2 * lxc: linux Container library
4 * Copyright © 2016 Canonical Ltd.
7 * Serge Hallyn <serge.hallyn@ubuntu.com>
8 * Christian Brauner <christian.brauner@ubuntu.com>
10 * This library is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU Lesser General Public
12 * License as published by the Free Software Foundation; either
13 * version 2.1 of the License, or (at your option) any later version.
15 * This library is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
18 * Lesser General Public License for more details.
20 * You should have received a copy of the GNU Lesser General Public
21 * License along with this library; if not, write to the Free Software
22 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
26 * cgfs-ng.c: this is a new, simplified implementation of a filesystem
27 * cgroup backend. The original cgfs.c was designed to be as flexible
28 * as possible. It would try to find cgroup filesystems no matter where
29 * or how you had them mounted, and deduce the most usable mount for
32 * This new implementation assumes that cgroup filesystems are mounted
33 * under /sys/fs/cgroup/clist where clist is either the controller, or
34 * a comman-separated list of controllers.
48 #include <linux/kdev_t.h>
49 #include <linux/types.h>
50 #include <sys/types.h>
54 #include "cgroup_utils.h"
58 #include "storage/storage.h"
62 #include "include/strlcpy.h"
66 #include "include/strlcat.h"
69 lxc_log_define(cgfsng
, cgroup
);
71 static void free_string_list(char **clist
)
78 for (i
= 0; clist
[i
]; i
++)
84 /* Allocate a pointer, do not fail. */
85 static void *must_alloc(size_t sz
)
87 return must_realloc(NULL
, sz
);
90 /* Given a pointer to a null-terminated array of pointers, realloc to add one
91 * entry, and point the new entry to NULL. Do not fail. Return the index to the
92 * second-to-last entry - that is, the one which is now available for use
93 * (keeping the list null-terminated).
95 static int append_null_to_list(void ***list
)
100 for (; (*list
)[newentry
]; newentry
++)
103 *list
= must_realloc(*list
, (newentry
+ 2) * sizeof(void **));
104 (*list
)[newentry
+ 1] = NULL
;
108 /* Given a null-terminated array of strings, check whether @entry is one of the
111 static bool string_in_list(char **list
, const char *entry
)
118 for (i
= 0; list
[i
]; i
++)
119 if (strcmp(list
[i
], entry
) == 0)
125 /* Return a copy of @entry prepending "name=", i.e. turn "systemd" into
126 * "name=systemd". Do not fail.
128 static char *cg_legacy_must_prefix_named(char *entry
)
134 prefixed
= must_alloc(len
+ 6);
136 memcpy(prefixed
, "name=", sizeof("name=") - 1);
137 memcpy(prefixed
+ sizeof("name=") - 1, entry
, len
);
138 prefixed
[len
+ 5] = '\0';
142 /* Append an entry to the clist. Do not fail. @clist must be NULL the first time
145 * We also handle named subsystems here. Any controller which is not a kernel
146 * subsystem, we prefix "name=". Any which is both a kernel and named subsystem,
147 * we refuse to use because we're not sure which we have here.
148 * (TODO: We could work around this in some cases by just remounting to be
149 * unambiguous, or by comparing mountpoint contents with current cgroup.)
151 * The last entry will always be NULL.
153 static void must_append_controller(char **klist
, char **nlist
, char ***clist
,
159 if (string_in_list(klist
, entry
) && string_in_list(nlist
, entry
)) {
160 ERROR("Refusing to use ambiguous controller \"%s\"", entry
);
161 ERROR("It is both a named and kernel subsystem");
165 newentry
= append_null_to_list((void ***)clist
);
167 if (strncmp(entry
, "name=", 5) == 0)
168 copy
= must_copy_string(entry
);
169 else if (string_in_list(klist
, entry
))
170 copy
= must_copy_string(entry
);
172 copy
= cg_legacy_must_prefix_named(entry
);
174 (*clist
)[newentry
] = copy
;
177 /* Given a handler's cgroup data, return the struct hierarchy for the controller
178 * @c, or NULL if there is none.
180 struct hierarchy
*get_hierarchy(struct cgroup_ops
*ops
, const char *c
)
184 if (!ops
->hierarchies
)
187 for (i
= 0; ops
->hierarchies
[i
]; i
++) {
189 /* This is the empty unified hierarchy. */
190 if (ops
->hierarchies
[i
]->controllers
&&
191 !ops
->hierarchies
[i
]->controllers
[0])
192 return ops
->hierarchies
[i
];
197 if (string_in_list(ops
->hierarchies
[i
]->controllers
, c
))
198 return ops
->hierarchies
[i
];
204 #define BATCH_SIZE 50
205 static void batch_realloc(char **mem
, size_t oldlen
, size_t newlen
)
207 int newbatches
= (newlen
/ BATCH_SIZE
) + 1;
208 int oldbatches
= (oldlen
/ BATCH_SIZE
) + 1;
210 if (!*mem
|| newbatches
> oldbatches
) {
211 *mem
= must_realloc(*mem
, newbatches
* BATCH_SIZE
);
215 static void append_line(char **dest
, size_t oldlen
, char *new, size_t newlen
)
217 size_t full
= oldlen
+ newlen
;
219 batch_realloc(dest
, oldlen
, full
+ 1);
221 memcpy(*dest
+ oldlen
, new, newlen
+ 1);
224 /* Slurp in a whole file */
225 static char *read_file(const char *fnam
)
228 char *line
= NULL
, *buf
= NULL
;
229 size_t len
= 0, fulllen
= 0;
232 f
= fopen(fnam
, "r");
235 while ((linelen
= getline(&line
, &len
, f
)) != -1) {
236 append_line(&buf
, fulllen
, line
, linelen
);
244 /* Taken over modified from the kernel sources. */
245 #define NBITS 32 /* bits in uint32_t */
246 #define DIV_ROUND_UP(n, d) (((n) + (d)-1) / (d))
247 #define BITS_TO_LONGS(nr) DIV_ROUND_UP(nr, NBITS)
249 static void set_bit(unsigned bit
, uint32_t *bitarr
)
251 bitarr
[bit
/ NBITS
] |= (1 << (bit
% NBITS
));
254 static void clear_bit(unsigned bit
, uint32_t *bitarr
)
256 bitarr
[bit
/ NBITS
] &= ~(1 << (bit
% NBITS
));
259 static bool is_set(unsigned bit
, uint32_t *bitarr
)
261 return (bitarr
[bit
/ NBITS
] & (1 << (bit
% NBITS
))) != 0;
264 /* Create cpumask from cpulist aka turn:
272 static uint32_t *lxc_cpumask(char *buf
, size_t nbits
)
278 arrlen
= BITS_TO_LONGS(nbits
);
279 bitarr
= calloc(arrlen
, sizeof(uint32_t));
283 lxc_iterate_parts(token
, buf
, ",") {
288 start
= strtoul(token
, NULL
, 0);
290 range
= strchr(token
, '-');
292 end
= strtoul(range
+ 1, NULL
, 0);
294 if (!(start
<= end
)) {
305 set_bit(start
++, bitarr
);
311 /* Turn cpumask into simple, comma-separated cpulist. */
312 static char *lxc_cpumask_to_cpulist(uint32_t *bitarr
, size_t nbits
)
316 char **cpulist
= NULL
;
317 char numstr
[LXC_NUMSTRLEN64
] = {0};
319 for (i
= 0; i
<= nbits
; i
++) {
320 if (!is_set(i
, bitarr
))
323 ret
= snprintf(numstr
, LXC_NUMSTRLEN64
, "%zu", i
);
324 if (ret
< 0 || (size_t)ret
>= LXC_NUMSTRLEN64
) {
325 lxc_free_array((void **)cpulist
, free
);
329 ret
= lxc_append_string(&cpulist
, numstr
);
331 lxc_free_array((void **)cpulist
, free
);
339 return lxc_string_join(",", (const char **)cpulist
, false);
342 static ssize_t
get_max_cpus(char *cpulist
)
345 char *maxcpus
= cpulist
;
348 c1
= strrchr(maxcpus
, ',');
352 c2
= strrchr(maxcpus
, '-');
366 cpus
= strtoul(c1
, NULL
, 0);
373 #define __ISOL_CPUS "/sys/devices/system/cpu/isolated"
374 static bool cg_legacy_filter_and_set_cpus(char *path
, bool am_initialized
)
378 char *lastslash
, *fpath
, oldv
;
379 ssize_t maxisol
= 0, maxposs
= 0;
380 char *cpulist
= NULL
, *isolcpus
= NULL
, *posscpus
= NULL
;
381 uint32_t *isolmask
= NULL
, *possmask
= NULL
;
382 bool bret
= false, flipped_bit
= false;
384 lastslash
= strrchr(path
, '/');
386 ERROR("Failed to detect \"/\" in \"%s\"", path
);
391 fpath
= must_make_path(path
, "cpuset.cpus", NULL
);
392 posscpus
= read_file(fpath
);
394 SYSERROR("Failed to read file \"%s\"", fpath
);
398 /* Get maximum number of cpus found in possible cpuset. */
399 maxposs
= get_max_cpus(posscpus
);
400 if (maxposs
< 0 || maxposs
>= INT_MAX
- 1)
403 if (!file_exists(__ISOL_CPUS
)) {
404 /* This system doesn't expose isolated cpus. */
405 DEBUG("The path \""__ISOL_CPUS
"\" to read isolated cpus from does not exist");
407 /* No isolated cpus but we weren't already initialized by
408 * someone. We should simply copy the parents cpuset.cpus
411 if (!am_initialized
) {
412 DEBUG("Copying cpu settings of parent cgroup");
415 /* No isolated cpus but we were already initialized by someone.
