2 * lxc: linux Container library
4 * Copyright © 2016 Canonical Ltd.
7 * Serge Hallyn <serge.hallyn@ubuntu.com>
8 * Christian Brauner <christian.brauner@ubuntu.com>
10 * This library is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU Lesser General Public
12 * License as published by the Free Software Foundation; either
13 * version 2.1 of the License, or (at your option) any later version.
15 * This library is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
18 * Lesser General Public License for more details.
20 * You should have received a copy of the GNU Lesser General Public
21 * License along with this library; if not, write to the Free Software
22 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
26 * cgfs-ng.c: this is a new, simplified implementation of a filesystem
27 * cgroup backend. The original cgfs.c was designed to be as flexible
28 * as possible. It would try to find cgroup filesystems no matter where
29 * or how you had them mounted, and deduce the most usable mount for
32 * This new implementation assumes that cgroup filesystems are mounted
33 * under /sys/fs/cgroup/clist where clist is either the controller, or
34 * a comman-separated list of controllers.
48 #include <linux/kdev_t.h>
49 #include <linux/types.h>
50 #include <sys/types.h>
54 #include "cgroup_utils.h"
58 #include "storage/storage.h"
62 #include "include/strlcpy.h"
65 lxc_log_define(lxc_cgfsng
, lxc
);
67 static void free_string_list(char **clist
)
74 for (i
= 0; clist
[i
]; i
++)
80 /* Allocate a pointer, do not fail. */
81 static void *must_alloc(size_t sz
)
83 return must_realloc(NULL
, sz
);
86 /* Given a pointer to a null-terminated array of pointers, realloc to add one
87 * entry, and point the new entry to NULL. Do not fail. Return the index to the
88 * second-to-last entry - that is, the one which is now available for use
89 * (keeping the list null-terminated).
91 static int append_null_to_list(void ***list
)
96 for (; (*list
)[newentry
]; newentry
++)
99 *list
= must_realloc(*list
, (newentry
+ 2) * sizeof(void **));
100 (*list
)[newentry
+ 1] = NULL
;
104 /* Given a null-terminated array of strings, check whether @entry is one of the
107 static bool string_in_list(char **list
, const char *entry
)
114 for (i
= 0; list
[i
]; i
++)
115 if (strcmp(list
[i
], entry
) == 0)
121 /* Return a copy of @entry prepending "name=", i.e. turn "systemd" into
122 * "name=systemd". Do not fail.
124 static char *cg_legacy_must_prefix_named(char *entry
)
130 prefixed
= must_alloc(len
+ 6);
132 memcpy(prefixed
, "name=", sizeof("name=") - 1);
133 memcpy(prefixed
+ sizeof("name=") - 1, entry
, len
);
134 prefixed
[len
+ 5] = '\0';
138 /* Append an entry to the clist. Do not fail. @clist must be NULL the first time
141 * We also handle named subsystems here. Any controller which is not a kernel
142 * subsystem, we prefix "name=". Any which is both a kernel and named subsystem,
143 * we refuse to use because we're not sure which we have here.
144 * (TODO: We could work around this in some cases by just remounting to be
145 * unambiguous, or by comparing mountpoint contents with current cgroup.)
147 * The last entry will always be NULL.
149 static void must_append_controller(char **klist
, char **nlist
, char ***clist
,
155 if (string_in_list(klist
, entry
) && string_in_list(nlist
, entry
)) {
156 ERROR("Refusing to use ambiguous controller \"%s\"", entry
);
157 ERROR("It is both a named and kernel subsystem");
161 newentry
= append_null_to_list((void ***)clist
);
163 if (strncmp(entry
, "name=", 5) == 0)
164 copy
= must_copy_string(entry
);
165 else if (string_in_list(klist
, entry
))
166 copy
= must_copy_string(entry
);
168 copy
= cg_legacy_must_prefix_named(entry
);
170 (*clist
)[newentry
] = copy
;
173 /* Given a handler's cgroup data, return the struct hierarchy for the controller
174 * @c, or NULL if there is none.
176 struct hierarchy
*get_hierarchy(struct cgroup_ops
*ops
, const char *c
)
180 if (!ops
->hierarchies
)
183 for (i
= 0; ops
->hierarchies
[i
]; i
++) {
185 /* This is the empty unified hierarchy. */
186 if (ops
->hierarchies
[i
]->controllers
&&
187 !ops
->hierarchies
[i
]->controllers
[0])
188 return ops
->hierarchies
[i
];
193 if (string_in_list(ops
->hierarchies
[i
]->controllers
, c
))
194 return ops
->hierarchies
[i
];
200 #define BATCH_SIZE 50
201 static void batch_realloc(char **mem
, size_t oldlen
, size_t newlen
)
203 int newbatches
= (newlen
/ BATCH_SIZE
) + 1;
204 int oldbatches
= (oldlen
/ BATCH_SIZE
) + 1;
206 if (!*mem
|| newbatches
> oldbatches
) {
207 *mem
= must_realloc(*mem
, newbatches
* BATCH_SIZE
);
211 static void append_line(char **dest
, size_t oldlen
, char *new, size_t newlen
)
213 size_t full
= oldlen
+ newlen
;
215 batch_realloc(dest
, oldlen
, full
+ 1);
217 memcpy(*dest
+ oldlen
, new, newlen
+ 1);
220 /* Slurp in a whole file */
221 static char *read_file(const char *fnam
)
224 char *line
= NULL
, *buf
= NULL
;
225 size_t len
= 0, fulllen
= 0;
228 f
= fopen(fnam
, "r");
231 while ((linelen
= getline(&line
, &len
, f
)) != -1) {
232 append_line(&buf
, fulllen
, line
, linelen
);
240 /* Taken over modified from the kernel sources. */
241 #define NBITS 32 /* bits in uint32_t */
242 #define DIV_ROUND_UP(n, d) (((n) + (d)-1) / (d))
243 #define BITS_TO_LONGS(nr) DIV_ROUND_UP(nr, NBITS)
245 static void set_bit(unsigned bit
, uint32_t *bitarr
)
247 bitarr
[bit
/ NBITS
] |= (1 << (bit
% NBITS
));
250 static void clear_bit(unsigned bit
, uint32_t *bitarr
)
252 bitarr
[bit
/ NBITS
] &= ~(1 << (bit
% NBITS
));
255 static bool is_set(unsigned bit
, uint32_t *bitarr
)
257 return (bitarr
[bit
/ NBITS
] & (1 << (bit
% NBITS
))) != 0;
260 /* Create cpumask from cpulist aka turn:
268 static uint32_t *lxc_cpumask(char *buf
, size_t nbits
)
273 char *saveptr
= NULL
;
275 arrlen
= BITS_TO_LONGS(nbits
);
276 bitarr
= calloc(arrlen
, sizeof(uint32_t));
280 for (; (token
= strtok_r(buf
, ",", &saveptr
)); buf
= NULL
) {
285 start
= strtoul(token
, NULL
, 0);
287 range
= strchr(token
, '-');
289 end
= strtoul(range
+ 1, NULL
, 0);
291 if (!(start
<= end
)) {
302 set_bit(start
++, bitarr
);
308 /* Turn cpumask into simple, comma-separated cpulist. */
309 static char *lxc_cpumask_to_cpulist(uint32_t *bitarr
, size_t nbits
)
313 char **cpulist
= NULL
;
314 char numstr
[LXC_NUMSTRLEN64
] = {0};
316 for (i
= 0; i
<= nbits
; i
++) {
317 if (!is_set(i
, bitarr
))
320 ret
= snprintf(numstr
, LXC_NUMSTRLEN64
, "%zu", i
);
321 if (ret
< 0 || (size_t)ret
>= LXC_NUMSTRLEN64
) {
322 lxc_free_array((void **)cpulist
, free
);
326 ret
= lxc_append_string(&cpulist
, numstr
);
328 lxc_free_array((void **)cpulist
, free
);
336 return lxc_string_join(",", (const char **)cpulist
, false);
339 static ssize_t
get_max_cpus(char *cpulist
)
342 char *maxcpus
= cpulist
;
345 c1
= strrchr(maxcpus
, ',');
349 c2
= strrchr(maxcpus
, '-');
363 cpus
= strtoul(c1
, NULL
, 0);
370 #define __ISOL_CPUS "/sys/devices/system/cpu/isolated"
371 static bool cg_legacy_filter_and_set_cpus(char *path
, bool am_initialized
)
375 char *lastslash
, *fpath
, oldv
;
376 ssize_t maxisol
= 0, maxposs
= 0;
377 char *cpulist
= NULL
, *isolcpus
= NULL
, *posscpus
= NULL
;
378 uint32_t *isolmask
= NULL
, *possmask
= NULL
;
379 bool bret
= false, flipped_bit
= false;
381 lastslash
= strrchr(path
, '/');
383 ERROR("Failed to detect \"/\" in \"%s\"", path
);
388 fpath
= must_make_path(path
, "cpuset.cpus", NULL
);
389 posscpus
= read_file(fpath
);
391 SYSERROR("Failed to read file \"%s\"", fpath
);
395 /* Get maximum number of cpus found in possible cpuset. */
396 maxposs
= get_max_cpus(posscpus
);
400 if (!file_exists(__ISOL_CPUS
)) {
401 /* This system doesn't expose isolated cpus. */
402 DEBUG("The path \""__ISOL_CPUS
"\" to read isolated cpus from does not exist");
404 /* No isolated cpus but we weren't already initialized by
405 * someone. We should simply copy the parents cpuset.cpus
408 if (!am_initialized
) {
409 DEBUG("Copying cpu settings of parent cgroup");
412 /* No isolated cpus but we were already initialized by someone.
