1 /* SPDX-License-Identifier: LGPL-2.1+ */
4 * cgfs-ng.c: this is a new, simplified implementation of a filesystem
5 * cgroup backend. The original cgfs.c was designed to be as flexible
6 * as possible. It would try to find cgroup filesystems no matter where
7 * or how you had them mounted, and deduce the most usable mount for
10 * This new implementation assumes that cgroup filesystems are mounted
11 * under /sys/fs/cgroup/clist where clist is either the controller, or
12 * a comma-separated list of controllers.
22 #include <linux/kdev_t.h>
23 #include <linux/types.h>
30 #include <sys/epoll.h>
31 #include <sys/types.h>
37 #include "cgroup2_devices.h"
38 #include "cgroup_utils.h"
40 #include "commands_utils.h"
46 #include "memory_utils.h"
47 #include "mount_utils.h"
48 #include "storage/storage.h"
49 #include "string_utils.h"
50 #include "syscall_wrappers.h"
54 #include "include/strlcpy.h"
58 #include "include/strlcat.h"
61 lxc_log_define(cgfsng
, cgroup
);
63 /* Given a pointer to a null-terminated array of pointers, realloc to add one
64 * entry, and point the new entry to NULL. Do not fail. Return the index to the
65 * second-to-last entry - that is, the one which is now available for use
66 * (keeping the list null-terminated).
68 static int append_null_to_list(void ***list
)
73 for (; (*list
)[newentry
]; newentry
++)
76 *list
= must_realloc(*list
, (newentry
+ 2) * sizeof(void **));
77 (*list
)[newentry
+ 1] = NULL
;
81 /* Given a null-terminated array of strings, check whether @entry is one of the
84 static bool string_in_list(char **list
, const char *entry
)
89 for (int i
= 0; list
[i
]; i
++)
90 if (strequal(list
[i
], entry
))
96 /* Return a copy of @entry prepending "name=", i.e. turn "systemd" into
97 * "name=systemd". Do not fail.
99 static char *cg_legacy_must_prefix_named(char *entry
)
105 prefixed
= must_realloc(NULL
, len
+ 6);
107 memcpy(prefixed
, "name=", STRLITERALLEN("name="));
108 memcpy(prefixed
+ STRLITERALLEN("name="), entry
, len
);
109 prefixed
[len
+ 5] = '\0';
114 /* Append an entry to the clist. Do not fail. @clist must be NULL the first time
117 * We also handle named subsystems here. Any controller which is not a kernel
118 * subsystem, we prefix "name=". Any which is both a kernel and named subsystem,
119 * we refuse to use because we're not sure which we have here.
120 * (TODO: We could work around this in some cases by just remounting to be
121 * unambiguous, or by comparing mountpoint contents with current cgroup.)
123 * The last entry will always be NULL.
125 static void must_append_controller(char **klist
, char **nlist
, char ***clist
,
131 if (string_in_list(klist
, entry
) && string_in_list(nlist
, entry
)) {
132 ERROR("Refusing to use ambiguous controller \"%s\"", entry
);
133 ERROR("It is both a named and kernel subsystem");
137 newentry
= append_null_to_list((void ***)clist
);
139 if (strnequal(entry
, "name=", 5))
140 copy
= must_copy_string(entry
);
141 else if (string_in_list(klist
, entry
))
142 copy
= must_copy_string(entry
);
144 copy
= cg_legacy_must_prefix_named(entry
);
146 (*clist
)[newentry
] = copy
;
149 /* Given a handler's cgroup data, return the struct hierarchy for the controller
150 * @c, or NULL if there is none.
152 static struct hierarchy
*get_hierarchy(struct cgroup_ops
*ops
, const char *controller
)
154 if (!ops
->hierarchies
)
155 return log_trace_errno(NULL
, errno
, "There are no useable cgroup controllers");
157 for (int i
= 0; ops
->hierarchies
[i
]; i
++) {
159 /* This is the empty unified hierarchy. */
160 if (ops
->hierarchies
[i
]->controllers
&& !ops
->hierarchies
[i
]->controllers
[0])
161 return ops
->hierarchies
[i
];
167 * Handle controllers with significant implementation changes
168 * from cgroup to cgroup2.
170 if (pure_unified_layout(ops
)) {
171 if (strequal(controller
, "devices")) {
172 if (ops
->unified
->bpf_device_controller
)
176 } else if (strequal(controller
, "freezer")) {
177 if (ops
->unified
->freezer_controller
)
184 if (string_in_list(ops
->hierarchies
[i
]->controllers
, controller
))
185 return ops
->hierarchies
[i
];
189 WARN("There is no useable %s controller", controller
);
191 WARN("There is no empty unified cgroup hierarchy");
193 return ret_set_errno(NULL
, ENOENT
);
196 /* Taken over modified from the kernel sources. */
197 #define NBITS 32 /* bits in uint32_t */
198 #define DIV_ROUND_UP(n, d) (((n) + (d)-1) / (d))
199 #define BITS_TO_LONGS(nr) DIV_ROUND_UP(nr, NBITS)
201 static void set_bit(unsigned bit
, uint32_t *bitarr
)
203 bitarr
[bit
/ NBITS
] |= (1 << (bit
% NBITS
));
206 static void clear_bit(unsigned bit
, uint32_t *bitarr
)
208 bitarr
[bit
/ NBITS
] &= ~(1 << (bit
% NBITS
));
211 static bool is_set(unsigned bit
, uint32_t *bitarr
)
213 return (bitarr
[bit
/ NBITS
] & (1 << (bit
% NBITS
))) != 0;
216 /* Create cpumask from cpulist aka turn:
224 static uint32_t *lxc_cpumask(char *buf
, size_t nbits
)
226 __do_free
uint32_t *bitarr
= NULL
;
230 arrlen
= BITS_TO_LONGS(nbits
);
231 bitarr
= calloc(arrlen
, sizeof(uint32_t));
233 return ret_set_errno(NULL
, ENOMEM
);
235 lxc_iterate_parts(token
, buf
, ",") {
240 start
= strtoul(token
, NULL
, 0);
242 range
= strchr(token
, '-');
244 end
= strtoul(range
+ 1, NULL
, 0);
247 return ret_set_errno(NULL
, EINVAL
);
250 return ret_set_errno(NULL
, EINVAL
);
253 set_bit(start
++, bitarr
);
256 return move_ptr(bitarr
);
259 /* Turn cpumask into simple, comma-separated cpulist. */
260 static char *lxc_cpumask_to_cpulist(uint32_t *bitarr
, size_t nbits
)
262 __do_free_string_list
char **cpulist
= NULL
;
263 char numstr
[INTTYPE_TO_STRLEN(size_t)] = {0};
266 for (size_t i
= 0; i
<= nbits
; i
++) {
267 if (!is_set(i
, bitarr
))
270 ret
= strnprintf(numstr
, sizeof(numstr
), "%zu", i
);
274 ret
= lxc_append_string(&cpulist
, numstr
);
276 return ret_set_errno(NULL
, ENOMEM
);
280 return ret_set_errno(NULL
, ENOMEM
);
282 return lxc_string_join(",", (const char **)cpulist
, false);
285 static ssize_t
get_max_cpus(char *cpulist
)
288 char *maxcpus
= cpulist
;
291 c1
= strrchr(maxcpus
, ',');
295 c2
= strrchr(maxcpus
, '-');
309 cpus
= strtoul(c1
, NULL
, 0);
316 static inline bool is_unified_hierarchy(const struct hierarchy
*h
)
318 return h
->version
== CGROUP2_SUPER_MAGIC
;
321 /* Given two null-terminated lists of strings, return true if any string is in
324 static bool controller_lists_intersect(char **l1
, char **l2
)
329 for (int i
= 0; l1
[i
]; i
++)
330 if (string_in_list(l2
, l1
[i
]))
336 /* For a null-terminated list of controllers @clist, return true if any of those
337 * controllers is already listed the null-terminated list of hierarchies @hlist.
338 * Realistically, if one is present, all must be present.
340 static bool controller_list_is_dup(struct hierarchy
**hlist
, char **clist
)
345 for (int i
= 0; hlist
[i
]; i
++)
346 if (controller_lists_intersect(hlist
[i
]->controllers
, clist
))
352 /* Return true if the controller @entry is found in the null-terminated list of
353 * hierarchies @hlist.
355 static bool controller_found(struct hierarchy
**hlist
, char *entry
)
360 for (int i
= 0; hlist
[i
]; i
++)
361 if (string_in_list(hlist
[i
]->controllers
, entry
))
367 /* Return true if all of the controllers which we require have been found. The
368 * required list is freezer and anything in lxc.cgroup.use.
370 static bool all_controllers_found(struct cgroup_ops
*ops
)
372 struct hierarchy
**hlist
;
374 if (!ops
->cgroup_use
)
377 hlist
= ops
->hierarchies
;
378 for (char **cur
= ops
->cgroup_use
; cur
&& *cur
; cur
++)
379 if (!controller_found(hlist
, *cur
))
380 return log_error(false, "No %s controller mountpoint found", *cur
);
385 /* Get the controllers from a mountinfo line There are other ways we could get
386 * this info. For lxcfs, field 3 is /cgroup/controller-list. For cgroupfs, we
387 * could parse the mount options. But we simply assume that the mountpoint must
388 * be /sys/fs/cgroup/controller-list
390 static char **cg_hybrid_get_controllers(char **klist
, char **nlist
, char *line
,
393 /* The fourth field is /sys/fs/cgroup/comma-delimited-controller-list
394 * for legacy hierarchies.
396 __do_free_string_list
char **aret
= NULL
;
399 char *p
= line
, *sep
= ",";
401 for (i
= 0; i
< 4; i
++) {
408 /* Note, if we change how mountinfo works, then our caller will need to
409 * verify /sys/fs/cgroup/ in this field.
411 if (!strnequal(p
, DEFAULT_CGROUP_MOUNTPOINT
"/", 15))
412 return log_warn(NULL
, "Found hierarchy not under " DEFAULT_CGROUP_MOUNTPOINT
": \"%s\"", p
);
417 return log_error(NULL
, "Corrupt mountinfo");
420 if (type
== CGROUP_SUPER_MAGIC
) {
421 __do_free
char *dup
= NULL
;
423 /* strdup() here for v1 hierarchies. Otherwise
424 * lxc_iterate_parts() will destroy mountpoints such as
425 * "/sys/fs/cgroup/cpu,cpuacct".
427 dup
= must_copy_string(p
);
431 lxc_iterate_parts(tok
, dup
, sep
)
432 must_append_controller(klist
, nlist
, &aret
, tok
);
436 return move_ptr(aret
);
439 static char **cg_unified_make_empty_controller(void)
441 __do_free_string_list
char **aret
= NULL
;
444 newentry
= append_null_to_list((void ***)&aret
);
445 aret
[newentry
] = NULL
;
446 return move_ptr(aret
);
449 static char **cg_unified_get_controllers(int dfd
, const char *file
)
451 __do_free
char *buf
= NULL
;
452 __do_free_string_list
char **aret
= NULL
;
456 buf
= read_file_at(dfd
, file
, PROTECT_OPEN
, 0);
460 lxc_iterate_parts(tok
, buf
, sep
) {
464 newentry
= append_null_to_list((void ***)&aret
);
465 copy
= must_copy_string(tok
);
466 aret
[newentry
] = copy
;
469 return move_ptr(aret
);
472 static bool cgroup_use_wants_controllers(const struct cgroup_ops
*ops
,
475 if (!ops
->cgroup_use
)
478 for (char **cur_ctrl
= controllers
; cur_ctrl
&& *cur_ctrl
; cur_ctrl
++) {
481 for (char **cur_use
= ops
->cgroup_use
; cur_use
&& *cur_use
; cur_use
++) {
482 if (!strequal(*cur_use
, *cur_ctrl
))
498 static int add_hierarchy(struct cgroup_ops
*ops
, char **clist
, char *mountpoint
,
499 char *container_base_path
, int type
)
501 __do_close
int dfd_base
= -EBADF
, dfd_mnt
= -EBADF
;
502 __do_free
struct hierarchy
*new = NULL
;
503 __do_free_string_list
char **controllers
= clist
;
506 if (abspath(container_base_path
))
507 return syserrno_set(-EINVAL
, "Container base path must be relative to controller mount");
509 if (!controllers
&& type
!= CGROUP2_SUPER_MAGIC
)
510 return syserrno_set(-EINVAL
, "Empty controller list for non-unified cgroup hierarchy passed");
512 dfd_mnt
= open_at(-EBADF
, mountpoint
, PROTECT_OPATH_DIRECTORY
,
513 PROTECT_LOOKUP_ABSOLUTE_XDEV
, 0);
515 return syserrno(-errno
, "Failed to open %s", mountpoint
);
517 if (!is_empty_string(container_base_path
)) {
518 dfd_base
= open_at(dfd_mnt
, container_base_path
,
519 PROTECT_OPATH_DIRECTORY
,
520 PROTECT_LOOKUP_BENEATH_XDEV
, 0);
522 return syserrno(-errno
, "Failed to open %d(%s)", dfd_base
, container_base_path
);
527 * We assume that the cgroup we're currently in has been delegated to
528 * us and we are free to further delege all of the controllers listed
529 * in cgroup.controllers further down the hierarchy.
532 controllers
= cg_unified_get_controllers(dfd_mnt
, "cgroup.controllers");
534 controllers
= cg_unified_get_controllers(dfd_base
, "cgroup.controllers");
536 controllers
= cg_unified_make_empty_controller();
538 TRACE("No controllers are enabled for delegation");
541 /* Exclude all controllers that cgroup use does not want. */
542 if (!cgroup_use_wants_controllers(ops
, controllers
))
543 return log_trace(0, "Skipping cgroup hiearchy with non-requested controllers");
545 new = zalloc(sizeof(*new));
547 return ret_errno(ENOMEM
);
550 new->controllers
= move_ptr(controllers
);
551 new->mountpoint
= mountpoint
;
552 new->container_base_path
= container_base_path
;
553 new->cgfd_con
= -EBADF
;
554 new->cgfd_limit
= -EBADF
;
555 new->cgfd_mon
= -EBADF
;
557 TRACE("Adding cgroup hierarchy with mountpoint %s and base cgroup %s",
558 mountpoint
, container_base_path
);
559 for (char *const *it
= new->controllers
; it
&& *it
; it
++)
560 TRACE("The detected hierarchy contains the %s controller", *it
);
562 idx
= append_null_to_list((void ***)&ops
->hierarchies
);
564 new->dfd_base
= dfd_mnt
;
566 new->dfd_base
= move_fd(dfd_base
);
567 new->dfd_mnt
= move_fd(dfd_mnt
);
568 if (type
== CGROUP2_SUPER_MAGIC
)
570 (ops
->hierarchies
)[idx
] = move_ptr(new);
574 /* Get a copy of the mountpoint from @line, which is a line from
575 * /proc/self/mountinfo.
577 static char *cg_hybrid_get_mountpoint(char *line
)
579 char *p
= line
, *sret
= NULL
;
583 for (int i
= 0; i
< 4; i
++) {
590 if (!strnequal(p
, DEFAULT_CGROUP_MOUNTPOINT
"/", 15))
593 p2
= strchr(p
+ 15, ' ');
599 sret
= must_realloc(NULL
, len
+ 1);
600 memcpy(sret
, p
, len
);
606 /* Given a multi-line string, return a null-terminated copy of the current line. */
607 static char *copy_to_eol(char *p
)
612 p2
= strchr(p
, '\n');
617 sret
= must_realloc(NULL
, len
+ 1);
618 memcpy(sret
, p
, len
);
624 /* cgline: pointer to character after the first ':' in a line in a \n-terminated
625 * /proc/self/cgroup file. Check whether controller c is present.
