111 | char *prefixed; | |
112 | ||
113 | len = strlen(entry); | |
f25a2044 | 114 | prefixed = must_realloc(NULL, len + 6); |
ac010944 | 115 | |
6333c915 CB |
116 | memcpy(prefixed, "name=", STRLITERALLEN("name=")); |
117 | memcpy(prefixed + STRLITERALLEN("name="), entry, len); | |
ac010944 | 118 | prefixed[len + 5] = '\0'; |
99bb3fa8 | 119 | |
ac010944 CB |
120 | return prefixed; |
121 | } | |
122 | ||
42a993b4 CB |
123 | /* Append an entry to the clist. Do not fail. @clist must be NULL the first time |
124 | * we are called. | |
ccb4cabe | 125 | * |
42a993b4 CB |
126 | * We also handle named subsystems here. Any controller which is not a kernel |
127 | * subsystem, we prefix "name=". Any which is both a kernel and named subsystem, | |
128 | * we refuse to use because we're not sure which we have here. | |
129 | * (TODO: We could work around this in some cases by just remounting to be | |
130 | * unambiguous, or by comparing mountpoint contents with current cgroup.) | |
ccb4cabe SH |
131 | * |
132 | * The last entry will always be NULL. | |
133 | */ | |
42a993b4 CB |
134 | static void must_append_controller(char **klist, char **nlist, char ***clist, |
135 | char *entry) | |
ccb4cabe SH |
136 | { |
137 | int newentry; | |
138 | char *copy; | |
139 | ||
140 | if (string_in_list(klist, entry) && string_in_list(nlist, entry)) { | |
c2712f64 | 141 | ERROR("Refusing to use ambiguous controller \"%s\"", entry); |
ccb4cabe SH |
142 | ERROR("It is both a named and kernel subsystem"); |
143 | return; | |
144 | } | |
145 | ||
146 | newentry = append_null_to_list((void ***)clist); | |
147 | ||
148 | if (strncmp(entry, "name=", 5) == 0) | |
149 | copy = must_copy_string(entry); | |
150 | else if (string_in_list(klist, entry)) | |
151 | copy = must_copy_string(entry); | |
152 | else | |
7745483d | 153 | copy = cg_legacy_must_prefix_named(entry); |
ccb4cabe SH |
154 | |
155 | (*clist)[newentry] = copy; | |
156 | } | |
157 | ||
2a63b5cb CB |
158 | static inline bool pure_unified_layout(const struct cgroup_ops *ops) |
159 | { | |
160 | return ops->cgroup_layout == CGROUP_LAYOUT_UNIFIED; | |
161 | } | |
162 | ||
5ae0207c CB |
163 | /* Given a handler's cgroup data, return the struct hierarchy for the controller |
164 | * @c, or NULL if there is none. | |
ccb4cabe | 165 | */ |
27a5132c | 166 | struct hierarchy *get_hierarchy(struct cgroup_ops *ops, const char *controller) |
ccb4cabe SH |
167 | { |
168 | int i; | |
169 | ||
27a5132c CB |
170 | errno = ENOENT; |
171 | ||
172 | if (!ops->hierarchies) { | |
173 | TRACE("There are no useable cgroup controllers"); | |
ccb4cabe | 174 | return NULL; |
27a5132c | 175 | } |
d6337a5f | 176 | |
2202afc9 | 177 | for (i = 0; ops->hierarchies[i]; i++) { |
27a5132c | 178 | if (!controller) { |
d6337a5f | 179 | /* This is the empty unified hierarchy. */ |
2202afc9 CB |
180 | if (ops->hierarchies[i]->controllers && |
181 | !ops->hierarchies[i]->controllers[0]) | |
182 | return ops->hierarchies[i]; | |
106f1f38 | 183 | continue; |
2a63b5cb CB |
184 | } else if (pure_unified_layout(ops) && |
185 | strcmp(controller, "devices") == 0) { | |
186 | if (ops->unified->bpf_device_controller) | |
187 | return ops->unified; | |
188 | break; | |
d6337a5f CB |
189 | } |
190 | ||
27a5132c | 191 | if (string_in_list(ops->hierarchies[i]->controllers, controller)) |
2202afc9 | 192 | return ops->hierarchies[i]; |
ccb4cabe | 193 | } |
d6337a5f | 194 | |
27a5132c CB |
195 | if (controller) |
196 | WARN("There is no useable %s controller", controller); | |
197 | else | |
198 | WARN("There is no empty unified cgroup hierarchy"); | |
199 | ||
ccb4cabe SH |
200 | return NULL; |
201 | } | |
202 | ||
a54694f8 CB |
203 | #define BATCH_SIZE 50 |
204 | static void batch_realloc(char **mem, size_t oldlen, size_t newlen) | |
205 | { | |
206 | int newbatches = (newlen / BATCH_SIZE) + 1; | |
207 | int oldbatches = (oldlen / BATCH_SIZE) + 1; | |
208 | ||
209 | if (!*mem || newbatches > oldbatches) { | |
210 | *mem = must_realloc(*mem, newbatches * BATCH_SIZE); | |
211 | } | |
212 | } | |
213 | ||
214 | static void append_line(char **dest, size_t oldlen, char *new, size_t newlen) | |
215 | { | |
216 | size_t full = oldlen + newlen; | |
217 | ||
218 | batch_realloc(dest, oldlen, full + 1); | |
219 | ||
220 | memcpy(*dest + oldlen, new, newlen + 1); | |
221 | } | |
222 | ||
223 | /* Slurp in a whole file */ | |
d6337a5f | 224 | static char *read_file(const char *fnam) |
a54694f8 | 225 | { |
d97919ab CB |
226 | __do_free char *line = NULL; |
227 | __do_fclose FILE *f = NULL; | |
a54694f8 | 228 | int linelen; |
d97919ab CB |
229 | char *buf = NULL; |
230 | size_t len = 0, fulllen = 0; | |
a54694f8 CB |
231 | |
232 | f = fopen(fnam, "r"); | |
233 | if (!f) | |
234 | return NULL; | |
235 | while ((linelen = getline(&line, &len, f)) != -1) { | |
236 | append_line(&buf, fulllen, line, linelen); | |
237 | fulllen += linelen; | |
238 | } | |
a54694f8 CB |
239 | return buf; |
240 | } | |
241 | ||
242 | /* Taken over modified from the kernel sources. */ | |
243 | #define NBITS 32 /* bits in uint32_t */ | |
244 | #define DIV_ROUND_UP(n, d) (((n) + (d)-1) / (d)) | |
245 | #define BITS_TO_LONGS(nr) DIV_ROUND_UP(nr, NBITS) | |
246 | ||
247 | static void set_bit(unsigned bit, uint32_t *bitarr) | |
248 | { | |
249 | bitarr[bit / NBITS] |= (1 << (bit % NBITS)); | |
250 | } | |
251 | ||
252 | static void clear_bit(unsigned bit, uint32_t *bitarr) | |
253 | { | |
254 | bitarr[bit / NBITS] &= ~(1 << (bit % NBITS)); | |
255 | } | |
256 | ||
257 | static bool is_set(unsigned bit, uint32_t *bitarr) | |
258 | { | |
259 | return (bitarr[bit / NBITS] & (1 << (bit % NBITS))) != 0; | |
260 | } | |
261 | ||
262 | /* Create cpumask from cpulist aka turn: | |
263 | * | |
264 | * 0,2-3 | |
265 | * | |
d5d468f6 | 266 | * into bit array |
a54694f8 CB |
267 | * |
268 | * 1 0 1 1 | |
269 | */ | |
270 | static uint32_t *lxc_cpumask(char *buf, size_t nbits) | |
271 | { | |
272 | char *token; | |
d5d468f6 CB |
273 | size_t arrlen; |
274 | uint32_t *bitarr; | |
d5d468f6 CB |
275 | |
276 | arrlen = BITS_TO_LONGS(nbits); | |
277 | bitarr = calloc(arrlen, sizeof(uint32_t)); | |
a54694f8 CB |
278 | if (!bitarr) |
279 | return NULL; | |
280 | ||
0be0d78f | 281 | lxc_iterate_parts(token, buf, ",") { |
a54694f8 | 282 | errno = 0; |
d5d468f6 CB |
283 | unsigned end, start; |
284 | char *range; | |
a54694f8 | 285 | |
d5d468f6 CB |
286 | start = strtoul(token, NULL, 0); |
287 | end = start; | |
288 | range = strchr(token, '-'); | |
a54694f8 CB |
289 | if (range) |
290 | end = strtoul(range + 1, NULL, 0); | |
d5d468f6 | 291 | |
a54694f8 CB |
292 | if (!(start <= end)) { |
293 | free(bitarr); | |
294 | return NULL; | |
295 | } | |
296 | ||
297 | if (end >= nbits) { | |
298 | free(bitarr); | |
299 | return NULL; | |
300 | } | |
301 | ||
302 | while (start <= end) | |
303 | set_bit(start++, bitarr); | |
304 | } | |
305 | ||
306 | return bitarr; | |
307 | } | |
308 | ||
a54694f8 CB |
309 | /* Turn cpumask into simple, comma-separated cpulist. */ |
310 | static char *lxc_cpumask_to_cpulist(uint32_t *bitarr, size_t nbits) | |
311 | { | |
a54694f8 | 312 | int ret; |
414c6719 | 313 | size_t i; |
24cac6af | 314 | char *tmp = NULL; |
a54694f8 | 315 | char **cpulist = NULL; |
c19ad94b | 316 | char numstr[INTTYPE_TO_STRLEN(size_t)] = {0}; |
a54694f8 CB |
317 | |
318 | for (i = 0; i <= nbits; i++) { | |
414c6719 CB |
319 | if (!is_set(i, bitarr)) |
320 | continue; | |
321 | ||
979a0d93 CB |
322 | ret = snprintf(numstr, sizeof(numstr), "%zu", i); |
323 | if (ret < 0 || (size_t)ret >= sizeof(numstr)) { | |
414c6719 CB |
324 | lxc_free_array((void **)cpulist, free); |
325 | return NULL; | |
326 | } | |
327 | ||
328 | ret = lxc_append_string(&cpulist, numstr); | |
329 | if (ret < 0) { | |
330 | lxc_free_array((void **)cpulist, free); | |
331 | return NULL; | |
a54694f8 CB |
332 | } |
333 | } | |
414c6719 CB |
334 | |
335 | if (!cpulist) | |
336 | return NULL; | |
337 | ||
24cac6af L |
338 | tmp = lxc_string_join(",", (const char **)cpulist, false); |
339 | lxc_free_array((void **)cpulist, free); | |
340 | ||
341 | return tmp; | |
a54694f8 CB |
342 | } |
343 | ||
344 | static ssize_t get_max_cpus(char *cpulist) | |
345 | { | |
346 | char *c1, *c2; | |
347 | char *maxcpus = cpulist; | |
348 | size_t cpus = 0; | |
349 | ||
350 | c1 = strrchr(maxcpus, ','); | |
351 | if (c1) | |
352 | c1++; | |
353 | ||
354 | c2 = strrchr(maxcpus, '-'); | |
355 | if (c2) | |
356 | c2++; | |
357 | ||
358 | if (!c1 && !c2) | |
359 | c1 = maxcpus; | |
360 | else if (c1 > c2) | |
361 | c2 = c1; | |
362 | else if (c1 < c2) | |
363 | c1 = c2; | |
333987b9 | 364 | else if (!c1 && c2) |
a54694f8 CB |
365 | c1 = c2; |
366 | ||
a54694f8 CB |
367 | errno = 0; |
368 | cpus = strtoul(c1, NULL, 0); | |
369 | if (errno != 0) | |
370 | return -1; | |
371 | ||
372 | return cpus; | |
373 | } | |
374 | ||
6f9584d8 | 375 | #define __ISOL_CPUS "/sys/devices/system/cpu/isolated" |
36f70181 | 376 | #define __OFFLINE_CPUS "/sys/devices/system/cpu/offline" |
a3926f6a | 377 | static bool cg_legacy_filter_and_set_cpus(char *path, bool am_initialized) |
a54694f8 | 378 | { |
d97919ab | 379 | __do_free char *cpulist = NULL, *fpath = NULL, *isolcpus = NULL, |
36f70181 CB |
380 | *offlinecpus = NULL, *posscpus = NULL; |
381 | __do_free uint32_t *isolmask = NULL, *offlinemask = NULL, | |
382 | *possmask = NULL; | |
a54694f8 CB |
383 | int ret; |
384 | ssize_t i; | |
d97919ab | 385 | char oldv; |
7717e175 | 386 | char *lastslash; |
36f70181 | 387 | ssize_t maxisol = 0, maxoffline = 0, maxposs = 0; |
6f9584d8 | 388 | bool bret = false, flipped_bit = false; |
a54694f8 CB |
389 | |
390 | lastslash = strrchr(path, '/'); | |
59ac3b88 CB |
391 | if (!lastslash) { |
392 | ERROR("Failed to detect \"/\" in \"%s\"", path); | |
a54694f8 CB |
393 | return bret; |
394 | } | |
395 | oldv = *lastslash; | |
396 | *lastslash = '\0'; | |
397 | fpath = must_make_path(path, "cpuset.cpus", NULL); | |
f68ea354 | 398 | *lastslash = oldv; |
a54694f8 | 399 | posscpus = read_file(fpath); |
6f9584d8 | 400 | if (!posscpus) { |
59ac3b88 | 401 | SYSERROR("Failed to read file \"%s\"", fpath); |
d97919ab | 402 | return false; |
6f9584d8 | 403 | } |
a54694f8 CB |
404 | |
405 | /* Get maximum number of cpus found in possible cpuset. */ | |
406 | maxposs = get_max_cpus(posscpus); | |
92d5ea57 | 407 | if (maxposs < 0 || maxposs >= INT_MAX - 1) |
d97919ab | 408 | return false; |
a54694f8 | 409 | |
36f70181 CB |
410 | if (file_exists(__ISOL_CPUS)) { |
411 | isolcpus = read_file(__ISOL_CPUS); | |
412 | if (!isolcpus) { | |
413 | SYSERROR("Failed to read file \"%s\"", __ISOL_CPUS); | |
414 | return false; | |
65d29cbc | 415 | } |
6f9584d8 | 416 | |
36f70181 CB |
417 | if (isdigit(isolcpus[0])) { |
418 | /* Get maximum number of cpus found in isolated cpuset. */ | |
419 | maxisol = get_max_cpus(isolcpus); | |
420 | if (maxisol < 0 || maxisol >= INT_MAX - 1) | |
421 | return false; | |
6f9584d8 | 422 | } |
36f70181 CB |
423 | |
424 | if (maxposs < maxisol) | |
425 | maxposs = maxisol; | |
426 | maxposs++; | |
427 | } else { | |
428 | TRACE("The path \""__ISOL_CPUS"\" to read isolated cpus from does not exist"); | |
a54694f8 CB |
429 | } |
430 | ||
36f70181 CB |
431 | if (file_exists(__OFFLINE_CPUS)) { |
432 | offlinecpus = read_file(__OFFLINE_CPUS); | |
433 | if (!offlinecpus) { | |
434 | SYSERROR("Failed to read file \"%s\"", __OFFLINE_CPUS); | |
435 | return false; | |
436 | } | |
437 | ||
438 | if (isdigit(offlinecpus[0])) { | |
439 | /* Get maximum number of cpus found in offline cpuset. */ | |
440 | maxoffline = get_max_cpus(offlinecpus); | |
441 | if (maxoffline < 0 || maxoffline >= INT_MAX - 1) | |
442 | return false; | |
443 | } | |
444 | ||
445 | if (maxposs < maxoffline) | |
446 | maxposs = maxoffline; | |
447 | maxposs++; | |
448 | } else { | |
449 | TRACE("The path \""__OFFLINE_CPUS"\" to read offline cpus from does not exist"); | |
450 | } | |
a54694f8 | 451 | |
dcd14a3d CB |
452 | if ((maxisol == 0) && (maxoffline == 0)) { |
453 | cpulist = move_ptr(posscpus); | |
36f70181 | 454 | goto copy_parent; |
dcd14a3d | 455 | } |
a54694f8 CB |
456 | |
457 | possmask = lxc_cpumask(posscpus, maxposs); | |
6f9584d8 | 458 | if (!possmask) { |
59ac3b88 | 459 | ERROR("Failed to create cpumask for possible cpus"); |
d97919ab | 460 | return false; |
6f9584d8 | 461 | } |
a54694f8 | 462 | |
36f70181 CB |
463 | if (maxisol > 0) { |
464 | isolmask = lxc_cpumask(isolcpus, maxposs); | |
465 | if (!isolmask) { | |
466 | ERROR("Failed to create cpumask for isolated cpus"); | |
467 | return false; | |
468 | } | |
469 | } | |
470 | ||
471 | if (maxoffline > 0) { | |
472 | offlinemask = lxc_cpumask(offlinecpus, maxposs); | |
473 | if (!offlinemask) { | |
474 | ERROR("Failed to create cpumask for offline cpus"); | |
475 | return false; | |
476 | } | |
6f9584d8 | 477 | } |
a54694f8 CB |
478 | |
479 | for (i = 0; i <= maxposs; i++) { | |
36f70181 CB |
480 | if ((isolmask && !is_set(i, isolmask)) || |
481 | (offlinemask && !is_set(i, offlinemask)) || | |
482 | !is_set(i, possmask)) | |
59ac3b88 CB |
483 | continue; |
484 | ||
485 | flipped_bit = true; | |
486 | clear_bit(i, possmask); | |
a54694f8 CB |
487 | } |
488 | ||
6f9584d8 | 489 | if (!flipped_bit) { |
b31d62b8 CB |
490 | cpulist = lxc_cpumask_to_cpulist(possmask, maxposs); |
491 | TRACE("No isolated or offline cpus present in cpuset"); | |
492 | } else { | |
493 | cpulist = move_ptr(posscpus); | |
494 | TRACE("Removed isolated or offline cpus from cpuset"); | |
6f9584d8 | 495 | } |
6f9584d8 | 496 | if (!cpulist) { |
59ac3b88 | 497 | ERROR("Failed to create cpu list"); |
d97919ab | 498 | return false; |
6f9584d8 | 499 | } |
a54694f8 CB |
500 | |
501 | copy_parent: | |
36f70181 | 502 | if (!am_initialized) { |
36f70181 CB |
503 | fpath = must_make_path(path, "cpuset.cpus", NULL); |
504 | ret = lxc_write_to_file(fpath, cpulist, strlen(cpulist), false, | |
505 | 0666); | |
36f70181 CB |
506 | if (ret < 0) { |
507 | SYSERROR("Failed to write cpu list to \"%s\"", fpath); | |
508 | return false; | |
509 | } | |
510 | ||
511 | TRACE("Copied cpu settings of parent cgroup"); | |
6f9584d8 CB |
512 | } |
513 | ||
d97919ab | 514 | return true; |
a54694f8 CB |
515 | } |
516 | ||
e3a3fecf SH |
517 | /* Copy contents of parent(@path)/@file to @path/@file */ |
518 | static bool copy_parent_file(char *path, char *file) | |
519 | { | |
d97919ab | 520 | __do_free char *child_path = NULL, *parent_path = NULL, *value = NULL; |
e3a3fecf | 521 | int ret; |
d97919ab | 522 | char oldv; |
b095a8eb | 523 | int len = 0; |
d97919ab | 524 | char *lastslash = NULL; |
e3a3fecf SH |
525 | |
526 | lastslash = strrchr(path, '/'); | |
b095a8eb CB |
527 | if (!lastslash) { |
528 | ERROR("Failed to detect \"/\" in \"%s\"", path); | |
e3a3fecf SH |
529 | return false; |
530 | } | |
531 | oldv = *lastslash; | |
532 | *lastslash = '\0'; | |
d97919ab CB |
533 | parent_path = must_make_path(path, file, NULL); |
534 | len = lxc_read_from_file(parent_path, NULL, 0); | |
b53a0853 CB |
535 | if (len <= 0) { |
536 | SYSERROR("Failed to determine buffer size"); | |
537 | return false; | |
538 | } | |
b095a8eb | 539 | |
f25a2044 | 540 | value = must_realloc(NULL, len + 1); |
