1 /* SPDX-License-Identifier: LGPL-2.1+ */
4 * cgfs-ng.c: this is a new, simplified implementation of a filesystem
5 * cgroup backend. The original cgfs.c was designed to be as flexible
6 * as possible. It would try to find cgroup filesystems no matter where
7 * or how you had them mounted, and deduce the most usable mount for
10 * This new implementation assumes that cgroup filesystems are mounted
11 * under /sys/fs/cgroup/clist where clist is either the controller, or
12 * a comma-separated list of controllers.
22 #include <linux/kdev_t.h>
23 #include <linux/types.h>
30 #include <sys/epoll.h>
31 #include <sys/types.h>
37 #include "cgroup2_devices.h"
38 #include "cgroup_utils.h"
40 #include "commands_utils.h"
43 #include "error_utils.h"
47 #include "memory_utils.h"
48 #include "mount_utils.h"
49 #include "storage/storage.h"
50 #include "string_utils.h"
51 #include "syscall_wrappers.h"
55 #include "include/strlcpy.h"
59 #include "include/strlcat.h"
62 lxc_log_define(cgfsng
, cgroup
);
65 * Given a pointer to a null-terminated array of pointers, realloc to add one
66 * entry, and point the new entry to NULL. Do not fail. Return the index to the
67 * second-to-last entry - that is, the one which is now available for use
68 * (keeping the list null-terminated).
70 static int list_add(void ***list
)
76 for (; (*list
)[idx
]; idx
++)
79 p
= realloc(*list
, (idx
+ 2) * sizeof(void **));
81 return ret_errno(ENOMEM
);
89 /* Given a null-terminated array of strings, check whether @entry is one of the
92 static bool string_in_list(char **list
, const char *entry
)
97 for (int i
= 0; list
[i
]; i
++)
98 if (strequal(list
[i
], entry
))
104 /* Given a handler's cgroup data, return the struct hierarchy for the controller
105 * @c, or NULL if there is none.
107 static struct hierarchy
*get_hierarchy(struct cgroup_ops
*ops
, const char *controller
)
109 if (!ops
->hierarchies
)
110 return log_trace_errno(NULL
, errno
, "There are no useable cgroup controllers");
112 for (int i
= 0; ops
->hierarchies
[i
]; i
++) {
114 /* This is the empty unified hierarchy. */
115 if (ops
->hierarchies
[i
]->controllers
&& !ops
->hierarchies
[i
]->controllers
[0])
116 return ops
->hierarchies
[i
];
122 * Handle controllers with significant implementation changes
123 * from cgroup to cgroup2.
125 if (pure_unified_layout(ops
)) {
126 if (strequal(controller
, "devices")) {
127 if (device_utility_controller(ops
->unified
))
131 } else if (strequal(controller
, "freezer")) {
132 if (freezer_utility_controller(ops
->unified
))
139 if (string_in_list(ops
->hierarchies
[i
]->controllers
, controller
))
140 return ops
->hierarchies
[i
];
144 WARN("There is no useable %s controller", controller
);
146 WARN("There is no empty unified cgroup hierarchy");
148 return ret_set_errno(NULL
, ENOENT
);
151 /* Taken over modified from the kernel sources. */
152 #define NBITS 32 /* bits in uint32_t */
153 #define DIV_ROUND_UP(n, d) (((n) + (d)-1) / (d))
154 #define BITS_TO_LONGS(nr) DIV_ROUND_UP(nr, NBITS)
156 static void set_bit(unsigned bit
, uint32_t *bitarr
)
158 bitarr
[bit
/ NBITS
] |= (1 << (bit
% NBITS
));
161 static void clear_bit(unsigned bit
, uint32_t *bitarr
)
163 bitarr
[bit
/ NBITS
] &= ~(1 << (bit
% NBITS
));
166 static bool is_set(unsigned bit
, uint32_t *bitarr
)
168 return (bitarr
[bit
/ NBITS
] & (1 << (bit
% NBITS
))) != 0;
171 /* Create cpumask from cpulist aka turn:
179 static uint32_t *lxc_cpumask(char *buf
, size_t nbits
)
181 __do_free
uint32_t *bitarr
= NULL
;
185 arrlen
= BITS_TO_LONGS(nbits
);
186 bitarr
= calloc(arrlen
, sizeof(uint32_t));
188 return ret_set_errno(NULL
, ENOMEM
);
190 lxc_iterate_parts(token
, buf
, ",") {
195 start
= strtoul(token
, NULL
, 0);
197 range
= strchr(token
, '-');
199 end
= strtoul(range
+ 1, NULL
, 0);
202 return ret_set_errno(NULL
, EINVAL
);
205 return ret_set_errno(NULL
, EINVAL
);
208 set_bit(start
++, bitarr
);
211 return move_ptr(bitarr
);
214 /* Turn cpumask into simple, comma-separated cpulist. */
215 static char *lxc_cpumask_to_cpulist(uint32_t *bitarr
, size_t nbits
)
217 __do_free_string_list
char **cpulist
= NULL
;
218 char numstr
[INTTYPE_TO_STRLEN(size_t)] = {0};
221 for (size_t i
= 0; i
<= nbits
; i
++) {
222 if (!is_set(i
, bitarr
))
225 ret
= strnprintf(numstr
, sizeof(numstr
), "%zu", i
);
229 ret
= lxc_append_string(&cpulist
, numstr
);
231 return ret_set_errno(NULL
, ENOMEM
);
235 return ret_set_errno(NULL
, ENOMEM
);
237 return lxc_string_join(",", (const char **)cpulist
, false);
240 static ssize_t
get_max_cpus(char *cpulist
)
243 char *maxcpus
= cpulist
;
246 c1
= strrchr(maxcpus
, ',');
250 c2
= strrchr(maxcpus
, '-');
264 cpus
= strtoul(c1
, NULL
, 0);
271 static inline bool is_unified_hierarchy(const struct hierarchy
*h
)
273 return h
->fs_type
== UNIFIED_HIERARCHY
;
276 /* Return true if the controller @entry is found in the null-terminated list of
277 * hierarchies @hlist.