627 static bool controller_in_clist(char *cgline
, char *c
)
629 __do_free
char *tmp
= NULL
;
633 eol
= strchr(cgline
, ':');
638 tmp
= must_realloc(NULL
, len
+ 1);
639 memcpy(tmp
, cgline
, len
);
642 lxc_iterate_parts(tok
, tmp
, ",")
643 if (strequal(tok
, c
))
649 static inline char *trim(char *s
)
654 while ((len
> 1) && (s
[len
- 1] == '\n'))
660 /* @basecginfo is a copy of /proc/$$/cgroup. Return the current cgroup for
663 static char *cg_hybrid_get_current_cgroup(bool relative
, char *basecginfo
,
664 char *controller
, int type
)
666 char *base_cgroup
= basecginfo
;
669 bool is_cgv2_base_cgroup
= false;
671 /* cgroup v2 entry in "/proc/<pid>/cgroup": "0::/some/path" */
672 if ((type
== CGROUP2_SUPER_MAGIC
) && (*base_cgroup
== '0'))
673 is_cgv2_base_cgroup
= true;
675 base_cgroup
= strchr(base_cgroup
, ':');
680 if (is_cgv2_base_cgroup
|| (controller
&& controller_in_clist(base_cgroup
, controller
))) {
681 __do_free
char *copy
= NULL
;
683 base_cgroup
= strchr(base_cgroup
, ':');
688 copy
= copy_to_eol(base_cgroup
);
694 base_cgroup
= prune_init_scope(copy
);
701 if (abspath(base_cgroup
))
702 base_cgroup
= deabs(base_cgroup
);
704 /* We're allowing base_cgroup to be "". */
705 return strdup(base_cgroup
);
708 base_cgroup
= strchr(base_cgroup
, '\n');
715 static void must_append_string(char ***list
, char *entry
)
720 newentry
= append_null_to_list((void ***)list
);
721 copy
= must_copy_string(entry
);
722 (*list
)[newentry
] = copy
;
725 static int get_existing_subsystems(char ***klist
, char ***nlist
)
727 __do_free
char *line
= NULL
;
728 __do_fclose
FILE *f
= NULL
;
731 f
= fopen("/proc/self/cgroup", "re");
735 while (getline(&line
, &len
, f
) != -1) {
737 p
= strchr(line
, ':');
746 /* If the kernel has cgroup v2 support, then /proc/self/cgroup
747 * contains an entry of the form:
751 * In this case we use "cgroup2" as controller name.
754 must_append_string(klist
, "cgroup2");
758 lxc_iterate_parts(tok
, p
, ",") {
759 if (strnequal(tok
, "name=", 5))
760 must_append_string(nlist
, tok
);
762 must_append_string(klist
, tok
);
769 static void lxc_cgfsng_print_basecg_debuginfo(char *basecginfo
, char **klist
,
775 TRACE("basecginfo is:");
776 TRACE("%s", basecginfo
);
778 for (k
= 0, it
= klist
; it
&& *it
; it
++, k
++)
779 TRACE("kernel subsystem %d: %s", k
, *it
);
781 for (k
= 0, it
= nlist
; it
&& *it
; it
++, k
++)
782 TRACE("named subsystem %d: %s", k
, *it
);
785 static int cgroup_tree_remove(struct hierarchy
**hierarchies
, const char *path_prune
)
787 if (!path_prune
|| !hierarchies
)
790 for (int i
= 0; hierarchies
[i
]; i
++) {
791 struct hierarchy
*h
= hierarchies
[i
];
794 ret
= cgroup_tree_prune(h
->dfd_base
, path_prune
);
796 SYSWARN("Failed to destroy %d(%s)", h
->dfd_base
, path_prune
);
798 TRACE("Removed cgroup tree %d(%s)", h
->dfd_base
, path_prune
);
800 free_equal(h
->container_limit_path
, h
->container_full_path
);
806 struct generic_userns_exec_data
{
807 struct hierarchy
**hierarchies
;
808 const char *path_prune
;
809 struct lxc_conf
*conf
;
810 uid_t origuid
; /* target uid in parent namespace */
814 static int cgroup_tree_remove_wrapper(void *data
)
816 struct generic_userns_exec_data
*arg
= data
;
817 uid_t nsuid
= (arg
->conf
->root_nsuid_map
!= NULL
) ? 0 : arg
->conf
->init_uid
;
818 gid_t nsgid
= (arg
->conf
->root_nsgid_map
!= NULL
) ? 0 : arg
->conf
->init_gid
;
821 if (!lxc_drop_groups() && errno
!= EPERM
)
822 return log_error_errno(-1, errno
, "Failed to setgroups(0, NULL)");
824 ret
= setresgid(nsgid
, nsgid
, nsgid
);
826 return log_error_errno(-1, errno
, "Failed to setresgid(%d, %d, %d)",
827 (int)nsgid
, (int)nsgid
, (int)nsgid
);
829 ret
= setresuid(nsuid
, nsuid
, nsuid
);
831 return log_error_errno(-1, errno
, "Failed to setresuid(%d, %d, %d)",
832 (int)nsuid
, (int)nsuid
, (int)nsuid
);
834 return cgroup_tree_remove(arg
->hierarchies
, arg
->path_prune
);
837 __cgfsng_ops
static void cgfsng_payload_destroy(struct cgroup_ops
*ops
,
838 struct lxc_handler
*handler
)
843 ERROR("Called with uninitialized cgroup operations");
847 if (!ops
->hierarchies
)
851 ERROR("Called with uninitialized handler");
855 if (!handler
->conf
) {
856 ERROR("Called with uninitialized conf");
860 if (!ops
->container_limit_cgroup
) {
861 WARN("Uninitialized limit cgroup");
865 ret
= bpf_program_cgroup_detach(handler
->cgroup_ops
->cgroup2_devices
);
867 WARN("Failed to detach bpf program from cgroup");
869 if (!lxc_list_empty(&handler
->conf
->id_map
)) {
870 struct generic_userns_exec_data wrap
= {
871 .conf
= handler
->conf
,
872 .path_prune
= ops
->container_limit_cgroup
,
873 .hierarchies
= ops
->hierarchies
,
876 ret
= userns_exec_1(handler
->conf
, cgroup_tree_remove_wrapper
,
877 &wrap
, "cgroup_tree_remove_wrapper");
879 ret
= cgroup_tree_remove(ops
->hierarchies
, ops
->container_limit_cgroup
);
882 SYSWARN("Failed to destroy cgroups");
885 #define __ISOL_CPUS "/sys/devices/system/cpu/isolated"
886 #define __OFFLINE_CPUS "/sys/devices/system/cpu/offline"
887 static bool cpuset1_cpus_initialize(int dfd_parent
, int dfd_child
,
890 __do_free
char *cpulist
= NULL
, *fpath
= NULL
, *isolcpus
= NULL
,
891 *offlinecpus
= NULL
, *posscpus
= NULL
;
892 __do_free
uint32_t *isolmask
= NULL
, *offlinemask
= NULL
,
896 ssize_t maxisol
= 0, maxoffline
= 0, maxposs
= 0;
897 bool flipped_bit
= false;
899 posscpus
= read_file_at(dfd_parent
, "cpuset.cpus", PROTECT_OPEN
, 0);
901 return log_error_errno(false, errno
, "Failed to read file \"%s\"", fpath
);
903 /* Get maximum number of cpus found in possible cpuset. */
904 maxposs
= get_max_cpus(posscpus
);
905 if (maxposs
< 0 || maxposs
>= INT_MAX
- 1)
908 if (file_exists(__ISOL_CPUS
)) {
909 isolcpus
= read_file_at(-EBADF
, __ISOL_CPUS
, PROTECT_OPEN
, 0);
911 return log_error_errno(false, errno
, "Failed to read file \"%s\"", __ISOL_CPUS
);
913 if (isdigit(isolcpus
[0])) {
914 /* Get maximum number of cpus found in isolated cpuset. */
915 maxisol
= get_max_cpus(isolcpus
);
916 if (maxisol
< 0 || maxisol
>= INT_MAX
- 1)
920 if (maxposs
< maxisol
)
924 TRACE("The path \""__ISOL_CPUS
"\" to read isolated cpus from does not exist");
927 if (file_exists(__OFFLINE_CPUS
)) {
928 offlinecpus
= read_file_at(-EBADF
, __OFFLINE_CPUS
, PROTECT_OPEN
, 0);
930 return log_error_errno(false, errno
, "Failed to read file \"%s\"", __OFFLINE_CPUS
);
932 if (isdigit(offlinecpus
[0])) {
933 /* Get maximum number of cpus found in offline cpuset. */
934 maxoffline
= get_max_cpus(offlinecpus
);
935 if (maxoffline
< 0 || maxoffline
>= INT_MAX
- 1)
939 if (maxposs
< maxoffline
)
940 maxposs
= maxoffline
;
943 TRACE("The path \""__OFFLINE_CPUS
"\" to read offline cpus from does not exist");
946 if ((maxisol
== 0) && (maxoffline
== 0)) {
947 cpulist
= move_ptr(posscpus
);
951 possmask
= lxc_cpumask(posscpus
, maxposs
);
953 return log_error_errno(false, errno
, "Failed to create cpumask for possible cpus");
956 isolmask
= lxc_cpumask(isolcpus
, maxposs
);
958 return log_error_errno(false, errno
, "Failed to create cpumask for isolated cpus");
961 if (maxoffline
> 0) {
962 offlinemask
= lxc_cpumask(offlinecpus
, maxposs
);
964 return log_error_errno(false, errno
, "Failed to create cpumask for offline cpus");
967 for (i
= 0; i
<= maxposs
; i
++) {
968 if ((isolmask
&& !is_set(i
, isolmask
)) ||
969 (offlinemask
&& !is_set(i
, offlinemask
)) ||
970 !is_set(i
, possmask
))
974 clear_bit(i
, possmask
);
978 cpulist
= lxc_cpumask_to_cpulist(possmask
, maxposs
);
979 TRACE("No isolated or offline cpus present in cpuset");
981 cpulist
= move_ptr(posscpus
);
982 TRACE("Removed isolated or offline cpus from cpuset");
985 return log_error_errno(false, errno
, "Failed to create cpu list");
988 if (!am_initialized
) {
989 ret
= lxc_writeat(dfd_child
, "cpuset.cpus", cpulist
, strlen(cpulist
));
991 return log_error_errno(false, errno
, "Failed to write cpu list to \"%d/cpuset.cpus\"", dfd_child
);
993 TRACE("Copied cpu settings of parent cgroup");
999 static bool cpuset1_initialize(int dfd_base
, int dfd_next
)
1001 char mems
[PATH_MAX
];
1006 * Determine whether the base cgroup has cpuset
1007 * inheritance turned on.
1009 bytes
= lxc_readat(dfd_base
, "cgroup.clone_children", &v
, 1);
1011 return syserrno(false, "Failed to read file %d(cgroup.clone_children)", dfd_base
);
1014 * Initialize cpuset.cpus and make remove any isolated
1017 if (!cpuset1_cpus_initialize(dfd_base
, dfd_next
, v
== '1'))
1018 return syserrno(false, "Failed to initialize cpuset.cpus");
1020 /* Read cpuset.mems from parent... */
1021 bytes
= lxc_readat(dfd_base
, "cpuset.mems", mems
, sizeof(mems
));
1023 return syserrno(false, "Failed to read file %d(cpuset.mems)", dfd_base
);
1025 /* ... and copy to first cgroup in the tree... */
1026 bytes
= lxc_writeat(dfd_next
, "cpuset.mems", mems
, bytes
);
1028 return syserrno(false, "Failed to write %d(cpuset.mems)", dfd_next
);
1030 /* ... and finally turn on cpuset inheritance. */
1031 bytes
= lxc_writeat(dfd_next
, "cgroup.clone_children", "1", 1);
1033 return syserrno(false, "Failed to write %d(cgroup.clone_children)", dfd_next
);
1035 return log_trace(true, "Initialized cpuset in the legacy hierarchy");
1038 static int __cgroup_tree_create(int dfd_base
, const char *path
, mode_t mode
,
1039 bool cpuset_v1
, bool eexist_ignore
)
1041 __do_close
int dfd_final
= -EBADF
;
1042 int dfd_cur
= dfd_base
;
1048 if (is_empty_string(path
))
1049 return ret_errno(EINVAL
);
1051 len
= strlcpy(buf
, path
, sizeof(buf
));
1052 if (len
>= sizeof(buf
))
1053 return ret_errno(E2BIG
);
1055 lxc_iterate_parts(cur
, buf
, "/") {
1057 * Even though we vetted the paths when we parsed the config
1058 * we're paranoid here and check that the path is neither
1059 * absolute nor walks upwards.
1062 return syserrno_set(-EINVAL
, "No absolute paths allowed");
1064 if (strnequal(cur
, "..", STRLITERALLEN("..")))
1065 return syserrno_set(-EINVAL
, "No upward walking paths allowed");
1067 ret
= mkdirat(dfd_cur
, cur
, mode
);
1069 if (errno
!= EEXIST
)
1070 return syserrno(-errno
, "Failed to create %d(%s)", dfd_cur
, cur
);
1074 TRACE("%s %d(%s) cgroup", !ret
? "Created" : "Reusing", dfd_cur
, cur
);
1076 dfd_final
= open_at(dfd_cur
, cur
, PROTECT_OPATH_DIRECTORY
, PROTECT_LOOKUP_BENEATH
, 0);
1078 return syserrno(-errno
, "Fail to open%s directory %d(%s)",
1079 !ret
? " newly created" : "", dfd_base
, cur
);
1080 if (dfd_cur
!= dfd_base
)
1082 else if (cpuset_v1
&& !cpuset1_initialize(dfd_base
, dfd_final
))
1083 return syserrno(-EINVAL
, "Failed to initialize cpuset controller in the legacy hierarchy");
1085 * Leave dfd_final pointing to the last fd we opened so
1086 * it will be automatically zapped if we return early.
1088 dfd_cur
= dfd_final
;
1091 /* The final cgroup must be succesfully creatd by us. */
1093 if (ret
!= -EEXIST
|| !eexist_ignore
)
1094 return syserrno_set(ret
, "Creating the final cgroup %d(%s) failed", dfd_base
, path
);
1097 return move_fd(dfd_final
);
1100 static bool cgroup_tree_create(struct cgroup_ops
*ops
, struct lxc_conf
*conf
,
1101 struct hierarchy
*h
, const char *cgroup_limit_dir
,
1102 const char *cgroup_leaf
, bool payload
)
1104 __do_close
int fd_limit
= -EBADF
, fd_final
= -EBADF
;
1105 __do_free
char *path
= NULL
, *limit_path
= NULL
;
1106 bool cpuset_v1
= false;
1109 * The legacy cpuset controller needs massaging in case inheriting
1110 * settings from its immediate ancestor cgroup hasn't been turned on.
1112 cpuset_v1
= !is_unified_hierarchy(h
) && string_in_list(h
->controllers
, "cpuset");
1114 if (payload
&& cgroup_leaf
) {
1115 /* With isolation both parts need to not already exist. */
1116 fd_limit
= __cgroup_tree_create(h
->dfd_base
, cgroup_limit_dir
, 0755, cpuset_v1
, false);
1118 return syserrno(false, "Failed to create limiting cgroup %d(%s)", h
->dfd_base
, cgroup_limit_dir
);
1120 TRACE("Created limit cgroup %d->%d(%s)",
1121 fd_limit
, h
->dfd_base
, cgroup_limit_dir
);
1124 * With isolation the devices legacy cgroup needs to be
1125 * iinitialized early, as it typically contains an 'a' (all)
1126 * line, which is not possible once a subdirectory has been
1129 if (string_in_list(h
->controllers
, "devices") &&
1130 !ops
->setup_limits_legacy(ops
, conf
, true))
1131 return log_error(false, "Failed to setup legacy device limits");
1133 limit_path
= must_make_path(h
->mountpoint
, h
->container_base_path
, cgroup_limit_dir
, NULL
);
1134 path
= must_make_path(limit_path
, cgroup_leaf
, NULL
);
1137 * If we use a separate limit cgroup, the leaf cgroup, i.e. the
1138 * cgroup the container actually resides in, is below fd_limit.