d97919ab | 541 | ret = lxc_read_from_file(parent_path, value, len); |
b53a0853 CB |
542 | if (ret != len) { |
543 | SYSERROR("Failed to read from parent file \"%s\"", parent_path); | |
544 | return false; | |
545 | } | |
b095a8eb | 546 | |
e3a3fecf | 547 | *lastslash = oldv; |
d97919ab CB |
548 | child_path = must_make_path(path, file, NULL); |
549 | ret = lxc_write_to_file(child_path, value, len, false, 0666); | |
e3a3fecf | 550 | if (ret < 0) |
d97919ab | 551 | SYSERROR("Failed to write \"%s\" to file \"%s\"", value, child_path); |
e3a3fecf | 552 | return ret >= 0; |
e3a3fecf SH |
553 | } |
554 | ||
7793add3 CB |
555 | /* Initialize the cpuset hierarchy in first directory of @gname and set |
556 | * cgroup.clone_children so that children inherit settings. Since the | |
557 | * h->base_path is populated by init or ourselves, we know it is already | |
558 | * initialized. | |
e3a3fecf | 559 | */ |
a3926f6a | 560 | static bool cg_legacy_handle_cpuset_hierarchy(struct hierarchy *h, char *cgname) |
e3a3fecf | 561 | { |
d97919ab | 562 | __do_free char *cgpath = NULL, *clonechildrenpath = NULL; |
7793add3 CB |
563 | int ret; |
564 | char v; | |
d97919ab | 565 | char *slash; |
e3a3fecf SH |
566 | |
567 | if (!string_in_list(h->controllers, "cpuset")) | |
568 | return true; | |
569 | ||
570 | if (*cgname == '/') | |
571 | cgname++; | |
572 | slash = strchr(cgname, '/'); | |
573 | if (slash) | |
574 | *slash = '\0'; | |
575 | ||
bb221ad1 | 576 | cgpath = must_make_path(h->mountpoint, h->container_base_path, cgname, NULL); |
e3a3fecf SH |
577 | if (slash) |
578 | *slash = '/'; | |
7793add3 CB |
579 | |
580 | ret = mkdir(cgpath, 0755); | |
581 | if (ret < 0) { | |
582 | if (errno != EEXIST) { | |
583 | SYSERROR("Failed to create directory \"%s\"", cgpath); | |
7793add3 CB |
584 | return false; |
585 | } | |
e3a3fecf | 586 | } |
6f9584d8 | 587 | |
f8390327 | 588 | clonechildrenpath = must_make_path(cgpath, "cgroup.clone_children", NULL); |
6328fd9c | 589 | /* unified hierarchy doesn't have clone_children */ |
d97919ab | 590 | if (!file_exists(clonechildrenpath)) |
e3a3fecf | 591 | return true; |
7793add3 CB |
592 | |
593 | ret = lxc_read_from_file(clonechildrenpath, &v, 1); | |
594 | if (ret < 0) { | |
595 | SYSERROR("Failed to read file \"%s\"", clonechildrenpath); | |
e3a3fecf SH |
596 | return false; |
597 | } | |
598 | ||
a54694f8 | 599 | /* Make sure any isolated cpus are removed from cpuset.cpus. */ |
a3926f6a | 600 | if (!cg_legacy_filter_and_set_cpus(cgpath, v == '1')) { |
7793add3 | 601 | SYSERROR("Failed to remove isolated cpus"); |
a54694f8 | 602 | return false; |
6f9584d8 | 603 | } |
a54694f8 | 604 | |
7793add3 | 605 | /* Already set for us by someone else. */ |
b28c2810 CB |
606 | if (v == '1') |
607 | TRACE("\"cgroup.clone_children\" was already set to \"1\""); | |
e3a3fecf SH |
608 | |
609 | /* copy parent's settings */ | |
a54694f8 | 610 | if (!copy_parent_file(cgpath, "cpuset.mems")) { |
7793add3 | 611 | SYSERROR("Failed to copy \"cpuset.mems\" settings"); |
e3a3fecf SH |
612 | return false; |
613 | } | |
e3a3fecf | 614 | |
7cea5905 | 615 | ret = lxc_write_to_file(clonechildrenpath, "1", 1, false, 0666); |
7793add3 | 616 | if (ret < 0) { |
e3a3fecf | 617 | /* Set clone_children so children inherit our settings */ |
7793add3 | 618 | SYSERROR("Failed to write 1 to \"%s\"", clonechildrenpath); |
e3a3fecf SH |
619 | return false; |
620 | } | |
d97919ab | 621 | |
e3a3fecf SH |
622 | return true; |
623 | } | |
624 | ||
5c0089ae CB |
625 | /* Given two null-terminated lists of strings, return true if any string is in |
626 | * both. | |
ccb4cabe SH |
627 | */ |
628 | static bool controller_lists_intersect(char **l1, char **l2) | |
629 | { | |
630 | int i; | |
631 | ||
632 | if (!l1 || !l2) | |
633 | return false; | |
634 | ||
635 | for (i = 0; l1[i]; i++) { | |
636 | if (string_in_list(l2, l1[i])) | |
637 | return true; | |
638 | } | |
5c0089ae | 639 | |
ccb4cabe SH |
640 | return false; |
641 | } | |
642 | ||
258449e5 CB |
643 | /* For a null-terminated list of controllers @clist, return true if any of those |
644 | * controllers is already listed the null-terminated list of hierarchies @hlist. | |
645 | * Realistically, if one is present, all must be present. | |
ccb4cabe SH |
646 | */ |
647 | static bool controller_list_is_dup(struct hierarchy **hlist, char **clist) | |
648 | { | |
649 | int i; | |
650 | ||
651 | if (!hlist) | |
652 | return false; | |
258449e5 | 653 | |
ccb4cabe SH |
654 | for (i = 0; hlist[i]; i++) |
655 | if (controller_lists_intersect(hlist[i]->controllers, clist)) | |
656 | return true; | |
ccb4cabe | 657 | |
258449e5 | 658 | return false; |
ccb4cabe SH |
659 | } |
660 | ||
f57ac67f CB |
661 | /* Return true if the controller @entry is found in the null-terminated list of |
662 | * hierarchies @hlist. | |
ccb4cabe SH |
663 | */ |
664 | static bool controller_found(struct hierarchy **hlist, char *entry) | |
665 | { | |
666 | int i; | |
d6337a5f | 667 | |
ccb4cabe SH |
668 | if (!hlist) |
669 | return false; | |
670 | ||
671 | for (i = 0; hlist[i]; i++) | |
672 | if (string_in_list(hlist[i]->controllers, entry)) | |
673 | return true; | |
d6337a5f | 674 | |
ccb4cabe SH |
675 | return false; |
676 | } | |
677 | ||
e1c27ab0 CB |
678 | /* Return true if all of the controllers which we require have been found. The |
679 | * required list is freezer and anything in lxc.cgroup.use. | |
ccb4cabe | 680 | */ |
2202afc9 | 681 | static bool all_controllers_found(struct cgroup_ops *ops) |
ccb4cabe | 682 | { |
b7b18fc5 | 683 | char **cur; |
2202afc9 | 684 | struct hierarchy **hlist = ops->hierarchies; |
ccb4cabe | 685 | |
2202afc9 | 686 | if (!ops->cgroup_use) |
ccb4cabe | 687 | return true; |
c2712f64 | 688 | |
b7b18fc5 CB |
689 | for (cur = ops->cgroup_use; cur && *cur; cur++) |
690 | if (!controller_found(hlist, *cur)) { | |
691 | ERROR("No %s controller mountpoint found", *cur); | |
ccb4cabe SH |
692 | return false; |
693 | } | |
c2712f64 | 694 | |
ccb4cabe SH |
695 | return true; |
696 | } | |
697 | ||
f205f10c CB |
698 | /* Get the controllers from a mountinfo line There are other ways we could get |
699 | * this info. For lxcfs, field 3 is /cgroup/controller-list. For cgroupfs, we | |
700 | * could parse the mount options. But we simply assume that the mountpoint must | |
701 | * be /sys/fs/cgroup/controller-list | |
ccb4cabe | 702 | */ |
a3926f6a CB |
703 | static char **cg_hybrid_get_controllers(char **klist, char **nlist, char *line, |
704 | int type) | |
ccb4cabe | 705 | { |
f205f10c CB |
706 | /* The fourth field is /sys/fs/cgroup/comma-delimited-controller-list |
707 | * for legacy hierarchies. | |
708 | */ | |
ccb4cabe | 709 | int i; |
d97919ab | 710 | char *p2, *tok; |
0be0d78f | 711 | char *p = line, *sep = ","; |
411ac6d8 | 712 | char **aret = NULL; |
6328fd9c | 713 | |
ccb4cabe | 714 | for (i = 0; i < 4; i++) { |
235f1815 | 715 | p = strchr(p, ' '); |
ccb4cabe SH |
716 | if (!p) |
717 | return NULL; | |
718 | p++; | |
719 | } | |
a55f31bd | 720 | |
f205f10c CB |
721 | /* Note, if we change how mountinfo works, then our caller will need to |
722 | * verify /sys/fs/cgroup/ in this field. | |
723 | */ | |
dca9587a CB |
724 | if (strncmp(p, DEFAULT_CGROUP_MOUNTPOINT "/", 15) != 0) { |
725 | ERROR("Found hierarchy not under " DEFAULT_CGROUP_MOUNTPOINT ": \"%s\"", p); | |
ccb4cabe | 726 | return NULL; |
5059aae9 | 727 | } |
d6337a5f | 728 | |
ccb4cabe | 729 | p += 15; |
235f1815 | 730 | p2 = strchr(p, ' '); |
ccb4cabe | 731 | if (!p2) { |
2202afc9 | 732 | ERROR("Corrupt mountinfo"); |
ccb4cabe SH |
733 | return NULL; |
734 | } | |
735 | *p2 = '\0'; | |
6328fd9c | 736 | |
d6337a5f | 737 | if (type == CGROUP_SUPER_MAGIC) { |
88396101 | 738 | __do_free char *dup = NULL; |
d97919ab | 739 | |
0be0d78f CB |
740 | /* strdup() here for v1 hierarchies. Otherwise |
741 | * lxc_iterate_parts() will destroy mountpoints such as | |
742 | * "/sys/fs/cgroup/cpu,cpuacct". | |
d6337a5f | 743 | */ |
d97919ab | 744 | dup = must_copy_string(p); |
d6337a5f CB |
745 | if (!dup) |
746 | return NULL; | |
747 | ||
d97919ab | 748 | lxc_iterate_parts (tok, dup, sep) |
d6337a5f | 749 | must_append_controller(klist, nlist, &aret, tok); |
411ac6d8 | 750 | } |
d6337a5f | 751 | *p2 = ' '; |
f205f10c | 752 | |
d6337a5f CB |
753 | return aret; |
754 | } | |
411ac6d8 | 755 | |
d6337a5f CB |
756 | static char **cg_unified_make_empty_controller(void) |
757 | { | |
758 | int newentry; | |
759 | char **aret = NULL; | |
760 | ||
761 | newentry = append_null_to_list((void ***)&aret); | |
762 | aret[newentry] = NULL; | |
763 | return aret; | |
764 | } | |
765 | ||
766 | static char **cg_unified_get_controllers(const char *file) | |
767 | { | |
d97919ab | 768 | __do_free char *buf = NULL; |
0be0d78f | 769 | char *sep = " \t\n"; |
d6337a5f | 770 | char **aret = NULL; |
2a63b5cb | 771 | char *tok; |
d6337a5f CB |
772 | |
773 | buf = read_file(file); | |
774 | if (!buf) | |
411ac6d8 | 775 | return NULL; |
6328fd9c | 776 | |
0be0d78f | 777 | lxc_iterate_parts(tok, buf, sep) { |
d6337a5f CB |
778 | int newentry; |
779 | char *copy; | |
780 | ||
781 | newentry = append_null_to_list((void ***)&aret); | |
782 | copy = must_copy_string(tok); | |
783 | aret[newentry] = copy; | |
ccb4cabe SH |
784 | } |
785 | ||
786 | return aret; | |
787 | } | |
788 | ||
2202afc9 | 789 | static struct hierarchy *add_hierarchy(struct hierarchy ***h, char **clist, char *mountpoint, |
bb221ad1 | 790 | char *container_base_path, int type) |
ccb4cabe SH |
791 | { |
792 | struct hierarchy *new; | |
793 | int newentry; | |
794 | ||
f25a2044 | 795 | new = must_realloc(NULL, sizeof(*new)); |
ccb4cabe SH |
796 | new->controllers = clist; |
797 | new->mountpoint = mountpoint; | |
bb221ad1 | 798 | new->container_base_path = container_base_path; |
eb697136 | 799 | new->container_full_path = NULL; |
e09b62f9 | 800 | new->monitor_full_path = NULL; |
d6337a5f | 801 | new->version = type; |
a6ca2ed8 | 802 | new->cgroup2_chown = NULL; |
6328fd9c | 803 | |
2202afc9 CB |
804 | newentry = append_null_to_list((void ***)h); |
805 | (*h)[newentry] = new; | |
d6337a5f | 806 | return new; |
ccb4cabe SH |
807 | } |
808 | ||
798c3b33 CB |
809 | /* Get a copy of the mountpoint from @line, which is a line from |
810 | * /proc/self/mountinfo. | |
ccb4cabe | 811 | */ |
a3926f6a | 812 | static char *cg_hybrid_get_mountpoint(char *line) |
ccb4cabe SH |
813 | { |
814 | int i; | |
ccb4cabe | 815 | size_t len; |
798c3b33 CB |
816 | char *p2; |
817 | char *p = line, *sret = NULL; | |
ccb4cabe SH |
818 | |
819 | for (i = 0; i < 4; i++) { | |
235f1815 | 820 | p = strchr(p, ' '); |
ccb4cabe SH |
821 | if (!p) |
822 | return NULL; | |
823 | p++; | |
824 | } | |
d6337a5f | 825 | |
dca9587a | 826 | if (strncmp(p, DEFAULT_CGROUP_MOUNTPOINT "/", 15) != 0) |
d6337a5f CB |
827 | return NULL; |
828 | ||
829 | p2 = strchr(p + 15, ' '); | |
830 | if (!p2) | |
831 | return NULL; | |
832 | *p2 = '\0'; | |
833 | ||
ccb4cabe | 834 | len = strlen(p); |
f25a2044 | 835 | sret = must_realloc(NULL, len + 1); |
ccb4cabe SH |
836 | memcpy(sret, p, len); |
837 | sret[len] = '\0'; | |
838 | return sret; | |
839 | } | |
840 | ||
f523291e | 841 | /* Given a multi-line string, return a null-terminated copy of the current line. */ |
ccb4cabe SH |
842 | static char *copy_to_eol(char *p) |
843 | { | |
235f1815 | 844 | char *p2 = strchr(p, '\n'), *sret; |
ccb4cabe SH |
845 | size_t len; |
846 | ||
847 | if (!p2) | |
848 | return NULL; | |
849 | ||
850 | len = p2 - p; | |
f25a2044 | 851 | sret = must_realloc(NULL, len + 1); |
ccb4cabe SH |
852 | memcpy(sret, p, len); |
853 | sret[len] = '\0'; | |
854 | return sret; | |
855 | } | |
856 | ||
bced39de CB |
857 | /* cgline: pointer to character after the first ':' in a line in a \n-terminated |
858 | * /proc/self/cgroup file. Check whether controller c is present. | |
ccb4cabe SH |
859 | */ |
860 | static bool controller_in_clist(char *cgline, char *c) | |
861 | { | |
d97919ab CB |
862 | __do_free char *tmp = NULL; |
863 | char *tok, *eol; | |
ccb4cabe SH |
864 | size_t len; |
865 | ||
235f1815 | 866 | eol = strchr(cgline, ':'); |
ccb4cabe SH |
867 | if (!eol) |
868 | return false; | |
869 | ||
870 | len = eol - cgline; | |
861cb8c2 | 871 | tmp = must_realloc(NULL, len + 1); |
ccb4cabe SH |
872 | memcpy(tmp, cgline, len); |
873 | tmp[len] = '\0'; | |
874 | ||
d97919ab CB |
875 | lxc_iterate_parts(tok, tmp, ",") |
876 | if (strcmp(tok, c) == 0) | |
ccb4cabe | 877 | return true; |
d6337a5f | 878 | |
ccb4cabe SH |
879 | return false; |
880 | } | |
881 | ||
c3ef912e CB |
882 | /* @basecginfo is a copy of /proc/$$/cgroup. Return the current cgroup for |
883 | * @controller. | |
ccb4cabe | 884 | */ |
c3ef912e CB |
885 | static char *cg_hybrid_get_current_cgroup(char *basecginfo, char *controller, |
886 | int type) | |
ccb4cabe SH |
887 | { |
888 | char *p = basecginfo; | |
6328fd9c | 889 | |
d6337a5f CB |
890 | for (;;) { |
891 | bool is_cgv2_base_cgroup = false; | |
892 | ||
6328fd9c | 893 | /* cgroup v2 entry in "/proc/<pid>/cgroup": "0::/some/path" */ |
d6337a5f CB |
894 | if ((type == CGROUP2_SUPER_MAGIC) && (*p == '0')) |
895 | is_cgv2_base_cgroup = true; | |
ccb4cabe | 896 | |
235f1815 | 897 | p = strchr(p, ':'); |
ccb4cabe SH |
898 | if (!p) |
899 | return NULL; | |
900 | p++; | |
d6337a5f CB |
901 | |
902 | if (is_cgv2_base_cgroup || (controller && controller_in_clist(p, controller))) { | |
235f1815 | 903 | p = strchr(p, ':'); |
ccb4cabe SH |
904 | if (!p) |
905 | return NULL; | |
906 | p++; | |
907 | return copy_to_eol(p); | |
908 | } | |
909 | ||
235f1815 | 910 | p = strchr(p, '\n'); |
ccb4cabe SH |
911 | if (!p) |
912 | return NULL; | |
913 | p++; | |
914 | } | |
915 | } | |
916 | ||
ccb4cabe SH |
917 | static void must_append_string(char ***list, char *entry) |
918 | { | |
6dfb18bf | 919 | int newentry; |
ccb4cabe SH |
920 | char *copy; |
921 | ||
6dfb18bf | 922 | newentry = append_null_to_list((void ***)list); |
ccb4cabe SH |
923 | copy = must_copy_string(entry); |
924 | (*list)[newentry] = copy; | |
925 | } | |
926 | ||
d6337a5f | 927 | static int get_existing_subsystems(char ***klist, char ***nlist) |
ccb4cabe | 928 | { |
d97919ab CB |
929 | __do_free char *line = NULL; |
930 | __do_fclose FILE *f = NULL; | |
ccb4cabe SH |
931 | size_t len = 0; |
932 | ||
d6337a5f CB |
933 | f = fopen("/proc/self/cgroup", "r"); |
934 | if (!f) | |
935 | return -1; | |
936 | ||
ccb4cabe | 937 | while (getline(&line, &len, f) != -1) { |
0be0d78f | 938 | char *p, *p2, *tok; |
235f1815 | 939 | p = strchr(line, ':'); |
ccb4cabe SH |
940 | if (!p) |
941 | continue; | |
942 | p++; | |
235f1815 | 943 | p2 = strchr(p, ':'); |
ccb4cabe SH |
944 | if (!p2) |
945 | continue; | |
946 | *p2 = '\0'; | |
ff8d6ee9 | 947 | |
6328fd9c CB |
948 | /* If the kernel has cgroup v2 support, then /proc/self/cgroup |
949 | * contains an entry of the form: | |
ff8d6ee9 CB |
950 | * |
951 | * 0::/some/path | |
952 | * | |
6328fd9c | 953 | * In this case we use "cgroup2" as controller name. |
ff8d6ee9 | 954 | */ |
6328fd9c CB |
955 | if ((p2 - p) == 0) { |
956 | must_append_string(klist, "cgroup2"); | |
ff8d6ee9 | 957 | continue; |
6328fd9c | 958 | } |
ff8d6ee9 | 959 | |
0be0d78f | 960 | lxc_iterate_parts(tok, p, ",") { |