416 * Nothing more to do for us.
421 isolcpus
= read_file(__ISOL_CPUS
);
423 SYSERROR("Failed to read file \""__ISOL_CPUS
"\"");
426 if (!isdigit(isolcpus
[0])) {
427 TRACE("No isolated cpus detected");
429 /* No isolated cpus but we weren't already initialized by
430 * someone. We should simply copy the parents cpuset.cpus
433 if (!am_initialized
) {
434 DEBUG("Copying cpu settings of parent cgroup");
437 /* No isolated cpus but we were already initialized by someone.
438 * Nothing more to do for us.
443 /* Get maximum number of cpus found in isolated cpuset. */
444 maxisol
= get_max_cpus(isolcpus
);
445 if (maxisol
< 0 || maxisol
>= INT_MAX
- 1)
448 if (maxposs
< maxisol
)
452 possmask
= lxc_cpumask(posscpus
, maxposs
);
454 ERROR("Failed to create cpumask for possible cpus");
458 isolmask
= lxc_cpumask(isolcpus
, maxposs
);
460 ERROR("Failed to create cpumask for isolated cpus");
464 for (i
= 0; i
<= maxposs
; i
++) {
465 if (!is_set(i
, isolmask
) || !is_set(i
, possmask
))
469 clear_bit(i
, possmask
);
473 DEBUG("No isolated cpus present in cpuset");
476 DEBUG("Removed isolated cpus from cpuset");
478 cpulist
= lxc_cpumask_to_cpulist(possmask
, maxposs
);
480 ERROR("Failed to create cpu list");
487 fpath
= must_make_path(path
, "cpuset.cpus", NULL
);
488 ret
= lxc_write_to_file(fpath
, cpulist
, strlen(cpulist
), false, 0666);
490 SYSERROR("Failed to write cpu list to \"%s\"", fpath
);
503 if (posscpus
!= cpulist
)
511 /* Copy contents of parent(@path)/@file to @path/@file */
512 static bool copy_parent_file(char *path
, char *file
)
515 char *fpath
, *lastslash
, oldv
;
519 lastslash
= strrchr(path
, '/');
521 ERROR("Failed to detect \"/\" in \"%s\"", path
);
526 fpath
= must_make_path(path
, file
, NULL
);
527 len
= lxc_read_from_file(fpath
, NULL
, 0);
531 value
= must_alloc(len
+ 1);
532 ret
= lxc_read_from_file(fpath
, value
, len
);
538 fpath
= must_make_path(path
, file
, NULL
);
539 ret
= lxc_write_to_file(fpath
, value
, len
, false, 0666);
541 SYSERROR("Failed to write \"%s\" to file \"%s\"", value
, fpath
);
547 SYSERROR("Failed to read file \"%s\"", fpath
);
553 /* Initialize the cpuset hierarchy in first directory of @gname and set
554 * cgroup.clone_children so that children inherit settings. Since the
555 * h->base_path is populated by init or ourselves, we know it is already
558 static bool cg_legacy_handle_cpuset_hierarchy(struct hierarchy
*h
, char *cgname
)
562 char *cgpath
, *clonechildrenpath
, *slash
;
564 if (!string_in_list(h
->controllers
, "cpuset"))
569 slash
= strchr(cgname
, '/');
573 cgpath
= must_make_path(h
->mountpoint
, h
->base_cgroup
, cgname
, NULL
);
577 ret
= mkdir(cgpath
, 0755);
579 if (errno
!= EEXIST
) {
580 SYSERROR("Failed to create directory \"%s\"", cgpath
);
587 must_make_path(cgpath
, "cgroup.clone_children", NULL
);
588 /* unified hierarchy doesn't have clone_children */
589 if (!file_exists(clonechildrenpath
)) {
590 free(clonechildrenpath
);
595 ret
= lxc_read_from_file(clonechildrenpath
, &v
, 1);
597 SYSERROR("Failed to read file \"%s\"", clonechildrenpath
);
598 free(clonechildrenpath
);
603 /* Make sure any isolated cpus are removed from cpuset.cpus. */
604 if (!cg_legacy_filter_and_set_cpus(cgpath
, v
== '1')) {
605 SYSERROR("Failed to remove isolated cpus");
606 free(clonechildrenpath
);
611 /* Already set for us by someone else. */
613 DEBUG("\"cgroup.clone_children\" was already set to \"1\"");
614 free(clonechildrenpath
);
619 /* copy parent's settings */
620 if (!copy_parent_file(cgpath
, "cpuset.mems")) {
621 SYSERROR("Failed to copy \"cpuset.mems\" settings");
623 free(clonechildrenpath
);
628 ret
= lxc_write_to_file(clonechildrenpath
, "1", 1, false, 0666);
630 /* Set clone_children so children inherit our settings */
631 SYSERROR("Failed to write 1 to \"%s\"", clonechildrenpath
);
632 free(clonechildrenpath
);
635 free(clonechildrenpath
);
639 /* Given two null-terminated lists of strings, return true if any string is in
642 static bool controller_lists_intersect(char **l1
, char **l2
)
649 for (i
= 0; l1
[i
]; i
++) {
650 if (string_in_list(l2
, l1
[i
]))
657 /* For a null-terminated list of controllers @clist, return true if any of those
658 * controllers is already listed the null-terminated list of hierarchies @hlist.
659 * Realistically, if one is present, all must be present.
661 static bool controller_list_is_dup(struct hierarchy
**hlist
, char **clist
)
668 for (i
= 0; hlist
[i
]; i
++)
669 if (controller_lists_intersect(hlist
[i
]->controllers
, clist
))
675 /* Return true if the controller @entry is found in the null-terminated list of
676 * hierarchies @hlist.
678 static bool controller_found(struct hierarchy
**hlist
, char *entry
)
685 for (i
= 0; hlist
[i
]; i
++)
686 if (string_in_list(hlist
[i
]->controllers
, entry
))
692 /* Return true if all of the controllers which we require have been found. The
693 * required list is freezer and anything in lxc.cgroup.use.
695 static bool all_controllers_found(struct cgroup_ops
*ops
)
698 struct hierarchy
**hlist
= ops
->hierarchies
;
700 if (!controller_found(hlist
, "freezer")) {
701 ERROR("No freezer controller mountpoint found");
705 if (!ops
->cgroup_use
)
708 for (cur
= ops
->cgroup_use
; cur
&& *cur
; cur
++)
709 if (!controller_found(hlist
, *cur
)) {
710 ERROR("No %s controller mountpoint found", *cur
);
717 /* Get the controllers from a mountinfo line There are other ways we could get
718 * this info. For lxcfs, field 3 is /cgroup/controller-list. For cgroupfs, we
719 * could parse the mount options. But we simply assume that the mountpoint must
720 * be /sys/fs/cgroup/controller-list
722 static char **cg_hybrid_get_controllers(char **klist
, char **nlist
, char *line
,
725 /* The fourth field is /sys/fs/cgroup/comma-delimited-controller-list
726 * for legacy hierarchies.
729 char *dup
, *p2
, *tok
;
730 char *p
= line
, *sep
= ",";
733 for (i
= 0; i
< 4; i
++) {
740 /* Note, if we change how mountinfo works, then our caller will need to
741 * verify /sys/fs/cgroup/ in this field.