1140 fd_final
= __cgroup_tree_create(fd_limit
, cgroup_leaf
, 0755, cpuset_v1
, false);
1142 /* Ensure we don't leave any garbage behind. */
1143 if (cgroup_tree_prune(h
->dfd_base
, cgroup_limit_dir
))
1144 SYSWARN("Failed to destroy %d(%s)", h
->dfd_base
, cgroup_limit_dir
);
1146 TRACE("Removed cgroup tree %d(%s)", h
->dfd_base
, cgroup_limit_dir
);
1149 path
= must_make_path(h
->mountpoint
, h
->container_base_path
, cgroup_limit_dir
, NULL
);
1151 fd_final
= __cgroup_tree_create(h
->dfd_base
, cgroup_limit_dir
, 0755, cpuset_v1
, false);
1154 return syserrno(false, "Failed to create %s cgroup %d(%s)", payload
? "payload" : "monitor", h
->dfd_base
, cgroup_limit_dir
);
1157 h
->cgfd_con
= move_fd(fd_final
);
1158 h
->container_full_path
= move_ptr(path
);
1161 h
->cgfd_limit
= h
->cgfd_con
;
1163 h
->cgfd_limit
= move_fd(fd_limit
);
1166 h
->container_limit_path
= move_ptr(limit_path
);
1168 h
->container_limit_path
= h
->container_full_path
;
1170 h
->cgfd_mon
= move_fd(fd_final
);
1176 static void cgroup_tree_prune_leaf(struct hierarchy
*h
, const char *path_prune
,
1182 /* Check whether we actually created the cgroup to prune. */
1183 if (h
->cgfd_limit
< 0)
1186 free_equal(h
->container_full_path
, h
->container_limit_path
);
1187 close_equal(h
->cgfd_con
, h
->cgfd_limit
);
1189 /* Check whether we actually created the cgroup to prune. */
1190 if (h
->cgfd_mon
< 0)
1193 close_prot_errno_disarm(h
->cgfd_mon
);
1196 /* We didn't create this cgroup. */
1200 if (cgroup_tree_prune(h
->dfd_base
, path_prune
))
1201 SYSWARN("Failed to destroy %d(%s)", h
->dfd_base
, path_prune
);
1203 TRACE("Removed cgroup tree %d(%s)", h
->dfd_base
, path_prune
);
1206 __cgfsng_ops
static void cgfsng_monitor_destroy(struct cgroup_ops
*ops
,
1207 struct lxc_handler
*handler
)
1210 char pidstr
[INTTYPE_TO_STRLEN(pid_t
)];
1211 const struct lxc_conf
*conf
;
1214 ERROR("Called with uninitialized cgroup operations");
1218 if (!ops
->hierarchies
)
1222 ERROR("Called with uninitialized handler");
1226 if (!handler
->conf
) {
1227 ERROR("Called with uninitialized conf");
1230 conf
= handler
->conf
;
1232 if (!ops
->monitor_cgroup
) {
1233 WARN("Uninitialized monitor cgroup");
1237 len
= strnprintf(pidstr
, sizeof(pidstr
), "%d", handler
->monitor_pid
);
1241 for (int i
= 0; ops
->hierarchies
[i
]; i
++) {
1242 __do_close
int fd_pivot
= -EBADF
;
1243 __do_free
char *pivot_path
= NULL
;
1244 struct hierarchy
*h
= ops
->hierarchies
[i
];
1245 bool cpuset_v1
= false;
1248 /* Monitor might have died before we entered the cgroup. */
1249 if (handler
->monitor_pid
<= 0) {
1250 WARN("No valid monitor process found while destroying cgroups");
1251 goto cgroup_prune_tree
;
1254 if (conf
->cgroup_meta
.monitor_pivot_dir
)
1255 pivot_path
= must_make_path(conf
->cgroup_meta
.monitor_pivot_dir
, CGROUP_PIVOT
, NULL
);
1256 else if (conf
->cgroup_meta
.dir
)
1257 pivot_path
= must_make_path(conf
->cgroup_meta
.dir
, CGROUP_PIVOT
, NULL
);
1259 pivot_path
= must_make_path(CGROUP_PIVOT
, NULL
);
1261 cpuset_v1
= !is_unified_hierarchy(h
) && string_in_list(h
->controllers
, "cpuset");
1263 fd_pivot
= __cgroup_tree_create(h
->dfd_base
, pivot_path
, 0755, cpuset_v1
, true);
1265 SYSWARN("Failed to create pivot cgroup %d(%s)", h
->dfd_base
, pivot_path
);
1269 ret
= lxc_writeat(fd_pivot
, "cgroup.procs", pidstr
, len
);
1271 SYSWARN("Failed to move monitor %s to \"%s\"", pidstr
, pivot_path
);
1276 ret
= cgroup_tree_prune(h
->dfd_base
, ops
->monitor_cgroup
);
1278 SYSWARN("Failed to destroy %d(%s)", h
->dfd_base
, ops
->monitor_cgroup
);
1280 TRACE("Removed cgroup tree %d(%s)", h
->dfd_base
, ops
->monitor_cgroup
);
1285 * Check we have no lxc.cgroup.dir, and that lxc.cgroup.dir.limit_prefix is a
1286 * proper prefix directory of lxc.cgroup.dir.payload.
1288 * Returns the prefix length if it is set, otherwise zero on success.
1290 static bool check_cgroup_dir_config(struct lxc_conf
*conf
)
1292 const char *monitor_dir
= conf
->cgroup_meta
.monitor_dir
,
1293 *container_dir
= conf
->cgroup_meta
.container_dir
,
1294 *namespace_dir
= conf
->cgroup_meta
.namespace_dir
;
1296 /* none of the new options are set, all is fine */
1297 if (!monitor_dir
&& !container_dir
&& !namespace_dir
)
1300 /* some are set, make sure lxc.cgroup.dir is not also set*/
1301 if (conf
->cgroup_meta
.dir
)
1302 return log_error_errno(false, EINVAL
,
1303 "lxc.cgroup.dir conflicts with lxc.cgroup.dir.payload/monitor");
1305 /* make sure both monitor and payload are set */
1306 if (!monitor_dir
|| !container_dir
)
1307 return log_error_errno(false, EINVAL
,
1308 "lxc.cgroup.dir.payload and lxc.cgroup.dir.monitor must both be set");
1310 /* namespace_dir may be empty */
1314 __cgfsng_ops
static bool cgfsng_monitor_create(struct cgroup_ops
*ops
, struct lxc_handler
*handler
)
1316 __do_free
char *monitor_cgroup
= NULL
;
1320 char *suffix
= NULL
;
1321 struct lxc_conf
*conf
;
1324 return ret_set_errno(false, ENOENT
);
1326 if (!ops
->hierarchies
)
1329 if (ops
->monitor_cgroup
)
1330 return ret_set_errno(false, EEXIST
);
1332 if (!handler
|| !handler
->conf
)
1333 return ret_set_errno(false, EINVAL
);
1335 conf
= handler
->conf
;
1337 if (!check_cgroup_dir_config(conf
))
1340 if (conf
->cgroup_meta
.monitor_dir
) {
1341 monitor_cgroup
= strdup(conf
->cgroup_meta
.monitor_dir
);
1342 } else if (conf
->cgroup_meta
.dir
) {
1343 monitor_cgroup
= must_concat(&len
, conf
->cgroup_meta
.dir
, "/",
1344 DEFAULT_MONITOR_CGROUP_PREFIX
,
1346 CGROUP_CREATE_RETRY
, NULL
);
1347 } else if (ops
->cgroup_pattern
) {
1348 __do_free
char *cgroup_tree
= NULL
;
1350 cgroup_tree
= lxc_string_replace("%n", handler
->name
, ops
->cgroup_pattern
);
1352 return ret_set_errno(false, ENOMEM
);
1354 monitor_cgroup
= must_concat(&len
, cgroup_tree
, "/",
1355 DEFAULT_MONITOR_CGROUP
,
1356 CGROUP_CREATE_RETRY
, NULL
);
1358 monitor_cgroup
= must_concat(&len
, DEFAULT_MONITOR_CGROUP_PREFIX
,
1360 CGROUP_CREATE_RETRY
, NULL
);
1362 if (!monitor_cgroup
)
1363 return ret_set_errno(false, ENOMEM
);
1365 if (!conf
->cgroup_meta
.monitor_dir
) {
1366 suffix
= monitor_cgroup
+ len
- CGROUP_CREATE_RETRY_LEN
;
1371 sprintf(suffix
, "-%d", idx
);
1373 for (i
= 0; ops
->hierarchies
[i
]; i
++) {
1374 if (cgroup_tree_create(ops
, handler
->conf
,
1375 ops
->hierarchies
[i
],
1376 monitor_cgroup
, NULL
, false))
1379 DEBUG("Failed to create cgroup %s)", monitor_cgroup
);
1380 for (int j
= 0; j
<= i
; j
++)
1381 cgroup_tree_prune_leaf(ops
->hierarchies
[j
],
1382 monitor_cgroup
, false);
1387 } while (ops
->hierarchies
[i
] && idx
> 0 && idx
< 1000 && suffix
);
1389 if (idx
== 1000 || (!suffix
&& idx
!= 0))
1390 return log_error_errno(false, ERANGE
, "Failed to create monitor cgroup");
1392 ops
->monitor_cgroup
= move_ptr(monitor_cgroup
);
1393 return log_info(true, "The monitor process uses \"%s\" as cgroup", ops
->monitor_cgroup
);
1397 * Try to create the same cgroup in all hierarchies. Start with cgroup_pattern;
1398 * next cgroup_pattern-1, -2, ..., -999.
1400 __cgfsng_ops
static bool cgfsng_payload_create(struct cgroup_ops
*ops
, struct lxc_handler
*handler
)
1402 __do_free
char *container_cgroup
= NULL
, *__limit_cgroup
= NULL
;
1407 char *suffix
= NULL
;
1408 struct lxc_conf
*conf
;
1411 return ret_set_errno(false, ENOENT
);
1413 if (!ops
->hierarchies
)
1416 if (ops
->container_cgroup
|| ops
->container_limit_cgroup
)
1417 return ret_set_errno(false, EEXIST
);
1419 if (!handler
|| !handler
->conf
)
1420 return ret_set_errno(false, EINVAL
);
1422 conf
= handler
->conf
;
1424 if (!check_cgroup_dir_config(conf
))
1427 if (conf
->cgroup_meta
.container_dir
) {
1428 __limit_cgroup
= strdup(conf
->cgroup_meta
.container_dir
);
1429 if (!__limit_cgroup
)
1430 return ret_set_errno(false, ENOMEM
);
1432 if (conf
->cgroup_meta
.namespace_dir
) {
1433 container_cgroup
= must_make_path(__limit_cgroup
,
1434 conf
->cgroup_meta
.namespace_dir
,
1436 limit_cgroup
= __limit_cgroup
;
1438 /* explicit paths but without isolation */
1439 limit_cgroup
= move_ptr(__limit_cgroup
);
1440 container_cgroup
= limit_cgroup
;
1442 } else if (conf
->cgroup_meta
.dir
) {
1443 limit_cgroup
= must_concat(&len
, conf
->cgroup_meta
.dir
, "/",
1444 DEFAULT_PAYLOAD_CGROUP_PREFIX
,
1446 CGROUP_CREATE_RETRY
, NULL
);
1447 container_cgroup
= limit_cgroup
;
1448 } else if (ops
->cgroup_pattern
) {
1449 __do_free
char *cgroup_tree
= NULL
;
1451 cgroup_tree
= lxc_string_replace("%n", handler
->name
, ops
->cgroup_pattern
);
1453 return ret_set_errno(false, ENOMEM
);
1455 limit_cgroup
= must_concat(&len
, cgroup_tree
, "/",
1456 DEFAULT_PAYLOAD_CGROUP
,
1457 CGROUP_CREATE_RETRY
, NULL
);
1458 container_cgroup
= limit_cgroup
;
1460 limit_cgroup
= must_concat(&len
, DEFAULT_PAYLOAD_CGROUP_PREFIX
,
1462 CGROUP_CREATE_RETRY
, NULL
);
1463 container_cgroup
= limit_cgroup
;
1466 return ret_set_errno(false, ENOMEM
);
1468 if (!conf
->cgroup_meta
.container_dir
) {
1469 suffix
= container_cgroup
+ len
- CGROUP_CREATE_RETRY_LEN
;
1474 sprintf(suffix
, "-%d", idx
);
1476 for (i
= 0; ops
->hierarchies
[i
]; i
++) {
1477 if (cgroup_tree_create(ops
, handler
->conf
,
1478 ops
->hierarchies
[i
], limit_cgroup
,
1479 conf
->cgroup_meta
.namespace_dir
,
1483 DEBUG("Failed to create cgroup \"%s\"", ops
->hierarchies
[i
]->container_full_path
?: "(null)");
1484 for (int j
= 0; j
<= i
; j
++)
1485 cgroup_tree_prune_leaf(ops
->hierarchies
[j
],
1486 limit_cgroup
, true);
1491 } while (ops
->hierarchies
[i
] && idx
> 0 && idx
< 1000 && suffix
);
1493 if (idx
== 1000 || (!suffix
&& idx
!= 0))
1494 return log_error_errno(false, ERANGE
, "Failed to create container cgroup");
1496 ops
->container_cgroup
= move_ptr(container_cgroup
);
1498 ops
->container_limit_cgroup
= move_ptr(__limit_cgroup
);
1500 ops
->container_limit_cgroup
= ops
->container_cgroup
;
1501 INFO("The container process uses \"%s\" as inner and \"%s\" as limit cgroup",
1502 ops
->container_cgroup
, ops
->container_limit_cgroup
);
1506 __cgfsng_ops
static bool cgfsng_monitor_enter(struct cgroup_ops
*ops
,
1507 struct lxc_handler
*handler
)
1509 int monitor_len
, transient_len
= 0;
1510 char monitor
[INTTYPE_TO_STRLEN(pid_t
)],
1511 transient
[INTTYPE_TO_STRLEN(pid_t
)];
1514 return ret_set_errno(false, ENOENT
);
1516 if (!ops
->hierarchies
)
1519 if (!ops
->monitor_cgroup
)
1520 return ret_set_errno(false, ENOENT
);
1522 if (!handler
|| !handler
->conf
)
1523 return ret_set_errno(false, EINVAL
);
1525 monitor_len
= strnprintf(monitor
, sizeof(monitor
), "%d", handler
->monitor_pid
);
1526 if (monitor_len
< 0)
1529 if (handler
->transient_pid
> 0) {
1530 transient_len
= strnprintf(transient
, sizeof(transient
), "%d", handler
->transient_pid
);
1531 if (transient_len
< 0)
1535 for (int i
= 0; ops
->hierarchies
[i
]; i
++) {
1536 struct hierarchy
*h
= ops
->hierarchies
[i
];
1539 ret
= lxc_writeat(h
->cgfd_mon
, "cgroup.procs", monitor
, monitor_len
);
1541 return log_error_errno(false, errno
, "Failed to enter cgroup %d", h
->cgfd_mon
);
1543 TRACE("Moved monitor into cgroup %d", h
->cgfd_mon
);
1545 if (handler
->transient_pid
<= 0)
1548 ret
= lxc_writeat(h
->cgfd_mon
, "cgroup.procs", transient
, transient_len
);
1550 return log_error_errno(false, errno
, "Failed to enter cgroup %d", h
->cgfd_mon
);
1552 TRACE("Moved transient process into cgroup %d", h
->cgfd_mon
);
1555 * we don't keep the fds for non-unified hierarchies around
1556 * mainly because we don't make use of them anymore after the
1557 * core cgroup setup is done but also because there are quite a
1560 if (!is_unified_hierarchy(h
))
1561 close_prot_errno_disarm(h
->cgfd_mon
);
1563 handler
->transient_pid
= -1;
1568 __cgfsng_ops
static bool cgfsng_payload_enter(struct cgroup_ops
*ops
,
1569 struct lxc_handler
*handler
)
1572 char pidstr
[INTTYPE_TO_STRLEN(pid_t
)];
1575 return ret_set_errno(false, ENOENT
);
1577 if (!ops
->hierarchies
)
1580 if (!ops
->container_cgroup
)
1581 return ret_set_errno(false, ENOENT
);
1583 if (!handler
|| !handler
->conf
)
1584 return ret_set_errno(false, EINVAL
);
1586 len
= strnprintf(pidstr
, sizeof(pidstr
), "%d", handler
->pid
);
1590 for (int i
= 0; ops
->hierarchies
[i
]; i
++) {
1591 struct hierarchy
*h
= ops
->hierarchies
[i
];
1594 if (is_unified_hierarchy(h
) &&
1595 (handler
->clone_flags
& CLONE_INTO_CGROUP
))
1598 ret
= lxc_writeat(h
->cgfd_con
, "cgroup.procs", pidstr
, len
);
1600 return log_error_errno(false, errno
, "Failed to enter cgroup \"%s\"", h
->container_full_path
);
1602 TRACE("Moved container into %s cgroup via %d", h
->container_full_path
, h
->cgfd_con
);
1608 static int fchowmodat(int dirfd
, const char *path
, uid_t chown_uid
,
1609 gid_t chown_gid
, mode_t chmod_mode
)
1613 ret
= fchownat(dirfd
, path
, chown_uid
, chown_gid
,
1614 AT_EMPTY_PATH
| AT_SYMLINK_NOFOLLOW
);
1616 return log_warn_errno(-1,
1617 errno
, "Failed to fchownat(%d, %s, %d, %d, AT_EMPTY_PATH | AT_SYMLINK_NOFOLLOW )",
1618 dirfd
, path
, (int)chown_uid
,
1621 ret
= fchmodat(dirfd
, (*path
!= '\0') ? path
: ".", chmod_mode
, 0);
1623 return log_warn_errno(-1, errno
, "Failed to fchmodat(%d, %s, %d, AT_SYMLINK_NOFOLLOW)",
1624 dirfd
, path
, (int)chmod_mode
);
1629 /* chgrp the container cgroups to container group. We leave
1630 * the container owner as cgroup owner. So we must make the
1631 * directories 775 so that the container can create sub-cgroups.