ccb4cabe SH |
961 | if (strncmp(tok, "name=", 5) == 0) |
962 | must_append_string(nlist, tok); | |
963 | else | |
964 | must_append_string(klist, tok); | |
965 | } | |
966 | } | |
967 | ||
d6337a5f | 968 | return 0; |
ccb4cabe SH |
969 | } |
970 | ||
971 | static void trim(char *s) | |
972 | { | |
7689dfd7 CB |
973 | size_t len; |
974 | ||
975 | len = strlen(s); | |
2c28d76b | 976 | while ((len > 1) && (s[len - 1] == '\n')) |
ccb4cabe SH |
977 | s[--len] = '\0'; |
978 | } | |
979 | ||
2202afc9 | 980 | static void lxc_cgfsng_print_hierarchies(struct cgroup_ops *ops) |
ccb4cabe SH |
981 | { |
982 | int i; | |
27d84737 | 983 | struct hierarchy **it; |
41c33dbe | 984 | |
2202afc9 CB |
985 | if (!ops->hierarchies) { |
986 | TRACE(" No hierarchies found"); | |
ccb4cabe SH |
987 | return; |
988 | } | |
27d84737 | 989 | |
2202afc9 CB |
990 | TRACE(" Hierarchies:"); |
991 | for (i = 0, it = ops->hierarchies; it && *it; it++, i++) { | |
ccb4cabe | 992 | int j; |
27d84737 CB |
993 | char **cit; |
994 | ||
bb221ad1 | 995 | TRACE(" %d: base_cgroup: %s", i, (*it)->container_base_path ? (*it)->container_base_path : "(null)"); |
2202afc9 CB |
996 | TRACE(" mountpoint: %s", (*it)->mountpoint ? (*it)->mountpoint : "(null)"); |
997 | TRACE(" controllers:"); | |
a7b0cc4c | 998 | for (j = 0, cit = (*it)->controllers; cit && *cit; cit++, j++) |
2202afc9 | 999 | TRACE(" %d: %s", j, *cit); |
ccb4cabe SH |
1000 | } |
1001 | } | |
41c33dbe | 1002 | |
a3926f6a CB |
1003 | static void lxc_cgfsng_print_basecg_debuginfo(char *basecginfo, char **klist, |
1004 | char **nlist) | |
41c33dbe SH |
1005 | { |
1006 | int k; | |
a7b0cc4c | 1007 | char **it; |
41c33dbe | 1008 | |
2202afc9 CB |
1009 | TRACE("basecginfo is:"); |
1010 | TRACE("%s", basecginfo); | |
41c33dbe | 1011 | |
a7b0cc4c | 1012 | for (k = 0, it = klist; it && *it; it++, k++) |
2202afc9 | 1013 | TRACE("kernel subsystem %d: %s", k, *it); |
0f71dd9b | 1014 | |
a7b0cc4c | 1015 | for (k = 0, it = nlist; it && *it; it++, k++) |
2202afc9 | 1016 | TRACE("named subsystem %d: %s", k, *it); |
41c33dbe | 1017 | } |
ccb4cabe | 1018 | |
2202afc9 CB |
1019 | static int cgroup_rmdir(struct hierarchy **hierarchies, |
1020 | const char *container_cgroup) | |
c71d83e1 | 1021 | { |
2202afc9 | 1022 | int i; |
d6337a5f | 1023 | |
2202afc9 CB |
1024 | if (!container_cgroup || !hierarchies) |
1025 | return 0; | |
d6337a5f | 1026 | |
2202afc9 CB |
1027 | for (i = 0; hierarchies[i]; i++) { |
1028 | int ret; | |
1029 | struct hierarchy *h = hierarchies[i]; | |
d6337a5f | 1030 | |
eb697136 | 1031 | if (!h->container_full_path) |
2202afc9 CB |
1032 | continue; |
1033 | ||
eb697136 | 1034 | ret = recursive_destroy(h->container_full_path); |
2202afc9 | 1035 | if (ret < 0) |
eb697136 | 1036 | WARN("Failed to destroy \"%s\"", h->container_full_path); |
2202afc9 | 1037 | |
eb697136 CB |
1038 | free(h->container_full_path); |
1039 | h->container_full_path = NULL; | |
2202afc9 | 1040 | } |
d6337a5f | 1041 | |
c71d83e1 | 1042 | return 0; |
d6337a5f CB |
1043 | } |
1044 | ||
2202afc9 CB |
1045 | struct generic_userns_exec_data { |
1046 | struct hierarchy **hierarchies; | |
1047 | const char *container_cgroup; | |
1048 | struct lxc_conf *conf; | |
1049 | uid_t origuid; /* target uid in parent namespace */ | |
1050 | char *path; | |
1051 | }; | |
d6337a5f | 1052 | |
2202afc9 CB |
1053 | static int cgroup_rmdir_wrapper(void *data) |
1054 | { | |
1055 | int ret; | |
1056 | struct generic_userns_exec_data *arg = data; | |
1057 | uid_t nsuid = (arg->conf->root_nsuid_map != NULL) ? 0 : arg->conf->init_uid; | |
1058 | gid_t nsgid = (arg->conf->root_nsgid_map != NULL) ? 0 : arg->conf->init_gid; | |
d6337a5f | 1059 | |
2202afc9 CB |
1060 | ret = setresgid(nsgid, nsgid, nsgid); |
1061 | if (ret < 0) { | |
1062 | SYSERROR("Failed to setresgid(%d, %d, %d)", (int)nsgid, | |
1063 | (int)nsgid, (int)nsgid); | |
1064 | return -1; | |
1065 | } | |
d6337a5f | 1066 | |
2202afc9 CB |
1067 | ret = setresuid(nsuid, nsuid, nsuid); |
1068 | if (ret < 0) { | |
1069 | SYSERROR("Failed to setresuid(%d, %d, %d)", (int)nsuid, | |
1070 | (int)nsuid, (int)nsuid); | |
1071 | return -1; | |
1072 | } | |
d6337a5f | 1073 | |
2202afc9 CB |
1074 | ret = setgroups(0, NULL); |
1075 | if (ret < 0 && errno != EPERM) { | |
1076 | SYSERROR("Failed to setgroups(0, NULL)"); | |
1077 | return -1; | |
1078 | } | |
d6337a5f | 1079 | |
2202afc9 | 1080 | return cgroup_rmdir(arg->hierarchies, arg->container_cgroup); |
d6337a5f CB |
1081 | } |
1082 | ||
434c8e15 CB |
1083 | __cgfsng_ops static void cgfsng_payload_destroy(struct cgroup_ops *ops, |
1084 | struct lxc_handler *handler) | |
d6337a5f CB |
1085 | { |
1086 | int ret; | |
2202afc9 | 1087 | struct generic_userns_exec_data wrap; |
bd8ef4e4 | 1088 | |
fc1c3af9 CB |
1089 | if (!ops) |
1090 | log_error_errno(return, ENOENT, "Called with uninitialized cgroup operations"); | |
1091 | ||
69b4a4bb CB |
1092 | if (!ops->hierarchies) |
1093 | return; | |
1094 | ||
fc1c3af9 CB |
1095 | if (!handler) |
1096 | log_error_errno(return, EINVAL, "Called with uninitialized handler"); | |
1097 | ||
1098 | if (!handler->conf) | |
1099 | log_error_errno(return, EINVAL, "Called with uninitialized conf"); | |
1100 | ||
4160c3a0 | 1101 | wrap.origuid = 0; |
2202afc9 CB |
1102 | wrap.container_cgroup = ops->container_cgroup; |
1103 | wrap.hierarchies = ops->hierarchies; | |
1104 | wrap.conf = handler->conf; | |
4160c3a0 | 1105 | |
bf651989 CB |
1106 | #ifdef HAVE_STRUCT_BPF_CGROUP_DEV_CTX |
1107 | ret = bpf_program_cgroup_detach(handler->conf->cgroup2_devices); | |
1108 | if (ret < 0) | |
1109 | WARN("Failed to detach bpf program from cgroup"); | |
1110 | #endif | |
1111 | ||
2202afc9 CB |
1112 | if (handler->conf && !lxc_list_empty(&handler->conf->id_map)) |
1113 | ret = userns_exec_1(handler->conf, cgroup_rmdir_wrapper, &wrap, | |
bd8ef4e4 | 1114 | "cgroup_rmdir_wrapper"); |
ccb4cabe | 1115 | else |
2202afc9 | 1116 | ret = cgroup_rmdir(ops->hierarchies, ops->container_cgroup); |
bd8ef4e4 CB |
1117 | if (ret < 0) { |
1118 | WARN("Failed to destroy cgroups"); | |
ccb4cabe | 1119 | return; |
ccb4cabe | 1120 | } |
ccb4cabe SH |
1121 | } |
1122 | ||
434c8e15 CB |
1123 | __cgfsng_ops static void cgfsng_monitor_destroy(struct cgroup_ops *ops, |
1124 | struct lxc_handler *handler) | |
1125 | { | |
1126 | int len; | |
434c8e15 | 1127 | char pidstr[INTTYPE_TO_STRLEN(pid_t)]; |
b376d3d0 CB |
1128 | struct lxc_conf *conf; |
1129 | ||
1130 | if (!ops) | |
1131 | log_error_errno(return, ENOENT, "Called with uninitialized cgroup operations"); | |
434c8e15 CB |
1132 | |
1133 | if (!ops->hierarchies) | |
1134 | return; | |
1135 | ||
b376d3d0 CB |
1136 | if (!handler) |
1137 | log_error_errno(return, EINVAL, "Called with uninitialized handler"); | |
1138 | ||
1139 | if (!handler->conf) | |
1140 | log_error_errno(return, EINVAL, "Called with uninitialized conf"); | |
1141 | ||
1142 | conf = handler->conf; | |
1143 | ||
434c8e15 CB |
1144 | len = snprintf(pidstr, sizeof(pidstr), "%d", handler->monitor_pid); |
1145 | if (len < 0 || (size_t)len >= sizeof(pidstr)) | |
1146 | return; | |
1147 | ||
1148 | for (int i = 0; ops->hierarchies[i]; i++) { | |
d97919ab | 1149 | __do_free char *pivot_path = NULL; |
434c8e15 | 1150 | int ret; |
23e5c045 | 1151 | char *chop; |
ecedb5de | 1152 | char pivot_cgroup[] = PIVOT_CGROUP; |
434c8e15 CB |
1153 | struct hierarchy *h = ops->hierarchies[i]; |
1154 | ||
1155 | if (!h->monitor_full_path) | |
1156 | continue; | |
1157 | ||
1158 | if (conf && conf->cgroup_meta.dir) | |
1159 | pivot_path = must_make_path(h->mountpoint, | |
1160 | h->container_base_path, | |
1161 | conf->cgroup_meta.dir, | |
625ad37b | 1162 | PIVOT_CGROUP, |
434c8e15 CB |
1163 | "cgroup.procs", NULL); |
1164 | else | |
1165 | pivot_path = must_make_path(h->mountpoint, | |
1166 | h->container_base_path, | |
625ad37b | 1167 | PIVOT_CGROUP, |
434c8e15 CB |
1168 | "cgroup.procs", NULL); |
1169 | ||
23e5c045 CB |
1170 | chop = strrchr(pivot_path, '/'); |
1171 | if (chop) | |
1172 | *chop = '\0'; | |
1173 | ||
ecedb5de CB |
1174 | /* |
1175 | * Make sure not to pass in the ro string literal PIVOT_CGROUP | |
1176 | * here. | |
1177 | */ | |
b376d3d0 CB |
1178 | if (!cg_legacy_handle_cpuset_hierarchy(h, pivot_cgroup)) |
1179 | log_warn_errno(continue, | |
1180 | errno, "Failed to handle legacy cpuset controller"); | |
ecedb5de | 1181 | |
434c8e15 | 1182 | ret = mkdir_p(pivot_path, 0755); |
b376d3d0 CB |
1183 | if (ret < 0 && errno != EEXIST) |
1184 | log_warn_errno(continue, errno, | |
1185 | "Failed to create cgroup \"%s\"\n", | |
1186 | pivot_path); | |
434c8e15 | 1187 | |
23e5c045 CB |
1188 | if (chop) |
1189 | *chop = '/'; | |
1190 | ||
434c8e15 CB |
1191 | /* Move ourselves into the pivot cgroup to delete our own |
1192 | * cgroup. | |
1193 | */ | |
1194 | ret = lxc_write_to_file(pivot_path, pidstr, len, false, 0666); | |
b376d3d0 CB |
1195 | if (ret != 0) |
1196 | log_warn_errno(continue, errno, | |
1197 | "Failed to move monitor %s to \"%s\"\n", | |
1198 | pidstr, pivot_path); | |
434c8e15 CB |
1199 | |
1200 | ret = recursive_destroy(h->monitor_full_path); | |
1201 | if (ret < 0) | |
1202 | WARN("Failed to destroy \"%s\"", h->monitor_full_path); | |
434c8e15 CB |
1203 | } |
1204 | } | |
1205 | ||
6099dd5a CB |
1206 | static int mkdir_eexist_on_last(const char *dir, mode_t mode) |
1207 | { | |
1208 | const char *tmp = dir; | |
1209 | const char *orig = dir; | |
1210 | size_t orig_len; | |
1211 | ||
1212 | orig_len = strlen(dir); | |
1213 | do { | |
6453ba56 | 1214 | __do_free char *makeme = NULL; |
6099dd5a CB |
1215 | int ret; |
1216 | size_t cur_len; | |
6099dd5a CB |
1217 | |
1218 | dir = tmp + strspn(tmp, "/"); | |
1219 | tmp = dir + strcspn(dir, "/"); | |
1220 | ||
1221 | errno = ENOMEM; | |
1222 | cur_len = dir - orig; | |
1223 | makeme = strndup(orig, cur_len); | |
1224 | if (!makeme) | |
1225 | return -1; | |
1226 | ||
1227 | ret = mkdir(makeme, mode); | |
1228 | if (ret < 0) { | |
1229 | if ((errno != EEXIST) || (orig_len == cur_len)) { | |
1230 | SYSERROR("Failed to create directory \"%s\"", makeme); | |
6099dd5a CB |
1231 | return -1; |
1232 | } | |
1233 | } | |
6099dd5a CB |
1234 | } while (tmp != dir); |
1235 | ||
1236 | return 0; | |
1237 | } | |
1238 | ||
72068e74 CB |
1239 | static bool monitor_create_path_for_hierarchy(struct hierarchy *h, char *cgname) |
1240 | { | |
1241 | int ret; | |
1242 | ||
ef185360 CB |
1243 | if (!cg_legacy_handle_cpuset_hierarchy(h, cgname)) { |
1244 | ERROR("Failed to handle legacy cpuset controller"); | |
1245 | return false; | |
1246 | } | |
1247 | ||
72068e74 | 1248 | h->monitor_full_path = must_make_path(h->mountpoint, h->container_base_path, cgname, NULL); |
6099dd5a CB |
1249 | ret = mkdir_eexist_on_last(h->monitor_full_path, 0755); |
1250 | if (ret < 0) { | |
1251 | ERROR("Failed to create cgroup \"%s\"", h->monitor_full_path); | |
ee455be4 CB |
1252 | return false; |
1253 | } | |
72068e74 | 1254 | |
c581d2a6 | 1255 | return true; |
72068e74 CB |
1256 | } |
1257 | ||
1258 | static bool container_create_path_for_hierarchy(struct hierarchy *h, char *cgname) | |
ccb4cabe | 1259 | { |
0c3deb94 CB |
1260 | int ret; |
1261 | ||
ef185360 CB |
1262 | if (!cg_legacy_handle_cpuset_hierarchy(h, cgname)) { |
1263 | ERROR("Failed to handle legacy cpuset controller"); | |
1264 | return false; | |
1265 | } | |
1266 | ||
bb221ad1 | 1267 | h->container_full_path = must_make_path(h->mountpoint, h->container_base_path, cgname, NULL); |
6099dd5a CB |
1268 | ret = mkdir_eexist_on_last(h->container_full_path, 0755); |
1269 | if (ret < 0) { | |
1270 | ERROR("Failed to create cgroup \"%s\"", h->container_full_path); | |
d8da679e | 1271 | return false; |
6f9584d8 | 1272 | } |
0c3deb94 | 1273 | |
c581d2a6 | 1274 | return true; |
ccb4cabe SH |
1275 | } |
1276 | ||
72068e74 | 1277 | static void remove_path_for_hierarchy(struct hierarchy *h, char *cgname, bool monitor) |
ccb4cabe | 1278 | { |
e56639fb | 1279 | int ret; |
72068e74 CB |
1280 | char *full_path; |
1281 | ||
1282 | if (monitor) | |
1283 | full_path = h->monitor_full_path; | |
1284 | else | |
1285 | full_path = h->container_full_path; | |
e56639fb | 1286 | |
72068e74 | 1287 | ret = rmdir(full_path); |
e56639fb | 1288 | if (ret < 0) |
72068e74 CB |
1289 | SYSERROR("Failed to rmdir(\"%s\") from failed creation attempt", full_path); |
1290 | ||
1291 | free(full_path); | |
1292 | ||
1293 | if (monitor) | |
1294 | h->monitor_full_path = NULL; | |
1295 | else | |
1296 | h->container_full_path = NULL; | |
1297 | } | |
1298 | ||
b857f4be | 1299 | __cgfsng_ops static inline bool cgfsng_monitor_create(struct cgroup_ops *ops, |
f2668eea | 1300 | struct lxc_handler *handler) |
72068e74 | 1301 | { |
d97919ab CB |
1302 | __do_free char *monitor_cgroup = NULL; |
1303 | char *offset, *tmp; | |
ebc10afe | 1304 | int i, idx = 0; |
5ce03bc0 | 1305 | size_t len; |
0d66e29a | 1306 | struct lxc_conf *conf; |
72068e74 | 1307 | |
0d66e29a CB |
1308 | if (!ops) |
1309 | return ret_set_errno(false, ENOENT); | |
e56639fb | 1310 | |
69b4a4bb CB |
1311 | if (!ops->hierarchies) |
1312 | return true; | |
1313 | ||
0d66e29a CB |
1314 | if (ops->monitor_cgroup) |
1315 | return ret_set_errno(false, EEXIST); | |
1316 | ||
1317 | if (!handler || !handler->conf) | |
1318 | return ret_set_errno(false, EINVAL); | |
1319 | ||
1320 | conf = handler->conf; | |
1321 | ||
72068e74 | 1322 | if (conf->cgroup_meta.dir) |
5ce03bc0 CB |
1323 | tmp = lxc_string_join("/", |
1324 | (const char *[]){conf->cgroup_meta.dir, | |
1325 | ops->monitor_pattern, | |
1326 | handler->name, NULL}, | |
1327 | false); | |
72068e74 | 1328 | else |
5ce03bc0 CB |
1329 | tmp = must_make_path(ops->monitor_pattern, handler->name, NULL); |
1330 | if (!tmp) | |
0d66e29a | 1331 | return ret_set_errno(false, ENOMEM); |
72068e74 | 1332 | |
5ce03bc0 | 1333 | len = strlen(tmp) + 5; /* leave room for -NNN\0 */ |
5407d095 | 1334 | monitor_cgroup = must_realloc(tmp, len); |
5ce03bc0 | 1335 | offset = monitor_cgroup + len - 5; |
5407d095 | 1336 | *offset = 0; |
5ce03bc0 CB |
1337 | |
1338 | do { | |
0d66e29a CB |
1339 | if (idx) |
1340 | sprintf(offset, "-%d", idx); | |
72068e74 | 1341 | |
ebc10afe | 1342 | for (i = 0; ops->hierarchies[i]; i++) { |
f2668eea CB |
1343 | if (!monitor_create_path_for_hierarchy(ops->hierarchies[i], |
1344 | monitor_cgroup)) { | |
1345 | ERROR("Failed to create cgroup \"%s\"", | |
1346 | ops->hierarchies[i]->monitor_full_path); | |
5ce03bc0 | 1347 | for (int j = 0; j < i; j++) |
f2668eea CB |
1348 | remove_path_for_hierarchy(ops->hierarchies[j], |
1349 | monitor_cgroup, | |
1350 | true); | |
5ce03bc0 CB |
1351 | |
1352 | idx++; | |
1353 | break; | |
1354 | } | |
1355 | } | |
ebc10afe | 1356 | } while (ops->hierarchies[i] && idx > 0 && idx < 1000); |
5ce03bc0 | 1357 | |
d97919ab | 1358 | if (idx == 1000) |
0d66e29a | 1359 | return ret_set_errno(false, ERANGE); |
72068e74 | 1360 | |
c581d2a6 | 1361 | ops->monitor_cgroup = move_ptr(monitor_cgroup); |
6e8703a4 | 1362 | return log_info(true, "The monitor process uses \"%s\" as cgroup", ops->monitor_cgroup); |
ccb4cabe SH |
1363 | } |
1364 | ||
cecad0c1 CB |
1365 | /* Try to create the same cgroup in all hierarchies. Start with cgroup_pattern; |