743 if (strncmp(p
, "/sys/fs/cgroup/", 15) != 0) {
744 ERROR("Found hierarchy not under /sys/fs/cgroup: \"%s\"", p
);
751 ERROR("Corrupt mountinfo");
756 if (type
== CGROUP_SUPER_MAGIC
) {
757 /* strdup() here for v1 hierarchies. Otherwise
758 * lxc_iterate_parts() will destroy mountpoints such as
759 * "/sys/fs/cgroup/cpu,cpuacct".
765 lxc_iterate_parts(tok
, dup
, sep
) {
766 must_append_controller(klist
, nlist
, &aret
, tok
);
776 static char **cg_unified_make_empty_controller(void)
781 newentry
= append_null_to_list((void ***)&aret
);
782 aret
[newentry
] = NULL
;
786 static char **cg_unified_get_controllers(const char *file
)
792 buf
= read_file(file
);
796 lxc_iterate_parts(tok
, buf
, sep
) {
800 newentry
= append_null_to_list((void ***)&aret
);
801 copy
= must_copy_string(tok
);
802 aret
[newentry
] = copy
;
809 static struct hierarchy
*add_hierarchy(struct hierarchy
***h
, char **clist
, char *mountpoint
,
810 char *base_cgroup
, int type
)
812 struct hierarchy
*new;
815 new = must_alloc(sizeof(*new));
816 new->controllers
= clist
;
817 new->mountpoint
= mountpoint
;
818 new->base_cgroup
= base_cgroup
;
819 new->fullcgpath
= NULL
;
822 newentry
= append_null_to_list((void ***)h
);
823 (*h
)[newentry
] = new;
827 /* Get a copy of the mountpoint from @line, which is a line from
828 * /proc/self/mountinfo.
830 static char *cg_hybrid_get_mountpoint(char *line
)
835 char *p
= line
, *sret
= NULL
;
837 for (i
= 0; i
< 4; i
++) {
844 if (strncmp(p
, "/sys/fs/cgroup/", 15) != 0)
847 p2
= strchr(p
+ 15, ' ');
853 sret
= must_alloc(len
+ 1);
854 memcpy(sret
, p
, len
);
859 /* Given a multi-line string, return a null-terminated copy of the current line. */
860 static char *copy_to_eol(char *p
)
862 char *p2
= strchr(p
, '\n'), *sret
;
869 sret
= must_alloc(len
+ 1);
870 memcpy(sret
, p
, len
);
875 /* cgline: pointer to character after the first ':' in a line in a \n-terminated
876 * /proc/self/cgroup file. Check whether controller c is present.
878 static bool controller_in_clist(char *cgline
, char *c
)
880 char *tok
, *eol
, *tmp
;
883 eol
= strchr(cgline
, ':');
888 tmp
= alloca(len
+ 1);
889 memcpy(tmp
, cgline
, len
);
892 lxc_iterate_parts(tok
, tmp
, ",") {
893 if (strcmp(tok
, c
) == 0)
900 /* @basecginfo is a copy of /proc/$$/cgroup. Return the current cgroup for
903 static char *cg_hybrid_get_current_cgroup(char *basecginfo
, char *controller
,
906 char *p
= basecginfo
;
909 bool is_cgv2_base_cgroup
= false;
911 /* cgroup v2 entry in "/proc/<pid>/cgroup": "0::/some/path" */
912 if ((type
== CGROUP2_SUPER_MAGIC
) && (*p
== '0'))
913 is_cgv2_base_cgroup
= true;
920 if (is_cgv2_base_cgroup
|| (controller
&& controller_in_clist(p
, controller
))) {
925 return copy_to_eol(p
);
935 static void must_append_string(char ***list
, char *entry
)
940 newentry
= append_null_to_list((void ***)list
);
941 copy
= must_copy_string(entry
);
942 (*list
)[newentry
] = copy
;
945 static int get_existing_subsystems(char ***klist
, char ***nlist
)
951 f
= fopen("/proc/self/cgroup", "r");
955 while (getline(&line
, &len
, f
) != -1) {
957 p
= strchr(line
, ':');
966 /* If the kernel has cgroup v2 support, then /proc/self/cgroup
967 * contains an entry of the form:
971 * In this case we use "cgroup2" as controller name.
974 must_append_string(klist
, "cgroup2");
978 lxc_iterate_parts(tok
, p
, ",") {
979 if (strncmp(tok
, "name=", 5) == 0)
980 must_append_string(nlist
, tok
);
982 must_append_string(klist
, tok
);
991 static void trim(char *s
)
996 while ((len
> 1) && (s
[len
- 1] == '\n'))
1000 static void lxc_cgfsng_print_hierarchies(struct cgroup_ops
*ops
)
1003 struct hierarchy
**it
;
1005 if (!ops
->hierarchies
) {
1006 TRACE(" No hierarchies found");
1010 TRACE(" Hierarchies:");
1011 for (i
= 0, it
= ops
->hierarchies
; it
&& *it
; it
++, i
++) {
1015 TRACE(" %d: base_cgroup: %s", i
, (*it
)->base_cgroup
? (*it
)->base_cgroup
: "(null)");
1016 TRACE(" mountpoint: %s", (*it
)->mountpoint
? (*it
)->mountpoint
: "(null)");
1017 TRACE(" controllers:");
1018 for (j
= 0, cit
= (*it
)->controllers
; cit
&& *cit
; cit
++, j
++)
1019 TRACE(" %d: %s", j
, *cit
);
1023 static void lxc_cgfsng_print_basecg_debuginfo(char *basecginfo
, char **klist
,
1029 TRACE("basecginfo is:");
1030 TRACE("%s", basecginfo
);
1032 for (k
= 0, it
= klist
; it
&& *it
; it
++, k
++)
1033 TRACE("kernel subsystem %d: %s", k
, *it
);
1035 for (k
= 0, it
= nlist
; it
&& *it
; it
++, k
++)
1036 TRACE("named subsystem %d: %s", k
, *it
);
1039 static int cgroup_rmdir(struct hierarchy
**hierarchies
,
1040 const char *container_cgroup
)
1044 if (!container_cgroup
|| !hierarchies
)
1047 for (i
= 0; hierarchies
[i
]; i
++) {
1049 struct hierarchy
*h
= hierarchies
[i
];
1054 ret
= recursive_destroy(h
->fullcgpath
);
1056 WARN("Failed to destroy \"%s\"", h
->fullcgpath
);
1058 free(h
->fullcgpath
);
1059 h
->fullcgpath
= NULL
;
1065 struct generic_userns_exec_data
{
1066 struct hierarchy
**hierarchies
;
1067 const char *container_cgroup
;
1068 struct lxc_conf
*conf
;
1069 uid_t origuid
; /* target uid in parent namespace */
1073 static int cgroup_rmdir_wrapper(void *data
)
1076 struct generic_userns_exec_data
*arg
= data
;
1077 uid_t nsuid
= (arg
->conf
->root_nsuid_map
!= NULL
) ? 0 : arg
->conf
->init_uid
;
1078 gid_t nsgid
= (arg
->conf
->root_nsgid_map
!= NULL
) ? 0 : arg
->conf
->init_gid
;
1080 ret
= setresgid(nsgid
, nsgid
, nsgid
);
1082 SYSERROR("Failed to setresgid(%d, %d, %d)", (int)nsgid
,
1083 (int)nsgid
, (int)nsgid
);
1087 ret
= setresuid(nsuid
, nsuid
, nsuid
);
1089 SYSERROR("Failed to setresuid(%d, %d, %d)", (int)nsuid
,
1090 (int)nsuid
, (int)nsuid
);
1094 ret
= setgroups(0, NULL
);
1095 if (ret
< 0 && errno
!= EPERM
) {
1096 SYSERROR("Failed to setgroups(0, NULL)");
1100 return cgroup_rmdir(arg
->hierarchies
, arg
->container_cgroup
);
1103 static void cgfsng_destroy(struct cgroup_ops
*ops
, struct lxc_handler
*handler
)
1106 struct generic_userns_exec_data wrap
;
1109 wrap
.container_cgroup
= ops
->container_cgroup
;
1110 wrap
.hierarchies
= ops
->hierarchies
;
1111 wrap
.conf
= handler
->conf
;
1113 if (handler
->conf
&& !lxc_list_empty(&handler
->conf
->id_map
))
1114 ret
= userns_exec_1(handler
->conf
, cgroup_rmdir_wrapper
, &wrap
,
1115 "cgroup_rmdir_wrapper");
1117 ret
= cgroup_rmdir(ops
->hierarchies
, ops
->container_cgroup
);
1119 WARN("Failed to destroy cgroups");
1124 static bool cg_unified_create_cgroup(struct hierarchy
*h
, char *cgname
)
1126 size_t i
, parts_len
;
1128 size_t full_len
= 0;
1129 char *add_controllers
= NULL
, *cgroup
= NULL
;
1130 char **parts
= NULL
;
1133 if (h
->version
!= CGROUP2_SUPER_MAGIC
)
1136 if (!h
->controllers
)
1139 /* For now we simply enable all controllers that we have detected by
1140 * creating a string like "+memory +pids +cpu +io".