1633 * Also chown the tasks and cgroup.procs files. Those may not
1634 * exist depending on kernel version.
1636 static int chown_cgroup_wrapper(void *data
)
1640 struct generic_userns_exec_data
*arg
= data
;
1641 uid_t nsuid
= (arg
->conf
->root_nsuid_map
!= NULL
) ? 0 : arg
->conf
->init_uid
;
1642 gid_t nsgid
= (arg
->conf
->root_nsgid_map
!= NULL
) ? 0 : arg
->conf
->init_gid
;
1644 if (!lxc_drop_groups() && errno
!= EPERM
)
1645 return log_error_errno(-1, errno
, "Failed to setgroups(0, NULL)");
1647 ret
= setresgid(nsgid
, nsgid
, nsgid
);
1649 return log_error_errno(-1, errno
, "Failed to setresgid(%d, %d, %d)",
1650 (int)nsgid
, (int)nsgid
, (int)nsgid
);
1652 ret
= setresuid(nsuid
, nsuid
, nsuid
);
1654 return log_error_errno(-1, errno
, "Failed to setresuid(%d, %d, %d)",
1655 (int)nsuid
, (int)nsuid
, (int)nsuid
);
1657 destuid
= get_ns_uid(arg
->origuid
);
1658 if (destuid
== LXC_INVALID_UID
)
1661 for (int i
= 0; arg
->hierarchies
[i
]; i
++) {
1662 int dirfd
= arg
->hierarchies
[i
]->cgfd_con
;
1664 (void)fchowmodat(dirfd
, "", destuid
, nsgid
, 0775);
1667 * Failures to chown() these are inconvenient but not
1668 * detrimental We leave these owned by the container launcher,
1669 * so that container root can write to the files to attach. We
1670 * chmod() them 664 so that container systemd can write to the
1671 * files (which systemd in wily insists on doing).
1674 if (arg
->hierarchies
[i
]->version
== CGROUP_SUPER_MAGIC
)
1675 (void)fchowmodat(dirfd
, "tasks", destuid
, nsgid
, 0664);
1677 (void)fchowmodat(dirfd
, "cgroup.procs", destuid
, nsgid
, 0664);
1679 if (arg
->hierarchies
[i
]->version
!= CGROUP2_SUPER_MAGIC
)
1682 for (char **p
= arg
->hierarchies
[i
]->cgroup2_chown
; p
&& *p
; p
++)
1683 (void)fchowmodat(dirfd
, *p
, destuid
, nsgid
, 0664);
1689 __cgfsng_ops
static bool cgfsng_chown(struct cgroup_ops
*ops
,
1690 struct lxc_conf
*conf
)
1692 struct generic_userns_exec_data wrap
;
1695 return ret_set_errno(false, ENOENT
);
1697 if (!ops
->hierarchies
)
1700 if (!ops
->container_cgroup
)
1701 return ret_set_errno(false, ENOENT
);
1704 return ret_set_errno(false, EINVAL
);
1706 if (lxc_list_empty(&conf
->id_map
))
1709 wrap
.origuid
= geteuid();
1711 wrap
.hierarchies
= ops
->hierarchies
;
1714 if (userns_exec_1(conf
, chown_cgroup_wrapper
, &wrap
, "chown_cgroup_wrapper") < 0)
1715 return log_error_errno(false, errno
, "Error requesting cgroup chown in new user namespace");
1720 __cgfsng_ops
static void cgfsng_payload_finalize(struct cgroup_ops
*ops
)
1725 if (!ops
->hierarchies
)
1728 for (int i
= 0; ops
->hierarchies
[i
]; i
++) {
1729 struct hierarchy
*h
= ops
->hierarchies
[i
];
1731 * we don't keep the fds for non-unified hierarchies around
1732 * mainly because we don't make use of them anymore after the
1733 * core cgroup setup is done but also because there are quite a
1736 if (!is_unified_hierarchy(h
))
1737 close_prot_errno_disarm(h
->cgfd_con
);
1741 * The checking for freezer support should obviously be done at cgroup
1742 * initialization time but that doesn't work reliable. The freezer
1743 * controller has been demoted (rightly so) to a simple file located in
1744 * each non-root cgroup. At the time when the container is created we
1745 * might still be located in /sys/fs/cgroup and so checking for
1746 * cgroup.freeze won't tell us anything because this file doesn't exist
1747 * in the root cgroup. We could then iterate through /sys/fs/cgroup and
1748 * find an already existing cgroup and then check within that cgroup
1749 * for the existence of cgroup.freeze but that will only work on
1750 * systemd based hosts. Other init systems might not manage cgroups and
1751 * so no cgroup will exist. So we defer until we have created cgroups
1752 * for our container which means we check here.
1754 if (pure_unified_layout(ops
) &&
1755 !faccessat(ops
->unified
->cgfd_con
, "cgroup.freeze", F_OK
,
1756 AT_SYMLINK_NOFOLLOW
)) {
1757 TRACE("Unified hierarchy supports freezer");
1758 ops
->unified
->freezer_controller
= 1;
1762 /* cgroup-full:* is done, no need to create subdirs */
1763 static inline bool cg_mount_needs_subdirs(int cgroup_automount_type
)
1765 switch (cgroup_automount_type
) {
1766 case LXC_AUTO_CGROUP_RO
:
1768 case LXC_AUTO_CGROUP_RW
:
1770 case LXC_AUTO_CGROUP_MIXED
:
1777 /* After $rootfs/sys/fs/container/controller/the/cg/path has been created,
1778 * remount controller ro if needed and bindmount the cgroupfs onto
1779 * control/the/cg/path.
1781 static int cg_legacy_mount_controllers(int cgroup_automount_type
, struct hierarchy
*h
,
1782 char *controllerpath
, char *cgpath
,
1783 const char *container_cgroup
)
1785 __do_free
char *sourcepath
= NULL
;
1786 int ret
, remount_flags
;
1787 int flags
= MS_BIND
;
1789 if ((cgroup_automount_type
== LXC_AUTO_CGROUP_RO
) ||
1790 (cgroup_automount_type
== LXC_AUTO_CGROUP_MIXED
)) {
1791 ret
= mount(controllerpath
, controllerpath
, "cgroup", MS_BIND
, NULL
);
1793 return log_error_errno(-1, errno
, "Failed to bind mount \"%s\" onto \"%s\"",
1794 controllerpath
, controllerpath
);
1796 remount_flags
= add_required_remount_flags(controllerpath
,
1798 flags
| MS_REMOUNT
);
1799 ret
= mount(controllerpath
, controllerpath
, "cgroup",
1800 remount_flags
| MS_REMOUNT
| MS_BIND
| MS_RDONLY
,
1803 return log_error_errno(-1, errno
, "Failed to remount \"%s\" ro", controllerpath
);
1805 INFO("Remounted %s read-only", controllerpath
);
1808 sourcepath
= must_make_path(h
->mountpoint
, h
->container_base_path
,
1809 container_cgroup
, NULL
);
1810 if (cgroup_automount_type
== LXC_AUTO_CGROUP_RO
)
1813 ret
= mount(sourcepath
, cgpath
, "cgroup", flags
, NULL
);
1815 return log_error_errno(-1, errno
, "Failed to mount \"%s\" onto \"%s\"",
1816 h
->controllers
[0], cgpath
);
1817 INFO("Mounted \"%s\" onto \"%s\"", h
->controllers
[0], cgpath
);
1819 if (flags
& MS_RDONLY
) {
1820 remount_flags
= add_required_remount_flags(sourcepath
, cgpath
,
1821 flags
| MS_REMOUNT
);
1822 ret
= mount(sourcepath
, cgpath
, "cgroup", remount_flags
, NULL
);
1824 return log_error_errno(-1, errno
, "Failed to remount \"%s\" ro", cgpath
);
1825 INFO("Remounted %s read-only", cgpath
);
1828 INFO("Completed second stage cgroup automounts for \"%s\"", cgpath
);
1834 * Mount cgroup hierarchies directly without using bind-mounts. The main
1835 * uses-cases are mounting cgroup hierarchies in cgroup namespaces and mounting
1836 * cgroups for the LXC_AUTO_CGROUP_FULL option.
1838 static int __cgroupfs_mount(int cgroup_automount_type
, struct hierarchy
*h
,
1839 struct lxc_rootfs
*rootfs
, int dfd_mnt_cgroupfs
,
1840 const char *hierarchy_mnt
)
1842 __do_close
int fd_fs
= -EBADF
;
1843 unsigned int flags
= 0;
1847 if (dfd_mnt_cgroupfs
< 0)
1848 return ret_errno(EINVAL
);
1850 flags
|= MOUNT_ATTR_NOSUID
;
1851 flags
|= MOUNT_ATTR_NOEXEC
;
1852 flags
|= MOUNT_ATTR_NODEV
;
1853 flags
|= MOUNT_ATTR_RELATIME
;
1855 if ((cgroup_automount_type
== LXC_AUTO_CGROUP_RO
) ||
1856 (cgroup_automount_type
== LXC_AUTO_CGROUP_FULL_RO
))
1857 flags
|= MOUNT_ATTR_RDONLY
;
1859 if (is_unified_hierarchy(h
))
1864 if (can_use_mount_api()) {
1865 fd_fs
= fs_prepare(fstype
, -EBADF
, "", 0, 0);
1867 return log_error_errno(-errno
, errno
, "Failed to prepare filesystem context for %s", fstype
);
1869 if (!is_unified_hierarchy(h
)) {
1870 for (const char **it
= (const char **)h
->controllers
; it
&& *it
; it
++) {
1871 if (strnequal(*it
, "name=", STRLITERALLEN("name=")))
1872 ret
= fs_set_property(fd_fs
, "name", *it
+ STRLITERALLEN("name="));
1874 ret
= fs_set_property(fd_fs
, *it
, "");
1876 return log_error_errno(-errno
, errno
, "Failed to add %s controller to cgroup filesystem context %d(dev)", *it
, fd_fs
);
1880 ret
= fs_attach(fd_fs
, dfd_mnt_cgroupfs
, hierarchy_mnt
,
1881 PROTECT_OPATH_DIRECTORY
, PROTECT_LOOKUP_BENEATH
,
1884 __do_free
char *controllers
= NULL
, *target
= NULL
;
1885 unsigned int old_flags
= 0;
1886 const char *rootfs_mnt
;
1888 if (!is_unified_hierarchy(h
)) {
1889 controllers
= lxc_string_join(",", (const char **)h
->controllers
, false);
1891 return ret_errno(ENOMEM
);
1894 rootfs_mnt
= get_rootfs_mnt(rootfs
);
1895 ret
= mnt_attributes_old(flags
, &old_flags
);
1897 return log_error_errno(-EINVAL
, EINVAL
, "Unsupported mount properties specified");
1899 target
= must_make_path(rootfs_mnt
, DEFAULT_CGROUP_MOUNTPOINT
, hierarchy_mnt
, NULL
);
1900 ret
= safe_mount(NULL
, target
, fstype
, old_flags
, controllers
, rootfs_mnt
);
1903 return log_error_errno(ret
, errno
, "Failed to mount %s filesystem onto %d(%s)",
1904 fstype
, dfd_mnt_cgroupfs
, maybe_empty(hierarchy_mnt
));
1906 DEBUG("Mounted cgroup filesystem %s onto %d(%s)",
1907 fstype
, dfd_mnt_cgroupfs
, maybe_empty(hierarchy_mnt
));
1911 static inline int cgroupfs_mount(int cgroup_automount_type
, struct hierarchy
*h
,
1912 struct lxc_rootfs
*rootfs
,
1913 int dfd_mnt_cgroupfs
, const char *hierarchy_mnt
)
1915 return __cgroupfs_mount(cgroup_automount_type
, h
, rootfs
,
1916 dfd_mnt_cgroupfs
, hierarchy_mnt
);
1919 static inline int cgroupfs_bind_mount(int cgroup_automount_type
, struct hierarchy
*h
,
1920 struct lxc_rootfs
*rootfs
,
1921 int dfd_mnt_cgroupfs
,
1922 const char *hierarchy_mnt
)
1924 switch (cgroup_automount_type
) {
1925 case LXC_AUTO_CGROUP_FULL_RO
:
1927 case LXC_AUTO_CGROUP_FULL_RW
:
1929 case LXC_AUTO_CGROUP_FULL_MIXED
:
1935 return __cgroupfs_mount(cgroup_automount_type
, h
, rootfs
,
1936 dfd_mnt_cgroupfs
, hierarchy_mnt
);
1939 __cgfsng_ops
static bool cgfsng_mount(struct cgroup_ops
*ops
,
1940 struct lxc_handler
*handler
, int cg_flags
)
1942 __do_close
int dfd_mnt_tmpfs
= -EBADF
, fd_fs
= -EBADF
;
1943 __do_free
char *cgroup_root
= NULL
;
1944 int cgroup_automount_type
;
1945 bool in_cgroup_ns
= false, wants_force_mount
= false;
1946 struct lxc_conf
*conf
= handler
->conf
;
1947 struct lxc_rootfs
*rootfs
= &conf
->rootfs
;
1948 const char *rootfs_mnt
= get_rootfs_mnt(rootfs
);
1952 return ret_set_errno(false, ENOENT
);
1954 if (!ops
->hierarchies
)
1958 return ret_set_errno(false, EINVAL
);
1960 if ((cg_flags
& LXC_AUTO_CGROUP_MASK
) == 0)
1961 return log_trace(true, "No cgroup mounts requested");
1963 if (cg_flags
& LXC_AUTO_CGROUP_FORCE
) {
1964 cg_flags
&= ~LXC_AUTO_CGROUP_FORCE
;
1965 wants_force_mount
= true;
1969 case LXC_AUTO_CGROUP_RO
:
1970 TRACE("Read-only cgroup mounts requested");
1972 case LXC_AUTO_CGROUP_RW
:
1973 TRACE("Read-write cgroup mounts requested");
1975 case LXC_AUTO_CGROUP_MIXED
:
1976 TRACE("Mixed cgroup mounts requested");
1978 case LXC_AUTO_CGROUP_FULL_RO
:
1979 TRACE("Full read-only cgroup mounts requested");
1981 case LXC_AUTO_CGROUP_FULL_RW
:
1982 TRACE("Full read-write cgroup mounts requested");
1984 case LXC_AUTO_CGROUP_FULL_MIXED
:
1985 TRACE("Full mixed cgroup mounts requested");
1988 return log_error_errno(false, EINVAL
, "Invalid cgroup mount options specified");
1990 cgroup_automount_type
= cg_flags
;
1992 if (!wants_force_mount
) {
1993 wants_force_mount
= !lxc_wants_cap(CAP_SYS_ADMIN
, conf
);
1996 * Most recent distro versions currently have init system that
1997 * do support cgroup2 but do not mount it by default unless
1998 * explicitly told so even if the host is cgroup2 only. That
1999 * means they often will fail to boot. Fix this by pre-mounting
2000 * cgroup2 by default. We will likely need to be doing this a
2001 * few years until all distros have switched over to cgroup2 at
2002 * which point we can safely assume that their init systems
2003 * will mount it themselves.