1366 | * next cgroup_pattern-1, -2, ..., -999. | |
ccb4cabe | 1367 | */ |
b857f4be | 1368 | __cgfsng_ops static inline bool cgfsng_payload_create(struct cgroup_ops *ops, |
6439f06e | 1369 | struct lxc_handler *handler) |
ccb4cabe | 1370 | { |
d97919ab | 1371 | __do_free char *container_cgroup = NULL, *tmp = NULL; |
bad788b0 | 1372 | int i, ret; |
ccb4cabe | 1373 | size_t len; |
d97919ab | 1374 | char *offset; |
7d531e9b | 1375 | int idx = 0; |
2202afc9 | 1376 | struct lxc_conf *conf = handler->conf; |
ccb4cabe | 1377 | |
d97919ab | 1378 | if (ops->container_cgroup) |
ccb4cabe | 1379 | return false; |
43654d34 | 1380 | |
2202afc9 | 1381 | if (!conf) |
ccb4cabe | 1382 | return false; |
ccb4cabe | 1383 | |
69b4a4bb CB |
1384 | if (!ops->hierarchies) |
1385 | return true; | |
1386 | ||
2202afc9 | 1387 | if (conf->cgroup_meta.dir) |
3ec12d39 | 1388 | tmp = lxc_string_join("/", (const char *[]){conf->cgroup_meta.dir, handler->name, NULL}, false); |
43654d34 | 1389 | else |
2202afc9 | 1390 | tmp = lxc_string_replace("%n", handler->name, ops->cgroup_pattern); |
ccb4cabe SH |
1391 | if (!tmp) { |
1392 | ERROR("Failed expanding cgroup name pattern"); | |
1393 | return false; | |
1394 | } | |
64e82f8b | 1395 | |
1a0e70ac | 1396 | len = strlen(tmp) + 5; /* leave room for -NNN\0 */ |
f25a2044 | 1397 | container_cgroup = must_realloc(NULL, len); |
64e82f8b | 1398 | (void)strlcpy(container_cgroup, tmp, len); |
0c3deb94 | 1399 | offset = container_cgroup + len - 5; |
ccb4cabe | 1400 | |
d97919ab | 1401 | do { |
c74da4ab | 1402 | if (idx) { |
bad788b0 | 1403 | ret = snprintf(offset, 5, "-%d", idx); |
c74da4ab CB |
1404 | if (ret < 0 || (size_t)ret >= 5) |
1405 | return false; | |
1406 | } | |
bb30b52a | 1407 | |
d97919ab | 1408 | for (i = 0; ops->hierarchies[i]; i++) { |
d99d5c93 CB |
1409 | if (!container_create_path_for_hierarchy(ops->hierarchies[i], |
1410 | container_cgroup)) { | |
1411 | ERROR("Failed to create cgroup \"%s\"", | |
1412 | ops->hierarchies[i]->container_full_path); | |
d97919ab | 1413 | for (int j = 0; j < i; j++) |
d99d5c93 CB |
1414 | remove_path_for_hierarchy(ops->hierarchies[j], |
1415 | container_cgroup, | |
1416 | false); | |
d97919ab CB |
1417 | idx++; |
1418 | break; | |
66b66624 CB |
1419 | } |
1420 | } | |
d97919ab | 1421 | } while (ops->hierarchies[i] && idx > 0 && idx < 1000); |
cecad0c1 | 1422 | |
d97919ab CB |
1423 | if (idx == 1000) |
1424 | return false; | |
cecad0c1 | 1425 | |
c74da4ab | 1426 | INFO("The container process uses \"%s\" as cgroup", container_cgroup); |
e4edf5d7 | 1427 | ops->container_cgroup = move_ptr(container_cgroup); |
bad788b0 CB |
1428 | |
1429 | if (ops->unified && ops->unified->container_full_path) { | |
1430 | ret = open(ops->unified->container_full_path, | |
1431 | O_DIRECTORY | O_RDONLY | O_CLOEXEC); | |
1432 | if (ret < 0) | |
1433 | return log_error_errno(false, | |
1434 | errno, "Failed to open file descriptor for unified hierarchy"); | |
1435 | ops->unified_fd = ret; | |
1436 | } | |
1437 | ||
ccb4cabe | 1438 | return true; |
ccb4cabe SH |
1439 | } |
1440 | ||
c581d2a6 CB |
1441 | __cgfsng_ops static bool cgfsng_monitor_enter(struct cgroup_ops *ops, |
1442 | struct lxc_handler *handler) | |
ccb4cabe | 1443 | { |
c581d2a6 CB |
1444 | int monitor_len, transient_len; |
1445 | char monitor[INTTYPE_TO_STRLEN(pid_t)], | |
1446 | transient[INTTYPE_TO_STRLEN(pid_t)]; | |
ccb4cabe | 1447 | |
797fa65e CB |
1448 | if (!ops) |
1449 | return ret_set_errno(false, ENOENT); | |
1450 | ||
69b4a4bb CB |
1451 | if (!ops->hierarchies) |
1452 | return true; | |
1453 | ||
797fa65e CB |
1454 | if (!ops->monitor_cgroup) |
1455 | return ret_set_errno(false, ENOENT); | |
1456 | ||
1457 | if (!handler || !handler->conf) | |
1458 | return ret_set_errno(false, EINVAL); | |
1459 | ||
c581d2a6 CB |
1460 | monitor_len = snprintf(monitor, sizeof(monitor), "%d", handler->monitor_pid); |
1461 | if (handler->transient_pid > 0) | |
1462 | transient_len = snprintf(transient, sizeof(transient), "%d", | |
1463 | handler->transient_pid); | |
ccb4cabe | 1464 | |
eeef32bb | 1465 | for (int i = 0; ops->hierarchies[i]; i++) { |
88396101 | 1466 | __do_free char *path = NULL; |
c581d2a6 | 1467 | int ret; |
08768001 | 1468 | |
c581d2a6 CB |
1469 | path = must_make_path(ops->hierarchies[i]->monitor_full_path, |
1470 | "cgroup.procs", NULL); | |
1471 | ret = lxc_writeat(-1, path, monitor, monitor_len); | |
1472 | if (ret != 0) | |
1473 | return log_error_errno(false, errno, "Failed to enter cgroup \"%s\"", path); | |
1474 | ||
1475 | if (handler->transient_pid < 0) | |
1476 | return true; | |
1477 | ||
1478 | ret = lxc_writeat(-1, path, transient, transient_len); | |
1479 | if (ret != 0) | |
1480 | return log_error_errno(false, errno, "Failed to enter cgroup \"%s\"", path); | |
ccb4cabe | 1481 | } |
c581d2a6 | 1482 | handler->transient_pid = -1; |
ccb4cabe SH |
1483 | |
1484 | return true; | |
1485 | } | |
1486 | ||
c581d2a6 CB |
1487 | __cgfsng_ops static bool cgfsng_payload_enter(struct cgroup_ops *ops, |
1488 | struct lxc_handler *handler) | |
eeef32bb | 1489 | { |
c581d2a6 CB |
1490 | int len; |
1491 | char pidstr[INTTYPE_TO_STRLEN(pid_t)]; | |
eeef32bb | 1492 | |
c581d2a6 CB |
1493 | if (!ops->hierarchies) |
1494 | return true; | |
1495 | ||
1496 | len = snprintf(pidstr, sizeof(pidstr), "%d", handler->pid); | |
1497 | ||
1498 | for (int i = 0; ops->hierarchies[i]; i++) { | |
1499 | __do_free char *path = NULL; | |
1500 | int ret; | |
1501 | ||
1502 | path = must_make_path(ops->hierarchies[i]->container_full_path, | |
1503 | "cgroup.procs", NULL); | |
1504 | ret = lxc_writeat(-1, path, pidstr, len); | |
1505 | if (ret != 0) | |
1506 | return log_error_errno(false, errno, "Failed to enter cgroup \"%s\"", path); | |
1507 | } | |
1508 | ||
1509 | return true; | |
eeef32bb CB |
1510 | } |
1511 | ||
6efacf80 CB |
1512 | static int chowmod(char *path, uid_t chown_uid, gid_t chown_gid, |
1513 | mode_t chmod_mode) | |
1514 | { | |
1515 | int ret; | |
1516 | ||
1517 | ret = chown(path, chown_uid, chown_gid); | |
1518 | if (ret < 0) { | |
a24c5678 | 1519 | SYSWARN("Failed to chown(%s, %d, %d)", path, (int)chown_uid, (int)chown_gid); |
6efacf80 CB |
1520 | return -1; |
1521 | } | |
1522 | ||
1523 | ret = chmod(path, chmod_mode); | |
1524 | if (ret < 0) { | |
a24c5678 | 1525 | SYSWARN("Failed to chmod(%s, %d)", path, (int)chmod_mode); |
6efacf80 CB |
1526 | return -1; |
1527 | } | |
1528 | ||
1529 | return 0; | |
1530 | } | |
1531 | ||
1532 | /* chgrp the container cgroups to container group. We leave | |
c0888dfe SH |
1533 | * the container owner as cgroup owner. So we must make the |
1534 | * directories 775 so that the container can create sub-cgroups. | |
43647298 SH |
1535 | * |
1536 | * Also chown the tasks and cgroup.procs files. Those may not | |
1537 | * exist depending on kernel version. | |
c0888dfe | 1538 | */ |
ccb4cabe SH |
1539 | static int chown_cgroup_wrapper(void *data) |
1540 | { | |
6a720d74 | 1541 | int ret; |
4160c3a0 CB |
1542 | uid_t destuid; |
1543 | struct generic_userns_exec_data *arg = data; | |
1544 | uid_t nsuid = (arg->conf->root_nsuid_map != NULL) ? 0 : arg->conf->init_uid; | |
1545 | gid_t nsgid = (arg->conf->root_nsgid_map != NULL) ? 0 : arg->conf->init_gid; | |
ccb4cabe | 1546 | |
6efacf80 | 1547 | ret = setresgid(nsgid, nsgid, nsgid); |
803e4123 CB |
1548 | if (ret < 0) |
1549 | return log_error_errno(-1, errno, | |
1550 | "Failed to setresgid(%d, %d, %d)", | |
1551 | (int)nsgid, (int)nsgid, (int)nsgid); | |
6efacf80 CB |
1552 | |
1553 | ret = setresuid(nsuid, nsuid, nsuid); | |
803e4123 CB |
1554 | if (ret < 0) |
1555 | return log_error_errno(-1, errno, | |
1556 | "Failed to setresuid(%d, %d, %d)", | |
1557 | (int)nsuid, (int)nsuid, (int)nsuid); | |
6efacf80 CB |
1558 | |
1559 | ret = setgroups(0, NULL); | |
803e4123 CB |
1560 | if (ret < 0 && errno != EPERM) |
1561 | return log_error_errno(-1, errno, "Failed to setgroups(0, NULL)"); | |
ccb4cabe SH |
1562 | |
1563 | destuid = get_ns_uid(arg->origuid); | |
b962868f CB |
1564 | if (destuid == LXC_INVALID_UID) |
1565 | destuid = 0; | |
ccb4cabe | 1566 | |
6a720d74 | 1567 | for (int i = 0; arg->hierarchies[i]; i++) { |
d97919ab | 1568 | __do_free char *fullpath = NULL; |
eb697136 | 1569 | char *path = arg->hierarchies[i]->container_full_path; |
43647298 | 1570 | |
63e42fee | 1571 | ret = chowmod(path, destuid, nsgid, 0775); |
6efacf80 | 1572 | if (ret < 0) |
803e4123 CB |
1573 | log_info_errno(continue, |
1574 | errno, "Failed to change %s to uid %d and gid %d and mode 0755", | |
1575 | path, destuid, nsgid); | |
c0888dfe | 1576 | |
6efacf80 CB |
1577 | /* Failures to chown() these are inconvenient but not |
1578 | * detrimental We leave these owned by the container launcher, | |
1579 | * so that container root can write to the files to attach. We | |
1580 | * chmod() them 664 so that container systemd can write to the | |
1581 | * files (which systemd in wily insists on doing). | |
ab8f5424 | 1582 | */ |
6efacf80 | 1583 | |
2202afc9 | 1584 | if (arg->hierarchies[i]->version == CGROUP_SUPER_MAGIC) { |
6efacf80 | 1585 | fullpath = must_make_path(path, "tasks", NULL); |
803e4123 CB |
1586 | ret = chowmod(fullpath, destuid, nsgid, 0664); |
1587 | if (ret < 0) | |
1588 | SYSINFO("Failed to change %s to uid %d and gid %d and mode 0664", | |
1589 | fullpath, destuid, nsgid); | |
6efacf80 | 1590 | } |
43647298 SH |
1591 | |
1592 | fullpath = must_make_path(path, "cgroup.procs", NULL); | |
803e4123 CB |
1593 | ret = chowmod(fullpath, destuid, nsgid, 0664); |
1594 | if (ret < 0) | |
1595 | SYSINFO("Failed to change %s to uid %d and gid %d and mode 0664", | |
1596 | fullpath, destuid, nsgid); | |
0e17357c | 1597 | |
2202afc9 | 1598 | if (arg->hierarchies[i]->version != CGROUP2_SUPER_MAGIC) |
0e17357c CB |
1599 | continue; |
1600 | ||
a6ca2ed8 CB |
1601 | for (char **p = arg->hierarchies[i]->cgroup2_chown; p && *p; p++) { |
1602 | fullpath = must_make_path(path, *p, NULL); | |
803e4123 CB |
1603 | ret = chowmod(fullpath, destuid, nsgid, 0664); |
1604 | if (ret < 0) | |
1605 | SYSINFO("Failed to change %s to uid %d and gid %d and mode 0664", | |
1606 | fullpath, destuid, nsgid); | |
a6ca2ed8 | 1607 | } |
ccb4cabe SH |
1608 | } |
1609 | ||
1610 | return 0; | |
1611 | } | |
1612 | ||
b857f4be | 1613 | __cgfsng_ops static bool cgfsng_chown(struct cgroup_ops *ops, |
fb55e009 | 1614 | struct lxc_conf *conf) |
ccb4cabe | 1615 | { |
4160c3a0 | 1616 | struct generic_userns_exec_data wrap; |
ccb4cabe | 1617 | |
ccb4cabe SH |
1618 | if (lxc_list_empty(&conf->id_map)) |
1619 | return true; | |
1620 | ||
69b4a4bb CB |
1621 | if (!ops->hierarchies) |
1622 | return true; | |
1623 | ||
ccb4cabe | 1624 | wrap.origuid = geteuid(); |
4160c3a0 | 1625 | wrap.path = NULL; |
2202afc9 | 1626 | wrap.hierarchies = ops->hierarchies; |
4160c3a0 | 1627 | wrap.conf = conf; |
ccb4cabe | 1628 | |
c9b7c33e CB |
1629 | if (userns_exec_1(conf, chown_cgroup_wrapper, &wrap, |
1630 | "chown_cgroup_wrapper") < 0) { | |
f7faba6c | 1631 | ERROR("Error requesting cgroup chown in new user namespace"); |
ccb4cabe SH |
1632 | return false; |
1633 | } | |
1634 | ||
1635 | return true; | |
1636 | } | |
1637 | ||
8aa1044f SH |
1638 | /* cgroup-full:* is done, no need to create subdirs */ |
1639 | static bool cg_mount_needs_subdirs(int type) | |
1640 | { | |
1641 | if (type >= LXC_AUTO_CGROUP_FULL_RO) | |
1642 | return false; | |
a3926f6a | 1643 | |
8aa1044f SH |
1644 | return true; |
1645 | } | |
1646 | ||
886cac86 CB |
1647 | /* After $rootfs/sys/fs/container/controller/the/cg/path has been created, |
1648 | * remount controller ro if needed and bindmount the cgroupfs onto | |
25fa6f8c | 1649 | * control/the/cg/path. |
8aa1044f | 1650 | */ |
6812d833 CB |
1651 | static int cg_legacy_mount_controllers(int type, struct hierarchy *h, |
1652 | char *controllerpath, char *cgpath, | |
1653 | const char *container_cgroup) | |
8aa1044f | 1654 | { |
d97919ab | 1655 | __do_free char *sourcepath = NULL; |
5285689c | 1656 | int ret, remount_flags; |
886cac86 CB |
1657 | int flags = MS_BIND; |
1658 | ||
8aa1044f | 1659 | if (type == LXC_AUTO_CGROUP_RO || type == LXC_AUTO_CGROUP_MIXED) { |
886cac86 CB |
1660 | ret = mount(controllerpath, controllerpath, "cgroup", MS_BIND, NULL); |
1661 | if (ret < 0) { | |
1662 | SYSERROR("Failed to bind mount \"%s\" onto \"%s\"", | |
1663 | controllerpath, controllerpath); | |
8aa1044f SH |
1664 | return -1; |
1665 | } | |
886cac86 | 1666 | |
5285689c CB |
1667 | remount_flags = add_required_remount_flags(controllerpath, |
1668 | controllerpath, | |
1669 | flags | MS_REMOUNT); | |
886cac86 | 1670 | ret = mount(controllerpath, controllerpath, "cgroup", |
8186c5c7 CB |
1671 | remount_flags | MS_REMOUNT | MS_BIND | MS_RDONLY, |
1672 | NULL); | |
886cac86 CB |
1673 | if (ret < 0) { |
1674 | SYSERROR("Failed to remount \"%s\" ro", controllerpath); | |
8aa1044f SH |
1675 | return -1; |
1676 | } | |
886cac86 | 1677 | |
8aa1044f SH |
1678 | INFO("Remounted %s read-only", controllerpath); |
1679 | } | |
886cac86 | 1680 | |
bb221ad1 | 1681 | sourcepath = must_make_path(h->mountpoint, h->container_base_path, |
886cac86 | 1682 | container_cgroup, NULL); |
8aa1044f SH |
1683 | if (type == LXC_AUTO_CGROUP_RO) |
1684 | flags |= MS_RDONLY; | |
886cac86 CB |
1685 | |
1686 | ret = mount(sourcepath, cgpath, "cgroup", flags, NULL); | |
1687 | if (ret < 0) { | |
1688 | SYSERROR("Failed to mount \"%s\" onto \"%s\"", h->controllers[0], cgpath); | |
8aa1044f SH |
1689 | return -1; |
1690 | } | |
886cac86 | 1691 | INFO("Mounted \"%s\" onto \"%s\"", h->controllers[0], cgpath); |
f8c40ffa L |
1692 | |
1693 | if (flags & MS_RDONLY) { | |
5285689c CB |
1694 | remount_flags = add_required_remount_flags(sourcepath, cgpath, |
1695 | flags | MS_REMOUNT); | |
1696 | ret = mount(sourcepath, cgpath, "cgroup", remount_flags, NULL); | |
886cac86 CB |
1697 | if (ret < 0) { |
1698 | SYSERROR("Failed to remount \"%s\" ro", cgpath); | |
f8c40ffa L |
1699 | return -1; |
1700 | } | |
5285689c | 1701 | INFO("Remounted %s read-only", cgpath); |
f8c40ffa L |
1702 | } |
1703 | ||
886cac86 | 1704 | INFO("Completed second stage cgroup automounts for \"%s\"", cgpath); |
8aa1044f SH |
1705 | return 0; |
1706 | } | |
1707 | ||
6812d833 CB |
1708 | /* __cg_mount_direct |
1709 | * | |
1710 | * Mount cgroup hierarchies directly without using bind-mounts. The main | |
1711 | * uses-cases are mounting cgroup hierarchies in cgroup namespaces and mounting | |
1712 | * cgroups for the LXC_AUTO_CGROUP_FULL option. | |
1713 | */ | |
1714 | static int __cg_mount_direct(int type, struct hierarchy *h, | |
1715 | const char *controllerpath) | |
b635e92d | 1716 | { |
d97919ab | 1717 | __do_free char *controllers = NULL; |
a760603e CB |
1718 | char *fstype = "cgroup2"; |
1719 | unsigned long flags = 0; | |
f6b54668 | 1720 | int ret; |
b635e92d | 1721 | |
a760603e CB |
1722 | flags |= MS_NOSUID; |
1723 | flags |= MS_NOEXEC; | |
1724 | flags |= MS_NODEV; | |
1725 | flags |= MS_RELATIME; | |
1726 | ||
1727 | if (type == LXC_AUTO_CGROUP_RO || type == LXC_AUTO_CGROUP_FULL_RO) | |
1728 | flags |= MS_RDONLY; | |
1729 | ||
d6337a5f | 1730 | if (h->version != CGROUP2_SUPER_MAGIC) { |
a760603e CB |
1731 | controllers = lxc_string_join(",", (const char **)h->controllers, false); |