1141 * TODO: In the near future we might want to support "-<controller>"
1142 * etc. but whether supporting semantics like this make sense will need
1145 for (it
= h
->controllers
; it
&& *it
; it
++) {
1146 full_len
+= strlen(*it
) + 2;
1147 add_controllers
= must_realloc(add_controllers
, full_len
+ 1);
1149 if (h
->controllers
[0] == *it
)
1150 add_controllers
[0] = '\0';
1152 (void)strlcat(add_controllers
, "+", full_len
+ 1);
1153 (void)strlcat(add_controllers
, *it
, full_len
+ 1);
1155 if ((it
+ 1) && *(it
+ 1))
1156 (void)strlcat(add_controllers
, " ", full_len
+ 1);
1159 parts
= lxc_string_split(cgname
, '/');
1163 parts_len
= lxc_array_len((void **)parts
);
1167 cgroup
= must_make_path(h
->mountpoint
, h
->base_cgroup
, NULL
);
1168 for (i
= 0; i
< parts_len
; i
++) {
1172 cgroup
= must_append_path(cgroup
, parts
[i
], NULL
);
1173 target
= must_make_path(cgroup
, "cgroup.subtree_control", NULL
);
1174 ret
= lxc_write_to_file(target
, add_controllers
, full_len
, false, 0666);
1177 SYSERROR("Could not enable \"%s\" controllers in the "
1178 "unified cgroup \"%s\"", add_controllers
, cgroup
);
1186 lxc_free_array((void **)parts
, free
);
1187 free(add_controllers
);
1192 static bool create_path_for_hierarchy(struct hierarchy
*h
, char *cgname
)
1196 h
->fullcgpath
= must_make_path(h
->mountpoint
, h
->base_cgroup
, cgname
, NULL
);
1197 if (dir_exists(h
->fullcgpath
)) {
1198 ERROR("The cgroup \"%s\" already existed", h
->fullcgpath
);
1202 if (!cg_legacy_handle_cpuset_hierarchy(h
, cgname
)) {
1203 ERROR("Failed to handle legacy cpuset controller");
1207 ret
= mkdir_p(h
->fullcgpath
, 0755);
1209 ERROR("Failed to create cgroup \"%s\"", h
->fullcgpath
);
1213 return cg_unified_create_cgroup(h
, cgname
);
1216 static void remove_path_for_hierarchy(struct hierarchy
*h
, char *cgname
)
1220 ret
= rmdir(h
->fullcgpath
);
1222 SYSERROR("Failed to rmdir(\"%s\") from failed creation attempt", h
->fullcgpath
);
1224 free(h
->fullcgpath
);
1225 h
->fullcgpath
= NULL
;
1228 /* Try to create the same cgroup in all hierarchies. Start with cgroup_pattern;
1229 * next cgroup_pattern-1, -2, ..., -999.
1231 static inline bool cgfsng_create(struct cgroup_ops
*ops
,
1232 struct lxc_handler
*handler
)
1236 char *container_cgroup
, *offset
, *tmp
;
1238 struct lxc_conf
*conf
= handler
->conf
;
1240 if (ops
->container_cgroup
) {
1241 WARN("cgfsng_create called a second time: %s", ops
->container_cgroup
);
1248 if (conf
->cgroup_meta
.dir
)
1249 tmp
= lxc_string_join("/", (const char *[]){conf
->cgroup_meta
.dir
, handler
->name
, NULL
}, false);
1251 tmp
= lxc_string_replace("%n", handler
->name
, ops
->cgroup_pattern
);
1253 ERROR("Failed expanding cgroup name pattern");
1257 len
= strlen(tmp
) + 5; /* leave room for -NNN\0 */
1258 container_cgroup
= must_alloc(len
);
1259 (void)strlcpy(container_cgroup
, tmp
, len
);
1261 offset
= container_cgroup
+ len
- 5;
1265 ERROR("Too many conflicting cgroup names");
1272 ret
= snprintf(offset
, 5, "-%d", idx
);
1273 if (ret
< 0 || (size_t)ret
>= 5) {
1274 FILE *f
= fopen("/dev/null", "w");
1276 fprintf(f
, "Workaround for GCC7 bug: "
1277 "https://gcc.gnu.org/bugzilla/"
1278 "show_bug.cgi?id=78969");
1284 for (i
= 0; ops
->hierarchies
[i
]; i
++) {
1285 if (!create_path_for_hierarchy(ops
->hierarchies
[i
], container_cgroup
)) {
1287 ERROR("Failed to create cgroup \"%s\"", ops
->hierarchies
[i
]->fullcgpath
);
1288 free(ops
->hierarchies
[i
]->fullcgpath
);
1289 ops
->hierarchies
[i
]->fullcgpath
= NULL
;
1290 for (j
= 0; j
< i
; j
++)
1291 remove_path_for_hierarchy(ops
->hierarchies
[j
], container_cgroup
);
1297 ops
->container_cgroup
= container_cgroup
;
1302 free(container_cgroup
);
1307 static bool cgfsng_enter(struct cgroup_ops
*ops
, pid_t pid
)
1312 len
= snprintf(pidstr
, 25, "%d", pid
);
1313 if (len
< 0 || len
>= 25)
1316 for (i
= 0; ops
->hierarchies
[i
]; i
++) {
1320 fullpath
= must_make_path(ops
->hierarchies
[i
]->fullcgpath
,
1321 "cgroup.procs", NULL
);
1322 ret
= lxc_write_to_file(fullpath
, pidstr
, len
, false, 0666);
1324 SYSERROR("Failed to enter cgroup \"%s\"", fullpath
);
1334 static int chowmod(char *path
, uid_t chown_uid
, gid_t chown_gid
,
1339 ret
= chown(path
, chown_uid
, chown_gid
);
1341 SYSWARN("Failed to chown(%s, %d, %d)", path
, (int)chown_uid
, (int)chown_gid
);
1345 ret
= chmod(path
, chmod_mode
);
1347 SYSWARN("Failed to chmod(%s, %d)", path
, (int)chmod_mode
);
1354 /* chgrp the container cgroups to container group. We leave
1355 * the container owner as cgroup owner. So we must make the
1356 * directories 775 so that the container can create sub-cgroups.
1358 * Also chown the tasks and cgroup.procs files. Those may not
1359 * exist depending on kernel version.
1361 static int chown_cgroup_wrapper(void *data
)
1365 struct generic_userns_exec_data
*arg
= data
;
1366 uid_t nsuid
= (arg
->conf
->root_nsuid_map
!= NULL
) ? 0 : arg
->conf
->init_uid
;
1367 gid_t nsgid
= (arg
->conf
->root_nsgid_map
!= NULL
) ? 0 : arg
->conf
->init_gid
;
1369 ret
= setresgid(nsgid
, nsgid
, nsgid
);
1371 SYSERROR("Failed to setresgid(%d, %d, %d)",
1372 (int)nsgid
, (int)nsgid
, (int)nsgid
);
1376 ret
= setresuid(nsuid
, nsuid
, nsuid
);
1378 SYSERROR("Failed to setresuid(%d, %d, %d)",
1379 (int)nsuid
, (int)nsuid
, (int)nsuid
);
1383 ret
= setgroups(0, NULL
);
1384 if (ret
< 0 && errno
!= EPERM
) {
1385 SYSERROR("Failed to setgroups(0, NULL)");
1389 destuid
= get_ns_uid(arg
->origuid
);
1391 for (i
= 0; arg
->hierarchies
[i
]; i
++) {
1393 char *path
= arg
->hierarchies
[i
]->fullcgpath
;
1395 ret
= chowmod(path
, destuid
, nsgid
, 0775);
1399 /* Failures to chown() these are inconvenient but not
1400 * detrimental We leave these owned by the container launcher,
1401 * so that container root can write to the files to attach. We
1402 * chmod() them 664 so that container systemd can write to the
1403 * files (which systemd in wily insists on doing).