413 * Nothing more to do for us.
418 isolcpus
= read_file(__ISOL_CPUS
);
420 SYSERROR("Failed to read file \""__ISOL_CPUS
"\"");
423 if (!isdigit(isolcpus
[0])) {
424 TRACE("No isolated cpus detected");
426 /* No isolated cpus but we weren't already initialized by
427 * someone. We should simply copy the parents cpuset.cpus
430 if (!am_initialized
) {
431 DEBUG("Copying cpu settings of parent cgroup");
434 /* No isolated cpus but we were already initialized by someone.
435 * Nothing more to do for us.
440 /* Get maximum number of cpus found in isolated cpuset. */
441 maxisol
= get_max_cpus(isolcpus
);
445 if (maxposs
< maxisol
)
449 possmask
= lxc_cpumask(posscpus
, maxposs
);
451 ERROR("Failed to create cpumask for possible cpus");
455 isolmask
= lxc_cpumask(isolcpus
, maxposs
);
457 ERROR("Failed to create cpumask for isolated cpus");
461 for (i
= 0; i
<= maxposs
; i
++) {
462 if (!is_set(i
, isolmask
) || !is_set(i
, possmask
))
466 clear_bit(i
, possmask
);
470 DEBUG("No isolated cpus present in cpuset");
473 DEBUG("Removed isolated cpus from cpuset");
475 cpulist
= lxc_cpumask_to_cpulist(possmask
, maxposs
);
477 ERROR("Failed to create cpu list");
484 fpath
= must_make_path(path
, "cpuset.cpus", NULL
);
485 ret
= lxc_write_to_file(fpath
, cpulist
, strlen(cpulist
), false, 0666);
487 SYSERROR("Failed to write cpu list to \"%s\"", fpath
);
500 if (posscpus
!= cpulist
)
508 /* Copy contents of parent(@path)/@file to @path/@file */
509 static bool copy_parent_file(char *path
, char *file
)
512 char *fpath
, *lastslash
, oldv
;
516 lastslash
= strrchr(path
, '/');
518 ERROR("Failed to detect \"/\" in \"%s\"", path
);
523 fpath
= must_make_path(path
, file
, NULL
);
524 len
= lxc_read_from_file(fpath
, NULL
, 0);
528 value
= must_alloc(len
+ 1);
529 ret
= lxc_read_from_file(fpath
, value
, len
);
535 fpath
= must_make_path(path
, file
, NULL
);
536 ret
= lxc_write_to_file(fpath
, value
, len
, false, 0666);
538 SYSERROR("Failed to write \"%s\" to file \"%s\"", value
, fpath
);
544 SYSERROR("Failed to read file \"%s\"", fpath
);
550 /* Initialize the cpuset hierarchy in first directory of @gname and set
551 * cgroup.clone_children so that children inherit settings. Since the
552 * h->base_path is populated by init or ourselves, we know it is already
555 static bool cg_legacy_handle_cpuset_hierarchy(struct hierarchy
*h
, char *cgname
)
559 char *cgpath
, *clonechildrenpath
, *slash
;
561 if (!string_in_list(h
->controllers
, "cpuset"))
566 slash
= strchr(cgname
, '/');
570 cgpath
= must_make_path(h
->mountpoint
, h
->base_cgroup
, cgname
, NULL
);
574 ret
= mkdir(cgpath
, 0755);
576 if (errno
!= EEXIST
) {
577 SYSERROR("Failed to create directory \"%s\"", cgpath
);
584 must_make_path(cgpath
, "cgroup.clone_children", NULL
);
585 /* unified hierarchy doesn't have clone_children */
586 if (!file_exists(clonechildrenpath
)) {
587 free(clonechildrenpath
);
592 ret
= lxc_read_from_file(clonechildrenpath
, &v
, 1);
594 SYSERROR("Failed to read file \"%s\"", clonechildrenpath
);
595 free(clonechildrenpath
);
600 /* Make sure any isolated cpus are removed from cpuset.cpus. */
601 if (!cg_legacy_filter_and_set_cpus(cgpath
, v
== '1')) {
602 SYSERROR("Failed to remove isolated cpus");
603 free(clonechildrenpath
);
608 /* Already set for us by someone else. */
610 DEBUG("\"cgroup.clone_children\" was already set to \"1\"");
611 free(clonechildrenpath
);
616 /* copy parent's settings */
617 if (!copy_parent_file(cgpath
, "cpuset.mems")) {
618 SYSERROR("Failed to copy \"cpuset.mems\" settings");
620 free(clonechildrenpath
);
625 ret
= lxc_write_to_file(clonechildrenpath
, "1", 1, false, 0666);
627 /* Set clone_children so children inherit our settings */
628 SYSERROR("Failed to write 1 to \"%s\"", clonechildrenpath
);
629 free(clonechildrenpath
);
632 free(clonechildrenpath
);
636 /* Given two null-terminated lists of strings, return true if any string is in
639 static bool controller_lists_intersect(char **l1
, char **l2
)
646 for (i
= 0; l1
[i
]; i
++) {
647 if (string_in_list(l2
, l1
[i
]))
654 /* For a null-terminated list of controllers @clist, return true if any of those
655 * controllers is already listed the null-terminated list of hierarchies @hlist.
656 * Realistically, if one is present, all must be present.
658 static bool controller_list_is_dup(struct hierarchy
**hlist
, char **clist
)
665 for (i
= 0; hlist
[i
]; i
++)
666 if (controller_lists_intersect(hlist
[i
]->controllers
, clist
))
672 /* Return true if the controller @entry is found in the null-terminated list of
673 * hierarchies @hlist.
675 static bool controller_found(struct hierarchy
**hlist
, char *entry
)
682 for (i
= 0; hlist
[i
]; i
++)
683 if (string_in_list(hlist
[i
]->controllers
, entry
))
689 /* Return true if all of the controllers which we require have been found. The
690 * required list is freezer and anything in lxc.cgroup.use.
692 static bool all_controllers_found(struct cgroup_ops
*ops
)
695 char *saveptr
= NULL
;
696 struct hierarchy
**hlist
= ops
->hierarchies
;
698 if (!controller_found(hlist
, "freezer")) {
699 ERROR("No freezer controller mountpoint found");
703 if (!ops
->cgroup_use
)
706 for (; (p
= strtok_r(ops
->cgroup_use
, ",", &saveptr
)); ops
->cgroup_use
= NULL
)
707 if (!controller_found(hlist
, p
)) {
708 ERROR("No %s controller mountpoint found", p
);
715 /* Get the controllers from a mountinfo line There are other ways we could get
716 * this info. For lxcfs, field 3 is /cgroup/controller-list. For cgroupfs, we
717 * could parse the mount options. But we simply assume that the mountpoint must
718 * be /sys/fs/cgroup/controller-list
720 static char **cg_hybrid_get_controllers(char **klist
, char **nlist
, char *line
,
723 /* The fourth field is /sys/fs/cgroup/comma-delimited-controller-list
724 * for legacy hierarchies.
727 char *dup
, *p2
, *tok
;
728 char *p
= line
, *saveptr
= NULL
, *sep
= ",";
731 for (i
= 0; i
< 4; i
++) {
738 /* Note, if we change how mountinfo works, then our caller will need to
739 * verify /sys/fs/cgroup/ in this field.