1732 | if (!controllers) | |
1733 | return -ENOMEM; | |
1734 | fstype = "cgroup"; | |
b635e92d CB |
1735 | } |
1736 | ||
a760603e | 1737 | ret = mount("cgroup", controllerpath, fstype, flags, controllers); |
b635e92d | 1738 | if (ret < 0) { |
6812d833 | 1739 | SYSERROR("Failed to mount \"%s\" with cgroup filesystem type %s", controllerpath, fstype); |
b635e92d CB |
1740 | return -1; |
1741 | } | |
1742 | ||
6812d833 | 1743 | DEBUG("Mounted \"%s\" with cgroup filesystem type %s", controllerpath, fstype); |
b635e92d CB |
1744 | return 0; |
1745 | } | |
1746 | ||
6812d833 CB |
1747 | static inline int cg_mount_in_cgroup_namespace(int type, struct hierarchy *h, |
1748 | const char *controllerpath) | |
1749 | { | |
1750 | return __cg_mount_direct(type, h, controllerpath); | |
1751 | } | |
1752 | ||
1753 | static inline int cg_mount_cgroup_full(int type, struct hierarchy *h, | |
1754 | const char *controllerpath) | |
1755 | { | |
1756 | if (type < LXC_AUTO_CGROUP_FULL_RO || type > LXC_AUTO_CGROUP_FULL_MIXED) | |
1757 | return 0; | |
1758 | ||
1759 | return __cg_mount_direct(type, h, controllerpath); | |
1760 | } | |
1761 | ||
b857f4be | 1762 | __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops, |
8d661d38 CB |
1763 | struct lxc_handler *handler, |
1764 | const char *root, int type) | |
ccb4cabe | 1765 | { |
6607d6e9 | 1766 | __do_free char *cgroup_root = NULL; |
dfa835ac | 1767 | int ret; |
affd10fa | 1768 | bool has_cgns = false, retval = false, wants_force_mount = false; |
8aa1044f | 1769 | |
69b4a4bb CB |
1770 | if (!ops->hierarchies) |
1771 | return true; | |
1772 | ||
8aa1044f SH |
1773 | if ((type & LXC_AUTO_CGROUP_MASK) == 0) |
1774 | return true; | |
1775 | ||
3f69fb12 SY |
1776 | if (type & LXC_AUTO_CGROUP_FORCE) { |
1777 | type &= ~LXC_AUTO_CGROUP_FORCE; | |
1778 | wants_force_mount = true; | |
1779 | } | |
b635e92d | 1780 | |
3f69fb12 SY |
1781 | if (!wants_force_mount){ |
1782 | if (!lxc_list_empty(&handler->conf->keepcaps)) | |
1783 | wants_force_mount = !in_caplist(CAP_SYS_ADMIN, &handler->conf->keepcaps); | |
1784 | else | |
1785 | wants_force_mount = in_caplist(CAP_SYS_ADMIN, &handler->conf->caps); | |
1786 | } | |
8aa1044f | 1787 | |
3f69fb12 SY |
1788 | has_cgns = cgns_supported(); |
1789 | if (has_cgns && !wants_force_mount) | |
1790 | return true; | |
8aa1044f SH |
1791 | |
1792 | if (type == LXC_AUTO_CGROUP_NOSPEC) | |
1793 | type = LXC_AUTO_CGROUP_MIXED; | |
1794 | else if (type == LXC_AUTO_CGROUP_FULL_NOSPEC) | |
1795 | type = LXC_AUTO_CGROUP_FULL_MIXED; | |
1796 | ||
dca9587a | 1797 | cgroup_root = must_make_path(root, DEFAULT_CGROUP_MOUNTPOINT, NULL); |
8d661d38 | 1798 | if (ops->cgroup_layout == CGROUP_LAYOUT_UNIFIED) { |
8d661d38 CB |
1799 | if (has_cgns && wants_force_mount) { |
1800 | /* If cgroup namespaces are supported but the container | |
1801 | * will not have CAP_SYS_ADMIN after it has started we | |
1802 | * need to mount the cgroups manually. | |
1803 | */ | |
1804 | return cg_mount_in_cgroup_namespace(type, ops->unified, | |
6607d6e9 | 1805 | cgroup_root) == 0; |
8d661d38 CB |
1806 | } |
1807 | ||
6607d6e9 | 1808 | return cg_mount_cgroup_full(type, ops->unified, cgroup_root) == 0; |
8d661d38 CB |
1809 | } |
1810 | ||
1811 | /* mount tmpfs */ | |
6607d6e9 | 1812 | ret = safe_mount(NULL, cgroup_root, "tmpfs", |
3f69fb12 SY |
1813 | MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_RELATIME, |
1814 | "size=10240k,mode=755", root); | |
1815 | if (ret < 0) | |
1816 | goto on_error; | |
8aa1044f | 1817 | |
dfa835ac | 1818 | for (int i = 0; ops->hierarchies[i]; i++) { |
d97919ab | 1819 | __do_free char *controllerpath = NULL, *path2 = NULL; |
2202afc9 | 1820 | struct hierarchy *h = ops->hierarchies[i]; |
8aa1044f | 1821 | char *controller = strrchr(h->mountpoint, '/'); |
8aa1044f SH |
1822 | |
1823 | if (!controller) | |
1824 | continue; | |
1825 | controller++; | |
affd10fa | 1826 | |
6607d6e9 | 1827 | controllerpath = must_make_path(cgroup_root, controller, NULL); |
d97919ab | 1828 | if (dir_exists(controllerpath)) |
8aa1044f | 1829 | continue; |
affd10fa | 1830 | |
3f69fb12 SY |
1831 | ret = mkdir(controllerpath, 0755); |
1832 | if (ret < 0) { | |
8aa1044f | 1833 | SYSERROR("Error creating cgroup path: %s", controllerpath); |
3f69fb12 | 1834 | goto on_error; |
8aa1044f | 1835 | } |
b635e92d | 1836 | |
3f69fb12 | 1837 | if (has_cgns && wants_force_mount) { |
b635e92d CB |
1838 | /* If cgroup namespaces are supported but the container |
1839 | * will not have CAP_SYS_ADMIN after it has started we | |
1840 | * need to mount the cgroups manually. | |
1841 | */ | |
3f69fb12 | 1842 | ret = cg_mount_in_cgroup_namespace(type, h, controllerpath); |
3f69fb12 SY |
1843 | if (ret < 0) |
1844 | goto on_error; | |
1845 | ||
b635e92d CB |
1846 | continue; |
1847 | } | |
1848 | ||
6812d833 | 1849 | ret = cg_mount_cgroup_full(type, h, controllerpath); |
d97919ab | 1850 | if (ret < 0) |
3f69fb12 | 1851 | goto on_error; |
3f69fb12 | 1852 | |
d97919ab | 1853 | if (!cg_mount_needs_subdirs(type)) |
8aa1044f | 1854 | continue; |
3f69fb12 | 1855 | |
bb221ad1 | 1856 | path2 = must_make_path(controllerpath, h->container_base_path, |
2202afc9 | 1857 | ops->container_cgroup, NULL); |
3f69fb12 | 1858 | ret = mkdir_p(path2, 0755); |
d97919ab | 1859 | if (ret < 0) |
3f69fb12 | 1860 | goto on_error; |
2f62fb00 | 1861 | |
6812d833 | 1862 | ret = cg_legacy_mount_controllers(type, h, controllerpath, |
2202afc9 | 1863 | path2, ops->container_cgroup); |
3f69fb12 SY |
1864 | if (ret < 0) |
1865 | goto on_error; | |
8aa1044f SH |
1866 | } |
1867 | retval = true; | |
1868 | ||
3f69fb12 | 1869 | on_error: |
8aa1044f | 1870 | return retval; |
ccb4cabe SH |
1871 | } |
1872 | ||
1873 | static int recursive_count_nrtasks(char *dirname) | |
1874 | { | |
d97919ab | 1875 | __do_free char *path = NULL; |
88396101 | 1876 | __do_closedir DIR *dir = NULL; |
74f96976 | 1877 | struct dirent *direntp; |
ccb4cabe | 1878 | int count = 0, ret; |
ccb4cabe SH |
1879 | |
1880 | dir = opendir(dirname); | |
1881 | if (!dir) | |
1882 | return 0; | |
1883 | ||
74f96976 | 1884 | while ((direntp = readdir(dir))) { |
ccb4cabe SH |
1885 | struct stat mystat; |
1886 | ||
ccb4cabe SH |
1887 | if (!strcmp(direntp->d_name, ".") || |
1888 | !strcmp(direntp->d_name, "..")) | |
1889 | continue; | |
1890 | ||
1891 | path = must_make_path(dirname, direntp->d_name, NULL); | |
1892 | ||
1893 | if (lstat(path, &mystat)) | |
d97919ab | 1894 | continue; |
ccb4cabe SH |
1895 | |
1896 | if (!S_ISDIR(mystat.st_mode)) | |
d97919ab | 1897 | continue; |
ccb4cabe SH |
1898 | |
1899 | count += recursive_count_nrtasks(path); | |
ccb4cabe SH |
1900 | } |
1901 | ||
1902 | path = must_make_path(dirname, "cgroup.procs", NULL); | |
1903 | ret = lxc_count_file_lines(path); | |
1904 | if (ret != -1) | |
1905 | count += ret; | |
ccb4cabe SH |
1906 | |
1907 | return count; | |
1908 | } | |
1909 | ||
b857f4be | 1910 | __cgfsng_ops static int cgfsng_nrtasks(struct cgroup_ops *ops) |
3135c5d4 | 1911 | { |
d97919ab | 1912 | __do_free char *path = NULL; |
ccb4cabe | 1913 | |
2202afc9 | 1914 | if (!ops->container_cgroup || !ops->hierarchies) |
ccb4cabe | 1915 | return -1; |
a3926f6a | 1916 | |
eb697136 | 1917 | path = must_make_path(ops->hierarchies[0]->container_full_path, NULL); |
3312a94f | 1918 | return recursive_count_nrtasks(path); |
ccb4cabe SH |
1919 | } |
1920 | ||
11c23867 | 1921 | /* Only root needs to escape to the cgroup of its init. */ |
b857f4be | 1922 | __cgfsng_ops static bool cgfsng_escape(const struct cgroup_ops *ops, |
fb55e009 | 1923 | struct lxc_conf *conf) |
ccb4cabe | 1924 | { |
69b4a4bb | 1925 | if (conf->cgroup_meta.relative || geteuid() || !ops->hierarchies) |
ccb4cabe SH |
1926 | return true; |
1927 | ||
779b3d82 | 1928 | for (int i = 0; ops->hierarchies[i]; i++) { |
11c23867 | 1929 | int ret; |
88396101 | 1930 | __do_free char *fullpath = NULL; |
11c23867 | 1931 | |
2202afc9 | 1932 | fullpath = must_make_path(ops->hierarchies[i]->mountpoint, |
bb221ad1 | 1933 | ops->hierarchies[i]->container_base_path, |
11c23867 | 1934 | "cgroup.procs", NULL); |
7cea5905 | 1935 | ret = lxc_write_to_file(fullpath, "0", 2, false, 0666); |
11c23867 CB |
1936 | if (ret != 0) { |
1937 | SYSERROR("Failed to escape to cgroup \"%s\"", fullpath); | |
6df334d1 | 1938 | return false; |
ccb4cabe | 1939 | } |
ccb4cabe SH |
1940 | } |
1941 | ||
6df334d1 | 1942 | return true; |
ccb4cabe SH |
1943 | } |
1944 | ||
b857f4be | 1945 | __cgfsng_ops static int cgfsng_num_hierarchies(struct cgroup_ops *ops) |
36662416 | 1946 | { |
69b4a4bb CB |
1947 | int i = 0; |
1948 | ||
1949 | if (!ops->hierarchies) | |
1950 | return 0; | |
36662416 | 1951 | |
69b4a4bb | 1952 | for (; ops->hierarchies[i]; i++) |
36662416 TA |
1953 | ; |
1954 | ||
1955 | return i; | |
1956 | } | |
1957 | ||
b857f4be | 1958 | __cgfsng_ops static bool cgfsng_get_hierarchies(struct cgroup_ops *ops, int n, char ***out) |
36662416 TA |
1959 | { |
1960 | int i; | |
1961 | ||
69b4a4bb CB |
1962 | if (!ops->hierarchies) |
1963 | return false; | |
1964 | ||
36662416 | 1965 | /* sanity check n */ |
6b38e644 | 1966 | for (i = 0; i < n; i++) |
2202afc9 | 1967 | if (!ops->hierarchies[i]) |
36662416 | 1968 | return false; |
36662416 | 1969 | |
2202afc9 | 1970 | *out = ops->hierarchies[i]->controllers; |
36662416 TA |
1971 | |
1972 | return true; | |
1973 | } | |
1974 | ||
942e193e | 1975 | |
ee3a7775 | 1976 | static bool cg_legacy_freeze(struct cgroup_ops *ops) |
ccb4cabe | 1977 | { |
ee3a7775 | 1978 | __do_free char *path = NULL; |
d6337a5f | 1979 | struct hierarchy *h; |
ccb4cabe | 1980 | |
ee3a7775 CB |
1981 | h = get_hierarchy(ops, "freezer"); |
1982 | if (!h) | |
d2203230 | 1983 | return ret_set_errno(-1, ENOENT); |
81468ea7 | 1984 | |
ee3a7775 | 1985 | path = must_make_path(h->container_full_path, "freezer.state", NULL); |
018051e3 | 1986 | return lxc_write_to_file(path, "FROZEN", STRLITERALLEN("FROZEN"), false, 0666); |
ee3a7775 | 1987 | } |
942e193e | 1988 | |
018051e3 CB |
1989 | static int freezer_cgroup_events_cb(int fd, uint32_t events, void *cbdata, |
1990 | struct lxc_epoll_descr *descr) | |
ee3a7775 | 1991 | { |
018051e3 CB |
1992 | __do_close_prot_errno int duped_fd = -EBADF; |
1993 | __do_free char *line = NULL; | |
ee3a7775 | 1994 | __do_fclose FILE *f = NULL; |
018051e3 CB |
1995 | int state = PTR_TO_INT(cbdata); |
1996 | size_t len; | |
1997 | const char *state_string; | |
1998 | ||
1999 | duped_fd = dup(fd); | |
2000 | if (duped_fd < 0) | |
2001 | return LXC_MAINLOOP_ERROR; | |
2002 | ||
2003 | if (lseek(duped_fd, 0, SEEK_SET) < (off_t)-1) | |
2004 | return LXC_MAINLOOP_ERROR; | |
2005 | ||
2006 | f = fdopen(duped_fd, "re"); | |
2007 | if (!f) | |
2008 | return LXC_MAINLOOP_ERROR; | |
2009 | move_fd(duped_fd); | |
2010 | ||
2011 | if (state == 1) | |
2012 | state_string = "frozen 1"; | |
2013 | else | |
2014 | state_string = "frozen 0"; | |
2015 | ||
2016 | while (getline(&line, &len, f) != -1) | |
2017 | if (strncmp(line, state_string, STRLITERALLEN("frozen") + 2) == 0) | |
2018 | return LXC_MAINLOOP_CLOSE; | |
2019 | ||
2020 | return LXC_MAINLOOP_CONTINUE; | |
2021 | } | |
2022 | ||
2023 | static int cg_unified_freeze(struct cgroup_ops *ops, int timeout) | |
2024 | { | |
2025 | __do_close_prot_errno int fd = -EBADF; | |
2026 | __do_free char *path = NULL; | |
2027 | __do_lxc_mainloop_close struct lxc_epoll_descr *descr_ptr = NULL; | |
2028 | int ret; | |
2029 | struct lxc_epoll_descr descr; | |
ee3a7775 | 2030 | struct hierarchy *h; |
942e193e CB |
2031 | |
2032 | h = ops->unified; | |
457ca9aa | 2033 | if (!h) |
d2203230 | 2034 | return ret_set_errno(-1, ENOENT); |
d6337a5f | 2035 | |
018051e3 | 2036 | if (!h->container_full_path) |
d2203230 | 2037 | return ret_set_errno(-1, EEXIST); |
d6337a5f | 2038 | |
018051e3 CB |
2039 | if (timeout != 0) { |
2040 | __do_free char *events_file = NULL; | |
942e193e | 2041 | |
018051e3 CB |
2042 | events_file = must_make_path(h->container_full_path, "cgroup.events", NULL); |
2043 | fd = open(events_file, O_RDONLY | O_CLOEXEC); | |
2044 | if (fd < 0) | |
d2203230 | 2045 | return log_error_errno(-1, errno, "Failed to open cgroup.events file"); |
942e193e | 2046 | |
018051e3 CB |
2047 | ret = lxc_mainloop_open(&descr); |
2048 | if (ret) | |
d2203230 | 2049 | return log_error_errno(-1, errno, "Failed to create epoll instance to wait for container freeze"); |
942e193e | 2050 | |
018051e3 CB |
2051 | /* automatically cleaned up now */ |
2052 | descr_ptr = &descr; | |
942e193e | 2053 | |
018051e3 CB |
2054 | ret = lxc_mainloop_add_handler(&descr, fd, freezer_cgroup_events_cb, INT_TO_PTR((int){1})); |
2055 | if (ret < 0) | |
d2203230 | 2056 | return log_error_errno(-1, errno, "Failed to add cgroup.events fd handler to mainloop"); |
018051e3 | 2057 | } |
942e193e | 2058 | |
018051e3 CB |
2059 | path = must_make_path(h->container_full_path, "cgroup.freeze", NULL); |
2060 | ret = lxc_write_to_file(path, "1", 1, false, 0666); | |
2061 | if (ret < 0) | |
d2203230 | 2062 | return log_error_errno(-1, errno, "Failed to open cgroup.freeze file"); |
018051e3 CB |
2063 | |
2064 | if (timeout != 0 && lxc_mainloop(&descr, timeout)) | |
d2203230 | 2065 | return log_error_errno(-1, errno, "Failed to wait for container to be frozen"); |
018051e3 CB |
2066 | |
2067 | return 0; | |
942e193e CB |
2068 | } |
2069 | ||
018051e3 | 2070 | __cgfsng_ops static int cgfsng_freeze(struct cgroup_ops *ops, int timeout) |
942e193e | 2071 | { |
81468ea7 | 2072 | if (!ops->hierarchies) |
d2203230 | 2073 | return ret_set_errno(-1, ENOENT); |
81468ea7 | 2074 | |
ee3a7775 CB |
2075 | if (ops->cgroup_layout != CGROUP_LAYOUT_UNIFIED) |
2076 | return cg_legacy_freeze(ops); | |
942e193e | 2077 | |
018051e3 | 2078 | return cg_unified_freeze(ops, timeout); |
ee3a7775 CB |
2079 | } |
2080 | ||
018051e3 | 2081 | static int cg_legacy_unfreeze(struct cgroup_ops *ops) |
ee3a7775 CB |
2082 | { |
2083 | __do_free char *path = NULL; | |
2084 | struct hierarchy *h; | |
2085 | ||
2086 | h = get_hierarchy(ops, "freezer"); | |
2087 | if (!h) | |
d2203230 | 2088 | return ret_set_errno(-1, ENOENT); |
ee3a7775 CB |
2089 | |
2090 | path = must_make_path(h->container_full_path, "freezer.state", NULL); | |
018051e3 | 2091 | return lxc_write_to_file(path, "THAWED", STRLITERALLEN("THAWED"), false, 0666); |
ee3a7775 CB |
2092 | } |
2093 | ||
018051e3 | 2094 | static int cg_unified_unfreeze(struct cgroup_ops *ops, int timeout) |
ee3a7775 | 2095 | { |
018051e3 | 2096 | __do_close_prot_errno int fd = -EBADF; |
ee3a7775 | 2097 | __do_free char *path = NULL; |
018051e3 CB |
2098 | __do_lxc_mainloop_close struct lxc_epoll_descr *descr_ptr = NULL; |
2099 | int ret; | |
2100 | struct lxc_epoll_descr descr; | |
ee3a7775 | 2101 | struct hierarchy *h; |
942e193e CB |
2102 | |
2103 | h = ops->unified; | |
2104 | if (!h) | |
d2203230 | 2105 | return ret_set_errno(-1, ENOENT); |
018051e3 CB |
2106 | |
2107 | if (!h->container_full_path) | |
d2203230 | 2108 | return ret_set_errno(-1, EEXIST); |
018051e3 CB |
2109 | |
2110 | if (timeout != 0) { | |
2111 | __do_free char *events_file = NULL; | |
2112 | ||
2113 | events_file = must_make_path(h->container_full_path, "cgroup.events", NULL); | |
2114 | fd = open(events_file, O_RDONLY | O_CLOEXEC); | |