2005 if (pure_unified_layout(ops
))
2006 wants_force_mount
= true;
2009 if (cgns_supported() && container_uses_namespace(handler
, CLONE_NEWCGROUP
))
2010 in_cgroup_ns
= true;
2012 if (in_cgroup_ns
&& !wants_force_mount
)
2013 return log_trace(true, "Mounting cgroups not requested or needed");
2015 /* This is really the codepath that we want. */
2016 if (pure_unified_layout(ops
)) {
2017 __do_close
int dfd_mnt_unified
= -EBADF
;
2019 dfd_mnt_unified
= open_at(rootfs
->dfd_mnt
, DEFAULT_CGROUP_MOUNTPOINT_RELATIVE
,
2020 PROTECT_OPATH_DIRECTORY
, PROTECT_LOOKUP_BENEATH_XDEV
, 0);
2021 if (dfd_mnt_unified
< 0)
2022 return syserrno(-errno
, "Failed to open %d(%s)", rootfs
->dfd_mnt
,
2023 DEFAULT_CGROUP_MOUNTPOINT_RELATIVE
);
2025 * If cgroup namespaces are supported but the container will
2026 * not have CAP_SYS_ADMIN after it has started we need to mount
2027 * the cgroups manually.
2029 * Note that here we know that wants_force_mount is true.
2030 * Otherwise we would've returned early above.
2034 * 1. cgroup:rw:force -> Mount the cgroup2 filesystem.
2035 * 2. cgroup:ro:force -> Mount the cgroup2 filesystem read-only.
2036 * 3. cgroup:mixed:force -> See comment above how this
2038 * cgroup:mixed is equal to
2039 * cgroup:rw when cgroup
2040 * namespaces are supported.
2042 * 4. cgroup:rw -> No-op; init system responsible for mounting.
2043 * 5. cgroup:ro -> No-op; init system responsible for mounting.
2044 * 6. cgroup:mixed -> No-op; init system responsible for mounting.
2046 * 7. cgroup-full:rw -> Not supported.
2047 * 8. cgroup-full:ro -> Not supported.
2048 * 9. cgroup-full:mixed -> Not supported.
2050 * 10. cgroup-full:rw:force -> Not supported.
2051 * 11. cgroup-full:ro:force -> Not supported.
2052 * 12. cgroup-full:mixed:force -> Not supported.
2054 ret
= cgroupfs_mount(cgroup_automount_type
, ops
->unified
, rootfs
, dfd_mnt_unified
, "");
2056 return syserrno(false, "Failed to force mount cgroup filesystem in cgroup namespace");
2058 return log_trace(true, "Force mounted cgroup filesystem in new cgroup namespace");
2061 * Either no cgroup namespace supported (highly
2062 * unlikely unless we're dealing with a Frankenkernel.
2063 * Or the user requested to keep the cgroup namespace
2064 * of the host or another container.
2066 if (wants_force_mount
) {
2068 * 1. cgroup:rw:force -> Bind-mount the cgroup2 filesystem writable.
2069 * 2. cgroup:ro:force -> Bind-mount the cgroup2 filesystem read-only.
2070 * 3. cgroup:mixed:force -> bind-mount the cgroup2 filesystem and
2071 * and make the parent directory of the
2072 * container's cgroup read-only but the
2073 * container's cgroup writable.
2075 * 10. cgroup-full:rw:force ->
2076 * 11. cgroup-full:ro:force ->
2077 * 12. cgroup-full:mixed:force ->
2080 SYSWARN("Force-mounting the unified cgroup hierarchy without cgroup namespace support is currently not supported");
2083 SYSWARN("Mounting the unified cgroup hierarchy without cgroup namespace support is currently not supported");
2087 return syserrno(false, "Failed to mount cgroups");
2091 * Mount a tmpfs over DEFAULT_CGROUP_MOUNTPOINT. Note that we're
2092 * relying on RESOLVE_BENEATH so we need to skip the leading "/" in the
2093 * DEFAULT_CGROUP_MOUNTPOINT define.
2095 if (can_use_mount_api()) {
2096 fd_fs
= fs_prepare("tmpfs", -EBADF
, "", 0, 0);
2098 return log_error_errno(-errno
, errno
, "Failed to create new filesystem context for tmpfs");
2100 ret
= fs_set_property(fd_fs
, "mode", "0755");
2102 return log_error_errno(-errno
, errno
, "Failed to mount tmpfs onto %d(dev)", fd_fs
);
2104 ret
= fs_set_property(fd_fs
, "size", "10240k");
2106 return log_error_errno(-errno
, errno
, "Failed to mount tmpfs onto %d(dev)", fd_fs
);
2108 ret
= fs_attach(fd_fs
, rootfs
->dfd_mnt
, DEFAULT_CGROUP_MOUNTPOINT_RELATIVE
,
2109 PROTECT_OPATH_DIRECTORY
, PROTECT_LOOKUP_BENEATH_XDEV
,
2110 MOUNT_ATTR_NOSUID
| MOUNT_ATTR_NODEV
|
2111 MOUNT_ATTR_NOEXEC
| MOUNT_ATTR_RELATIME
);
2113 cgroup_root
= must_make_path(rootfs_mnt
, DEFAULT_CGROUP_MOUNTPOINT
, NULL
);
2114 ret
= safe_mount(NULL
, cgroup_root
, "tmpfs",
2115 MS_NOSUID
| MS_NODEV
| MS_NOEXEC
| MS_RELATIME
,
2116 "size=10240k,mode=755", rootfs_mnt
);
2119 return log_error_errno(false, errno
, "Failed to mount tmpfs on %s",
2120 DEFAULT_CGROUP_MOUNTPOINT_RELATIVE
);
2122 dfd_mnt_tmpfs
= open_at(rootfs
->dfd_mnt
, DEFAULT_CGROUP_MOUNTPOINT_RELATIVE
,
2123 PROTECT_OPATH_DIRECTORY
, PROTECT_LOOKUP_BENEATH_XDEV
, 0);
2124 if (dfd_mnt_tmpfs
< 0)
2125 return syserrno(-errno
, "Failed to open %d(%s)", rootfs
->dfd_mnt
,
2126 DEFAULT_CGROUP_MOUNTPOINT_RELATIVE
);
2128 for (int i
= 0; ops
->hierarchies
[i
]; i
++) {
2129 __do_free
char *controllerpath
= NULL
, *path2
= NULL
;
2130 struct hierarchy
*h
= ops
->hierarchies
[i
];
2131 char *controller
= strrchr(h
->mountpoint
, '/');
2137 ret
= mkdirat(dfd_mnt_tmpfs
, controller
, 0000);
2139 return log_error_errno(false, errno
, "Failed to create cgroup mountpoint %d(%s)", dfd_mnt_tmpfs
, controller
);
2141 if (in_cgroup_ns
&& wants_force_mount
) {
2143 * If cgroup namespaces are supported but the container
2144 * will not have CAP_SYS_ADMIN after it has started we
2145 * need to mount the cgroups manually.
2147 ret
= cgroupfs_mount(cgroup_automount_type
, h
, rootfs
, dfd_mnt_tmpfs
, controller
);
2154 /* Here is where the ancient kernel section begins. */
2155 ret
= cgroupfs_bind_mount(cgroup_automount_type
, h
, rootfs
, dfd_mnt_tmpfs
, controller
);
2159 if (!cg_mount_needs_subdirs(cgroup_automount_type
))
2163 cgroup_root
= must_make_path(rootfs_mnt
, DEFAULT_CGROUP_MOUNTPOINT
, NULL
);
2165 controllerpath
= must_make_path(cgroup_root
, controller
, NULL
);
2166 path2
= must_make_path(controllerpath
, h
->container_base_path
, ops
->container_cgroup
, NULL
);
2167 ret
= mkdir_p(path2
, 0755);
2168 if (ret
< 0 && (errno
!= EEXIST
))
2171 ret
= cg_legacy_mount_controllers(cgroup_automount_type
, h
, controllerpath
, path2
, ops
->container_cgroup
);
2179 /* Only root needs to escape to the cgroup of its init. */
2180 __cgfsng_ops
static bool cgfsng_criu_escape(const struct cgroup_ops
*ops
,
2181 struct lxc_conf
*conf
)
2184 return ret_set_errno(false, ENOENT
);
2186 if (!ops
->hierarchies
)
2190 return ret_set_errno(false, EINVAL
);
2192 if (conf
->cgroup_meta
.relative
|| geteuid())
2195 for (int i
= 0; ops
->hierarchies
[i
]; i
++) {
2196 __do_free
char *fullpath
= NULL
;
2200 must_make_path(ops
->hierarchies
[i
]->mountpoint
,
2201 ops
->hierarchies
[i
]->container_base_path
,
2202 "cgroup.procs", NULL
);
2203 ret
= lxc_write_to_file(fullpath
, "0", 2, false, 0666);
2205 return log_error_errno(false, errno
, "Failed to escape to cgroup \"%s\"", fullpath
);
2211 __cgfsng_ops
static int cgfsng_criu_num_hierarchies(struct cgroup_ops
*ops
)
2216 return ret_set_errno(-1, ENOENT
);
2218 if (!ops
->hierarchies
)
2221 for (; ops
->hierarchies
[i
]; i
++)
2227 __cgfsng_ops
static bool cgfsng_criu_get_hierarchies(struct cgroup_ops
*ops
,
2233 return ret_set_errno(false, ENOENT
);
2235 if (!ops
->hierarchies
)
2236 return ret_set_errno(false, ENOENT
);
2238 /* sanity check n */
2239 for (i
= 0; i
< n
; i
++)
2240 if (!ops
->hierarchies
[i
])
2241 return ret_set_errno(false, ENOENT
);
2243 *out
= ops
->hierarchies
[i
]->controllers
;
2248 static bool cg_legacy_freeze(struct cgroup_ops
*ops
)
2250 struct hierarchy
*h
;
2252 h
= get_hierarchy(ops
, "freezer");
2254 return ret_set_errno(-1, ENOENT
);
2256 return lxc_write_openat(h
->container_full_path
, "freezer.state",
2257 "FROZEN", STRLITERALLEN("FROZEN"));
2260 static int freezer_cgroup_events_cb(int fd
, uint32_t events
, void *cbdata
,
2261 struct lxc_epoll_descr
*descr
)
2263 __do_free
char *line
= NULL
;
2264 __do_fclose
FILE *f
= NULL
;
2265 int state
= PTR_TO_INT(cbdata
);
2267 const char *state_string
;
2269 f
= fdopen_at(fd
, "", "re", PROTECT_OPEN
, PROTECT_LOOKUP_BENEATH
);
2271 return LXC_MAINLOOP_ERROR
;
2274 state_string
= "frozen 1";
2276 state_string
= "frozen 0";
2278 while (getline(&line
, &len
, f
) != -1)
2279 if (strnequal(line
, state_string
, STRLITERALLEN("frozen") + 2))
2280 return LXC_MAINLOOP_CLOSE
;
2284 return LXC_MAINLOOP_CONTINUE
;
2287 static int cg_unified_freeze_do(struct cgroup_ops
*ops
, int timeout
,
2288 const char *state_string
,
2290 const char *epoll_error
,
2291 const char *wait_error
)
2293 __do_close
int fd
= -EBADF
;
2294 call_cleaner(lxc_mainloop_close
) struct lxc_epoll_descr
*descr_ptr
= NULL
;
2296 struct lxc_epoll_descr descr
;
2297 struct hierarchy
*h
;
2301 return ret_set_errno(-1, ENOENT
);
2303 if (!h
->container_full_path
)
2304 return ret_set_errno(-1, EEXIST
);
2307 __do_free
char *events_file
= NULL
;
2309 events_file
= must_make_path(h
->container_full_path
, "cgroup.events", NULL
);
2310 fd
= open(events_file
, O_RDONLY
| O_CLOEXEC
);
2312 return log_error_errno(-1, errno
, "Failed to open cgroup.events file");
2314 ret
= lxc_mainloop_open(&descr
);
2316 return log_error_errno(-1, errno
, "%s", epoll_error
);
2318 /* automatically cleaned up now */
2321 ret
= lxc_mainloop_add_handler_events(&descr
, fd
, EPOLLPRI
, freezer_cgroup_events_cb
, INT_TO_PTR(state_num
));
2323 return log_error_errno(-1, errno
, "Failed to add cgroup.events fd handler to mainloop");
2326 ret
= lxc_write_openat(h
->container_full_path
, "cgroup.freeze", state_string
, 1);
2328 return log_error_errno(-1, errno
, "Failed to open cgroup.freeze file");
2330 if (timeout
!= 0 && lxc_mainloop(&descr
, timeout
))
2331 return log_error_errno(-1, errno
, "%s", wait_error
);
2336 static int cg_unified_freeze(struct cgroup_ops
*ops
, int timeout
)
2338 return cg_unified_freeze_do(ops
, timeout
, "1", 1,
2339 "Failed to create epoll instance to wait for container freeze",
2340 "Failed to wait for container to be frozen");
2343 __cgfsng_ops
static int cgfsng_freeze(struct cgroup_ops
*ops
, int timeout
)
2345 if (!ops
->hierarchies
)
2346 return ret_set_errno(-1, ENOENT
);
2348 if (ops
->cgroup_layout
!= CGROUP_LAYOUT_UNIFIED
)
2349 return cg_legacy_freeze(ops
);
2351 return cg_unified_freeze(ops
, timeout
);
2354 static int cg_legacy_unfreeze(struct cgroup_ops
*ops
)
2356 struct hierarchy
*h
;
2358 h
= get_hierarchy(ops
, "freezer");
2360 return ret_set_errno(-1, ENOENT
);
2362 return lxc_write_openat(h
->container_full_path
, "freezer.state",
2363 "THAWED", STRLITERALLEN("THAWED"));
2366 static int cg_unified_unfreeze(struct cgroup_ops
*ops
, int timeout
)
2368 return cg_unified_freeze_do(ops
, timeout
, "0", 0,
2369 "Failed to create epoll instance to wait for container unfreeze",
2370 "Failed to wait for container to be unfrozen");
2373 __cgfsng_ops
static int cgfsng_unfreeze(struct cgroup_ops
*ops
, int timeout
)
2375 if (!ops
->hierarchies
)
2376 return ret_set_errno(-1, ENOENT
);
2378 if (ops
->cgroup_layout
!= CGROUP_LAYOUT_UNIFIED
)
2379 return cg_legacy_unfreeze(ops
);
2381 return cg_unified_unfreeze(ops
, timeout
);
2384 static const char *cgfsng_get_cgroup_do(struct cgroup_ops
*ops
,
2385 const char *controller
, bool limiting
)
2387 struct hierarchy
*h
;
2389 h
= get_hierarchy(ops
, controller
);
2391 return log_warn_errno(NULL
, ENOENT
, "Failed to find hierarchy for controller \"%s\"",
2392 controller
? controller
: "(null)");
2395 return h
->container_limit_path
2396 ? h
->container_limit_path
+ strlen(h
->mountpoint
)
2399 return h
->container_full_path
2400 ? h
->container_full_path
+ strlen(h
->mountpoint
)
2404 __cgfsng_ops
static const char *cgfsng_get_cgroup(struct cgroup_ops
*ops
,
2405 const char *controller
)
2407 return cgfsng_get_cgroup_do(ops
, controller
, false);
2410 __cgfsng_ops
static const char *cgfsng_get_limiting_cgroup(struct cgroup_ops
*ops
,
2411 const char *controller
)
2413 return cgfsng_get_cgroup_do(ops
, controller
, true);
2416 /* Given a cgroup path returned from lxc_cmd_get_cgroup_path, build a full path,
2417 * which must be freed by the caller.