741 if (strncmp(p
, "/sys/fs/cgroup/", 15) != 0) {
742 ERROR("Found hierarchy not under /sys/fs/cgroup: \"%s\"", p
);
749 ERROR("Corrupt mountinfo");
754 if (type
== CGROUP_SUPER_MAGIC
) {
755 /* strdup() here for v1 hierarchies. Otherwise strtok_r() will
756 * destroy mountpoints such as "/sys/fs/cgroup/cpu,cpuacct".
762 for (tok
= strtok_r(dup
, sep
, &saveptr
); tok
;
763 tok
= strtok_r(NULL
, sep
, &saveptr
))
764 must_append_controller(klist
, nlist
, &aret
, tok
);
773 static char **cg_unified_make_empty_controller(void)
778 newentry
= append_null_to_list((void ***)&aret
);
779 aret
[newentry
] = NULL
;
783 static char **cg_unified_get_controllers(const char *file
)
786 char *saveptr
= NULL
, *sep
= " \t\n";
789 buf
= read_file(file
);
793 for (tok
= strtok_r(buf
, sep
, &saveptr
); tok
;
794 tok
= strtok_r(NULL
, sep
, &saveptr
)) {
798 newentry
= append_null_to_list((void ***)&aret
);
799 copy
= must_copy_string(tok
);
800 aret
[newentry
] = copy
;
807 static struct hierarchy
*add_hierarchy(struct hierarchy
***h
, char **clist
, char *mountpoint
,
808 char *base_cgroup
, int type
)
810 struct hierarchy
*new;
813 new = must_alloc(sizeof(*new));
814 new->controllers
= clist
;
815 new->mountpoint
= mountpoint
;
816 new->base_cgroup
= base_cgroup
;
817 new->fullcgpath
= NULL
;
820 newentry
= append_null_to_list((void ***)h
);
821 (*h
)[newentry
] = new;
825 /* Get a copy of the mountpoint from @line, which is a line from
826 * /proc/self/mountinfo.
828 static char *cg_hybrid_get_mountpoint(char *line
)
833 char *p
= line
, *sret
= NULL
;
835 for (i
= 0; i
< 4; i
++) {
842 if (strncmp(p
, "/sys/fs/cgroup/", 15) != 0)
845 p2
= strchr(p
+ 15, ' ');
851 sret
= must_alloc(len
+ 1);
852 memcpy(sret
, p
, len
);
857 /* Given a multi-line string, return a null-terminated copy of the current line. */
858 static char *copy_to_eol(char *p
)
860 char *p2
= strchr(p
, '\n'), *sret
;
867 sret
= must_alloc(len
+ 1);
868 memcpy(sret
, p
, len
);
873 /* cgline: pointer to character after the first ':' in a line in a \n-terminated
874 * /proc/self/cgroup file. Check whether controller c is present.
876 static bool controller_in_clist(char *cgline
, char *c
)
878 char *tok
, *saveptr
= NULL
, *eol
, *tmp
;
881 eol
= strchr(cgline
, ':');
886 tmp
= alloca(len
+ 1);
887 memcpy(tmp
, cgline
, len
);
890 for (tok
= strtok_r(tmp
, ",", &saveptr
); tok
;
891 tok
= strtok_r(NULL
, ",", &saveptr
)) {
892 if (strcmp(tok
, c
) == 0)
899 /* @basecginfo is a copy of /proc/$$/cgroup. Return the current cgroup for
902 static char *cg_hybrid_get_current_cgroup(char *basecginfo
, char *controller
,
905 char *p
= basecginfo
;
908 bool is_cgv2_base_cgroup
= false;
910 /* cgroup v2 entry in "/proc/<pid>/cgroup": "0::/some/path" */
911 if ((type
== CGROUP2_SUPER_MAGIC
) && (*p
== '0'))
912 is_cgv2_base_cgroup
= true;
919 if (is_cgv2_base_cgroup
|| (controller
&& controller_in_clist(p
, controller
))) {
924 return copy_to_eol(p
);
934 static void must_append_string(char ***list
, char *entry
)
939 newentry
= append_null_to_list((void ***)list
);
940 copy
= must_copy_string(entry
);
941 (*list
)[newentry
] = copy
;
944 static int get_existing_subsystems(char ***klist
, char ***nlist
)
950 f
= fopen("/proc/self/cgroup", "r");
954 while (getline(&line
, &len
, f
) != -1) {
955 char *p
, *p2
, *tok
, *saveptr
= NULL
;
956 p
= strchr(line
, ':');
965 /* If the kernel has cgroup v2 support, then /proc/self/cgroup
966 * contains an entry of the form:
970 * In this case we use "cgroup2" as controller name.
973 must_append_string(klist
, "cgroup2");
977 for (tok
= strtok_r(p
, ",", &saveptr
); tok
;
978 tok
= strtok_r(NULL
, ",", &saveptr
)) {
979 if (strncmp(tok
, "name=", 5) == 0)
980 must_append_string(nlist
, tok
);
982 must_append_string(klist
, tok
);
991 static void trim(char *s
)
996 while ((len
> 1) && (s
[len
- 1] == '\n'))
1000 static void lxc_cgfsng_print_hierarchies(struct cgroup_ops
*ops
)
1003 struct hierarchy
**it
;
1005 if (!ops
->hierarchies
) {
1006 TRACE(" No hierarchies found");
1010 TRACE(" Hierarchies:");
1011 for (i
= 0, it
= ops
->hierarchies
; it
&& *it
; it
++, i
++) {
1015 TRACE(" %d: base_cgroup: %s", i
, (*it
)->base_cgroup
? (*it
)->base_cgroup
: "(null)");
1016 TRACE(" mountpoint: %s", (*it
)->mountpoint
? (*it
)->mountpoint
: "(null)");
1017 TRACE(" controllers:");
1018 for (j
= 0, cit
= (*it
)->controllers
; cit
&& *cit
; cit
++, j
++)
1019 TRACE(" %d: %s", j
, *cit
);
1023 static void lxc_cgfsng_print_basecg_debuginfo(char *basecginfo
, char **klist
,
1029 TRACE("basecginfo is:");
1030 TRACE("%s", basecginfo
);
1032 for (k
= 0, it
= klist
; it
&& *it
; it
++, k
++)
1033 TRACE("kernel subsystem %d: %s", k
, *it
);
1035 for (k
= 0, it
= nlist
; it
&& *it
; it
++, k
++)
1036 TRACE("named subsystem %d: %s", k
, *it
);
1039 static int recursive_destroy(char *dirname
)
1042 struct dirent
*direntp
;
1046 dir
= opendir(dirname
);
1050 while ((direntp
= readdir(dir
))) {
1054 if (!strcmp(direntp
->d_name
, ".") ||
1055 !strcmp(direntp
->d_name
, ".."))
1058 pathname
= must_make_path(dirname
, direntp
->d_name
, NULL
);
1060 ret
= lstat(pathname
, &mystat
);
1063 WARN("Failed to stat \"%s\"", pathname
);
1068 if (!S_ISDIR(mystat
.st_mode
))
1071 ret
= recursive_destroy(pathname
);
1078 ret
= rmdir(dirname
);
1081 WARN("%s - Failed to delete \"%s\"", strerror(errno
), dirname
);
1085 ret
= closedir(dir
);
1088 WARN("%s - Failed to delete \"%s\"", strerror(errno
), dirname
);
1095 static int cgroup_rmdir(struct hierarchy
**hierarchies
,
1096 const char *container_cgroup
)
1100 if (!container_cgroup
|| !hierarchies
)
1103 for (i
= 0; hierarchies
[i
]; i
++) {
1105 struct hierarchy
*h
= hierarchies
[i
];
1110 ret
= recursive_destroy(h
->fullcgpath
);
1112 WARN("Failed to destroy \"%s\"", h
->fullcgpath
);
1114 free(h
->fullcgpath
);
1115 h
->fullcgpath
= NULL
;
1121 struct generic_userns_exec_data
{
1122 struct hierarchy
**hierarchies
;
1123 const char *container_cgroup
;
1124 struct lxc_conf
*conf
;
1125 uid_t origuid
; /* target uid in parent namespace */
1129 static int cgroup_rmdir_wrapper(void *data
)
1132 struct generic_userns_exec_data
*arg
= data
;
1133 uid_t nsuid
= (arg
->conf
->root_nsuid_map
!= NULL
) ? 0 : arg
->conf
->init_uid
;
1134 gid_t nsgid
= (arg
->conf
->root_nsgid_map
!= NULL
) ? 0 : arg
->conf
->init_gid
;
1136 ret
= setresgid(nsgid
, nsgid
, nsgid
);
1138 SYSERROR("Failed to setresgid(%d, %d, %d)", (int)nsgid
,
1139 (int)nsgid
, (int)nsgid
);
1143 ret
= setresuid(nsuid
, nsuid
, nsuid
);
1145 SYSERROR("Failed to setresuid(%d, %d, %d)", (int)nsuid
,
1146 (int)nsuid
, (int)nsuid
);
1150 ret
= setgroups(0, NULL
);
1151 if (ret
< 0 && errno
!= EPERM
) {
1152 SYSERROR("Failed to setgroups(0, NULL)");
1156 return cgroup_rmdir(arg
->hierarchies
, arg
->container_cgroup
);
1159 static void cgfsng_destroy(struct cgroup_ops
*ops
, struct lxc_handler
*handler
)
1162 struct generic_userns_exec_data wrap
;
1165 wrap
.container_cgroup
= ops
->container_cgroup
;
1166 wrap
.hierarchies
= ops
->hierarchies
;
1167 wrap
.conf
= handler
->conf
;
1169 if (handler
->conf
&& !lxc_list_empty(&handler
->conf
->id_map
))
1170 ret
= userns_exec_1(handler
->conf
, cgroup_rmdir_wrapper
, &wrap
,
1171 "cgroup_rmdir_wrapper");
1173 ret
= cgroup_rmdir(ops
->hierarchies
, ops
->container_cgroup
);
1175 WARN("Failed to destroy cgroups");
1180 static bool cg_unified_create_cgroup(struct hierarchy
*h
, char *cgname
)
1182 size_t i
, parts_len
;
1184 size_t full_len
= 0;
1185 char *add_controllers
= NULL
, *cgroup
= NULL
;
1186 char **parts
= NULL
;
1189 if (h
->version
!= CGROUP2_SUPER_MAGIC
)
1192 if (!h
->controllers
)
1195 /* For now we simply enable all controllers that we have detected by
1196 * creating a string like "+memory +pids +cpu +io".