2115 | if (fd < 0) | |
d2203230 | 2116 | return log_error_errno(-1, errno, "Failed to open cgroup.events file"); |
018051e3 CB |
2117 | |
2118 | ret = lxc_mainloop_open(&descr); | |
2119 | if (ret) | |
d2203230 | 2120 | return log_error_errno(-1, errno, "Failed to create epoll instance to wait for container unfreeze"); |
018051e3 CB |
2121 | |
2122 | /* automatically cleaned up now */ | |
2123 | descr_ptr = &descr; | |
2124 | ||
2125 | ret = lxc_mainloop_add_handler(&descr, fd, freezer_cgroup_events_cb, INT_TO_PTR((int){0})); | |
2126 | if (ret < 0) | |
d2203230 | 2127 | return log_error_errno(-1, errno, "Failed to add cgroup.events fd handler to mainloop"); |
018051e3 | 2128 | } |
942e193e | 2129 | |
ee3a7775 | 2130 | path = must_make_path(h->container_full_path, "cgroup.freeze", NULL); |
018051e3 CB |
2131 | ret = lxc_write_to_file(path, "0", 1, false, 0666); |
2132 | if (ret < 0) | |
d2203230 | 2133 | return log_error_errno(-1, errno, "Failed to open cgroup.freeze file"); |
018051e3 CB |
2134 | |
2135 | if (timeout != 0 && lxc_mainloop(&descr, timeout)) | |
d2203230 | 2136 | return log_error_errno(-1, errno, "Failed to wait for container to be unfrozen"); |
018051e3 CB |
2137 | |
2138 | return 0; | |
ee3a7775 CB |
2139 | } |
2140 | ||
018051e3 | 2141 | __cgfsng_ops static int cgfsng_unfreeze(struct cgroup_ops *ops, int timeout) |
ee3a7775 CB |
2142 | { |
2143 | if (!ops->hierarchies) | |
d2203230 | 2144 | return ret_set_errno(-1, ENOENT); |
ee3a7775 CB |
2145 | |
2146 | if (ops->cgroup_layout != CGROUP_LAYOUT_UNIFIED) | |
2147 | return cg_legacy_unfreeze(ops); | |
2148 | ||
018051e3 | 2149 | return cg_unified_unfreeze(ops, timeout); |
ccb4cabe SH |
2150 | } |
2151 | ||
b857f4be | 2152 | __cgfsng_ops static const char *cgfsng_get_cgroup(struct cgroup_ops *ops, |
fb55e009 | 2153 | const char *controller) |
ccb4cabe | 2154 | { |
d6337a5f CB |
2155 | struct hierarchy *h; |
2156 | ||
2202afc9 | 2157 | h = get_hierarchy(ops, controller); |
106f1f38 | 2158 | if (!h) { |
2202afc9 CB |
2159 | WARN("Failed to find hierarchy for controller \"%s\"", |
2160 | controller ? controller : "(null)"); | |
ccb4cabe | 2161 | return NULL; |
106f1f38 | 2162 | } |
ccb4cabe | 2163 | |
eb697136 | 2164 | return h->container_full_path ? h->container_full_path + strlen(h->mountpoint) : NULL; |
371f834d SH |
2165 | } |
2166 | ||
c40c8209 CB |
2167 | /* Given a cgroup path returned from lxc_cmd_get_cgroup_path, build a full path, |
2168 | * which must be freed by the caller. | |
371f834d | 2169 | */ |
c40c8209 CB |
2170 | static inline char *build_full_cgpath_from_monitorpath(struct hierarchy *h, |
2171 | const char *inpath, | |
2172 | const char *filename) | |
371f834d | 2173 | { |
371f834d | 2174 | return must_make_path(h->mountpoint, inpath, filename, NULL); |
ccb4cabe SH |
2175 | } |
2176 | ||
900b6606 | 2177 | static int cgroup_attach_leaf(int unified_fd, int64_t pid) |
c2aed66d | 2178 | { |
ad275c16 | 2179 | int idx = 1; |
c2aed66d | 2180 | int ret; |
900b6606 | 2181 | char pidstr[INTTYPE_TO_STRLEN(int64_t) + 1]; |
ad275c16 | 2182 | char attach_cgroup[STRLITERALLEN("lxc-1000/cgroup.procs") + 1]; |
900b6606 | 2183 | size_t pidstr_len; |
c2aed66d | 2184 | |
ad275c16 CB |
2185 | /* Create leaf cgroup. */ |
2186 | ret = mkdirat(unified_fd, "lxc", 0755); | |
2187 | if (ret < 0 && errno != EEXIST) | |
2188 | return log_error_errno(-1, errno, "Failed to create leaf cgroup \"lxc\""); | |
2189 | ||
900b6606 | 2190 | pidstr_len = sprintf(pidstr, INT64_FMT, pid); |
ad275c16 CB |
2191 | ret = lxc_writeat(unified_fd, "lxc/cgroup.procs", pidstr, pidstr_len); |
2192 | if (ret < 0) | |
2193 | ret = lxc_writeat(unified_fd, "cgroup.procs", pidstr, pidstr_len); | |
c2aed66d | 2194 | if (ret == 0) |
bad788b0 | 2195 | return 0; |
ad275c16 | 2196 | |
bad788b0 CB |
2197 | /* this is a non-leaf node */ |
2198 | if (errno != EBUSY) | |
d2203230 | 2199 | return log_error_errno(-1, errno, "Failed to attach to unified cgroup"); |
c2aed66d | 2200 | |
c2aed66d | 2201 | do { |
bad788b0 | 2202 | char *slash; |
c2aed66d | 2203 | |
ad275c16 | 2204 | sprintf(attach_cgroup, "lxc-%d/cgroup.procs", idx); |
bad788b0 CB |
2205 | slash = &attach_cgroup[ret] - STRLITERALLEN("/cgroup.procs"); |
2206 | *slash = '\0'; | |
ad275c16 | 2207 | |
bad788b0 | 2208 | ret = mkdirat(unified_fd, attach_cgroup, 0755); |
c2aed66d | 2209 | if (ret < 0 && errno != EEXIST) |
d2203230 | 2210 | return log_error_errno(-1, errno, "Failed to create cgroup %s", attach_cgroup); |
c2aed66d | 2211 | |
bad788b0 | 2212 | *slash = '/'; |
ad275c16 | 2213 | |
bad788b0 | 2214 | ret = lxc_writeat(unified_fd, attach_cgroup, pidstr, pidstr_len); |
c2aed66d | 2215 | if (ret == 0) |
bad788b0 | 2216 | return 0; |
c2aed66d CB |
2217 | |
2218 | /* this is a non-leaf node */ | |
2219 | if (errno != EBUSY) | |
d2203230 | 2220 | return log_error_errno(-1, errno, "Failed to attach to unified cgroup"); |
c2aed66d | 2221 | |
edae86e9 CB |
2222 | idx++; |
2223 | } while (idx < 1000); | |
c2aed66d | 2224 | |
ad275c16 | 2225 | return log_error_errno(-1, errno, "Failed to attach to unified cgroup"); |
c2aed66d CB |
2226 | } |
2227 | ||
900b6606 CB |
2228 | int cgroup_attach(const char *name, const char *lxcpath, int64_t pid) |
2229 | { | |
2230 | __do_close_prot_errno int unified_fd = -EBADF; | |
2231 | ||
2232 | unified_fd = lxc_cmd_get_cgroup2_fd(name, lxcpath); | |
2233 | if (unified_fd < 0) | |
2234 | return -1; | |
2235 | ||
2236 | return cgroup_attach_leaf(unified_fd, pid); | |
2237 | } | |
2238 | ||
2239 | /* Technically, we're always at a delegation boundary here (This is especially | |
2240 | * true when cgroup namespaces are available.). The reasoning is that in order | |
2241 | * for us to have been able to start a container in the first place the root | |
2242 | * cgroup must have been a leaf node. Now, either the container's init system | |
2243 | * has populated the cgroup and kept it as a leaf node or it has created | |
2244 | * subtrees. In the former case we will simply attach to the leaf node we | |
2245 | * created when we started the container in the latter case we create our own | |
2246 | * cgroup for the attaching process. | |
2247 | */ | |
2248 | static int __cg_unified_attach(const struct hierarchy *h, const char *name, | |
2249 | const char *lxcpath, pid_t pid, | |
2250 | const char *controller) | |
2251 | { | |
2252 | __do_close_prot_errno int unified_fd = -EBADF; | |
2253 | int ret; | |
2254 | ||
2255 | ret = cgroup_attach(name, lxcpath, pid); | |
2256 | if (ret < 0) { | |
2257 | __do_free char *path = NULL, *cgroup = NULL; | |
2258 | ||
2259 | cgroup = lxc_cmd_get_cgroup_path(name, lxcpath, controller); | |
2260 | /* not running */ | |
2261 | if (!cgroup) | |
2262 | return 0; | |
2263 | ||
2264 | path = must_make_path(h->mountpoint, cgroup, NULL); | |
2265 | unified_fd = open(path, O_DIRECTORY | O_RDONLY | O_CLOEXEC); | |
2266 | } | |
2267 | if (unified_fd < 0) | |
2268 | return -1; | |
2269 | ||
2270 | return cgroup_attach_leaf(unified_fd, pid); | |
2271 | } | |
2272 | ||
b857f4be | 2273 | __cgfsng_ops static bool cgfsng_attach(struct cgroup_ops *ops, const char *name, |
fb55e009 | 2274 | const char *lxcpath, pid_t pid) |
ccb4cabe | 2275 | { |
81b5d48a | 2276 | int len, ret; |
a3650c0c | 2277 | char pidstr[INTTYPE_TO_STRLEN(pid_t)]; |
ccb4cabe | 2278 | |
69b4a4bb CB |
2279 | if (!ops->hierarchies) |
2280 | return true; | |
2281 | ||
a3650c0c CB |
2282 | len = snprintf(pidstr, sizeof(pidstr), "%d", pid); |
2283 | if (len < 0 || (size_t)len >= sizeof(pidstr)) | |
ccb4cabe SH |
2284 | return false; |
2285 | ||
81b5d48a | 2286 | for (int i = 0; ops->hierarchies[i]; i++) { |
c05b17bd | 2287 | __do_free char *fullpath = NULL, *path = NULL; |
2202afc9 | 2288 | struct hierarchy *h = ops->hierarchies[i]; |
ccb4cabe | 2289 | |
c2aed66d | 2290 | if (h->version == CGROUP2_SUPER_MAGIC) { |
900b6606 | 2291 | ret = __cg_unified_attach(h, name, lxcpath, pid, |
a3926f6a | 2292 | h->controllers[0]); |
c2aed66d CB |
2293 | if (ret < 0) |
2294 | return false; | |
2295 | ||
2296 | continue; | |
2297 | } | |
2298 | ||
ccb4cabe | 2299 | path = lxc_cmd_get_cgroup_path(name, lxcpath, h->controllers[0]); |
c2aed66d CB |
2300 | /* not running */ |
2301 | if (!path) | |
e2cb2e74 | 2302 | return false; |
ccb4cabe | 2303 | |
371f834d | 2304 | fullpath = build_full_cgpath_from_monitorpath(h, path, "cgroup.procs"); |
7cea5905 | 2305 | ret = lxc_write_to_file(fullpath, pidstr, len, false, 0666); |
c2aed66d | 2306 | if (ret < 0) { |
ccb4cabe | 2307 | SYSERROR("Failed to attach %d to %s", (int)pid, fullpath); |
ccb4cabe SH |
2308 | return false; |
2309 | } | |
ccb4cabe SH |
2310 | } |
2311 | ||
ccb4cabe SH |
2312 | return true; |
2313 | } | |
2314 | ||
e2bd2b13 CB |
2315 | /* Called externally (i.e. from 'lxc-cgroup') to query cgroup limits. Here we |
2316 | * don't have a cgroup_data set up, so we ask the running container through the | |
2317 | * commands API for the cgroup path. | |
ccb4cabe | 2318 | */ |
b857f4be | 2319 | __cgfsng_ops static int cgfsng_get(struct cgroup_ops *ops, const char *filename, |
fb55e009 CB |
2320 | char *value, size_t len, const char *name, |
2321 | const char *lxcpath) | |
ccb4cabe | 2322 | { |
d97919ab | 2323 | __do_free char *path = NULL; |
88396101 | 2324 | __do_free char *controller = NULL; |
d97919ab | 2325 | char *p; |
0069cc61 | 2326 | struct hierarchy *h; |
861cb8c2 | 2327 | int ret = -1; |
ccb4cabe | 2328 | |
861cb8c2 | 2329 | controller = must_copy_string(filename); |
0069cc61 CB |
2330 | p = strchr(controller, '.'); |
2331 | if (p) | |
ccb4cabe SH |
2332 | *p = '\0'; |
2333 | ||
0069cc61 CB |
2334 | path = lxc_cmd_get_cgroup_path(name, lxcpath, controller); |
2335 | /* not running */ | |
2336 | if (!path) | |
ccb4cabe SH |
2337 | return -1; |
2338 | ||
2202afc9 | 2339 | h = get_hierarchy(ops, controller); |
ccb4cabe | 2340 | if (h) { |
88396101 | 2341 | __do_free char *fullpath = NULL; |
0069cc61 CB |
2342 | |
2343 | fullpath = build_full_cgpath_from_monitorpath(h, path, filename); | |
ccb4cabe | 2344 | ret = lxc_read_from_file(fullpath, value, len); |
ccb4cabe | 2345 | } |
ccb4cabe SH |
2346 | |
2347 | return ret; | |
2348 | } | |
2349 | ||
2a63b5cb CB |
2350 | static int device_cgroup_rule_parse(struct device_item *device, const char *key, |
2351 | const char *val) | |
2352 | { | |
2353 | int count, ret; | |
2354 | char temp[50]; | |
2355 | ||
2356 | if (strcmp("devices.allow", key) == 0) | |
2357 | device->allow = 1; | |
2358 | else | |
2359 | device->allow = 0; | |
2360 | ||
2361 | if (strcmp(val, "a") == 0) { | |
2362 | /* global rule */ | |
2363 | device->type = 'a'; | |
2364 | device->major = -1; | |
2365 | device->minor = -1; | |
fda39d45 CB |
2366 | device->global_rule = device->allow |
2367 | ? LXC_BPF_DEVICE_CGROUP_BLACKLIST | |
2368 | : LXC_BPF_DEVICE_CGROUP_WHITELIST; | |
2a63b5cb CB |
2369 | device->allow = -1; |
2370 | return 0; | |
2371 | } else { | |
fda39d45 | 2372 | device->global_rule = LXC_BPF_DEVICE_CGROUP_LOCAL_RULE; |
2a63b5cb CB |
2373 | } |
2374 | ||
2375 | switch (*val) { | |
2376 | case 'a': | |
2377 | __fallthrough; | |
2378 | case 'b': | |
2379 | __fallthrough; | |
2380 | case 'c': | |
2381 | device->type = *val; | |
2382 | break; | |
2383 | default: | |
2384 | return -1; | |
2385 | } | |
2386 | ||
2387 | val++; | |
2388 | if (!isspace(*val)) | |
2389 | return -1; | |
2390 | val++; | |
2391 | if (*val == '*') { | |
2392 | device->major = -1; | |
2393 | val++; | |
2394 | } else if (isdigit(*val)) { | |
2395 | memset(temp, 0, sizeof(temp)); | |
2396 | for (count = 0; count < sizeof(temp) - 1; count++) { | |
2397 | temp[count] = *val; | |
2398 | val++; | |
2399 | if (!isdigit(*val)) | |
2400 | break; | |
2401 | } | |
2402 | ret = lxc_safe_int(temp, &device->major); | |
2403 | if (ret) | |
2404 | return -1; | |
2405 | } else { | |
2406 | return -1; | |
2407 | } | |
2408 | if (*val != ':') | |
2409 | return -1; | |
2410 | val++; | |
2411 | ||
2412 | /* read minor */ | |
2413 | if (*val == '*') { | |
2414 | device->minor = -1; | |
2415 | val++; | |
2416 | } else if (isdigit(*val)) { | |
2417 | memset(temp, 0, sizeof(temp)); | |
2418 | for (count = 0; count < sizeof(temp) - 1; count++) { | |
2419 | temp[count] = *val; | |
2420 | val++; | |
2421 | if (!isdigit(*val)) | |
2422 | break; | |
2423 | } | |
2424 | ret = lxc_safe_int(temp, &device->minor); | |
2425 | if (ret) | |
2426 | return -1; | |
2427 | } else { | |
2428 | return -1; | |
2429 | } | |
2430 | if (!isspace(*val)) | |
2431 | return -1; | |
2432 | for (val++, count = 0; count < 3; count++, val++) { | |
2433 | switch (*val) { | |
2434 | case 'r': | |
2435 | device->access[count] = *val; | |
2436 | break; | |
2437 | case 'w': | |
2438 | device->access[count] = *val; | |
2439 | break; | |
2440 | case 'm': | |
2441 | device->access[count] = *val; | |
2442 | break; | |
2443 | case '\n': | |
2444 | case '\0': | |
2445 | count = 3; | |
2446 | break; | |
2447 | default: | |
2448 | return -1; | |
2449 | } | |
2450 | } | |
2451 | ||
2452 | return 0; | |
2453 | } | |
2454 | ||
eec533e3 CB |
2455 | /* Called externally (i.e. from 'lxc-cgroup') to set new cgroup limits. Here we |
2456 | * don't have a cgroup_data set up, so we ask the running container through the | |
2457 | * commands API for the cgroup path. | |
ccb4cabe | 2458 | */ |
b857f4be | 2459 | __cgfsng_ops static int cgfsng_set(struct cgroup_ops *ops, |
2a63b5cb | 2460 | const char *key, const char *value, |
fb55e009 | 2461 | const char *name, const char *lxcpath) |
ccb4cabe | 2462 | { |
d97919ab | 2463 | __do_free char *path = NULL; |
88396101 | 2464 | __do_free char *controller = NULL; |
d97919ab | 2465 | char *p; |
87777968 | 2466 | struct hierarchy *h; |
861cb8c2 | 2467 | int ret = -1; |
ccb4cabe | 2468 | |
2a63b5cb | 2469 | controller = must_copy_string(key); |
87777968 CB |
2470 | p = strchr(controller, '.'); |
2471 | if (p) | |
ccb4cabe SH |
2472 | *p = '\0'; |
2473 | ||
2a63b5cb CB |
2474 | if (pure_unified_layout(ops) && strcmp(controller, "devices") == 0) { |
2475 | struct device_item device = {0}; | |
2476 | ||
2477 | ret = device_cgroup_rule_parse(&device, key, value); | |
2478 | if (ret < 0) | |
d2203230 | 2479 | return log_error_errno(-1, EINVAL, "Failed to parse device string %s=%s", |
2a63b5cb CB |
2480 | key, value); |
2481 | ||
2482 | ret = lxc_cmd_add_bpf_device_cgroup(name, lxcpath, &device); | |
2483 | if (ret < 0) | |
2484 | return -1; | |
2485 | ||
2486 | return 0; | |
2487 | } | |
2488 | ||
87777968 CB |
2489 | path = lxc_cmd_get_cgroup_path(name, lxcpath, controller); |
2490 | /* not running */ | |
2491 | if (!path) | |
ccb4cabe SH |
2492 | return -1; |
2493 | ||
2202afc9 | 2494 | h = get_hierarchy(ops, controller); |
ccb4cabe | 2495 | if (h) { |
88396101 | 2496 | __do_free char *fullpath = NULL; |
87777968 | 2497 | |
2a63b5cb | 2498 | fullpath = build_full_cgpath_from_monitorpath(h, path, key); |
7cea5905 | 2499 | ret = lxc_write_to_file(fullpath, value, strlen(value), false, 0666); |
ccb4cabe | 2500 | } |
ccb4cabe SH |
2501 | |
2502 | return ret; | |
2503 | } | |
2504 | ||
91d1a13a | 2505 | /* take devices cgroup line |
72add155 SH |
2506 | * /dev/foo rwx |
2507 | * and convert it to a valid | |