2419 static inline char *build_full_cgpath_from_monitorpath(struct hierarchy
*h
,
2421 const char *filename
)
2423 return must_make_path(h
->mountpoint
, inpath
, filename
, NULL
);
2426 static int cgroup_attach_leaf(const struct lxc_conf
*conf
, int unified_fd
, pid_t pid
)
2430 char pidstr
[INTTYPE_TO_STRLEN(int64_t) + 1];
2433 /* Create leaf cgroup. */
2434 ret
= mkdirat(unified_fd
, ".lxc", 0755);
2435 if (ret
< 0 && errno
!= EEXIST
)
2436 return log_error_errno(-errno
, errno
, "Failed to create leaf cgroup \".lxc\"");
2438 pidstr_len
= strnprintf(pidstr
, sizeof(pidstr
), INT64_FMT
, (int64_t)pid
);
2442 ret
= lxc_writeat(unified_fd
, ".lxc/cgroup.procs", pidstr
, pidstr_len
);
2444 ret
= lxc_writeat(unified_fd
, "cgroup.procs", pidstr
, pidstr_len
);
2446 return log_trace(0, "Moved process %s into cgroup %d(.lxc)", pidstr
, unified_fd
);
2448 /* this is a non-leaf node */
2450 return log_error_errno(-errno
, errno
, "Failed to attach to unified cgroup");
2454 char attach_cgroup
[STRLITERALLEN(".lxc-/cgroup.procs") + INTTYPE_TO_STRLEN(int) + 1];
2455 char *slash
= attach_cgroup
;
2457 ret
= strnprintf(attach_cgroup
, sizeof(attach_cgroup
), ".lxc-%d/cgroup.procs", idx
);
2462 * This shouldn't really happen but the compiler might complain
2463 * that a short write would cause a buffer overrun. So be on
2466 if (ret
< STRLITERALLEN(".lxc-/cgroup.procs"))
2467 return log_error_errno(-EINVAL
, EINVAL
, "Unexpected short write would cause buffer-overrun");
2469 slash
+= (ret
- STRLITERALLEN("/cgroup.procs"));
2472 ret
= mkdirat(unified_fd
, attach_cgroup
, 0755);
2473 if (ret
< 0 && errno
!= EEXIST
)
2474 return log_error_errno(-1, errno
, "Failed to create cgroup %s", attach_cgroup
);
2480 ret
= lxc_writeat(unified_fd
, attach_cgroup
, pidstr
, pidstr_len
);
2482 return log_trace(0, "Moved process %s into cgroup %d(%s)", pidstr
, unified_fd
, attach_cgroup
);
2484 if (rm
&& unlinkat(unified_fd
, attach_cgroup
, AT_REMOVEDIR
))
2485 SYSERROR("Failed to remove cgroup \"%d(%s)\"", unified_fd
, attach_cgroup
);
2487 /* this is a non-leaf node */
2489 return log_error_errno(-1, errno
, "Failed to attach to unified cgroup");
2492 } while (idx
< 1000);
2494 return log_error_errno(-1, errno
, "Failed to attach to unified cgroup");
2497 static int cgroup_attach_create_leaf(const struct lxc_conf
*conf
,
2498 int unified_fd
, int *sk_fd
)
2500 __do_close
int sk
= *sk_fd
, target_fd0
= -EBADF
, target_fd1
= -EBADF
;
2504 /* Create leaf cgroup. */
2505 ret
= mkdirat(unified_fd
, ".lxc", 0755);
2506 if (ret
< 0 && errno
!= EEXIST
)
2507 return log_error_errno(-1, errno
, "Failed to create leaf cgroup \".lxc\"");
2509 target_fd0
= open_at(unified_fd
, ".lxc/cgroup.procs", PROTECT_OPEN_W
, PROTECT_LOOKUP_BENEATH
, 0);
2511 return log_error_errno(-errno
, errno
, "Failed to open \".lxc/cgroup.procs\"");
2512 target_fds
[0] = target_fd0
;
2514 target_fd1
= open_at(unified_fd
, "cgroup.procs", PROTECT_OPEN_W
, PROTECT_LOOKUP_BENEATH
, 0);
2516 return log_error_errno(-errno
, errno
, "Failed to open \".lxc/cgroup.procs\"");
2517 target_fds
[1] = target_fd1
;
2519 ret
= lxc_abstract_unix_send_fds(sk
, target_fds
, 2, NULL
, 0);
2521 return log_error_errno(-errno
, errno
, "Failed to send \".lxc/cgroup.procs\" fds %d and %d",
2522 target_fd0
, target_fd1
);
2524 return log_debug(0, "Sent target cgroup fds %d and %d", target_fd0
, target_fd1
);
2527 static int cgroup_attach_move_into_leaf(const struct lxc_conf
*conf
,
2528 int *sk_fd
, pid_t pid
)
2530 __do_close
int sk
= *sk_fd
, target_fd0
= -EBADF
, target_fd1
= -EBADF
;
2532 char pidstr
[INTTYPE_TO_STRLEN(int64_t) + 1];
2536 ret
= lxc_abstract_unix_recv_fds(sk
, target_fds
, 2, NULL
, 0);
2538 return log_error_errno(-1, errno
, "Failed to receive target cgroup fd");
2539 target_fd0
= target_fds
[0];
2540 target_fd1
= target_fds
[1];
2542 pidstr_len
= sprintf(pidstr
, INT64_FMT
, (int64_t)pid
);
2544 ret
= lxc_write_nointr(target_fd0
, pidstr
, pidstr_len
);
2545 if (ret
> 0 && ret
== pidstr_len
)
2546 return log_debug(0, "Moved process into target cgroup via fd %d", target_fd0
);
2548 ret
= lxc_write_nointr(target_fd1
, pidstr
, pidstr_len
);
2549 if (ret
> 0 && ret
== pidstr_len
)
2550 return log_debug(0, "Moved process into target cgroup via fd %d", target_fd1
);
2552 return log_debug_errno(-1, errno
, "Failed to move process into target cgroup via fd %d and %d",
2553 target_fd0
, target_fd1
);
2556 struct userns_exec_unified_attach_data
{
2557 const struct lxc_conf
*conf
;
2563 static int cgroup_unified_attach_child_wrapper(void *data
)
2565 struct userns_exec_unified_attach_data
*args
= data
;
2567 if (!args
->conf
|| args
->unified_fd
< 0 || args
->pid
<= 0 ||
2568 args
->sk_pair
[0] < 0 || args
->sk_pair
[1] < 0)
2569 return ret_errno(EINVAL
);
2571 close_prot_errno_disarm(args
->sk_pair
[0]);
2572 return cgroup_attach_create_leaf(args
->conf
, args
->unified_fd
,
2576 static int cgroup_unified_attach_parent_wrapper(void *data
)
2578 struct userns_exec_unified_attach_data
*args
= data
;
2580 if (!args
->conf
|| args
->unified_fd
< 0 || args
->pid
<= 0 ||
2581 args
->sk_pair
[0] < 0 || args
->sk_pair
[1] < 0)
2582 return ret_errno(EINVAL
);
2584 close_prot_errno_disarm(args
->sk_pair
[1]);
2585 return cgroup_attach_move_into_leaf(args
->conf
, &args
->sk_pair
[0],
2589 /* Technically, we're always at a delegation boundary here (This is especially
2590 * true when cgroup namespaces are available.). The reasoning is that in order
2591 * for us to have been able to start a container in the first place the root
2592 * cgroup must have been a leaf node. Now, either the container's init system
2593 * has populated the cgroup and kept it as a leaf node or it has created
2594 * subtrees. In the former case we will simply attach to the leaf node we
2595 * created when we started the container in the latter case we create our own
2596 * cgroup for the attaching process.
2598 static int __cg_unified_attach(const struct hierarchy
*h
,
2599 const struct lxc_conf
*conf
, const char *name
,
2600 const char *lxcpath
, pid_t pid
,
2601 const char *controller
)
2603 __do_close
int unified_fd
= -EBADF
;
2604 __do_free
char *path
= NULL
, *cgroup
= NULL
;
2607 if (!conf
|| !name
|| !lxcpath
|| pid
<= 0)
2608 return ret_errno(EINVAL
);
2610 ret
= cgroup_attach(conf
, name
, lxcpath
, pid
);
2612 return log_trace(0, "Attached to unified cgroup via command handler");
2613 if (ret
!= -ENOCGROUP2
)
2614 return log_error_errno(ret
, errno
, "Failed to attach to unified cgroup");
2616 /* Fall back to retrieving the path for the unified cgroup. */
2617 cgroup
= lxc_cmd_get_cgroup_path(name
, lxcpath
, controller
);
2622 path
= must_make_path(h
->mountpoint
, cgroup
, NULL
);
2624 unified_fd
= open(path
, O_PATH
| O_DIRECTORY
| O_CLOEXEC
);
2626 return ret_errno(EBADF
);
2628 if (!lxc_list_empty(&conf
->id_map
)) {
2629 struct userns_exec_unified_attach_data args
= {
2631 .unified_fd
= unified_fd
,
2635 ret
= socketpair(PF_LOCAL
, SOCK_STREAM
| SOCK_CLOEXEC
, 0, args
.sk_pair
);
2639 ret
= userns_exec_minimal(conf
,
2640 cgroup_unified_attach_parent_wrapper
,
2642 cgroup_unified_attach_child_wrapper
,
2645 ret
= cgroup_attach_leaf(conf
, unified_fd
, pid
);
2651 __cgfsng_ops
static bool cgfsng_attach(struct cgroup_ops
*ops
,
2652 const struct lxc_conf
*conf
,
2653 const char *name
, const char *lxcpath
,
2657 char pidstr
[INTTYPE_TO_STRLEN(pid_t
)];
2660 return ret_set_errno(false, ENOENT
);
2662 if (!ops
->hierarchies
)
2665 len
= strnprintf(pidstr
, sizeof(pidstr
), "%d", pid
);
2669 for (int i
= 0; ops
->hierarchies
[i
]; i
++) {
2670 __do_free
char *fullpath
= NULL
, *path
= NULL
;
2671 struct hierarchy
*h
= ops
->hierarchies
[i
];
2673 if (h
->version
== CGROUP2_SUPER_MAGIC
) {
2674 ret
= __cg_unified_attach(h
, conf
, name
, lxcpath
, pid
,
2682 path
= lxc_cmd_get_cgroup_path(name
, lxcpath
, h
->controllers
[0]);
2687 fullpath
= build_full_cgpath_from_monitorpath(h
, path
, "cgroup.procs");
2688 ret
= lxc_write_to_file(fullpath
, pidstr
, len
, false, 0666);
2690 return log_error_errno(false, errno
, "Failed to attach %d to %s",
2691 (int)pid
, fullpath
);
2697 /* Called externally (i.e. from 'lxc-cgroup') to query cgroup limits. Here we
2698 * don't have a cgroup_data set up, so we ask the running container through the
2699 * commands API for the cgroup path.
2701 __cgfsng_ops
static int cgfsng_get(struct cgroup_ops
*ops
, const char *filename
,
2702 char *value
, size_t len
, const char *name
,
2703 const char *lxcpath
)
2705 __do_free
char *path
= NULL
;
2706 __do_free
char *controller
= NULL
;
2708 struct hierarchy
*h
;
2712 return ret_set_errno(-1, ENOENT
);
2714 controller
= must_copy_string(filename
);
2715 p
= strchr(controller
, '.');
2719 path
= lxc_cmd_get_limiting_cgroup_path(name
, lxcpath
, controller
);
2724 h
= get_hierarchy(ops
, controller
);
2726 __do_free
char *fullpath
= NULL
;
2728 fullpath
= build_full_cgpath_from_monitorpath(h
, path
, filename
);
2729 ret
= lxc_read_from_file(fullpath
, value
, len
);
2735 static int device_cgroup_parse_access(struct device_item
*device
, const char *val
)
2737 for (int count
= 0; count
< 3; count
++, val
++) {
2740 device
->access
[count
] = *val
;
2743 device
->access
[count
] = *val
;
2746 device
->access
[count
] = *val
;
2753 return ret_errno(EINVAL
);
2760 static int device_cgroup_rule_parse(struct device_item
*device
, const char *key
,
2766 if (strequal("devices.allow", key
))
2767 device
->allow
= 1; /* allow the device */
2769 device
->allow
= 0; /* deny the device */
2771 if (strequal(val
, "a")) {
2785 device
->type
= *val
;
2798 } else if (isdigit(*val
)) {
2799 memset(temp
, 0, sizeof(temp
));
2800 for (count
= 0; count
< sizeof(temp
) - 1; count
++) {
2806 ret
= lxc_safe_int(temp
, &device
->major
);
2820 } else if (isdigit(*val
)) {
2821 memset(temp
, 0, sizeof(temp
));
2822 for (count
= 0; count
< sizeof(temp
) - 1; count
++) {
2828 ret
= lxc_safe_int(temp
, &device
->minor
);
2837 return device_cgroup_parse_access(device
, ++val
);
2840 /* Called externally (i.e. from 'lxc-cgroup') to set new cgroup limits. Here we
2841 * don't have a cgroup_data set up, so we ask the running container through the
2842 * commands API for the cgroup path.
2844 __cgfsng_ops
static int cgfsng_set(struct cgroup_ops
*ops
,
2845 const char *key
, const char *value
,
2846 const char *name
, const char *lxcpath
)
2848 __do_free
char *path
= NULL
;
2849 __do_free
char *controller
= NULL
;
2851 struct hierarchy
*h
;
2854 if (!ops
|| is_empty_string(key
) || is_empty_string(value
) ||
2855 is_empty_string(name
) || is_empty_string(lxcpath
))
2856 return ret_errno(EINVAL
);
2858 controller
= must_copy_string(key
);
2859 p
= strchr(controller
, '.');
2863 if (pure_unified_layout(ops
) && strequal(controller
, "devices")) {
2864 struct device_item device
= {};
2866 ret
= device_cgroup_rule_parse(&device
, key
, value
);
2868 return log_error_errno(-1, EINVAL
, "Failed to parse device string %s=%s",
2871 ret
= lxc_cmd_add_bpf_device_cgroup(name
, lxcpath
, &device
);
2878 path
= lxc_cmd_get_limiting_cgroup_path(name
, lxcpath
, controller
);
2883 h
= get_hierarchy(ops
, controller
);
2885 __do_free
char *fullpath
= NULL
;
2887 fullpath
= build_full_cgpath_from_monitorpath(h
, path
, key
);
2888 ret
= lxc_write_to_file(fullpath
, value
, strlen(value
), false, 0666);
2894 /* take devices cgroup line
2896 * and convert it to a valid
2897 * type major:minor mode
2898 * line. Return <0 on error. Dest is a preallocated buffer long enough to hold
2901 static int device_cgroup_rule_parse_devpath(struct device_item
*device
,
2902 const char *devpath
)
2904 __do_free
char *path
= NULL
;
2910 path
= must_copy_string(devpath
);
2913 * Read path followed by mode. Ignore any trailing text.