1197 * TODO: In the near future we might want to support "-<controller>"
1198 * etc. but whether supporting semantics like this make sense will need
1201 for (it
= h
->controllers
; it
&& *it
; it
++) {
1202 full_len
+= strlen(*it
) + 2;
1203 add_controllers
= must_realloc(add_controllers
, full_len
+ 1);
1205 if (h
->controllers
[0] == *it
)
1206 add_controllers
[0] = '\0';
1208 strncat(add_controllers
, "+", 1);
1209 strncat(add_controllers
, *it
, strlen(*it
));
1211 if ((it
+ 1) && *(it
+ 1))
1212 strncat(add_controllers
, " ", 1);
1215 parts
= lxc_string_split(cgname
, '/');
1219 parts_len
= lxc_array_len((void **)parts
);
1223 cgroup
= must_make_path(h
->mountpoint
, h
->base_cgroup
, NULL
);
1224 for (i
= 0; i
< parts_len
; i
++) {
1228 cgroup
= must_append_path(cgroup
, parts
[i
], NULL
);
1229 target
= must_make_path(cgroup
, "cgroup.subtree_control", NULL
);
1230 ret
= lxc_write_to_file(target
, add_controllers
, full_len
, false, 0666);
1233 SYSERROR("Could not enable \"%s\" controllers in the "
1234 "unified cgroup \"%s\"", add_controllers
, cgroup
);
1242 lxc_free_array((void **)parts
, free
);
1243 free(add_controllers
);
1248 static bool create_path_for_hierarchy(struct hierarchy
*h
, char *cgname
)
1252 h
->fullcgpath
= must_make_path(h
->mountpoint
, h
->base_cgroup
, cgname
, NULL
);
1253 if (dir_exists(h
->fullcgpath
)) {
1254 ERROR("The cgroup \"%s\" already existed", h
->fullcgpath
);
1258 if (!cg_legacy_handle_cpuset_hierarchy(h
, cgname
)) {
1259 ERROR("Failed to handle legacy cpuset controller");
1263 ret
= mkdir_p(h
->fullcgpath
, 0755);
1265 ERROR("Failed to create cgroup \"%s\"", h
->fullcgpath
);
1269 return cg_unified_create_cgroup(h
, cgname
);
1272 static void remove_path_for_hierarchy(struct hierarchy
*h
, char *cgname
)
1276 ret
= rmdir(h
->fullcgpath
);
1278 SYSERROR("Failed to rmdir(\"%s\") from failed creation attempt", h
->fullcgpath
);
1280 free(h
->fullcgpath
);
1281 h
->fullcgpath
= NULL
;
1284 /* Try to create the same cgroup in all hierarchies. Start with cgroup_pattern;
1285 * next cgroup_pattern-1, -2, ..., -999.
1287 static inline bool cgfsng_create(struct cgroup_ops
*ops
,
1288 struct lxc_handler
*handler
)
1292 char *container_cgroup
, *offset
, *tmp
;
1294 struct lxc_conf
*conf
= handler
->conf
;
1296 if (ops
->container_cgroup
) {
1297 WARN("cgfsng_create called a second time: %s", ops
->container_cgroup
);
1304 if (conf
->cgroup_meta
.dir
)
1305 tmp
= lxc_string_join("/", (const char *[]){conf
->cgroup_meta
.dir
, handler
->name
, NULL
}, false);
1307 tmp
= lxc_string_replace("%n", handler
->name
, ops
->cgroup_pattern
);
1309 ERROR("Failed expanding cgroup name pattern");
1313 len
= strlen(tmp
) + 5; /* leave room for -NNN\0 */
1314 container_cgroup
= must_alloc(len
);
1315 (void)strlcpy(container_cgroup
, tmp
, len
);
1317 offset
= container_cgroup
+ len
- 5;
1321 ERROR("Too many conflicting cgroup names");
1328 ret
= snprintf(offset
, 5, "-%d", idx
);
1329 if (ret
< 0 || (size_t)ret
>= 5) {
1330 FILE *f
= fopen("/dev/null", "w");
1332 fprintf(f
, "Workaround for GCC7 bug: "
1333 "https://gcc.gnu.org/bugzilla/"
1334 "show_bug.cgi?id=78969");
1340 for (i
= 0; ops
->hierarchies
[i
]; i
++) {
1341 if (!create_path_for_hierarchy(ops
->hierarchies
[i
], container_cgroup
)) {
1343 ERROR("Failed to create cgroup \"%s\"", ops
->hierarchies
[i
]->fullcgpath
);
1344 free(ops
->hierarchies
[i
]->fullcgpath
);
1345 ops
->hierarchies
[i
]->fullcgpath
= NULL
;
1346 for (j
= 0; j
< i
; j
++)
1347 remove_path_for_hierarchy(ops
->hierarchies
[j
], container_cgroup
);
1353 ops
->container_cgroup
= container_cgroup
;
1358 free(container_cgroup
);
1363 static bool cgfsng_enter(struct cgroup_ops
*ops
, pid_t pid
)
1368 len
= snprintf(pidstr
, 25, "%d", pid
);
1369 if (len
< 0 || len
>= 25)
1372 for (i
= 0; ops
->hierarchies
[i
]; i
++) {
1376 fullpath
= must_make_path(ops
->hierarchies
[i
]->fullcgpath
,
1377 "cgroup.procs", NULL
);
1378 ret
= lxc_write_to_file(fullpath
, pidstr
, len
, false, 0666);
1380 SYSERROR("Failed to enter cgroup \"%s\"", fullpath
);
1390 static int chowmod(char *path
, uid_t chown_uid
, gid_t chown_gid
,
1395 ret
= chown(path
, chown_uid
, chown_gid
);
1397 WARN("%s - Failed to chown(%s, %d, %d)", strerror(errno
), path
,
1398 (int)chown_uid
, (int)chown_gid
);
1402 ret
= chmod(path
, chmod_mode
);
1404 WARN("%s - Failed to chmod(%s, %d)", strerror(errno
), path
,
1412 /* chgrp the container cgroups to container group. We leave
1413 * the container owner as cgroup owner. So we must make the
1414 * directories 775 so that the container can create sub-cgroups.
1416 * Also chown the tasks and cgroup.procs files. Those may not
1417 * exist depending on kernel version.