2508 | * type major:minor mode | |
91d1a13a CB |
2509 | * line. Return <0 on error. Dest is a preallocated buffer long enough to hold |
2510 | * the output. | |
72add155 SH |
2511 | */ |
2512 | static int convert_devpath(const char *invalue, char *dest) | |
2513 | { | |
88396101 | 2514 | __do_free char *path = NULL; |
2a06d041 | 2515 | int n_parts; |
d97919ab | 2516 | char *p, type; |
72add155 | 2517 | unsigned long minor, major; |
91d1a13a | 2518 | struct stat sb; |
2a06d041 CB |
2519 | int ret = -EINVAL; |
2520 | char *mode = NULL; | |
72add155 SH |
2521 | |
2522 | path = must_copy_string(invalue); | |
2523 | ||
91d1a13a CB |
2524 | /* Read path followed by mode. Ignore any trailing text. |
2525 | * A ' # comment' would be legal. Technically other text is not | |
2526 | * legal, we could check for that if we cared to. | |
72add155 | 2527 | */ |
0dbdb99e | 2528 | for (n_parts = 1, p = path; *p; p++) { |
2c2d6c49 SH |
2529 | if (*p != ' ') |
2530 | continue; | |
2531 | *p = '\0'; | |
91d1a13a | 2532 | |
2c2d6c49 SH |
2533 | if (n_parts != 1) |
2534 | break; | |
2535 | p++; | |
2536 | n_parts++; | |
91d1a13a | 2537 | |
2c2d6c49 SH |
2538 | while (*p == ' ') |
2539 | p++; | |
91d1a13a | 2540 | |
2c2d6c49 | 2541 | mode = p; |
91d1a13a | 2542 | |
2c2d6c49 SH |
2543 | if (*p == '\0') |
2544 | goto out; | |
72add155 | 2545 | } |
2c2d6c49 SH |
2546 | |
2547 | if (n_parts == 1) | |
72add155 | 2548 | goto out; |
72add155 SH |
2549 | |
2550 | ret = stat(path, &sb); | |
2551 | if (ret < 0) | |
2552 | goto out; | |
2553 | ||
72add155 SH |
2554 | mode_t m = sb.st_mode & S_IFMT; |
2555 | switch (m) { | |
2556 | case S_IFBLK: | |
2557 | type = 'b'; | |
2558 | break; | |
2559 | case S_IFCHR: | |
2560 | type = 'c'; | |
2561 | break; | |
2c2d6c49 | 2562 | default: |
91d1a13a | 2563 | ERROR("Unsupported device type %i for \"%s\"", m, path); |
72add155 SH |
2564 | ret = -EINVAL; |
2565 | goto out; | |
2566 | } | |
2c2d6c49 SH |
2567 | |
2568 | major = MAJOR(sb.st_rdev); | |
2569 | minor = MINOR(sb.st_rdev); | |
2570 | ret = snprintf(dest, 50, "%c %lu:%lu %s", type, major, minor, mode); | |
72add155 | 2571 | if (ret < 0 || ret >= 50) { |
2a06d041 CB |
2572 | ERROR("Error on configuration value \"%c %lu:%lu %s\" (max 50 " |
2573 | "chars)", type, major, minor, mode); | |
72add155 SH |
2574 | ret = -ENAMETOOLONG; |
2575 | goto out; | |
2576 | } | |
2577 | ret = 0; | |
2578 | ||
2579 | out: | |
72add155 SH |
2580 | return ret; |
2581 | } | |
2582 | ||
90e97284 CB |
2583 | /* Called from setup_limits - here we have the container's cgroup_data because |
2584 | * we created the cgroups. | |
ccb4cabe | 2585 | */ |
2202afc9 CB |
2586 | static int cg_legacy_set_data(struct cgroup_ops *ops, const char *filename, |
2587 | const char *value) | |
ccb4cabe | 2588 | { |
88396101 | 2589 | __do_free char *controller = NULL; |
d97919ab CB |
2590 | __do_free char *fullpath = NULL; |
2591 | char *p; | |
1a0e70ac CB |
2592 | /* "b|c <2^64-1>:<2^64-1> r|w|m" = 47 chars max */ |
2593 | char converted_value[50]; | |
b3646d7e CB |
2594 | struct hierarchy *h; |
2595 | int ret = 0; | |
64e82f8b | 2596 | |
861cb8c2 | 2597 | controller = must_copy_string(filename); |
ab1a6cac CB |
2598 | p = strchr(controller, '.'); |
2599 | if (p) | |
ccb4cabe SH |
2600 | *p = '\0'; |
2601 | ||
c8bf519d | 2602 | if (strcmp("devices.allow", filename) == 0 && value[0] == '/') { |
72add155 SH |
2603 | ret = convert_devpath(value, converted_value); |
2604 | if (ret < 0) | |
c8bf519d | 2605 | return ret; |
72add155 | 2606 | value = converted_value; |
c8bf519d | 2607 | } |
2608 | ||
2202afc9 | 2609 | h = get_hierarchy(ops, controller); |
b3646d7e CB |
2610 | if (!h) { |
2611 | ERROR("Failed to setup limits for the \"%s\" controller. " | |
2612 | "The controller seems to be unused by \"cgfsng\" cgroup " | |
2613 | "driver or not enabled on the cgroup hierarchy", | |
2614 | controller); | |
d1953b26 | 2615 | errno = ENOENT; |
ab1a6cac | 2616 | return -ENOENT; |
ccb4cabe | 2617 | } |
b3646d7e | 2618 | |
eb697136 | 2619 | fullpath = must_make_path(h->container_full_path, filename, NULL); |
7cea5905 | 2620 | ret = lxc_write_to_file(fullpath, value, strlen(value), false, 0666); |
ccb4cabe SH |
2621 | return ret; |
2622 | } | |
2623 | ||
c581d2a6 CB |
2624 | __cgfsng_ops static bool cgfsng_setup_limits_legacy(struct cgroup_ops *ops, |
2625 | struct lxc_conf *conf, | |
2626 | bool do_devices) | |
ccb4cabe | 2627 | { |
d97919ab | 2628 | __do_free struct lxc_list *sorted_cgroup_settings = NULL; |
c581d2a6 | 2629 | struct lxc_list *cgroup_settings = &conf->cgroup; |
d97919ab | 2630 | struct lxc_list *iterator, *next; |
ccb4cabe | 2631 | struct lxc_cgroup *cg; |
ccb4cabe SH |
2632 | bool ret = false; |
2633 | ||
2634 | if (lxc_list_empty(cgroup_settings)) | |
2635 | return true; | |
2636 | ||
69b4a4bb CB |
2637 | if (!ops->hierarchies) |
2638 | return false; | |
2639 | ||
ccb4cabe | 2640 | sorted_cgroup_settings = sort_cgroup_settings(cgroup_settings); |
6b38e644 | 2641 | if (!sorted_cgroup_settings) |
ccb4cabe | 2642 | return false; |
ccb4cabe | 2643 | |
ccb4cabe SH |
2644 | lxc_list_for_each(iterator, sorted_cgroup_settings) { |
2645 | cg = iterator->elem; | |
2646 | ||
2647 | if (do_devices == !strncmp("devices", cg->subsystem, 7)) { | |
2202afc9 | 2648 | if (cg_legacy_set_data(ops, cg->subsystem, cg->value)) { |
ccb4cabe | 2649 | if (do_devices && (errno == EACCES || errno == EPERM)) { |
c347df58 CB |
2650 | WARN("Failed to set \"%s\" to \"%s\"", |
2651 | cg->subsystem, cg->value); | |
ccb4cabe SH |
2652 | continue; |
2653 | } | |
c347df58 CB |
2654 | WARN("Failed to set \"%s\" to \"%s\"", |
2655 | cg->subsystem, cg->value); | |
ccb4cabe SH |
2656 | goto out; |
2657 | } | |
c347df58 CB |
2658 | DEBUG("Set controller \"%s\" set to \"%s\"", |
2659 | cg->subsystem, cg->value); | |
ccb4cabe | 2660 | } |
ccb4cabe SH |
2661 | } |
2662 | ||
2663 | ret = true; | |
6b38e644 | 2664 | INFO("Limits for the legacy cgroup hierarchies have been setup"); |
ccb4cabe | 2665 | out: |
ccb4cabe SH |
2666 | lxc_list_for_each_safe(iterator, sorted_cgroup_settings, next) { |
2667 | lxc_list_del(iterator); | |
2668 | free(iterator); | |
2669 | } | |
d97919ab | 2670 | |
ccb4cabe SH |
2671 | return ret; |
2672 | } | |
2673 | ||
bf651989 CB |
2674 | /* |
2675 | * Some of the parsing logic comes from the original cgroup device v1 | |
2676 | * implementation in the kernel. | |
2677 | */ | |
4bfb655e CB |
2678 | static int bpf_device_cgroup_prepare(struct cgroup_ops *ops, |
2679 | struct lxc_conf *conf, const char *key, | |
bf651989 CB |
2680 | const char *val) |
2681 | { | |
2682 | #ifdef HAVE_STRUCT_BPF_CGROUP_DEV_CTX | |
4bfb655e | 2683 | struct device_item device_item = {0}; |
2a63b5cb | 2684 | int ret; |
bf651989 | 2685 | |
2a63b5cb CB |
2686 | ret = device_cgroup_rule_parse(&device_item, key, val); |
2687 | if (ret < 0) | |
d2203230 | 2688 | return log_error_errno(-1, EINVAL, |
2a63b5cb CB |
2689 | "Failed to parse device string %s=%s", |
2690 | key, val); | |
4bfb655e CB |
2691 | |
2692 | ret = bpf_list_add_device(conf, &device_item); | |
2a63b5cb | 2693 | if (ret < 0) |
4bfb655e | 2694 | return -1; |
bf651989 CB |
2695 | #endif |
2696 | return 0; | |
2697 | } | |
2698 | ||
c581d2a6 CB |
2699 | __cgfsng_ops static bool cgfsng_setup_limits(struct cgroup_ops *ops, |
2700 | struct lxc_handler *handler) | |
6b38e644 CB |
2701 | { |
2702 | struct lxc_list *iterator; | |
2202afc9 | 2703 | struct hierarchy *h = ops->unified; |
c581d2a6 CB |
2704 | struct lxc_conf *conf = handler->conf; |
2705 | struct lxc_list *cgroup_settings = &conf->cgroup2; | |
6b38e644 CB |
2706 | |
2707 | if (lxc_list_empty(cgroup_settings)) | |
2708 | return true; | |
2709 | ||
2710 | if (!h) | |
2711 | return false; | |
2712 | ||
bf651989 | 2713 | lxc_list_for_each (iterator, cgroup_settings) { |
88396101 | 2714 | __do_free char *fullpath = NULL; |
6b38e644 | 2715 | int ret; |
6b38e644 CB |
2716 | struct lxc_cgroup *cg = iterator->elem; |
2717 | ||
bf651989 | 2718 | if (strncmp("devices", cg->subsystem, 7) == 0) { |
4bfb655e | 2719 | ret = bpf_device_cgroup_prepare(ops, conf, cg->subsystem, |
bf651989 CB |
2720 | cg->value); |
2721 | } else { | |
2722 | fullpath = must_make_path(h->container_full_path, | |
2723 | cg->subsystem, NULL); | |
2724 | ret = lxc_write_to_file(fullpath, cg->value, | |
2725 | strlen(cg->value), false, 0666); | |
2726 | if (ret < 0) { | |
2727 | SYSERROR("Failed to set \"%s\" to \"%s\"", | |
2728 | cg->subsystem, cg->value); | |
2729 | return false; | |
2730 | } | |
6b38e644 CB |
2731 | } |
2732 | TRACE("Set \"%s\" to \"%s\"", cg->subsystem, cg->value); | |
2733 | } | |
2734 | ||
2735 | INFO("Limits for the unified cgroup hierarchy have been setup"); | |
2736 | return true; | |
2737 | } | |
2738 | ||
bf651989 CB |
2739 | __cgfsng_ops bool cgfsng_devices_activate(struct cgroup_ops *ops, |
2740 | struct lxc_handler *handler) | |
2741 | { | |
2742 | #ifdef HAVE_STRUCT_BPF_CGROUP_DEV_CTX | |
2a63b5cb CB |
2743 | __do_bpf_program_free struct bpf_program *devices = NULL; |
2744 | struct lxc_conf *conf = handler->conf; | |
2745 | struct hierarchy *unified = ops->unified; | |
bf651989 | 2746 | int ret; |
2a63b5cb CB |
2747 | struct lxc_list *it; |
2748 | struct bpf_program *devices_old; | |
bf651989 | 2749 | |
9994db51 CB |
2750 | if (!unified || !unified->bpf_device_controller || |
2751 | !unified->container_full_path || lxc_list_empty(&conf->devices)) | |
bf651989 CB |
2752 | return true; |
2753 | ||
2a63b5cb CB |
2754 | devices = bpf_program_new(BPF_PROG_TYPE_CGROUP_DEVICE); |
2755 | if (!devices) | |
d47ff01b CB |
2756 | return log_error_errno(false, ENOMEM, |
2757 | "Failed to create new bpf program"); | |
2a63b5cb CB |
2758 | |
2759 | ret = bpf_program_init(devices); | |
bf651989 | 2760 | if (ret) |
d47ff01b CB |
2761 | return log_error_errno(false, ENOMEM, |
2762 | "Failed to initialize bpf program"); | |
2a63b5cb CB |
2763 | |
2764 | lxc_list_for_each(it, &conf->devices) { | |
2765 | struct device_item *cur = it->elem; | |
2766 | ||
2767 | ret = bpf_program_append_device(devices, cur); | |
2768 | if (ret) | |
d47ff01b CB |
2769 | return log_error_errno(false, |
2770 | ENOMEM, "Failed to add new rule to bpf device program: type %c, major %d, minor %d, access %s, allow %d, global_rule %d", | |
2771 | cur->type, cur->major, | |
2772 | cur->minor, cur->access, | |
2773 | cur->allow, cur->global_rule); | |
2a63b5cb CB |
2774 | TRACE("Added rule to bpf device program: type %c, major %d, minor %d, access %s, allow %d, global_rule %d", |
2775 | cur->type, cur->major, cur->minor, cur->access, | |
2776 | cur->allow, cur->global_rule); | |
2777 | } | |
2778 | ||
2779 | ret = bpf_program_finalize(devices); | |
2780 | if (ret) | |
d47ff01b CB |
2781 | return log_error_errno(false, ENOMEM, |
2782 | "Failed to finalize bpf program"); | |
bf651989 | 2783 | |
2a63b5cb CB |
2784 | ret = bpf_program_cgroup_attach(devices, BPF_CGROUP_DEVICE, |
2785 | unified->container_full_path, | |
cce5a3d7 CB |
2786 | BPF_F_ALLOW_MULTI); |
2787 | if (ret) | |
d47ff01b CB |
2788 | return log_error_errno(false, ENOMEM, |
2789 | "Failed to attach bpf program"); | |
cce5a3d7 CB |
2790 | |
2791 | /* Replace old bpf program. */ | |
2a63b5cb CB |
2792 | devices_old = move_ptr(conf->cgroup2_devices); |
2793 | conf->cgroup2_devices = move_ptr(devices); | |
2794 | devices = move_ptr(devices_old); | |
bf651989 | 2795 | #endif |
cce5a3d7 | 2796 | return true; |
bf651989 CB |
2797 | } |
2798 | ||
c581d2a6 | 2799 | bool __cgfsng_delegate_controllers(struct cgroup_ops *ops, const char *cgroup) |
6b38e644 | 2800 | { |
c581d2a6 CB |
2801 | __do_free char *add_controllers = NULL, *base_path = NULL; |
2802 | struct hierarchy *unified = ops->unified; | |
2803 | ssize_t parts_len; | |
2804 | char **it; | |
2805 | size_t full_len = 0; | |
2806 | char **parts = NULL; | |
2807 | bool bret = false; | |
6b38e644 | 2808 | |
c581d2a6 CB |
2809 | if (!ops->hierarchies || !pure_unified_layout(ops) || |
2810 | !unified->controllers[0]) | |
bf651989 CB |
2811 | return true; |
2812 | ||
c581d2a6 CB |
2813 | /* For now we simply enable all controllers that we have detected by |
2814 | * creating a string like "+memory +pids +cpu +io". | |
2815 | * TODO: In the near future we might want to support "-<controller>" | |
2816 | * etc. but whether supporting semantics like this make sense will need | |
2817 | * some thinking. | |
2818 | */ | |
2819 | for (it = unified->controllers; it && *it; it++) { | |
2820 | full_len += strlen(*it) + 2; | |
2821 | add_controllers = must_realloc(add_controllers, full_len + 1); | |
2822 | ||
2823 | if (unified->controllers[0] == *it) | |
2824 | add_controllers[0] = '\0'; | |
2825 | ||
2826 | (void)strlcat(add_controllers, "+", full_len + 1); | |
2827 | (void)strlcat(add_controllers, *it, full_len + 1); | |
2828 | ||
2829 | if ((it + 1) && *(it + 1)) | |
2830 | (void)strlcat(add_controllers, " ", full_len + 1); | |
2831 | } | |
2832 | ||
2833 | parts = lxc_string_split(cgroup, '/'); | |
2834 | if (!parts) | |
2835 | goto on_error; | |
2836 | ||
2837 | parts_len = lxc_array_len((void **)parts); | |
2838 | if (parts_len > 0) | |
2839 | parts_len--; | |
2840 | ||
2841 | base_path = must_make_path(unified->mountpoint, unified->container_base_path, NULL); | |
2842 | for (ssize_t i = -1; i < parts_len; i++) { | |
2843 | int ret; | |
2844 | __do_free char *target = NULL; | |
2845 | ||
2846 | if (i >= 0) | |
2847 | base_path = must_append_path(base_path, parts[i], NULL); | |
2848 | target = must_make_path(base_path, "cgroup.subtree_control", NULL); | |
2849 | ret = lxc_writeat(-1, target, add_controllers, full_len); | |
61fbc369 CB |
2850 | if (ret < 0) |
2851 | log_error_errno(goto on_error, | |
2852 | errno, "Could not enable \"%s\" controllers in the unified cgroup \"%s\"", | |
2853 | add_controllers, target); | |
c581d2a6 CB |
2854 | TRACE("Enable \"%s\" controllers in the unified cgroup \"%s\"", add_controllers, target); |
2855 | } | |
2856 | ||
2857 | bret = true; | |
2858 | ||
2859 | on_error: | |
2860 | lxc_free_array((void **)parts, free); | |
2861 | return bret; | |
2862 | } | |
2863 | ||
2864 | __cgfsng_ops bool cgfsng_monitor_delegate_controllers(struct cgroup_ops *ops) | |
2865 | { | |
61fbc369 CB |
2866 | if (!ops) |
2867 | return ret_set_errno(false, ENOENT); | |
2868 | ||
c581d2a6 CB |
2869 | return __cgfsng_delegate_controllers(ops, ops->monitor_cgroup); |
2870 | } | |
2871 | ||
2872 | __cgfsng_ops bool cgfsng_payload_delegate_controllers(struct cgroup_ops *ops) | |
2873 | { | |
61fbc369 CB |
2874 | if (!ops) |
2875 | return ret_set_errno(false, ENOENT); | |
2876 | ||
c581d2a6 | 2877 | return __cgfsng_delegate_controllers(ops, ops->container_cgroup); |
2202afc9 CB |
2878 | } |
2879 | ||
b7b18fc5 CB |
2880 | static bool cgroup_use_wants_controllers(const struct cgroup_ops *ops, |
2881 | char **controllers) | |
2882 | { | |
b7b18fc5 CB |
2883 | if (!ops->cgroup_use) |
2884 | return true; | |
2885 | ||
431e2c54 | 2886 | for (char **cur_ctrl = controllers; cur_ctrl && *cur_ctrl; cur_ctrl++) { |
b7b18fc5 CB |
2887 | bool found = false; |
2888 | ||
431e2c54 | 2889 | for (char **cur_use = ops->cgroup_use; cur_use && *cur_use; cur_use++) { |