1406 if (arg
->hierarchies
[i
]->version
== CGROUP_SUPER_MAGIC
) {
1407 fullpath
= must_make_path(path
, "tasks", NULL
);
1408 (void)chowmod(fullpath
, destuid
, nsgid
, 0664);
1412 fullpath
= must_make_path(path
, "cgroup.procs", NULL
);
1413 (void)chowmod(fullpath
, destuid
, nsgid
, 0664);
1416 if (arg
->hierarchies
[i
]->version
!= CGROUP2_SUPER_MAGIC
)
1419 fullpath
= must_make_path(path
, "cgroup.subtree_control", NULL
);
1420 (void)chowmod(fullpath
, destuid
, nsgid
, 0664);
1423 fullpath
= must_make_path(path
, "cgroup.threads", NULL
);
1424 (void)chowmod(fullpath
, destuid
, nsgid
, 0664);
1431 static bool cgfsng_chown(struct cgroup_ops
*ops
, struct lxc_conf
*conf
)
1433 struct generic_userns_exec_data wrap
;
1435 if (lxc_list_empty(&conf
->id_map
))
1438 wrap
.origuid
= geteuid();
1440 wrap
.hierarchies
= ops
->hierarchies
;
1443 if (userns_exec_1(conf
, chown_cgroup_wrapper
, &wrap
,
1444 "chown_cgroup_wrapper") < 0) {
1445 ERROR("Error requesting cgroup chown in new user namespace");
1452 /* cgroup-full:* is done, no need to create subdirs */
1453 static bool cg_mount_needs_subdirs(int type
)
1455 if (type
>= LXC_AUTO_CGROUP_FULL_RO
)
1461 /* After $rootfs/sys/fs/container/controller/the/cg/path has been created,
1462 * remount controller ro if needed and bindmount the cgroupfs onto
1463 * controll/the/cg/path.
1465 static int cg_legacy_mount_controllers(int type
, struct hierarchy
*h
,
1466 char *controllerpath
, char *cgpath
,
1467 const char *container_cgroup
)
1469 int ret
, remount_flags
;
1471 int flags
= MS_BIND
;
1473 if (type
== LXC_AUTO_CGROUP_RO
|| type
== LXC_AUTO_CGROUP_MIXED
) {
1474 ret
= mount(controllerpath
, controllerpath
, "cgroup", MS_BIND
, NULL
);
1476 SYSERROR("Failed to bind mount \"%s\" onto \"%s\"",
1477 controllerpath
, controllerpath
);
1481 remount_flags
= add_required_remount_flags(controllerpath
,
1483 flags
| MS_REMOUNT
);
1484 ret
= mount(controllerpath
, controllerpath
, "cgroup",
1485 remount_flags
| MS_REMOUNT
| MS_BIND
| MS_RDONLY
,
1488 SYSERROR("Failed to remount \"%s\" ro", controllerpath
);
1492 INFO("Remounted %s read-only", controllerpath
);
1495 sourcepath
= must_make_path(h
->mountpoint
, h
->base_cgroup
,
1496 container_cgroup
, NULL
);
1497 if (type
== LXC_AUTO_CGROUP_RO
)
1500 ret
= mount(sourcepath
, cgpath
, "cgroup", flags
, NULL
);
1502 SYSERROR("Failed to mount \"%s\" onto \"%s\"", h
->controllers
[0], cgpath
);
1506 INFO("Mounted \"%s\" onto \"%s\"", h
->controllers
[0], cgpath
);
1508 if (flags
& MS_RDONLY
) {
1509 remount_flags
= add_required_remount_flags(sourcepath
, cgpath
,
1510 flags
| MS_REMOUNT
);
1511 ret
= mount(sourcepath
, cgpath
, "cgroup", remount_flags
, NULL
);
1513 SYSERROR("Failed to remount \"%s\" ro", cgpath
);
1517 INFO("Remounted %s read-only", cgpath
);
1521 INFO("Completed second stage cgroup automounts for \"%s\"", cgpath
);
1525 /* __cg_mount_direct
1527 * Mount cgroup hierarchies directly without using bind-mounts. The main
1528 * uses-cases are mounting cgroup hierarchies in cgroup namespaces and mounting
1529 * cgroups for the LXC_AUTO_CGROUP_FULL option.
1531 static int __cg_mount_direct(int type
, struct hierarchy
*h
,
1532 const char *controllerpath
)
1535 char *controllers
= NULL
;
1536 char *fstype
= "cgroup2";
1537 unsigned long flags
= 0;
1542 flags
|= MS_RELATIME
;
1544 if (type
== LXC_AUTO_CGROUP_RO
|| type
== LXC_AUTO_CGROUP_FULL_RO
)
1547 if (h
->version
!= CGROUP2_SUPER_MAGIC
) {
1548 controllers
= lxc_string_join(",", (const char **)h
->controllers
, false);
1554 ret
= mount("cgroup", controllerpath
, fstype
, flags
, controllers
);
1557 SYSERROR("Failed to mount \"%s\" with cgroup filesystem type %s", controllerpath
, fstype
);
1561 DEBUG("Mounted \"%s\" with cgroup filesystem type %s", controllerpath
, fstype
);
1565 static inline int cg_mount_in_cgroup_namespace(int type
, struct hierarchy
*h
,
1566 const char *controllerpath
)
1568 return __cg_mount_direct(type
, h
, controllerpath
);
1571 static inline int cg_mount_cgroup_full(int type
, struct hierarchy
*h
,
1572 const char *controllerpath
)
1574 if (type
< LXC_AUTO_CGROUP_FULL_RO
|| type
> LXC_AUTO_CGROUP_FULL_MIXED
)
1577 return __cg_mount_direct(type
, h
, controllerpath
);
1580 static bool cgfsng_mount(struct cgroup_ops
*ops
, struct lxc_handler
*handler
,
1581 const char *root
, int type
)
1584 char *tmpfspath
= NULL
;
1585 bool has_cgns
= false, retval
= false, wants_force_mount
= false;
1587 if ((type
& LXC_AUTO_CGROUP_MASK
) == 0)
1590 if (type
& LXC_AUTO_CGROUP_FORCE
) {
1591 type
&= ~LXC_AUTO_CGROUP_FORCE
;
1592 wants_force_mount
= true;
1595 if (!wants_force_mount
){
1596 if (!lxc_list_empty(&handler
->conf
->keepcaps
))
1597 wants_force_mount
= !in_caplist(CAP_SYS_ADMIN
, &handler
->conf
->keepcaps
);
1599 wants_force_mount
= in_caplist(CAP_SYS_ADMIN
, &handler
->conf
->caps
);
1602 has_cgns
= cgns_supported();
1603 if (has_cgns
&& !wants_force_mount
)
1606 if (type
== LXC_AUTO_CGROUP_NOSPEC
)
1607 type
= LXC_AUTO_CGROUP_MIXED
;
1608 else if (type
== LXC_AUTO_CGROUP_FULL_NOSPEC
)
1609 type
= LXC_AUTO_CGROUP_FULL_MIXED
;
1612 tmpfspath
= must_make_path(root
, "/sys/fs/cgroup", NULL
);
1613 ret
= safe_mount(NULL
, tmpfspath
, "tmpfs",
1614 MS_NOSUID
| MS_NODEV
| MS_NOEXEC
| MS_RELATIME
,
1615 "size=10240k,mode=755", root
);
1619 for (i
= 0; ops
->hierarchies
[i
]; i
++) {
1620 char *controllerpath
, *path2
;
1621 struct hierarchy
*h
= ops
->hierarchies
[i
];
1622 char *controller
= strrchr(h
->mountpoint
, '/');
1628 controllerpath
= must_make_path(tmpfspath
, controller
, NULL
);
1629 if (dir_exists(controllerpath
)) {
1630 free(controllerpath
);
1634 ret
= mkdir(controllerpath
, 0755);
1636 SYSERROR("Error creating cgroup path: %s", controllerpath
);
1637 free(controllerpath
);
1641 if (has_cgns
&& wants_force_mount
) {
1642 /* If cgroup namespaces are supported but the container
1643 * will not have CAP_SYS_ADMIN after it has started we
1644 * need to mount the cgroups manually.