1419 static int chown_cgroup_wrapper(void *data
)
1423 struct generic_userns_exec_data
*arg
= data
;
1424 uid_t nsuid
= (arg
->conf
->root_nsuid_map
!= NULL
) ? 0 : arg
->conf
->init_uid
;
1425 gid_t nsgid
= (arg
->conf
->root_nsgid_map
!= NULL
) ? 0 : arg
->conf
->init_gid
;
1427 ret
= setresgid(nsgid
, nsgid
, nsgid
);
1429 SYSERROR("Failed to setresgid(%d, %d, %d)",
1430 (int)nsgid
, (int)nsgid
, (int)nsgid
);
1434 ret
= setresuid(nsuid
, nsuid
, nsuid
);
1436 SYSERROR("Failed to setresuid(%d, %d, %d)",
1437 (int)nsuid
, (int)nsuid
, (int)nsuid
);
1441 ret
= setgroups(0, NULL
);
1442 if (ret
< 0 && errno
!= EPERM
) {
1443 SYSERROR("Failed to setgroups(0, NULL)");
1447 destuid
= get_ns_uid(arg
->origuid
);
1449 for (i
= 0; arg
->hierarchies
[i
]; i
++) {
1451 char *path
= arg
->hierarchies
[i
]->fullcgpath
;
1453 ret
= chowmod(path
, destuid
, nsgid
, 0775);
1457 /* Failures to chown() these are inconvenient but not
1458 * detrimental We leave these owned by the container launcher,
1459 * so that container root can write to the files to attach. We
1460 * chmod() them 664 so that container systemd can write to the
1461 * files (which systemd in wily insists on doing).
1464 if (arg
->hierarchies
[i
]->version
== CGROUP_SUPER_MAGIC
) {
1465 fullpath
= must_make_path(path
, "tasks", NULL
);
1466 (void)chowmod(fullpath
, destuid
, nsgid
, 0664);
1470 fullpath
= must_make_path(path
, "cgroup.procs", NULL
);
1471 (void)chowmod(fullpath
, destuid
, nsgid
, 0664);
1474 if (arg
->hierarchies
[i
]->version
!= CGROUP2_SUPER_MAGIC
)
1477 fullpath
= must_make_path(path
, "cgroup.subtree_control", NULL
);
1478 (void)chowmod(fullpath
, destuid
, nsgid
, 0664);
1481 fullpath
= must_make_path(path
, "cgroup.threads", NULL
);
1482 (void)chowmod(fullpath
, destuid
, nsgid
, 0664);
1489 static bool cgfsng_chown(struct cgroup_ops
*ops
, struct lxc_conf
*conf
)
1491 struct generic_userns_exec_data wrap
;
1493 if (lxc_list_empty(&conf
->id_map
))
1496 wrap
.origuid
= geteuid();
1498 wrap
.hierarchies
= ops
->hierarchies
;
1501 if (userns_exec_1(conf
, chown_cgroup_wrapper
, &wrap
,
1502 "chown_cgroup_wrapper") < 0) {
1503 ERROR("Error requesting cgroup chown in new user namespace");
1510 /* cgroup-full:* is done, no need to create subdirs */
1511 static bool cg_mount_needs_subdirs(int type
)
1513 if (type
>= LXC_AUTO_CGROUP_FULL_RO
)
1519 /* After $rootfs/sys/fs/container/controller/the/cg/path has been created,
1520 * remount controller ro if needed and bindmount the cgroupfs onto
1521 * controll/the/cg/path.
1523 static int cg_legacy_mount_controllers(int type
, struct hierarchy
*h
,
1524 char *controllerpath
, char *cgpath
,
1525 const char *container_cgroup
)
1527 int ret
, remount_flags
;
1529 int flags
= MS_BIND
;
1531 if (type
== LXC_AUTO_CGROUP_RO
|| type
== LXC_AUTO_CGROUP_MIXED
) {
1532 ret
= mount(controllerpath
, controllerpath
, "cgroup", MS_BIND
, NULL
);
1534 SYSERROR("Failed to bind mount \"%s\" onto \"%s\"",
1535 controllerpath
, controllerpath
);
1539 remount_flags
= add_required_remount_flags(controllerpath
,
1541 flags
| MS_REMOUNT
);
1542 ret
= mount(controllerpath
, controllerpath
, "cgroup",
1543 remount_flags
| MS_REMOUNT
| MS_BIND
| MS_RDONLY
,
1546 SYSERROR("Failed to remount \"%s\" ro", controllerpath
);
1550 INFO("Remounted %s read-only", controllerpath
);
1553 sourcepath
= must_make_path(h
->mountpoint
, h
->base_cgroup
,
1554 container_cgroup
, NULL
);
1555 if (type
== LXC_AUTO_CGROUP_RO
)
1558 ret
= mount(sourcepath
, cgpath
, "cgroup", flags
, NULL
);
1560 SYSERROR("Failed to mount \"%s\" onto \"%s\"", h
->controllers
[0], cgpath
);
1564 INFO("Mounted \"%s\" onto \"%s\"", h
->controllers
[0], cgpath
);
1566 if (flags
& MS_RDONLY
) {
1567 remount_flags
= add_required_remount_flags(sourcepath
, cgpath
,
1568 flags
| MS_REMOUNT
);
1569 ret
= mount(sourcepath
, cgpath
, "cgroup", remount_flags
, NULL
);
1571 SYSERROR("Failed to remount \"%s\" ro", cgpath
);
1575 INFO("Remounted %s read-only", cgpath
);
1579 INFO("Completed second stage cgroup automounts for \"%s\"", cgpath
);
1583 /* __cg_mount_direct
1585 * Mount cgroup hierarchies directly without using bind-mounts. The main
1586 * uses-cases are mounting cgroup hierarchies in cgroup namespaces and mounting
1587 * cgroups for the LXC_AUTO_CGROUP_FULL option.
1589 static int __cg_mount_direct(int type
, struct hierarchy
*h
,
1590 const char *controllerpath
)
1593 char *controllers
= NULL
;
1594 char *fstype
= "cgroup2";
1595 unsigned long flags
= 0;
1600 flags
|= MS_RELATIME
;
1602 if (type
== LXC_AUTO_CGROUP_RO
|| type
== LXC_AUTO_CGROUP_FULL_RO
)
1605 if (h
->version
!= CGROUP2_SUPER_MAGIC
) {
1606 controllers
= lxc_string_join(",", (const char **)h
->controllers
, false);
1612 ret
= mount("cgroup", controllerpath
, fstype
, flags
, controllers
);
1615 SYSERROR("Failed to mount \"%s\" with cgroup filesystem type %s", controllerpath
, fstype
);
1619 DEBUG("Mounted \"%s\" with cgroup filesystem type %s", controllerpath
, fstype
);
1623 static inline int cg_mount_in_cgroup_namespace(int type
, struct hierarchy
*h
,
1624 const char *controllerpath
)
1626 return __cg_mount_direct(type
, h
, controllerpath
);
1629 static inline int cg_mount_cgroup_full(int type
, struct hierarchy
*h
,
1630 const char *controllerpath
)
1632 if (type
< LXC_AUTO_CGROUP_FULL_RO
|| type
> LXC_AUTO_CGROUP_FULL_MIXED
)
1635 return __cg_mount_direct(type
, h
, controllerpath
);
1638 static bool cgfsng_mount(struct cgroup_ops
*ops
, struct lxc_handler
*handler
,
1639 const char *root
, int type
)
1642 char *tmpfspath
= NULL
;
1643 bool has_cgns
= false, retval
= false, wants_force_mount
= false;
1645 if ((type
& LXC_AUTO_CGROUP_MASK
) == 0)
1648 if (type
& LXC_AUTO_CGROUP_FORCE
) {
1649 type
&= ~LXC_AUTO_CGROUP_FORCE
;
1650 wants_force_mount
= true;
1653 if (!wants_force_mount
){
1654 if (!lxc_list_empty(&handler
->conf
->keepcaps
))
1655 wants_force_mount
= !in_caplist(CAP_SYS_ADMIN
, &handler
->conf
->keepcaps
);
1657 wants_force_mount
= in_caplist(CAP_SYS_ADMIN
, &handler
->conf
->caps
);
1660 has_cgns
= cgns_supported();
1661 if (has_cgns
&& !wants_force_mount
)
1664 if (type
== LXC_AUTO_CGROUP_NOSPEC
)
1665 type
= LXC_AUTO_CGROUP_MIXED
;
1666 else if (type
== LXC_AUTO_CGROUP_FULL_NOSPEC
)
1667 type
= LXC_AUTO_CGROUP_FULL_MIXED
;
1670 tmpfspath
= must_make_path(root
, "/sys/fs/cgroup", NULL
);
1671 ret
= safe_mount(NULL
, tmpfspath
, "tmpfs",
1672 MS_NOSUID
| MS_NODEV
| MS_NOEXEC
| MS_RELATIME
,
1673 "size=10240k,mode=755", root
);
1677 for (i
= 0; ops
->hierarchies
[i
]; i
++) {
1678 char *controllerpath
, *path2
;
1679 struct hierarchy
*h
= ops
->hierarchies
[i
];
1680 char *controller
= strrchr(h
->mountpoint
, '/');
1686 controllerpath
= must_make_path(tmpfspath
, controller
, NULL
);
1687 if (dir_exists(controllerpath
)) {
1688 free(controllerpath
);
1692 ret
= mkdir(controllerpath
, 0755);
1694 SYSERROR("Error creating cgroup path: %s", controllerpath
);
1695 free(controllerpath
);
1699 if (has_cgns
&& wants_force_mount
) {
1700 /* If cgroup namespaces are supported but the container
1701 * will not have CAP_SYS_ADMIN after it has started we
1702 * need to mount the cgroups manually.