b7b18fc5 CB |
2890 | if (strcmp(*cur_use, *cur_ctrl) != 0) |
2891 | continue; | |
2892 | ||
2893 | found = true; | |
2894 | break; | |
2895 | } | |
2896 | ||
2897 | if (found) | |
2898 | continue; | |
2899 | ||
2900 | return false; | |
2901 | } | |
2902 | ||
2903 | return true; | |
2904 | } | |
2905 | ||
a6ca2ed8 CB |
2906 | static void cg_unified_delegate(char ***delegate) |
2907 | { | |
d606c4e9 | 2908 | __do_free char *buf = NULL; |
a6ca2ed8 | 2909 | char *standard[] = {"cgroup.subtree_control", "cgroup.threads", NULL}; |
d606c4e9 CB |
2910 | char *token; |
2911 | int idx; | |
a6ca2ed8 | 2912 | |
d606c4e9 CB |
2913 | buf = read_file("/sys/kernel/cgroup/delegate"); |
2914 | if (!buf) { | |
a6ca2ed8 CB |
2915 | for (char **p = standard; p && *p; p++) { |
2916 | idx = append_null_to_list((void ***)delegate); | |
2917 | (*delegate)[idx] = must_copy_string(*p); | |
2918 | } | |
d606c4e9 CB |
2919 | log_warn_errno(return, errno, "Failed to read /sys/kernel/cgroup/delegate"); |
2920 | } | |
a6ca2ed8 | 2921 | |
d606c4e9 CB |
2922 | lxc_iterate_parts (token, buf, " \t\n") { |
2923 | /* | |
2924 | * We always need to chown this for both cgroup and | |
2925 | * cgroup2. | |
2926 | */ | |
2927 | if (strcmp(token, "cgroup.procs") == 0) | |
2928 | continue; | |
2929 | ||
2930 | idx = append_null_to_list((void ***)delegate); | |
2931 | (*delegate)[idx] = must_copy_string(token); | |
a6ca2ed8 CB |
2932 | } |
2933 | } | |
2934 | ||
2202afc9 CB |
2935 | /* At startup, parse_hierarchies finds all the info we need about cgroup |
2936 | * mountpoints and current cgroups, and stores it in @d. | |
2937 | */ | |
341e6516 | 2938 | static int cg_hybrid_init(struct cgroup_ops *ops, bool relative, bool unprivileged) |
2202afc9 | 2939 | { |
88396101 | 2940 | __do_free char *basecginfo = NULL; |
d97919ab CB |
2941 | __do_free char *line = NULL; |
2942 | __do_fclose FILE *f = NULL; | |
2202afc9 | 2943 | int ret; |
2202afc9 | 2944 | size_t len = 0; |
2202afc9 CB |
2945 | char **klist = NULL, **nlist = NULL; |
2946 | ||
2947 | /* Root spawned containers escape the current cgroup, so use init's | |
2948 | * cgroups as our base in that case. | |
2949 | */ | |
9caee129 | 2950 | if (!relative && (geteuid() == 0)) |
2202afc9 CB |
2951 | basecginfo = read_file("/proc/1/cgroup"); |
2952 | else | |
2953 | basecginfo = read_file("/proc/self/cgroup"); | |
2954 | if (!basecginfo) | |
341e6516 | 2955 | return ret_set_errno(-1, ENOMEM); |
2202afc9 CB |
2956 | |
2957 | ret = get_existing_subsystems(&klist, &nlist); | |
341e6516 CB |
2958 | if (ret < 0) |
2959 | return log_error_errno(-1, errno, "Failed to retrieve available legacy cgroup controllers"); | |
2202afc9 CB |
2960 | |
2961 | f = fopen("/proc/self/mountinfo", "r"); | |
341e6516 CB |
2962 | if (!f) |
2963 | return log_error_errno(-1, errno, "Failed to open \"/proc/self/mountinfo\""); | |
2202afc9 CB |
2964 | |
2965 | lxc_cgfsng_print_basecg_debuginfo(basecginfo, klist, nlist); | |
2966 | ||
2967 | while (getline(&line, &len, f) != -1) { | |
2968 | int type; | |
2969 | bool writeable; | |
2970 | struct hierarchy *new; | |
2971 | char *base_cgroup = NULL, *mountpoint = NULL; | |
2972 | char **controller_list = NULL; | |
2973 | ||
2974 | type = get_cgroup_version(line); | |
2975 | if (type == 0) | |
2976 | continue; | |
2977 | ||
2978 | if (type == CGROUP2_SUPER_MAGIC && ops->unified) | |
2979 | continue; | |
2980 | ||
2981 | if (ops->cgroup_layout == CGROUP_LAYOUT_UNKNOWN) { | |
2982 | if (type == CGROUP2_SUPER_MAGIC) | |
2983 | ops->cgroup_layout = CGROUP_LAYOUT_UNIFIED; | |
2984 | else if (type == CGROUP_SUPER_MAGIC) | |
2985 | ops->cgroup_layout = CGROUP_LAYOUT_LEGACY; | |
2986 | } else if (ops->cgroup_layout == CGROUP_LAYOUT_UNIFIED) { | |
2987 | if (type == CGROUP_SUPER_MAGIC) | |
2988 | ops->cgroup_layout = CGROUP_LAYOUT_HYBRID; | |
2989 | } else if (ops->cgroup_layout == CGROUP_LAYOUT_LEGACY) { | |
2990 | if (type == CGROUP2_SUPER_MAGIC) | |
2991 | ops->cgroup_layout = CGROUP_LAYOUT_HYBRID; | |
2992 | } | |
2993 | ||
2994 | controller_list = cg_hybrid_get_controllers(klist, nlist, line, type); | |
2995 | if (!controller_list && type == CGROUP_SUPER_MAGIC) | |
2996 | continue; | |
2997 | ||
2998 | if (type == CGROUP_SUPER_MAGIC) | |
2999 | if (controller_list_is_dup(ops->hierarchies, controller_list)) | |
341e6516 | 3000 | log_trace_errno(goto next, EEXIST, "Skipping duplicating controller"); |
2202afc9 CB |
3001 | |
3002 | mountpoint = cg_hybrid_get_mountpoint(line); | |
341e6516 CB |
3003 | if (!mountpoint) |
3004 | log_error_errno(goto next, EINVAL, "Failed parsing mountpoint from \"%s\"", line); | |
2202afc9 CB |
3005 | |
3006 | if (type == CGROUP_SUPER_MAGIC) | |
3007 | base_cgroup = cg_hybrid_get_current_cgroup(basecginfo, controller_list[0], CGROUP_SUPER_MAGIC); | |
3008 | else | |
3009 | base_cgroup = cg_hybrid_get_current_cgroup(basecginfo, NULL, CGROUP2_SUPER_MAGIC); | |
341e6516 CB |
3010 | if (!base_cgroup) |
3011 | log_error_errno(goto next, EINVAL, "Failed to find current cgroup"); | |
2202afc9 CB |
3012 | |
3013 | trim(base_cgroup); | |
3014 | prune_init_scope(base_cgroup); | |
3015 | if (type == CGROUP2_SUPER_MAGIC) | |
3016 | writeable = test_writeable_v2(mountpoint, base_cgroup); | |
3017 | else | |
3018 | writeable = test_writeable_v1(mountpoint, base_cgroup); | |
3019 | if (!writeable) | |
341e6516 | 3020 | log_trace_errno(goto next, EROFS, "The %s group is not writeable", base_cgroup); |
2202afc9 CB |
3021 | |
3022 | if (type == CGROUP2_SUPER_MAGIC) { | |
3023 | char *cgv2_ctrl_path; | |
3024 | ||
3025 | cgv2_ctrl_path = must_make_path(mountpoint, base_cgroup, | |
3026 | "cgroup.controllers", | |
3027 | NULL); | |
3028 | ||
3029 | controller_list = cg_unified_get_controllers(cgv2_ctrl_path); | |
3030 | free(cgv2_ctrl_path); | |
3031 | if (!controller_list) { | |
3032 | controller_list = cg_unified_make_empty_controller(); | |
3033 | TRACE("No controllers are enabled for " | |
3034 | "delegation in the unified hierarchy"); | |
3035 | } | |
3036 | } | |
3037 | ||
b7b18fc5 CB |
3038 | /* Exclude all controllers that cgroup use does not want. */ |
3039 | if (!cgroup_use_wants_controllers(ops, controller_list)) | |
341e6516 | 3040 | log_trace_errno(goto next, EINVAL, "Skipping controller"); |
b7b18fc5 | 3041 | |
2202afc9 | 3042 | new = add_hierarchy(&ops->hierarchies, controller_list, mountpoint, base_cgroup, type); |
a6ca2ed8 CB |
3043 | if (type == CGROUP2_SUPER_MAGIC && !ops->unified) { |
3044 | if (unprivileged) | |
3045 | cg_unified_delegate(&new->cgroup2_chown); | |
2202afc9 | 3046 | ops->unified = new; |
a6ca2ed8 | 3047 | } |
2202afc9 CB |
3048 | |
3049 | continue; | |
3050 | ||
3051 | next: | |
3052 | free_string_list(controller_list); | |
3053 | free(mountpoint); | |
3054 | free(base_cgroup); | |
3055 | } | |
3056 | ||
3057 | free_string_list(klist); | |
3058 | free_string_list(nlist); | |
3059 | ||
2202afc9 CB |
3060 | TRACE("Writable cgroup hierarchies:"); |
3061 | lxc_cgfsng_print_hierarchies(ops); | |
3062 | ||
3063 | /* verify that all controllers in cgroup.use and all crucial | |
3064 | * controllers are accounted for | |
3065 | */ | |
3066 | if (!all_controllers_found(ops)) | |
341e6516 | 3067 | return log_error_errno(-1, ENOENT, "Failed to find all required controllers"); |
2202afc9 | 3068 | |
341e6516 | 3069 | return 0; |
2202afc9 CB |
3070 | } |
3071 | ||
2202afc9 | 3072 | /* Get current cgroup from /proc/self/cgroup for the cgroupfs v2 hierarchy. */ |
9caee129 | 3073 | static char *cg_unified_get_current_cgroup(bool relative) |
2202afc9 | 3074 | { |
88396101 | 3075 | __do_free char *basecginfo = NULL; |
d97919ab | 3076 | char *base_cgroup; |
2202afc9 CB |
3077 | char *copy = NULL; |
3078 | ||
9caee129 | 3079 | if (!relative && (geteuid() == 0)) |
2202afc9 CB |
3080 | basecginfo = read_file("/proc/1/cgroup"); |
3081 | else | |
3082 | basecginfo = read_file("/proc/self/cgroup"); | |
3083 | if (!basecginfo) | |
3084 | return NULL; | |
3085 | ||
3086 | base_cgroup = strstr(basecginfo, "0::/"); | |
3087 | if (!base_cgroup) | |
3088 | goto cleanup_on_err; | |
3089 | ||
3090 | base_cgroup = base_cgroup + 3; | |
3091 | copy = copy_to_eol(base_cgroup); | |
3092 | if (!copy) | |
3093 | goto cleanup_on_err; | |
3094 | ||
3095 | cleanup_on_err: | |
2202afc9 CB |
3096 | if (copy) |
3097 | trim(copy); | |
3098 | ||
3099 | return copy; | |
3100 | } | |
3101 | ||
a6ca2ed8 CB |
3102 | static int cg_unified_init(struct cgroup_ops *ops, bool relative, |
3103 | bool unprivileged) | |
2202afc9 | 3104 | { |
d97919ab | 3105 | __do_free char *subtree_path = NULL; |
2202afc9 | 3106 | int ret; |
7717e175 | 3107 | char *mountpoint; |
2202afc9 | 3108 | char **delegatable; |
a6ca2ed8 | 3109 | struct hierarchy *new; |
2202afc9 CB |
3110 | char *base_cgroup = NULL; |
3111 | ||
d47ff01b | 3112 | ret = unified_cgroup_hierarchy(); |
2202afc9 | 3113 | if (ret == -ENOMEDIUM) |
d2203230 | 3114 | return ret_errno(ENOMEDIUM); |
2202afc9 CB |
3115 | |
3116 | if (ret != CGROUP2_SUPER_MAGIC) | |
3117 | return 0; | |
3118 | ||
9caee129 | 3119 | base_cgroup = cg_unified_get_current_cgroup(relative); |
2202afc9 | 3120 | if (!base_cgroup) |
d2203230 | 3121 | return ret_errno(EINVAL); |
c581d2a6 CB |
3122 | if (!relative) |
3123 | prune_init_scope(base_cgroup); | |
2202afc9 | 3124 | |
d606c4e9 CB |
3125 | /* |
3126 | * We assume that the cgroup we're currently in has been delegated to | |
3127 | * us and we are free to further delege all of the controllers listed | |
3128 | * in cgroup.controllers further down the hierarchy. | |
2202afc9 | 3129 | */ |
dca9587a | 3130 | mountpoint = must_copy_string(DEFAULT_CGROUP_MOUNTPOINT); |
c581d2a6 | 3131 | subtree_path = must_make_path(mountpoint, base_cgroup, "cgroup.controllers", NULL); |
2202afc9 | 3132 | delegatable = cg_unified_get_controllers(subtree_path); |
2202afc9 CB |
3133 | if (!delegatable) |
3134 | delegatable = cg_unified_make_empty_controller(); | |
3135 | if (!delegatable[0]) | |
3136 | TRACE("No controllers are enabled for delegation"); | |
3137 | ||
3138 | /* TODO: If the user requested specific controllers via lxc.cgroup.use | |
3139 | * we should verify here. The reason I'm not doing it right is that I'm | |
3140 | * not convinced that lxc.cgroup.use will be the future since it is a | |
3141 | * global property. I much rather have an option that lets you request | |
3142 | * controllers per container. | |
3143 | */ | |
3144 | ||
a6ca2ed8 | 3145 | new = add_hierarchy(&ops->hierarchies, delegatable, mountpoint, base_cgroup, CGROUP2_SUPER_MAGIC); |
d606c4e9 | 3146 | if (unprivileged) |
a6ca2ed8 | 3147 | cg_unified_delegate(&new->cgroup2_chown); |
2202afc9 | 3148 | |
2a63b5cb CB |
3149 | if (bpf_devices_cgroup_supported()) |
3150 | new->bpf_device_controller = 1; | |
3151 | ||
2202afc9 | 3152 | ops->cgroup_layout = CGROUP_LAYOUT_UNIFIED; |
908e0ee5 | 3153 | ops->unified = new; |
2202afc9 CB |
3154 | return CGROUP2_SUPER_MAGIC; |
3155 | } | |
3156 | ||
341e6516 | 3157 | static int cg_init(struct cgroup_ops *ops, struct lxc_conf *conf) |
2202afc9 CB |
3158 | { |
3159 | int ret; | |
3160 | const char *tmp; | |
9caee129 | 3161 | bool relative = conf->cgroup_meta.relative; |
2202afc9 CB |
3162 | |
3163 | tmp = lxc_global_config_value("lxc.cgroup.use"); | |
b7b18fc5 | 3164 | if (tmp) { |
88396101 | 3165 | __do_free char *pin = NULL; |
d97919ab | 3166 | char *chop, *cur; |
b7b18fc5 CB |
3167 | |
3168 | pin = must_copy_string(tmp); | |
3169 | chop = pin; | |
3170 | ||
d97919ab | 3171 | lxc_iterate_parts(cur, chop, ",") |
b7b18fc5 | 3172 | must_append_string(&ops->cgroup_use, cur); |
b7b18fc5 | 3173 | } |
2202afc9 | 3174 | |
a6ca2ed8 | 3175 | ret = cg_unified_init(ops, relative, !lxc_list_empty(&conf->id_map)); |
2202afc9 | 3176 | if (ret < 0) |
341e6516 | 3177 | return -1; |
2202afc9 CB |
3178 | |
3179 | if (ret == CGROUP2_SUPER_MAGIC) | |
341e6516 | 3180 | return 0; |
2202afc9 | 3181 | |
a6ca2ed8 | 3182 | return cg_hybrid_init(ops, relative, !lxc_list_empty(&conf->id_map)); |
2202afc9 CB |
3183 | } |
3184 | ||
341e6516 | 3185 | __cgfsng_ops static int cgfsng_data_init(struct cgroup_ops *ops) |
2202afc9 CB |
3186 | { |
3187 | const char *cgroup_pattern; | |
3188 | ||
341e6516 CB |
3189 | if (!ops) |
3190 | return ret_set_errno(-1, ENOENT); | |
3191 | ||
2202afc9 CB |
3192 | /* copy system-wide cgroup information */ |
3193 | cgroup_pattern = lxc_global_config_value("lxc.cgroup.pattern"); | |
3194 | if (!cgroup_pattern) { | |
3195 | /* lxc.cgroup.pattern is only NULL on error. */ | |
3196 | ERROR("Failed to retrieve cgroup pattern"); | |
341e6516 | 3197 | return ret_set_errno(-1, ENOMEM); |
2202afc9 CB |
3198 | } |
3199 | ops->cgroup_pattern = must_copy_string(cgroup_pattern); | |
625ad37b | 3200 | ops->monitor_pattern = MONITOR_CGROUP; |
2202afc9 | 3201 | |
341e6516 | 3202 | return 0; |
2202afc9 CB |
3203 | } |
3204 | ||
5a087e05 | 3205 | struct cgroup_ops *cgfsng_ops_init(struct lxc_conf *conf) |
2202afc9 | 3206 | { |
a64edc1c | 3207 | __do_free struct cgroup_ops *cgfsng_ops = NULL; |
2202afc9 CB |
3208 | |
3209 | cgfsng_ops = malloc(sizeof(struct cgroup_ops)); | |
3210 | if (!cgfsng_ops) | |
341e6516 | 3211 | return ret_set_errno(NULL, ENOMEM); |
2202afc9 CB |
3212 | |
3213 | memset(cgfsng_ops, 0, sizeof(struct cgroup_ops)); | |
3214 | cgfsng_ops->cgroup_layout = CGROUP_LAYOUT_UNKNOWN; | |
3215 | ||
341e6516 | 3216 | if (cg_init(cgfsng_ops, conf)) |
2202afc9 | 3217 | return NULL; |
2202afc9 | 3218 | |
bad788b0 CB |
3219 | cgfsng_ops->unified_fd = -EBADF; |
3220 | ||
2202afc9 | 3221 | cgfsng_ops->data_init = cgfsng_data_init; |
434c8e15 CB |
3222 | cgfsng_ops->payload_destroy = cgfsng_payload_destroy; |
3223 | cgfsng_ops->monitor_destroy = cgfsng_monitor_destroy; | |
72068e74 | 3224 | cgfsng_ops->monitor_create = cgfsng_monitor_create; |
eeef32bb | 3225 | cgfsng_ops->monitor_enter = cgfsng_monitor_enter; |
c581d2a6 CB |
3226 | cgfsng_ops->monitor_delegate_controllers = cgfsng_monitor_delegate_controllers; |
3227 | cgfsng_ops->payload_delegate_controllers = cgfsng_payload_delegate_controllers; | |
e8b181f5 CB |
3228 | cgfsng_ops->payload_create = cgfsng_payload_create; |
3229 | cgfsng_ops->payload_enter = cgfsng_payload_enter; | |
2202afc9 CB |
3230 | cgfsng_ops->escape = cgfsng_escape; |
3231 | cgfsng_ops->num_hierarchies = cgfsng_num_hierarchies; | |
3232 | cgfsng_ops->get_hierarchies = cgfsng_get_hierarchies; | |
3233 | cgfsng_ops->get_cgroup = cgfsng_get_cgroup; | |
3234 | cgfsng_ops->get = cgfsng_get; | |
3235 | cgfsng_ops->set = cgfsng_set; | |
942e193e | 3236 | cgfsng_ops->freeze = cgfsng_freeze; |
2202afc9 | 3237 | cgfsng_ops->unfreeze = cgfsng_unfreeze; |
c581d2a6 | 3238 | cgfsng_ops->setup_limits_legacy = cgfsng_setup_limits_legacy; |
2202afc9 CB |
3239 | cgfsng_ops->setup_limits = cgfsng_setup_limits; |
3240 | cgfsng_ops->driver = "cgfsng"; | |
3241 | cgfsng_ops->version = "1.0.0"; | |
3242 | cgfsng_ops->attach = cgfsng_attach; | |
3243 | cgfsng_ops->chown = cgfsng_chown; | |
3244 | cgfsng_ops->mount = cgfsng_mount; | |
3245 | cgfsng_ops->nrtasks = cgfsng_nrtasks; | |
bf651989 | 3246 | cgfsng_ops->devices_activate = cgfsng_devices_activate; |
2202afc9 | 3247 | |
a64edc1c | 3248 | return move_ptr(cgfsng_ops); |
2202afc9 | 3249 | } |