2914 * A ' # comment' would be legal. Technically other text is not
2915 * legal, we could check for that if we cared to.
2917 for (n_parts
= 1, p
= path
; *p
; p
++) {
2933 return ret_set_errno(-1, EINVAL
);
2937 return ret_errno(EINVAL
);
2939 if (device_cgroup_parse_access(device
, mode
) < 0)
2942 ret
= stat(path
, &sb
);
2944 return ret_set_errno(-1, errno
);
2946 mode_t m
= sb
.st_mode
& S_IFMT
;
2955 return log_error_errno(-1, EINVAL
, "Unsupported device type %i for \"%s\"", m
, path
);
2958 device
->major
= MAJOR(sb
.st_rdev
);
2959 device
->minor
= MINOR(sb
.st_rdev
);
2965 static int convert_devpath(const char *invalue
, char *dest
)
2967 struct device_item device
= {};
2970 ret
= device_cgroup_rule_parse_devpath(&device
, invalue
);
2974 ret
= strnprintf(dest
, 50, "%c %d:%d %s", device
.type
, device
.major
,
2975 device
.minor
, device
.access
);
2977 return log_error_errno(ret
, -ret
,
2978 "Error on configuration value \"%c %d:%d %s\" (max 50 chars)",
2979 device
.type
, device
.major
, device
.minor
,
2985 /* Called from setup_limits - here we have the container's cgroup_data because
2986 * we created the cgroups.
2988 static int cg_legacy_set_data(struct cgroup_ops
*ops
, const char *filename
,
2989 const char *value
, bool is_cpuset
)
2991 __do_free
char *controller
= NULL
;
2993 /* "b|c <2^64-1>:<2^64-1> r|w|m" = 47 chars max */
2994 char converted_value
[50];
2995 struct hierarchy
*h
;
2997 controller
= must_copy_string(filename
);
2998 p
= strchr(controller
, '.');
3002 if (strequal("devices.allow", filename
) && value
[0] == '/') {
3005 ret
= convert_devpath(value
, converted_value
);
3008 value
= converted_value
;
3011 h
= get_hierarchy(ops
, controller
);
3013 return log_error_errno(-ENOENT
, ENOENT
, "Failed to setup limits for the \"%s\" controller. The controller seems to be unused by \"cgfsng\" cgroup driver or not enabled on the cgroup hierarchy", controller
);
3016 int ret
= lxc_write_openat(h
->container_full_path
, filename
, value
, strlen(value
));
3020 return lxc_write_openat(h
->container_limit_path
, filename
, value
, strlen(value
));
3023 __cgfsng_ops
static bool cgfsng_setup_limits_legacy(struct cgroup_ops
*ops
,
3024 struct lxc_conf
*conf
,
3027 __do_free
struct lxc_list
*sorted_cgroup_settings
= NULL
;
3028 struct lxc_list
*cgroup_settings
= &conf
->cgroup
;
3029 struct lxc_list
*iterator
, *next
;
3030 struct lxc_cgroup
*cg
;
3034 return ret_set_errno(false, ENOENT
);
3037 return ret_set_errno(false, EINVAL
);
3039 cgroup_settings
= &conf
->cgroup
;
3040 if (lxc_list_empty(cgroup_settings
))
3043 if (!ops
->hierarchies
)
3044 return ret_set_errno(false, EINVAL
);
3046 if (pure_unified_layout(ops
))
3047 return log_warn_errno(true, EINVAL
, "Ignoring legacy cgroup limits on pure cgroup2 system");
3049 sorted_cgroup_settings
= sort_cgroup_settings(cgroup_settings
);
3050 if (!sorted_cgroup_settings
)
3053 lxc_list_for_each(iterator
, sorted_cgroup_settings
) {
3054 cg
= iterator
->elem
;
3056 if (do_devices
== strnequal("devices", cg
->subsystem
, 7)) {
3057 if (cg_legacy_set_data(ops
, cg
->subsystem
, cg
->value
, strnequal("cpuset", cg
->subsystem
, 6))) {
3058 if (do_devices
&& (errno
== EACCES
|| errno
== EPERM
)) {
3059 SYSWARN("Failed to set \"%s\" to \"%s\"", cg
->subsystem
, cg
->value
);
3062 SYSERROR("Failed to set \"%s\" to \"%s\"", cg
->subsystem
, cg
->value
);
3065 DEBUG("Set controller \"%s\" set to \"%s\"", cg
->subsystem
, cg
->value
);
3070 INFO("Limits for the legacy cgroup hierarchies have been setup");
3072 lxc_list_for_each_safe(iterator
, sorted_cgroup_settings
, next
) {
3073 lxc_list_del(iterator
);
3081 * Some of the parsing logic comes from the original cgroup device v1
3082 * implementation in the kernel.
3084 static int bpf_device_cgroup_prepare(struct cgroup_ops
*ops
,
3085 struct lxc_conf
*conf
, const char *key
,
3088 struct device_item device_item
= {};
3091 if (strequal("devices.allow", key
) && *val
== '/')
3092 ret
= device_cgroup_rule_parse_devpath(&device_item
, val
);
3094 ret
= device_cgroup_rule_parse(&device_item
, key
, val
);
3096 return log_error_errno(-1, EINVAL
, "Failed to parse device string %s=%s", key
, val
);
3099 * Note that bpf_list_add_device() indicates whether or not it had to
3100 * alter the current device list by return 1 and 0; both indicate
3101 * success. A negative return value indicates and error.
3103 ret
= bpf_list_add_device(&conf
->bpf_devices
, &device_item
);
3110 __cgfsng_ops
static bool cgfsng_setup_limits(struct cgroup_ops
*ops
,
3111 struct lxc_handler
*handler
)
3113 struct lxc_list
*cgroup_settings
, *iterator
;
3114 struct hierarchy
*h
;
3115 struct lxc_conf
*conf
;
3118 return ret_set_errno(false, ENOENT
);
3120 if (!ops
->hierarchies
)
3123 if (!ops
->container_cgroup
)
3124 return ret_set_errno(false, EINVAL
);
3126 if (!handler
|| !handler
->conf
)
3127 return ret_set_errno(false, EINVAL
);
3128 conf
= handler
->conf
;
3130 cgroup_settings
= &conf
->cgroup2
;
3131 if (lxc_list_empty(cgroup_settings
))
3134 if (!pure_unified_layout(ops
))
3135 return log_warn_errno(true, EINVAL
, "Ignoring cgroup2 limits on legacy cgroup system");
3141 lxc_list_for_each (iterator
, cgroup_settings
) {
3142 struct lxc_cgroup
*cg
= iterator
->elem
;
3145 if (strnequal("devices", cg
->subsystem
, 7))
3146 ret
= bpf_device_cgroup_prepare(ops
, conf
, cg
->subsystem
, cg
->value
);
3148 ret
= lxc_write_openat(h
->container_limit_path
, cg
->subsystem
, cg
->value
, strlen(cg
->value
));
3150 return log_error_errno(false, errno
, "Failed to set \"%s\" to \"%s\"", cg
->subsystem
, cg
->value
);
3152 TRACE("Set \"%s\" to \"%s\"", cg
->subsystem
, cg
->value
);
3155 return log_info(true, "Limits for the unified cgroup hierarchy have been setup");
3158 __cgfsng_ops
static bool cgfsng_devices_activate(struct cgroup_ops
*ops
, struct lxc_handler
*handler
)
3160 struct lxc_conf
*conf
;
3161 struct hierarchy
*unified
;
3164 return ret_set_errno(false, ENOENT
);
3166 if (!ops
->hierarchies
)
3169 if (!ops
->container_cgroup
)
3170 return ret_set_errno(false, EEXIST
);
3172 if (!handler
|| !handler
->conf
)
3173 return ret_set_errno(false, EINVAL
);
3174 conf
= handler
->conf
;
3176 unified
= ops
->unified
;
3177 if (!unified
|| !unified
->bpf_device_controller
||
3178 !unified
->container_full_path
||
3179 lxc_list_empty(&(conf
->bpf_devices
).device_item
))
3182 return bpf_cgroup_devices_attach(ops
, &conf
->bpf_devices
);
3185 static bool __cgfsng_delegate_controllers(struct cgroup_ops
*ops
, const char *cgroup
)
3187 __do_close
int dfd_final
= -EBADF
;
3188 __do_free
char *add_controllers
= NULL
, *copy
= NULL
;
3189 size_t full_len
= 0;
3190 struct hierarchy
*unified
;
3195 if (!ops
->hierarchies
|| !pure_unified_layout(ops
))
3198 unified
= ops
->unified
;
3199 if (!unified
->controllers
[0])
3202 /* For now we simply enable all controllers that we have detected by
3203 * creating a string like "+memory +pids +cpu +io".
3204 * TODO: In the near future we might want to support "-<controller>"
3205 * etc. but whether supporting semantics like this make sense will need
3208 for (it
= unified
->controllers
; it
&& *it
; it
++) {
3209 full_len
+= strlen(*it
) + 2;
3210 add_controllers
= must_realloc(add_controllers
, full_len
+ 1);
3212 if (unified
->controllers
[0] == *it
)
3213 add_controllers
[0] = '\0';
3215 (void)strlcat(add_controllers
, "+", full_len
+ 1);
3216 (void)strlcat(add_controllers
, *it
, full_len
+ 1);
3218 if ((it
+ 1) && *(it
+ 1))
3219 (void)strlcat(add_controllers
, " ", full_len
+ 1);
3222 copy
= strdup(cgroup
);
3227 * Placing the write to cgroup.subtree_control before the open() is
3228 * intentional because of the cgroup2 delegation model. It enforces
3229 * that leaf cgroups don't have any controllers enabled for delegation.
3231 dfd_cur
= unified
->dfd_base
;
3232 lxc_iterate_parts(cur
, copy
, "/") {
3234 * Even though we vetted the paths when we parsed the config
3235 * we're paranoid here and check that the path is neither
3236 * absolute nor walks upwards.
3239 return syserrno_set(-EINVAL
, "No absolute paths allowed");
3241 if (strnequal(cur
, "..", STRLITERALLEN("..")))
3242 return syserrno_set(-EINVAL
, "No upward walking paths allowed");
3244 ret
= lxc_writeat(dfd_cur
, "cgroup.subtree_control", add_controllers
, full_len
);
3246 return syserrno(-errno
, "Could not enable \"%s\" controllers in the unified cgroup %d", add_controllers
, dfd_cur
);
3248 TRACE("Enabled \"%s\" controllers in the unified cgroup %d", add_controllers
, dfd_cur
);
3250 dfd_final
= open_at(dfd_cur
, cur
, PROTECT_OPATH_DIRECTORY
, PROTECT_LOOKUP_BENEATH
, 0);
3252 return syserrno(-errno
, "Fail to open directory %d(%s)", dfd_cur
, cur
);
3253 if (dfd_cur
!= unified
->dfd_base
)
3256 * Leave dfd_final pointing to the last fd we opened so
3257 * it will be automatically zapped if we return early.
3259 dfd_cur
= dfd_final
;
3265 __cgfsng_ops
static bool cgfsng_monitor_delegate_controllers(struct cgroup_ops
*ops
)
3268 return ret_set_errno(false, ENOENT
);
3270 return __cgfsng_delegate_controllers(ops
, ops
->monitor_cgroup
);
3273 __cgfsng_ops
static bool cgfsng_payload_delegate_controllers(struct cgroup_ops
*ops
)
3276 return ret_set_errno(false, ENOENT
);
3278 return __cgfsng_delegate_controllers(ops
, ops
->container_cgroup
);
3281 static void cg_unified_delegate(char ***delegate
)
3283 __do_free
char *buf
= NULL
;
3284 char *standard
[] = {"cgroup.subtree_control", "cgroup.threads", NULL
};
3288 buf
= read_file_at(-EBADF
, "/sys/kernel/cgroup/delegate", PROTECT_OPEN
, 0);
3290 for (char **p
= standard
; p
&& *p
; p
++) {
3291 idx
= append_null_to_list((void ***)delegate
);
3292 (*delegate
)[idx
] = must_copy_string(*p
);
3294 SYSWARN("Failed to read /sys/kernel/cgroup/delegate");
3298 lxc_iterate_parts(token
, buf
, " \t\n") {
3300 * We always need to chown this for both cgroup and
3303 if (strequal(token
, "cgroup.procs"))
3306 idx
= append_null_to_list((void ***)delegate
);
3307 (*delegate
)[idx
] = must_copy_string(token
);
3311 /* At startup, parse_hierarchies finds all the info we need about cgroup
3312 * mountpoints and current cgroups, and stores it in @d.
3314 static int cg_hybrid_init(struct cgroup_ops
*ops
, bool relative
, bool unprivileged
)
3316 __do_free
char *basecginfo
= NULL
, *line
= NULL
;
3317 __do_free_string_list
char **klist
= NULL
, **nlist
= NULL
;
3318 __do_fclose
FILE *f
= NULL
;
3322 /* Root spawned containers escape the current cgroup, so use init's
3323 * cgroups as our base in that case.