1704 ret
= cg_mount_in_cgroup_namespace(type
, h
, controllerpath
);
1705 free(controllerpath
);
1712 ret
= cg_mount_cgroup_full(type
, h
, controllerpath
);
1714 free(controllerpath
);
1718 if (!cg_mount_needs_subdirs(type
)) {
1719 free(controllerpath
);
1723 path2
= must_make_path(controllerpath
, h
->base_cgroup
,
1724 ops
->container_cgroup
, NULL
);
1725 ret
= mkdir_p(path2
, 0755);
1727 free(controllerpath
);
1732 ret
= cg_legacy_mount_controllers(type
, h
, controllerpath
,
1733 path2
, ops
->container_cgroup
);
1734 free(controllerpath
);
1746 static int recursive_count_nrtasks(char *dirname
)
1748 struct dirent
*direntp
;
1753 dir
= opendir(dirname
);
1757 while ((direntp
= readdir(dir
))) {
1760 if (!strcmp(direntp
->d_name
, ".") ||
1761 !strcmp(direntp
->d_name
, ".."))
1764 path
= must_make_path(dirname
, direntp
->d_name
, NULL
);
1766 if (lstat(path
, &mystat
))
1769 if (!S_ISDIR(mystat
.st_mode
))
1772 count
+= recursive_count_nrtasks(path
);
1777 path
= must_make_path(dirname
, "cgroup.procs", NULL
);
1778 ret
= lxc_count_file_lines(path
);
1783 (void)closedir(dir
);
1788 static int cgfsng_nrtasks(struct cgroup_ops
*ops
)
1793 if (!ops
->container_cgroup
|| !ops
->hierarchies
)
1796 path
= must_make_path(ops
->hierarchies
[0]->fullcgpath
, NULL
);
1797 count
= recursive_count_nrtasks(path
);
1802 /* Only root needs to escape to the cgroup of its init. */
1803 static bool cgfsng_escape(const struct cgroup_ops
*ops
)
1810 for (i
= 0; ops
->hierarchies
[i
]; i
++) {
1814 fullpath
= must_make_path(ops
->hierarchies
[i
]->mountpoint
,
1815 ops
->hierarchies
[i
]->base_cgroup
,
1816 "cgroup.procs", NULL
);
1817 ret
= lxc_write_to_file(fullpath
, "0", 2, false, 0666);
1819 SYSERROR("Failed to escape to cgroup \"%s\"", fullpath
);
1829 static int cgfsng_num_hierarchies(struct cgroup_ops
*ops
)
1833 for (i
= 0; ops
->hierarchies
[i
]; i
++)
1839 static bool cgfsng_get_hierarchies(struct cgroup_ops
*ops
, int n
, char ***out
)
1843 /* sanity check n */
1844 for (i
= 0; i
< n
; i
++)
1845 if (!ops
->hierarchies
[i
])
1848 *out
= ops
->hierarchies
[i
]->controllers
;
1853 #define THAWED "THAWED"
1854 #define THAWED_LEN (strlen(THAWED))
1856 /* TODO: If the unified cgroup hierarchy grows a freezer controller this needs
1859 static bool cgfsng_unfreeze(struct cgroup_ops
*ops
)
1863 struct hierarchy
*h
;
1865 h
= get_hierarchy(ops
, "freezer");
1869 fullpath
= must_make_path(h
->fullcgpath
, "freezer.state", NULL
);
1870 ret
= lxc_write_to_file(fullpath
, THAWED
, THAWED_LEN
, false, 0666);
1878 static const char *cgfsng_get_cgroup(struct cgroup_ops
*ops
,
1879 const char *controller
)
1881 struct hierarchy
*h
;
1883 h
= get_hierarchy(ops
, controller
);
1885 WARN("Failed to find hierarchy for controller \"%s\"",
1886 controller
? controller
: "(null)");
1890 return h
->fullcgpath
? h
->fullcgpath
+ strlen(h
->mountpoint
) : NULL
;
1893 /* Given a cgroup path returned from lxc_cmd_get_cgroup_path, build a full path,
1894 * which must be freed by the caller.
1896 static inline char *build_full_cgpath_from_monitorpath(struct hierarchy
*h
,
1898 const char *filename
)
1900 return must_make_path(h
->mountpoint
, inpath
, filename
, NULL
);
1903 /* Technically, we're always at a delegation boundary here (This is especially
1904 * true when cgroup namespaces are available.). The reasoning is that in order
1905 * for us to have been able to start a container in the first place the root
1906 * cgroup must have been a leaf node. Now, either the container's init system
1907 * has populated the cgroup and kept it as a leaf node or it has created
1908 * subtrees. In the former case we will simply attach to the leaf node we
1909 * created when we started the container in the latter case we create our own
1910 * cgroup for the attaching process.
1912 static int __cg_unified_attach(const struct hierarchy
*h
, const char *name
,
1913 const char *lxcpath
, const char *pidstr
,
1914 size_t pidstr_len
, const char *controller
)
1918 int fret
= -1, idx
= 0;
1919 char *base_path
= NULL
, *container_cgroup
= NULL
, *full_path
= NULL
;
1921 container_cgroup
= lxc_cmd_get_cgroup_path(name
, lxcpath
, controller
);
1923 if (!container_cgroup
)
1926 base_path
= must_make_path(h
->mountpoint
, container_cgroup
, NULL
);
1927 full_path
= must_make_path(base_path
, "cgroup.procs", NULL
);
1928 /* cgroup is populated */
1929 ret
= lxc_write_to_file(full_path
, pidstr
, pidstr_len
, false, 0666);
1930 if (ret
< 0 && errno
!= EBUSY
)
1938 len
= strlen(base_path
) + sizeof("/lxc-1000") - 1 +
1939 sizeof("/cgroup-procs") - 1;
1940 full_path
= must_alloc(len
+ 1);
1943 ret
= snprintf(full_path
, len
+ 1, "%s/lxc-%d",
1946 ret
= snprintf(full_path
, len
+ 1, "%s/lxc", base_path
);
1947 if (ret
< 0 || (size_t)ret
>= len
+ 1)
1950 ret
= mkdir_p(full_path
, 0755);
1951 if (ret
< 0 && errno
!= EEXIST
)
1954 strncat(full_path
, "/cgroup.procs", strlen("/cgroup.procs"));
1955 ret
= lxc_write_to_file(full_path
, pidstr
, len
, false, 0666);
1959 /* this is a non-leaf node */
1963 } while (++idx
> 0 && idx
< 1000);
1971 free(container_cgroup
);
1977 static bool cgfsng_attach(struct cgroup_ops
*ops
, const char *name
,
1978 const char *lxcpath
, pid_t pid
)
1983 len
= snprintf(pidstr
, 25, "%d", pid
);
1984 if (len
< 0 || len
>= 25)
1987 for (i
= 0; ops
->hierarchies
[i
]; i
++) {
1989 char *fullpath
= NULL
;
1990 struct hierarchy
*h
= ops
->hierarchies
[i
];
1992 if (h
->version
== CGROUP2_SUPER_MAGIC
) {
1993 ret
= __cg_unified_attach(h
, name
, lxcpath
, pidstr
, len
,
2001 path
= lxc_cmd_get_cgroup_path(name
, lxcpath
, h
->controllers
[0]);
2006 fullpath
= build_full_cgpath_from_monitorpath(h
, path
, "cgroup.procs");
2008 ret
= lxc_write_to_file(fullpath
, pidstr
, len
, false, 0666);
2010 SYSERROR("Failed to attach %d to %s", (int)pid
, fullpath
);
2020 /* Called externally (i.e. from 'lxc-cgroup') to query cgroup limits. Here we
2021 * don't have a cgroup_data set up, so we ask the running container through the
2022 * commands API for the cgroup path.