1646 ret
= cg_mount_in_cgroup_namespace(type
, h
, controllerpath
);
1647 free(controllerpath
);
1654 ret
= cg_mount_cgroup_full(type
, h
, controllerpath
);
1656 free(controllerpath
);
1660 if (!cg_mount_needs_subdirs(type
)) {
1661 free(controllerpath
);
1665 path2
= must_make_path(controllerpath
, h
->base_cgroup
,
1666 ops
->container_cgroup
, NULL
);
1667 ret
= mkdir_p(path2
, 0755);
1669 free(controllerpath
);
1674 ret
= cg_legacy_mount_controllers(type
, h
, controllerpath
,
1675 path2
, ops
->container_cgroup
);
1676 free(controllerpath
);
1688 static int recursive_count_nrtasks(char *dirname
)
1690 struct dirent
*direntp
;
1695 dir
= opendir(dirname
);
1699 while ((direntp
= readdir(dir
))) {
1702 if (!strcmp(direntp
->d_name
, ".") ||
1703 !strcmp(direntp
->d_name
, ".."))
1706 path
= must_make_path(dirname
, direntp
->d_name
, NULL
);
1708 if (lstat(path
, &mystat
))
1711 if (!S_ISDIR(mystat
.st_mode
))
1714 count
+= recursive_count_nrtasks(path
);
1719 path
= must_make_path(dirname
, "cgroup.procs", NULL
);
1720 ret
= lxc_count_file_lines(path
);
1725 (void)closedir(dir
);
1730 static int cgfsng_nrtasks(struct cgroup_ops
*ops
)
1735 if (!ops
->container_cgroup
|| !ops
->hierarchies
)
1738 path
= must_make_path(ops
->hierarchies
[0]->fullcgpath
, NULL
);
1739 count
= recursive_count_nrtasks(path
);
1744 /* Only root needs to escape to the cgroup of its init. */
1745 static bool cgfsng_escape(const struct cgroup_ops
*ops
)
1752 for (i
= 0; ops
->hierarchies
[i
]; i
++) {
1756 fullpath
= must_make_path(ops
->hierarchies
[i
]->mountpoint
,
1757 ops
->hierarchies
[i
]->base_cgroup
,
1758 "cgroup.procs", NULL
);
1759 ret
= lxc_write_to_file(fullpath
, "0", 2, false, 0666);
1761 SYSERROR("Failed to escape to cgroup \"%s\"", fullpath
);
1771 static int cgfsng_num_hierarchies(struct cgroup_ops
*ops
)
1775 for (i
= 0; ops
->hierarchies
[i
]; i
++)
1781 static bool cgfsng_get_hierarchies(struct cgroup_ops
*ops
, int n
, char ***out
)
1785 /* sanity check n */
1786 for (i
= 0; i
< n
; i
++)
1787 if (!ops
->hierarchies
[i
])
1790 *out
= ops
->hierarchies
[i
]->controllers
;
1795 #define THAWED "THAWED"
1796 #define THAWED_LEN (strlen(THAWED))
1798 /* TODO: If the unified cgroup hierarchy grows a freezer controller this needs
1801 static bool cgfsng_unfreeze(struct cgroup_ops
*ops
)
1805 struct hierarchy
*h
;
1807 h
= get_hierarchy(ops
, "freezer");
1811 fullpath
= must_make_path(h
->fullcgpath
, "freezer.state", NULL
);
1812 ret
= lxc_write_to_file(fullpath
, THAWED
, THAWED_LEN
, false, 0666);
1820 static const char *cgfsng_get_cgroup(struct cgroup_ops
*ops
,
1821 const char *controller
)
1823 struct hierarchy
*h
;
1825 h
= get_hierarchy(ops
, controller
);
1827 WARN("Failed to find hierarchy for controller \"%s\"",
1828 controller
? controller
: "(null)");
1832 return h
->fullcgpath
? h
->fullcgpath
+ strlen(h
->mountpoint
) : NULL
;
1835 /* Given a cgroup path returned from lxc_cmd_get_cgroup_path, build a full path,
1836 * which must be freed by the caller.
1838 static inline char *build_full_cgpath_from_monitorpath(struct hierarchy
*h
,
1840 const char *filename
)
1842 return must_make_path(h
->mountpoint
, inpath
, filename
, NULL
);
1845 /* Technically, we're always at a delegation boundary here (This is especially
1846 * true when cgroup namespaces are available.). The reasoning is that in order
1847 * for us to have been able to start a container in the first place the root
1848 * cgroup must have been a leaf node. Now, either the container's init system
1849 * has populated the cgroup and kept it as a leaf node or it has created
1850 * subtrees. In the former case we will simply attach to the leaf node we
1851 * created when we started the container in the latter case we create our own
1852 * cgroup for the attaching process.
1854 static int __cg_unified_attach(const struct hierarchy
*h
, const char *name
,
1855 const char *lxcpath
, const char *pidstr
,
1856 size_t pidstr_len
, const char *controller
)
1860 int fret
= -1, idx
= 0;
1861 char *base_path
= NULL
, *container_cgroup
= NULL
, *full_path
= NULL
;
1863 container_cgroup
= lxc_cmd_get_cgroup_path(name
, lxcpath
, controller
);
1865 if (!container_cgroup
)
1868 base_path
= must_make_path(h
->mountpoint
, container_cgroup
, NULL
);
1869 full_path
= must_make_path(base_path
, "cgroup.procs", NULL
);
1870 /* cgroup is populated */
1871 ret
= lxc_write_to_file(full_path
, pidstr
, pidstr_len
, false, 0666);
1872 if (ret
< 0 && errno
!= EBUSY
)
1880 len
= strlen(base_path
) + sizeof("/lxc-1000") - 1 +
1881 sizeof("/cgroup-procs") - 1;
1882 full_path
= must_alloc(len
+ 1);
1885 ret
= snprintf(full_path
, len
+ 1, "%s/lxc-%d",
1888 ret
= snprintf(full_path
, len
+ 1, "%s/lxc", base_path
);
1889 if (ret
< 0 || (size_t)ret
>= len
+ 1)
1892 ret
= mkdir_p(full_path
, 0755);
1893 if (ret
< 0 && errno
!= EEXIST
)
1896 (void)strlcat(full_path
, "/cgroup.procs", len
+ 1);
1897 ret
= lxc_write_to_file(full_path
, pidstr
, len
, false, 0666);
1901 /* this is a non-leaf node */
1905 } while (++idx
> 0 && idx
< 1000);
1913 free(container_cgroup
);
1919 static bool cgfsng_attach(struct cgroup_ops
*ops
, const char *name
,
1920 const char *lxcpath
, pid_t pid
)
1925 len
= snprintf(pidstr
, 25, "%d", pid
);
1926 if (len
< 0 || len
>= 25)
1929 for (i
= 0; ops
->hierarchies
[i
]; i
++) {
1931 char *fullpath
= NULL
;
1932 struct hierarchy
*h
= ops
->hierarchies
[i
];
1934 if (h
->version
== CGROUP2_SUPER_MAGIC
) {
1935 ret
= __cg_unified_attach(h
, name
, lxcpath
, pidstr
, len
,
1943 path
= lxc_cmd_get_cgroup_path(name
, lxcpath
, h
->controllers
[0]);
1948 fullpath
= build_full_cgpath_from_monitorpath(h
, path
, "cgroup.procs");
1950 ret
= lxc_write_to_file(fullpath
, pidstr
, len
, false, 0666);
1952 SYSERROR("Failed to attach %d to %s", (int)pid
, fullpath
);
1962 /* Called externally (i.e. from 'lxc-cgroup') to query cgroup limits. Here we
1963 * don't have a cgroup_data set up, so we ask the running container through the
1964 * commands API for the cgroup path.
1966 static int cgfsng_get(struct cgroup_ops
*ops
, const char *filename
, char *value
,
1967 size_t len
, const char *name
, const char *lxcpath
)
1970 size_t controller_len
;
1971 char *controller
, *p
, *path
;
1972 struct hierarchy
*h
;
1974 controller_len
= strlen(filename
);
1975 controller
= alloca(controller_len
+ 1);
1976 (void)strlcpy(controller
, filename
, controller_len
+ 1);
1978 p
= strchr(controller
, '.');
1982 path
= lxc_cmd_get_cgroup_path(name
, lxcpath
, controller
);
1987 h
= get_hierarchy(ops
, controller
);
1991 fullpath
= build_full_cgpath_from_monitorpath(h
, path
, filename
);
1992 ret
= lxc_read_from_file(fullpath
, value
, len
);
2000 /* Called externally (i.e. from 'lxc-cgroup') to set new cgroup limits. Here we
2001 * don't have a cgroup_data set up, so we ask the running container through the
2002 * commands API for the cgroup path.