3325 if (!relative
&& (geteuid() == 0))
3326 basecginfo
= read_file_at(-EBADF
, "/proc/1/cgroup", PROTECT_OPEN
, 0);
3328 basecginfo
= read_file_at(-EBADF
, "/proc/self/cgroup", PROTECT_OPEN
, 0);
3330 return ret_set_errno(-1, ENOMEM
);
3332 ret
= get_existing_subsystems(&klist
, &nlist
);
3334 return log_error_errno(-1, errno
, "Failed to retrieve available legacy cgroup controllers");
3336 f
= fopen("/proc/self/mountinfo", "re");
3338 return log_error_errno(-1, errno
, "Failed to open \"/proc/self/mountinfo\"");
3340 lxc_cgfsng_print_basecg_debuginfo(basecginfo
, klist
, nlist
);
3342 while (getline(&line
, &len
, f
) != -1) {
3343 __do_free
char *base_cgroup
= NULL
, *mountpoint
= NULL
;
3344 __do_free_string_list
char **controller_list
= NULL
;
3348 type
= get_cgroup_version(line
);
3352 if (type
== CGROUP2_SUPER_MAGIC
&& ops
->unified
)
3355 if (ops
->cgroup_layout
== CGROUP_LAYOUT_UNKNOWN
) {
3356 if (type
== CGROUP2_SUPER_MAGIC
)
3357 ops
->cgroup_layout
= CGROUP_LAYOUT_UNIFIED
;
3358 else if (type
== CGROUP_SUPER_MAGIC
)
3359 ops
->cgroup_layout
= CGROUP_LAYOUT_LEGACY
;
3360 } else if (ops
->cgroup_layout
== CGROUP_LAYOUT_UNIFIED
) {
3361 if (type
== CGROUP_SUPER_MAGIC
)
3362 ops
->cgroup_layout
= CGROUP_LAYOUT_HYBRID
;
3363 } else if (ops
->cgroup_layout
== CGROUP_LAYOUT_LEGACY
) {
3364 if (type
== CGROUP2_SUPER_MAGIC
)
3365 ops
->cgroup_layout
= CGROUP_LAYOUT_HYBRID
;
3368 controller_list
= cg_hybrid_get_controllers(klist
, nlist
, line
, type
);
3369 if (!controller_list
&& type
== CGROUP_SUPER_MAGIC
)
3372 if (type
== CGROUP_SUPER_MAGIC
)
3373 if (controller_list_is_dup(ops
->hierarchies
, controller_list
)) {
3374 TRACE("Skipping duplicating controller");
3378 mountpoint
= cg_hybrid_get_mountpoint(line
);
3380 WARN("Failed parsing mountpoint from \"%s\"", line
);
3384 if (type
== CGROUP_SUPER_MAGIC
)
3385 base_cgroup
= cg_hybrid_get_current_cgroup(relative
, basecginfo
, controller_list
[0], CGROUP_SUPER_MAGIC
);
3387 base_cgroup
= cg_hybrid_get_current_cgroup(relative
, basecginfo
, NULL
, CGROUP2_SUPER_MAGIC
);
3389 WARN("Failed to find current cgroup");
3393 if (type
== CGROUP2_SUPER_MAGIC
)
3394 writeable
= test_writeable_v2(mountpoint
, base_cgroup
);
3396 writeable
= test_writeable_v1(mountpoint
, base_cgroup
);
3398 TRACE("The %s group is not writeable", base_cgroup
);
3402 if (type
== CGROUP2_SUPER_MAGIC
)
3403 ret
= add_hierarchy(ops
, NULL
, move_ptr(mountpoint
), move_ptr(base_cgroup
), type
);
3405 ret
= add_hierarchy(ops
, move_ptr(controller_list
), move_ptr(mountpoint
), move_ptr(base_cgroup
), type
);
3407 return syserrno(ret
, "Failed to add cgroup hierarchy");
3408 if (ops
->unified
&& unprivileged
)
3409 cg_unified_delegate(&(ops
->unified
)->cgroup2_chown
);
3412 /* verify that all controllers in cgroup.use and all crucial
3413 * controllers are accounted for
3415 if (!all_controllers_found(ops
))
3416 return log_error_errno(-1, ENOENT
, "Failed to find all required controllers");
3421 /* Get current cgroup from /proc/self/cgroup for the cgroupfs v2 hierarchy. */
3422 static char *cg_unified_get_current_cgroup(bool relative
)
3424 __do_free
char *basecginfo
= NULL
, *copy
= NULL
;
3427 if (!relative
&& (geteuid() == 0))
3428 basecginfo
= read_file_at(-EBADF
, "/proc/1/cgroup", PROTECT_OPEN
, 0);
3430 basecginfo
= read_file_at(-EBADF
, "/proc/self/cgroup", PROTECT_OPEN
, 0);
3434 base_cgroup
= strstr(basecginfo
, "0::/");
3438 base_cgroup
= base_cgroup
+ 3;
3439 copy
= copy_to_eol(base_cgroup
);
3445 base_cgroup
= prune_init_scope(copy
);
3452 if (abspath(base_cgroup
))
3453 base_cgroup
= deabs(base_cgroup
);
3455 /* We're allowing base_cgroup to be "". */
3456 return strdup(base_cgroup
);
3459 static int cg_unified_init(struct cgroup_ops
*ops
, bool relative
,
3462 __do_free
char *base_cgroup
= NULL
;
3465 base_cgroup
= cg_unified_get_current_cgroup(relative
);
3467 return ret_errno(EINVAL
);
3469 /* TODO: If the user requested specific controllers via lxc.cgroup.use
3470 * we should verify here. The reason I'm not doing it right is that I'm
3471 * not convinced that lxc.cgroup.use will be the future since it is a
3472 * global property. I much rather have an option that lets you request
3473 * controllers per container.
3476 ret
= add_hierarchy(ops
, NULL
,
3477 must_copy_string(DEFAULT_CGROUP_MOUNTPOINT
),
3478 move_ptr(base_cgroup
), CGROUP2_SUPER_MAGIC
);
3480 return syserrno(ret
, "Failed to add unified cgroup hierarchy");
3483 cg_unified_delegate(&(ops
->unified
)->cgroup2_chown
);
3485 if (bpf_devices_cgroup_supported())
3486 ops
->unified
->bpf_device_controller
= 1;
3488 ops
->cgroup_layout
= CGROUP_LAYOUT_UNIFIED
;
3489 return CGROUP2_SUPER_MAGIC
;
3492 static int __cgroup_init(struct cgroup_ops
*ops
, struct lxc_conf
*conf
)
3494 __do_close
int dfd
= -EBADF
;
3495 bool relative
= conf
->cgroup_meta
.relative
;
3499 if (ops
->dfd_mnt_cgroupfs_host
>= 0)
3500 return ret_errno(EINVAL
);
3503 * I don't see the need for allowing symlinks here. If users want to
3504 * have their hierarchy available in different locations I strongly
3505 * suggest bind-mounts.
3507 dfd
= open_at(-EBADF
, DEFAULT_CGROUP_MOUNTPOINT
,
3508 PROTECT_OPATH_DIRECTORY
, PROTECT_LOOKUP_ABSOLUTE_XDEV
, 0);
3510 return syserrno(-errno
, "Failed to open " DEFAULT_CGROUP_MOUNTPOINT
);
3512 tmp
= lxc_global_config_value("lxc.cgroup.use");
3514 __do_free
char *pin
= NULL
;
3517 pin
= must_copy_string(tmp
);
3520 lxc_iterate_parts(cur
, chop
, ",")
3521 must_append_string(&ops
->cgroup_use
, cur
);
3525 * Keep dfd referenced by the cleanup function and actually move the fd
3526 * once we know the initialization succeeded. So if we fail we clean up
3529 ops
->dfd_mnt_cgroupfs_host
= dfd
;
3531 if (unified_cgroup_fd(dfd
))
3532 ret
= cg_unified_init(ops
, relative
, !lxc_list_empty(&conf
->id_map
));
3534 ret
= cg_hybrid_init(ops
, relative
, !lxc_list_empty(&conf
->id_map
));
3536 return syserrno(ret
, "Failed to initialize cgroups");
3538 /* Transfer ownership to cgroup_ops. */
3543 __cgfsng_ops
static int cgfsng_data_init(struct cgroup_ops
*ops
)
3545 const char *cgroup_pattern
;
3548 return ret_set_errno(-1, ENOENT
);
3550 /* copy system-wide cgroup information */
3551 cgroup_pattern
= lxc_global_config_value("lxc.cgroup.pattern");
3552 if (cgroup_pattern
&& !strequal(cgroup_pattern
, ""))
3553 ops
->cgroup_pattern
= must_copy_string(cgroup_pattern
);
3558 struct cgroup_ops
*cgfsng_ops_init(struct lxc_conf
*conf
)
3560 __do_free
struct cgroup_ops
*cgfsng_ops
= NULL
;
3562 cgfsng_ops
= zalloc(sizeof(struct cgroup_ops
));
3564 return ret_set_errno(NULL
, ENOMEM
);
3566 cgfsng_ops
->cgroup_layout
= CGROUP_LAYOUT_UNKNOWN
;
3567 cgfsng_ops
->dfd_mnt_cgroupfs_host
= -EBADF
;
3569 if (__cgroup_init(cgfsng_ops
, conf
))
3572 cgfsng_ops
->data_init
= cgfsng_data_init
;
3573 cgfsng_ops
->payload_destroy
= cgfsng_payload_destroy
;
3574 cgfsng_ops
->monitor_destroy
= cgfsng_monitor_destroy
;
3575 cgfsng_ops
->monitor_create
= cgfsng_monitor_create
;
3576 cgfsng_ops
->monitor_enter
= cgfsng_monitor_enter
;
3577 cgfsng_ops
->monitor_delegate_controllers
= cgfsng_monitor_delegate_controllers
;
3578 cgfsng_ops
->payload_delegate_controllers
= cgfsng_payload_delegate_controllers
;
3579 cgfsng_ops
->payload_create
= cgfsng_payload_create
;
3580 cgfsng_ops
->payload_enter
= cgfsng_payload_enter
;
3581 cgfsng_ops
->payload_finalize
= cgfsng_payload_finalize
;
3582 cgfsng_ops
->get_cgroup
= cgfsng_get_cgroup
;
3583 cgfsng_ops
->get
= cgfsng_get
;
3584 cgfsng_ops
->set
= cgfsng_set
;
3585 cgfsng_ops
->freeze
= cgfsng_freeze
;
3586 cgfsng_ops
->unfreeze
= cgfsng_unfreeze
;
3587 cgfsng_ops
->setup_limits_legacy
= cgfsng_setup_limits_legacy
;
3588 cgfsng_ops
->setup_limits
= cgfsng_setup_limits
;
3589 cgfsng_ops
->driver
= "cgfsng";
3590 cgfsng_ops
->version
= "1.0.0";
3591 cgfsng_ops
->attach
= cgfsng_attach
;
3592 cgfsng_ops
->chown
= cgfsng_chown
;
3593 cgfsng_ops
->mount
= cgfsng_mount
;
3594 cgfsng_ops
->devices_activate
= cgfsng_devices_activate
;
3595 cgfsng_ops
->get_limiting_cgroup
= cgfsng_get_limiting_cgroup
;
3597 cgfsng_ops
->criu_escape
= cgfsng_criu_escape
;
3598 cgfsng_ops
->criu_num_hierarchies
= cgfsng_criu_num_hierarchies
;
3599 cgfsng_ops
->criu_get_hierarchies
= cgfsng_criu_get_hierarchies
;
3601 return move_ptr(cgfsng_ops
);
3604 int cgroup_attach(const struct lxc_conf
*conf
, const char *name
,
3605 const char *lxcpath
, pid_t pid
)
3607 __do_close
int unified_fd
= -EBADF
;
3610 if (!conf
|| is_empty_string(name
) || is_empty_string(lxcpath
) || pid
<= 0)
3611 return ret_errno(EINVAL
);
3613 unified_fd
= lxc_cmd_get_cgroup2_fd(name
, lxcpath
);
3615 return ret_errno(ENOCGROUP2
);
3617 if (!lxc_list_empty(&conf
->id_map
)) {
3618 struct userns_exec_unified_attach_data args
= {
3620 .unified_fd
= unified_fd
,
3624 ret
= socketpair(PF_LOCAL
, SOCK_STREAM
| SOCK_CLOEXEC
, 0, args
.sk_pair
);
3628 ret
= userns_exec_minimal(conf
,
3629 cgroup_unified_attach_parent_wrapper
,
3631 cgroup_unified_attach_child_wrapper
,
3634 ret
= cgroup_attach_leaf(conf
, unified_fd
, pid
);
3640 /* Connects to command socket therefore isn't callable from command handler. */
3641 int cgroup_get(const char *name
, const char *lxcpath
,
3642 const char *filename
, char *buf
, size_t len
)
3644 __do_close
int unified_fd
= -EBADF
;
3647 if (is_empty_string(filename
) || is_empty_string(name
) ||
3648 is_empty_string(lxcpath
))
3649 return ret_errno(EINVAL
);
3651 if ((buf
&& !len
) || (len
&& !buf
))
3652 return ret_errno(EINVAL
);
3654 unified_fd
= lxc_cmd_get_limiting_cgroup2_fd(name
, lxcpath
);
3656 return ret_errno(ENOCGROUP2
);
3658 ret
= lxc_read_try_buf_at(unified_fd
, filename
, buf
, len
);
3660 SYSERROR("Failed to read cgroup value");
3665 /* Connects to command socket therefore isn't callable from command handler. */
3666 int cgroup_set(const char *name
, const char *lxcpath
,
3667 const char *filename
, const char *value
)
3669 __do_close
int unified_fd
= -EBADF
;
3672 if (is_empty_string(filename
) || is_empty_string(value
) ||
3673 is_empty_string(name
) || is_empty_string(lxcpath
))
3674 return ret_errno(EINVAL
);
3676 unified_fd
= lxc_cmd_get_limiting_cgroup2_fd(name
, lxcpath
);
3678 return ret_errno(ENOCGROUP2
);
3680 if (strnequal(filename
, "devices.", STRLITERALLEN("devices."))) {
3681 struct device_item device
= {};
3683 ret
= device_cgroup_rule_parse(&device
, filename
, value
);
3685 return log_error_errno(-1, EINVAL
, "Failed to parse device string %s=%s", filename
, value
);
3687 ret
= lxc_cmd_add_bpf_device_cgroup(name
, lxcpath
, &device
);
3689 ret
= lxc_writeat(unified_fd
, filename
, value
, strlen(value
));
3695 static int do_cgroup_freeze(int unified_fd
,
3696 const char *state_string
,
3699 const char *epoll_error
,
3700 const char *wait_error
)
3702 __do_close
int events_fd
= -EBADF
;
3703 call_cleaner(lxc_mainloop_close
) struct lxc_epoll_descr
*descr_ptr
= NULL
;
3705 struct lxc_epoll_descr descr
= {};
3708 ret
= lxc_mainloop_open(&descr
);
3710 return log_error_errno(-1, errno
, "%s", epoll_error
);
3712 /* automatically cleaned up now */
3715 events_fd
= open_at(unified_fd
, "cgroup.events", PROTECT_OPEN
, PROTECT_LOOKUP_BENEATH
, 0);
3717 return log_error_errno(-errno
, errno
, "Failed to open cgroup.events file");
3719 ret
= lxc_mainloop_add_handler_events(&descr
, events_fd
, EPOLLPRI
, freezer_cgroup_events_cb
, INT_TO_PTR(state_num
));
3721 return log_error_errno(-1, errno
, "Failed to add cgroup.events fd handler to mainloop");
3724 ret
= lxc_writeat(unified_fd
, "cgroup.freeze", state_string
, 1);
3726 return log_error_errno(-1, errno
, "Failed to open cgroup.freeze file");
3729 ret
= lxc_mainloop(&descr
, timeout
);
3731 return log_error_errno(-1, errno
, "%s", wait_error
);
3734 return log_trace(0, "Container now %s", (state_num
== 1) ? "frozen" : "unfrozen");
3737 static inline int __cgroup_freeze(int unified_fd
, int timeout
)
3739 return do_cgroup_freeze(unified_fd
, "1", 1, timeout
,
3740 "Failed to create epoll instance to wait for container freeze",
3741 "Failed to wait for container to be frozen");
3744 int cgroup_freeze(const char *name
, const char *lxcpath
, int timeout
)
3746 __do_close
int unified_fd
= -EBADF
;
3749 if (is_empty_string(name
) || is_empty_string(lxcpath
))
3750 return ret_errno(EINVAL
);
3752 unified_fd
= lxc_cmd_get_limiting_cgroup2_fd(name
, lxcpath
);
3754 return ret_errno(ENOCGROUP2
);
3756 lxc_cmd_notify_state_listeners(name
, lxcpath
, FREEZING
);
3757 ret
= __cgroup_freeze(unified_fd
, timeout
);
3758 lxc_cmd_notify_state_listeners(name
, lxcpath
, !ret
? FROZEN
: RUNNING
);
3762 int __cgroup_unfreeze(int unified_fd
, int timeout
)
3764 return do_cgroup_freeze(unified_fd
, "0", 0, timeout
,
3765 "Failed to create epoll instance to wait for container freeze",
3766 "Failed to wait for container to be frozen");
3769 int cgroup_unfreeze(const char *name
, const char *lxcpath
, int timeout
)
3771 __do_close
int unified_fd
= -EBADF
;
3774 if (is_empty_string(name
) || is_empty_string(lxcpath
))
3775 return ret_errno(EINVAL
);
3777 unified_fd
= lxc_cmd_get_limiting_cgroup2_fd(name
, lxcpath
);
3779 return ret_errno(ENOCGROUP2
);
3781 lxc_cmd_notify_state_listeners(name
, lxcpath
, THAWED
);
3782 ret
= __cgroup_unfreeze(unified_fd
, timeout
);
3783 lxc_cmd_notify_state_listeners(name
, lxcpath
, !ret
? RUNNING
: FROZEN
);