2024 static int cgfsng_get(struct cgroup_ops
*ops
, const char *filename
, char *value
,
2025 size_t len
, const char *name
, const char *lxcpath
)
2028 size_t controller_len
;
2029 char *controller
, *p
, *path
;
2030 struct hierarchy
*h
;
2032 controller_len
= strlen(filename
);
2033 controller
= alloca(controller_len
+ 1);
2034 (void)strlcpy(controller
, filename
, controller_len
+ 1);
2036 p
= strchr(controller
, '.');
2040 path
= lxc_cmd_get_cgroup_path(name
, lxcpath
, controller
);
2045 h
= get_hierarchy(ops
, controller
);
2049 fullpath
= build_full_cgpath_from_monitorpath(h
, path
, filename
);
2050 ret
= lxc_read_from_file(fullpath
, value
, len
);
2058 /* Called externally (i.e. from 'lxc-cgroup') to set new cgroup limits. Here we
2059 * don't have a cgroup_data set up, so we ask the running container through the
2060 * commands API for the cgroup path.
2062 static int cgfsng_set(struct cgroup_ops
*ops
, const char *filename
,
2063 const char *value
, const char *name
, const char *lxcpath
)
2066 size_t controller_len
;
2067 char *controller
, *p
, *path
;
2068 struct hierarchy
*h
;
2070 controller_len
= strlen(filename
);
2071 controller
= alloca(controller_len
+ 1);
2072 (void)strlcpy(controller
, filename
, controller_len
+ 1);
2074 p
= strchr(controller
, '.');
2078 path
= lxc_cmd_get_cgroup_path(name
, lxcpath
, controller
);
2083 h
= get_hierarchy(ops
, controller
);
2087 fullpath
= build_full_cgpath_from_monitorpath(h
, path
, filename
);
2088 ret
= lxc_write_to_file(fullpath
, value
, strlen(value
), false, 0666);
2096 /* take devices cgroup line
2098 * and convert it to a valid
2099 * type major:minor mode
2100 * line. Return <0 on error. Dest is a preallocated buffer long enough to hold
2103 static int convert_devpath(const char *invalue
, char *dest
)
2106 char *p
, *path
, type
;
2107 unsigned long minor
, major
;
2112 path
= must_copy_string(invalue
);
2114 /* Read path followed by mode. Ignore any trailing text.
2115 * A ' # comment' would be legal. Technically other text is not
2116 * legal, we could check for that if we cared to.
2118 for (n_parts
= 1, p
= path
; *p
&& n_parts
< 3; p
++) {
2140 ret
= stat(path
, &sb
);
2144 mode_t m
= sb
.st_mode
& S_IFMT
;
2153 ERROR("Unsupported device type %i for \"%s\"", m
, path
);
2158 major
= MAJOR(sb
.st_rdev
);
2159 minor
= MINOR(sb
.st_rdev
);
2160 ret
= snprintf(dest
, 50, "%c %lu:%lu %s", type
, major
, minor
, mode
);
2161 if (ret
< 0 || ret
>= 50) {
2162 ERROR("Error on configuration value \"%c %lu:%lu %s\" (max 50 "
2163 "chars)", type
, major
, minor
, mode
);
2164 ret
= -ENAMETOOLONG
;
2174 /* Called from setup_limits - here we have the container's cgroup_data because
2175 * we created the cgroups.
2177 static int cg_legacy_set_data(struct cgroup_ops
*ops
, const char *filename
,
2182 /* "b|c <2^64-1>:<2^64-1> r|w|m" = 47 chars max */
2183 char converted_value
[50];
2184 struct hierarchy
*h
;
2186 char *controller
= NULL
;
2188 len
= strlen(filename
);
2189 controller
= alloca(len
+ 1);
2190 (void)strlcpy(controller
, filename
, len
+ 1);
2192 p
= strchr(controller
, '.');
2196 if (strcmp("devices.allow", filename
) == 0 && value
[0] == '/') {
2197 ret
= convert_devpath(value
, converted_value
);
2200 value
= converted_value
;
2203 h
= get_hierarchy(ops
, controller
);
2205 ERROR("Failed to setup limits for the \"%s\" controller. "
2206 "The controller seems to be unused by \"cgfsng\" cgroup "
2207 "driver or not enabled on the cgroup hierarchy",
2213 fullpath
= must_make_path(h
->fullcgpath
, filename
, NULL
);
2214 ret
= lxc_write_to_file(fullpath
, value
, strlen(value
), false, 0666);
2219 static bool __cg_legacy_setup_limits(struct cgroup_ops
*ops
,
2220 struct lxc_list
*cgroup_settings
,
2223 struct lxc_list
*iterator
, *next
, *sorted_cgroup_settings
;
2224 struct lxc_cgroup
*cg
;
2227 if (lxc_list_empty(cgroup_settings
))
2230 sorted_cgroup_settings
= sort_cgroup_settings(cgroup_settings
);
2231 if (!sorted_cgroup_settings
)
2234 lxc_list_for_each(iterator
, sorted_cgroup_settings
) {
2235 cg
= iterator
->elem
;
2237 if (do_devices
== !strncmp("devices", cg
->subsystem
, 7)) {
2238 if (cg_legacy_set_data(ops
, cg
->subsystem
, cg
->value
)) {
2239 if (do_devices
&& (errno
== EACCES
|| errno
== EPERM
)) {
2240 WARN("Failed to set \"%s\" to \"%s\"",
2241 cg
->subsystem
, cg
->value
);
2244 WARN("Failed to set \"%s\" to \"%s\"",
2245 cg
->subsystem
, cg
->value
);
2248 DEBUG("Set controller \"%s\" set to \"%s\"",
2249 cg
->subsystem
, cg
->value
);
2254 INFO("Limits for the legacy cgroup hierarchies have been setup");
2256 lxc_list_for_each_safe(iterator
, sorted_cgroup_settings
, next
) {
2257 lxc_list_del(iterator
);
2260 free(sorted_cgroup_settings
);
2264 static bool __cg_unified_setup_limits(struct cgroup_ops
*ops
,
2265 struct lxc_list
*cgroup_settings
)
2267 struct lxc_list
*iterator
;
2268 struct hierarchy
*h
= ops
->unified
;
2270 if (lxc_list_empty(cgroup_settings
))
2276 lxc_list_for_each(iterator
, cgroup_settings
) {
2279 struct lxc_cgroup
*cg
= iterator
->elem
;
2281 fullpath
= must_make_path(h
->fullcgpath
, cg
->subsystem
, NULL
);
2282 ret
= lxc_write_to_file(fullpath
, cg
->value
, strlen(cg
->value
), false, 0666);
2285 SYSERROR("Failed to set \"%s\" to \"%s\"",
2286 cg
->subsystem
, cg
->value
);
2289 TRACE("Set \"%s\" to \"%s\"", cg
->subsystem
, cg
->value
);
2292 INFO("Limits for the unified cgroup hierarchy have been setup");
2296 static bool cgfsng_setup_limits(struct cgroup_ops
*ops
, struct lxc_conf
*conf
,
2301 bret
= __cg_legacy_setup_limits(ops
, &conf
->cgroup
, do_devices
);
2305 return __cg_unified_setup_limits(ops
, &conf
->cgroup2
);
2308 /* At startup, parse_hierarchies finds all the info we need about cgroup
2309 * mountpoints and current cgroups, and stores it in @d.
2311 static bool cg_hybrid_init(struct cgroup_ops
*ops
)
2319 char **klist
= NULL
, **nlist
= NULL
;
2321 /* Root spawned containers escape the current cgroup, so use init's
2322 * cgroups as our base in that case.