2004 static int cgfsng_set(struct cgroup_ops
*ops
, const char *filename
,
2005 const char *value
, const char *name
, const char *lxcpath
)
2008 size_t controller_len
;
2009 char *controller
, *p
, *path
;
2010 struct hierarchy
*h
;
2012 controller_len
= strlen(filename
);
2013 controller
= alloca(controller_len
+ 1);
2014 (void)strlcpy(controller
, filename
, controller_len
+ 1);
2016 p
= strchr(controller
, '.');
2020 path
= lxc_cmd_get_cgroup_path(name
, lxcpath
, controller
);
2025 h
= get_hierarchy(ops
, controller
);
2029 fullpath
= build_full_cgpath_from_monitorpath(h
, path
, filename
);
2030 ret
= lxc_write_to_file(fullpath
, value
, strlen(value
), false, 0666);
2038 /* take devices cgroup line
2040 * and convert it to a valid
2041 * type major:minor mode
2042 * line. Return <0 on error. Dest is a preallocated buffer long enough to hold
2045 static int convert_devpath(const char *invalue
, char *dest
)
2048 char *p
, *path
, type
;
2049 unsigned long minor
, major
;
2054 path
= must_copy_string(invalue
);
2056 /* Read path followed by mode. Ignore any trailing text.
2057 * A ' # comment' would be legal. Technically other text is not
2058 * legal, we could check for that if we cared to.
2060 for (n_parts
= 1, p
= path
; *p
&& n_parts
< 3; p
++) {
2082 ret
= stat(path
, &sb
);
2086 mode_t m
= sb
.st_mode
& S_IFMT
;
2095 ERROR("Unsupported device type %i for \"%s\"", m
, path
);
2100 major
= MAJOR(sb
.st_rdev
);
2101 minor
= MINOR(sb
.st_rdev
);
2102 ret
= snprintf(dest
, 50, "%c %lu:%lu %s", type
, major
, minor
, mode
);
2103 if (ret
< 0 || ret
>= 50) {
2104 ERROR("Error on configuration value \"%c %lu:%lu %s\" (max 50 "
2105 "chars)", type
, major
, minor
, mode
);
2106 ret
= -ENAMETOOLONG
;
2116 /* Called from setup_limits - here we have the container's cgroup_data because
2117 * we created the cgroups.
2119 static int cg_legacy_set_data(struct cgroup_ops
*ops
, const char *filename
,
2124 /* "b|c <2^64-1>:<2^64-1> r|w|m" = 47 chars max */
2125 char converted_value
[50];
2126 struct hierarchy
*h
;
2128 char *controller
= NULL
;
2130 len
= strlen(filename
);
2131 controller
= alloca(len
+ 1);
2132 (void)strlcpy(controller
, filename
, len
+ 1);
2134 p
= strchr(controller
, '.');
2138 if (strcmp("devices.allow", filename
) == 0 && value
[0] == '/') {
2139 ret
= convert_devpath(value
, converted_value
);
2142 value
= converted_value
;
2145 h
= get_hierarchy(ops
, controller
);
2147 ERROR("Failed to setup limits for the \"%s\" controller. "
2148 "The controller seems to be unused by \"cgfsng\" cgroup "
2149 "driver or not enabled on the cgroup hierarchy",
2155 fullpath
= must_make_path(h
->fullcgpath
, filename
, NULL
);
2156 ret
= lxc_write_to_file(fullpath
, value
, strlen(value
), false, 0666);
2161 static bool __cg_legacy_setup_limits(struct cgroup_ops
*ops
,
2162 struct lxc_list
*cgroup_settings
,
2165 struct lxc_list
*iterator
, *next
, *sorted_cgroup_settings
;
2166 struct lxc_cgroup
*cg
;
2169 if (lxc_list_empty(cgroup_settings
))
2172 sorted_cgroup_settings
= sort_cgroup_settings(cgroup_settings
);
2173 if (!sorted_cgroup_settings
)
2176 lxc_list_for_each(iterator
, sorted_cgroup_settings
) {
2177 cg
= iterator
->elem
;
2179 if (do_devices
== !strncmp("devices", cg
->subsystem
, 7)) {
2180 if (cg_legacy_set_data(ops
, cg
->subsystem
, cg
->value
)) {
2181 if (do_devices
&& (errno
== EACCES
|| errno
== EPERM
)) {
2182 WARN("Failed to set \"%s\" to \"%s\"",
2183 cg
->subsystem
, cg
->value
);
2186 WARN("Failed to set \"%s\" to \"%s\"",
2187 cg
->subsystem
, cg
->value
);
2190 DEBUG("Set controller \"%s\" set to \"%s\"",
2191 cg
->subsystem
, cg
->value
);
2196 INFO("Limits for the legacy cgroup hierarchies have been setup");
2198 lxc_list_for_each_safe(iterator
, sorted_cgroup_settings
, next
) {
2199 lxc_list_del(iterator
);
2202 free(sorted_cgroup_settings
);
2206 static bool __cg_unified_setup_limits(struct cgroup_ops
*ops
,
2207 struct lxc_list
*cgroup_settings
)
2209 struct lxc_list
*iterator
;
2210 struct hierarchy
*h
= ops
->unified
;
2212 if (lxc_list_empty(cgroup_settings
))
2218 lxc_list_for_each(iterator
, cgroup_settings
) {
2221 struct lxc_cgroup
*cg
= iterator
->elem
;
2223 fullpath
= must_make_path(h
->fullcgpath
, cg
->subsystem
, NULL
);
2224 ret
= lxc_write_to_file(fullpath
, cg
->value
, strlen(cg
->value
), false, 0666);
2227 SYSERROR("Failed to set \"%s\" to \"%s\"",
2228 cg
->subsystem
, cg
->value
);
2231 TRACE("Set \"%s\" to \"%s\"", cg
->subsystem
, cg
->value
);
2234 INFO("Limits for the unified cgroup hierarchy have been setup");
2238 static bool cgfsng_setup_limits(struct cgroup_ops
*ops
, struct lxc_conf
*conf
,
2243 bret
= __cg_legacy_setup_limits(ops
, &conf
->cgroup
, do_devices
);
2247 return __cg_unified_setup_limits(ops
, &conf
->cgroup2
);
2250 static bool cgroup_use_wants_controllers(const struct cgroup_ops
*ops
,
2253 char **cur_ctrl
, **cur_use
;
2255 if (!ops
->cgroup_use
)
2258 for (cur_ctrl
= controllers
; cur_ctrl
&& *cur_ctrl
; cur_ctrl
++) {
2261 for (cur_use
= ops
->cgroup_use
; cur_use
&& *cur_use
; cur_use
++) {
2262 if (strcmp(*cur_use
, *cur_ctrl
) != 0)
2278 /* At startup, parse_hierarchies finds all the info we need about cgroup
2279 * mountpoints and current cgroups, and stores it in @d.
2281 static bool cg_hybrid_init(struct cgroup_ops
*ops
)
2289 char **klist
= NULL
, **nlist
= NULL
;
2291 /* Root spawned containers escape the current cgroup, so use init's
2292 * cgroups as our base in that case.
2294 will_escape
= (geteuid() == 0);
2296 basecginfo
= read_file("/proc/1/cgroup");
2298 basecginfo
= read_file("/proc/self/cgroup");
2302 ret
= get_existing_subsystems(&klist
, &nlist
);
2304 ERROR("Failed to retrieve available legacy cgroup controllers");
2309 f
= fopen("/proc/self/mountinfo", "r");
2311 ERROR("Failed to open \"/proc/self/mountinfo\"");
2316 lxc_cgfsng_print_basecg_debuginfo(basecginfo
, klist
, nlist
);
2318 while (getline(&line
, &len
, f
) != -1) {
2321 struct hierarchy
*new;
2322 char *base_cgroup
= NULL
, *mountpoint
= NULL
;
2323 char **controller_list
= NULL
;
2325 type
= get_cgroup_version(line
);
2329 if (type
== CGROUP2_SUPER_MAGIC
&& ops
->unified
)
2332 if (ops
->cgroup_layout
== CGROUP_LAYOUT_UNKNOWN
) {
2333 if (type
== CGROUP2_SUPER_MAGIC
)
2334 ops
->cgroup_layout
= CGROUP_LAYOUT_UNIFIED
;
2335 else if (type
== CGROUP_SUPER_MAGIC
)
2336 ops
->cgroup_layout
= CGROUP_LAYOUT_LEGACY
;
2337 } else if (ops
->cgroup_layout
== CGROUP_LAYOUT_UNIFIED
) {
2338 if (type
== CGROUP_SUPER_MAGIC
)
2339 ops
->cgroup_layout
= CGROUP_LAYOUT_HYBRID
;
2340 } else if (ops
->cgroup_layout
== CGROUP_LAYOUT_LEGACY
) {
2341 if (type
== CGROUP2_SUPER_MAGIC
)
2342 ops
->cgroup_layout
= CGROUP_LAYOUT_HYBRID
;
2345 controller_list
= cg_hybrid_get_controllers(klist
, nlist
, line
, type
);
2346 if (!controller_list
&& type
== CGROUP_SUPER_MAGIC
)
2349 if (type
== CGROUP_SUPER_MAGIC
)
2350 if (controller_list_is_dup(ops
->hierarchies
, controller_list
))
2353 mountpoint
= cg_hybrid_get_mountpoint(line
);
2355 ERROR("Failed parsing mountpoint from \"%s\"", line
);
2359 if (type
== CGROUP_SUPER_MAGIC
)
2360 base_cgroup
= cg_hybrid_get_current_cgroup(basecginfo
, controller_list
[0], CGROUP_SUPER_MAGIC
);
2362 base_cgroup
= cg_hybrid_get_current_cgroup(basecginfo
, NULL
, CGROUP2_SUPER_MAGIC
);
2364 ERROR("Failed to find current cgroup");
2369 prune_init_scope(base_cgroup
);
2370 if (type
== CGROUP2_SUPER_MAGIC
)
2371 writeable
= test_writeable_v2(mountpoint
, base_cgroup
);
2373 writeable
= test_writeable_v1(mountpoint
, base_cgroup
);
2377 if (type
== CGROUP2_SUPER_MAGIC
) {
2378 char *cgv2_ctrl_path
;
2380 cgv2_ctrl_path
= must_make_path(mountpoint
, base_cgroup
,
2381 "cgroup.controllers",
2384 controller_list
= cg_unified_get_controllers(cgv2_ctrl_path
);
2385 free(cgv2_ctrl_path
);
2386 if (!controller_list
) {
2387 controller_list
= cg_unified_make_empty_controller();
2388 TRACE("No controllers are enabled for "
2389 "delegation in the unified hierarchy");
2393 /* Exclude all controllers that cgroup use does not want. */
2394 if (!cgroup_use_wants_controllers(ops
, controller_list
))
2397 new = add_hierarchy(&ops
->hierarchies
, controller_list
, mountpoint
, base_cgroup
, type
);
2398 if (type
== CGROUP2_SUPER_MAGIC
&& !ops
->unified
)
2404 free_string_list(controller_list
);
2409 free_string_list(klist
);
2410 free_string_list(nlist
);
2417 TRACE("Writable cgroup hierarchies:");
2418 lxc_cgfsng_print_hierarchies(ops
);
2420 /* verify that all controllers in cgroup.use and all crucial
2421 * controllers are accounted for
2423 if (!all_controllers_found(ops
))
2429 static int cg_is_pure_unified(void)
2435 ret
= statfs("/sys/fs/cgroup", &fs
);
2439 if (is_fs_type(&fs
, CGROUP2_SUPER_MAGIC
))
2440 return CGROUP2_SUPER_MAGIC
;
2445 /* Get current cgroup from /proc/self/cgroup for the cgroupfs v2 hierarchy. */
2446 static char *cg_unified_get_current_cgroup(void)
2448 char *basecginfo
, *base_cgroup
;
2452 will_escape
= (geteuid() == 0);
2454 basecginfo
= read_file("/proc/1/cgroup");
2456 basecginfo
= read_file("/proc/self/cgroup");
2460 base_cgroup
= strstr(basecginfo
, "0::/");
2462 goto cleanup_on_err
;
2464 base_cgroup
= base_cgroup
+ 3;
2465 copy
= copy_to_eol(base_cgroup
);
2467 goto cleanup_on_err
;
2477 static int cg_unified_init(struct cgroup_ops
*ops
)
2480 char *mountpoint
, *subtree_path
;
2482 char *base_cgroup
= NULL
;
2484 ret
= cg_is_pure_unified();
2485 if (ret
== -ENOMEDIUM
)
2488 if (ret
!= CGROUP2_SUPER_MAGIC
)
2491 base_cgroup
= cg_unified_get_current_cgroup();
2494 prune_init_scope(base_cgroup
);
2496 /* We assume that we have already been given controllers to delegate
2497 * further down the hierarchy. If not it is up to the user to delegate
2500 mountpoint
= must_copy_string("/sys/fs/cgroup");
2501 subtree_path
= must_make_path(mountpoint
, base_cgroup
,
2502 "cgroup.subtree_control", NULL
);
2503 delegatable
= cg_unified_get_controllers(subtree_path
);
2506 delegatable
= cg_unified_make_empty_controller();
2507 if (!delegatable
[0])
2508 TRACE("No controllers are enabled for delegation");
2510 /* TODO: If the user requested specific controllers via lxc.cgroup.use
2511 * we should verify here. The reason I'm not doing it right is that I'm
2512 * not convinced that lxc.cgroup.use will be the future since it is a
2513 * global property. I much rather have an option that lets you request
2514 * controllers per container.
2517 add_hierarchy(&ops
->hierarchies
, delegatable
, mountpoint
, base_cgroup
, CGROUP2_SUPER_MAGIC
);
2519 ops
->cgroup_layout
= CGROUP_LAYOUT_UNIFIED
;
2520 return CGROUP2_SUPER_MAGIC
;
2523 static bool cg_init(struct cgroup_ops
*ops
)
2528 tmp
= lxc_global_config_value("lxc.cgroup.use");
2530 char *chop
, *cur
, *pin
;
2532 pin
= must_copy_string(tmp
);
2535 lxc_iterate_parts(cur
, chop
, ",") {
2536 must_append_string(&ops
->cgroup_use
, cur
);
2542 ret
= cg_unified_init(ops
);
2546 if (ret
== CGROUP2_SUPER_MAGIC
)
2549 return cg_hybrid_init(ops
);
2552 static bool cgfsng_data_init(struct cgroup_ops
*ops
)
2554 const char *cgroup_pattern
;
2556 /* copy system-wide cgroup information */
2557 cgroup_pattern
= lxc_global_config_value("lxc.cgroup.pattern");
2558 if (!cgroup_pattern
) {
2559 /* lxc.cgroup.pattern is only NULL on error. */
2560 ERROR("Failed to retrieve cgroup pattern");
2563 ops
->cgroup_pattern
= must_copy_string(cgroup_pattern
);
2568 struct cgroup_ops
*cgfsng_ops_init(void)
2570 struct cgroup_ops
*cgfsng_ops
;
2572 cgfsng_ops
= malloc(sizeof(struct cgroup_ops
));
2576 memset(cgfsng_ops
, 0, sizeof(struct cgroup_ops
));
2577 cgfsng_ops
->cgroup_layout
= CGROUP_LAYOUT_UNKNOWN
;
2579 if (!cg_init(cgfsng_ops
)) {
2584 cgfsng_ops
->data_init
= cgfsng_data_init
;
2585 cgfsng_ops
->destroy
= cgfsng_destroy
;
2586 cgfsng_ops
->create
= cgfsng_create
;
2587 cgfsng_ops
->enter
= cgfsng_enter
;
2588 cgfsng_ops
->escape
= cgfsng_escape
;
2589 cgfsng_ops
->num_hierarchies
= cgfsng_num_hierarchies
;
2590 cgfsng_ops
->get_hierarchies
= cgfsng_get_hierarchies
;
2591 cgfsng_ops
->get_cgroup
= cgfsng_get_cgroup
;
2592 cgfsng_ops
->get
= cgfsng_get
;
2593 cgfsng_ops
->set
= cgfsng_set
;
2594 cgfsng_ops
->unfreeze
= cgfsng_unfreeze
;
2595 cgfsng_ops
->setup_limits
= cgfsng_setup_limits
;
2596 cgfsng_ops
->driver
= "cgfsng";
2597 cgfsng_ops
->version
= "1.0.0";
2598 cgfsng_ops
->attach
= cgfsng_attach
;
2599 cgfsng_ops
->chown
= cgfsng_chown
;
2600 cgfsng_ops
->mount
= cgfsng_mount
;
2601 cgfsng_ops
->nrtasks
= cgfsng_nrtasks
;