2324 will_escape
= (geteuid() == 0);
2326 basecginfo
= read_file("/proc/1/cgroup");
2328 basecginfo
= read_file("/proc/self/cgroup");
2332 ret
= get_existing_subsystems(&klist
, &nlist
);
2334 ERROR("Failed to retrieve available legacy cgroup controllers");
2339 f
= fopen("/proc/self/mountinfo", "r");
2341 ERROR("Failed to open \"/proc/self/mountinfo\"");
2346 lxc_cgfsng_print_basecg_debuginfo(basecginfo
, klist
, nlist
);
2348 while (getline(&line
, &len
, f
) != -1) {
2351 struct hierarchy
*new;
2352 char *base_cgroup
= NULL
, *mountpoint
= NULL
;
2353 char **controller_list
= NULL
;
2355 type
= get_cgroup_version(line
);
2359 if (type
== CGROUP2_SUPER_MAGIC
&& ops
->unified
)
2362 if (ops
->cgroup_layout
== CGROUP_LAYOUT_UNKNOWN
) {
2363 if (type
== CGROUP2_SUPER_MAGIC
)
2364 ops
->cgroup_layout
= CGROUP_LAYOUT_UNIFIED
;
2365 else if (type
== CGROUP_SUPER_MAGIC
)
2366 ops
->cgroup_layout
= CGROUP_LAYOUT_LEGACY
;
2367 } else if (ops
->cgroup_layout
== CGROUP_LAYOUT_UNIFIED
) {
2368 if (type
== CGROUP_SUPER_MAGIC
)
2369 ops
->cgroup_layout
= CGROUP_LAYOUT_HYBRID
;
2370 } else if (ops
->cgroup_layout
== CGROUP_LAYOUT_LEGACY
) {
2371 if (type
== CGROUP2_SUPER_MAGIC
)
2372 ops
->cgroup_layout
= CGROUP_LAYOUT_HYBRID
;
2375 controller_list
= cg_hybrid_get_controllers(klist
, nlist
, line
, type
);
2376 if (!controller_list
&& type
== CGROUP_SUPER_MAGIC
)
2379 if (type
== CGROUP_SUPER_MAGIC
)
2380 if (controller_list_is_dup(ops
->hierarchies
, controller_list
))
2383 mountpoint
= cg_hybrid_get_mountpoint(line
);
2385 ERROR("Failed parsing mountpoint from \"%s\"", line
);
2389 if (type
== CGROUP_SUPER_MAGIC
)
2390 base_cgroup
= cg_hybrid_get_current_cgroup(basecginfo
, controller_list
[0], CGROUP_SUPER_MAGIC
);
2392 base_cgroup
= cg_hybrid_get_current_cgroup(basecginfo
, NULL
, CGROUP2_SUPER_MAGIC
);
2394 ERROR("Failed to find current cgroup");
2399 prune_init_scope(base_cgroup
);
2400 if (type
== CGROUP2_SUPER_MAGIC
)
2401 writeable
= test_writeable_v2(mountpoint
, base_cgroup
);
2403 writeable
= test_writeable_v1(mountpoint
, base_cgroup
);
2407 if (type
== CGROUP2_SUPER_MAGIC
) {
2408 char *cgv2_ctrl_path
;
2410 cgv2_ctrl_path
= must_make_path(mountpoint
, base_cgroup
,
2411 "cgroup.controllers",
2414 controller_list
= cg_unified_get_controllers(cgv2_ctrl_path
);
2415 free(cgv2_ctrl_path
);
2416 if (!controller_list
) {
2417 controller_list
= cg_unified_make_empty_controller();
2418 TRACE("No controllers are enabled for "
2419 "delegation in the unified hierarchy");
2423 new = add_hierarchy(&ops
->hierarchies
, controller_list
, mountpoint
, base_cgroup
, type
);
2424 if (type
== CGROUP2_SUPER_MAGIC
&& !ops
->unified
)
2430 free_string_list(controller_list
);
2435 free_string_list(klist
);
2436 free_string_list(nlist
);
2443 TRACE("Writable cgroup hierarchies:");
2444 lxc_cgfsng_print_hierarchies(ops
);
2446 /* verify that all controllers in cgroup.use and all crucial
2447 * controllers are accounted for
2449 if (!all_controllers_found(ops
))
2455 static int cg_is_pure_unified(void)
2461 ret
= statfs("/sys/fs/cgroup", &fs
);
2465 if (is_fs_type(&fs
, CGROUP2_SUPER_MAGIC
))
2466 return CGROUP2_SUPER_MAGIC
;
2471 /* Get current cgroup from /proc/self/cgroup for the cgroupfs v2 hierarchy. */
2472 static char *cg_unified_get_current_cgroup(void)
2474 char *basecginfo
, *base_cgroup
;
2478 will_escape
= (geteuid() == 0);
2480 basecginfo
= read_file("/proc/1/cgroup");
2482 basecginfo
= read_file("/proc/self/cgroup");
2486 base_cgroup
= strstr(basecginfo
, "0::/");
2488 goto cleanup_on_err
;
2490 base_cgroup
= base_cgroup
+ 3;
2491 copy
= copy_to_eol(base_cgroup
);
2493 goto cleanup_on_err
;
2503 static int cg_unified_init(struct cgroup_ops
*ops
)
2506 char *mountpoint
, *subtree_path
;
2508 char *base_cgroup
= NULL
;
2510 ret
= cg_is_pure_unified();
2511 if (ret
== -ENOMEDIUM
)
2514 if (ret
!= CGROUP2_SUPER_MAGIC
)
2517 base_cgroup
= cg_unified_get_current_cgroup();
2520 prune_init_scope(base_cgroup
);
2522 /* We assume that we have already been given controllers to delegate
2523 * further down the hierarchy. If not it is up to the user to delegate
2526 mountpoint
= must_copy_string("/sys/fs/cgroup");
2527 subtree_path
= must_make_path(mountpoint
, base_cgroup
,
2528 "cgroup.subtree_control", NULL
);
2529 delegatable
= cg_unified_get_controllers(subtree_path
);
2532 delegatable
= cg_unified_make_empty_controller();
2533 if (!delegatable
[0])
2534 TRACE("No controllers are enabled for delegation");
2536 /* TODO: If the user requested specific controllers via lxc.cgroup.use
2537 * we should verify here. The reason I'm not doing it right is that I'm
2538 * not convinced that lxc.cgroup.use will be the future since it is a
2539 * global property. I much rather have an option that lets you request
2540 * controllers per container.
2543 add_hierarchy(&ops
->hierarchies
, delegatable
, mountpoint
, base_cgroup
, CGROUP2_SUPER_MAGIC
);
2545 ops
->cgroup_layout
= CGROUP_LAYOUT_UNIFIED
;
2546 return CGROUP2_SUPER_MAGIC
;
2549 static bool cg_init(struct cgroup_ops
*ops
)
2554 tmp
= lxc_global_config_value("lxc.cgroup.use");
2556 ops
->cgroup_use
= must_copy_string(tmp
);
2558 ret
= cg_unified_init(ops
);
2562 if (ret
== CGROUP2_SUPER_MAGIC
)
2565 return cg_hybrid_init(ops
);
2568 static bool cgfsng_data_init(struct cgroup_ops
*ops
)
2570 const char *cgroup_pattern
;
2572 /* copy system-wide cgroup information */
2573 cgroup_pattern
= lxc_global_config_value("lxc.cgroup.pattern");
2574 if (!cgroup_pattern
) {
2575 /* lxc.cgroup.pattern is only NULL on error. */
2576 ERROR("Failed to retrieve cgroup pattern");
2579 ops
->cgroup_pattern
= must_copy_string(cgroup_pattern
);
2584 struct cgroup_ops
*cgfsng_ops_init(void)
2586 struct cgroup_ops
*cgfsng_ops
;
2588 cgfsng_ops
= malloc(sizeof(struct cgroup_ops
));
2592 memset(cgfsng_ops
, 0, sizeof(struct cgroup_ops
));
2593 cgfsng_ops
->cgroup_layout
= CGROUP_LAYOUT_UNKNOWN
;
2595 if (!cg_init(cgfsng_ops
)) {
2600 cgfsng_ops
->data_init
= cgfsng_data_init
;
2601 cgfsng_ops
->destroy
= cgfsng_destroy
;
2602 cgfsng_ops
->create
= cgfsng_create
;
2603 cgfsng_ops
->enter
= cgfsng_enter
;
2604 cgfsng_ops
->escape
= cgfsng_escape
;
2605 cgfsng_ops
->num_hierarchies
= cgfsng_num_hierarchies
;
2606 cgfsng_ops
->get_hierarchies
= cgfsng_get_hierarchies
;
2607 cgfsng_ops
->get_cgroup
= cgfsng_get_cgroup
;
2608 cgfsng_ops
->get
= cgfsng_get
;
2609 cgfsng_ops
->set
= cgfsng_set
;
2610 cgfsng_ops
->unfreeze
= cgfsng_unfreeze
;
2611 cgfsng_ops
->setup_limits
= cgfsng_setup_limits
;
2612 cgfsng_ops
->driver
= "cgfsng";
2613 cgfsng_ops
->version
= "1.0.0";
2614 cgfsng_ops
->attach
= cgfsng_attach
;
2615 cgfsng_ops
->chown
= cgfsng_chown
;
2616 cgfsng_ops
->mount
= cgfsng_mount
;
2617 cgfsng_ops
->nrtasks
= cgfsng_nrtasks
;