279 static bool controller_available(struct hierarchy
**hlist
, char *entry
)
284 for (int i
= 0; hlist
[i
]; i
++)
285 if (string_in_list(hlist
[i
]->controllers
, entry
))
291 static bool controllers_available(struct cgroup_ops
*ops
)
293 struct hierarchy
**hlist
;
295 if (!ops
->cgroup_use
)
298 hlist
= ops
->hierarchies
;
299 for (char **cur
= ops
->cgroup_use
; cur
&& *cur
; cur
++)
300 if (!controller_available(hlist
, *cur
))
301 return log_error(false, "The %s controller found", *cur
);
306 static char **list_new(void)
308 __do_free_string_list
char **list
= NULL
;
311 idx
= list_add((void ***)&list
);
316 return move_ptr(list
);
319 static int list_add_string(char ***list
, char *entry
)
321 __do_free
char *dup
= NULL
;
326 return ret_errno(ENOMEM
);
328 idx
= list_add((void ***)list
);
332 (*list
)[idx
] = move_ptr(dup
);
336 static char **list_add_controllers(char *controllers
)
338 __do_free_string_list
char **list
= NULL
;
341 lxc_iterate_parts(it
, controllers
, ", \t\n") {
344 ret
= list_add_string(&list
, it
);
349 return move_ptr(list
);
352 static char **unified_controllers(int dfd
, const char *file
)
354 __do_free
char *buf
= NULL
;
356 buf
= read_file_at(dfd
, file
, PROTECT_OPEN
, 0);
360 return list_add_controllers(buf
);
363 static bool skip_hierarchy(const struct cgroup_ops
*ops
, char **controllers
)
365 if (!ops
->cgroup_use
)
368 for (char **cur_ctrl
= controllers
; cur_ctrl
&& *cur_ctrl
; cur_ctrl
++) {
371 for (char **cur_use
= ops
->cgroup_use
; cur_use
&& *cur_use
; cur_use
++) {
372 if (!strequal(*cur_use
, *cur_ctrl
))
388 static int cgroup_hierarchy_add(struct cgroup_ops
*ops
, int dfd_mnt
, char *mnt
,
389 int dfd_base
, char *base_cgroup
,
390 char **controllers
, cgroupfs_type_magic_t fs_type
)
392 __do_free
struct hierarchy
*new = NULL
;
395 if (abspath(base_cgroup
))
396 return syserrno_set(-EINVAL
, "Container base path must be relative to controller mount");
398 new = zalloc(sizeof(*new));
400 return ret_errno(ENOMEM
);
402 new->dfd_con
= -EBADF
;
403 new->dfd_lim
= -EBADF
;
404 new->dfd_mon
= -EBADF
;
406 new->fs_type
= fs_type
;
407 new->controllers
= controllers
;
409 new->at_base
= base_cgroup
;
411 new->dfd_mnt
= dfd_mnt
;
412 new->dfd_base
= dfd_base
;
414 TRACE("Adding cgroup hierarchy mounted at %s and base cgroup %s",
415 mnt
, maybe_empty(base_cgroup
));
416 for (char *const *it
= new->controllers
; it
&& *it
; it
++)
417 TRACE("The hierarchy contains the %s controller", *it
);
419 idx
= list_add((void ***)&ops
->hierarchies
);
421 return ret_errno(idx
);
423 if (fs_type
== UNIFIED_HIERARCHY
)
425 (ops
->hierarchies
)[idx
] = move_ptr(new);
430 static int cgroup_tree_remove(struct hierarchy
**hierarchies
, const char *path_prune
)
432 if (!path_prune
|| !hierarchies
)
435 for (int i
= 0; hierarchies
[i
]; i
++) {
436 struct hierarchy
*h
= hierarchies
[i
];
439 ret
= cgroup_tree_prune(h
->dfd_base
, path_prune
);
441 SYSWARN("Failed to destroy %d(%s)", h
->dfd_base
, path_prune
);
443 TRACE("Removed cgroup tree %d(%s)", h
->dfd_base
, path_prune
);
445 free_equal(h
->path_lim
, h
->path_con
);
451 struct generic_userns_exec_data
{
452 struct hierarchy
**hierarchies
;
453 const char *path_prune
;
454 struct lxc_conf
*conf
;
455 uid_t origuid
; /* target uid in parent namespace */
459 static int cgroup_tree_remove_wrapper(void *data
)
461 struct generic_userns_exec_data
*arg
= data
;
462 uid_t nsuid
= (arg
->conf
->root_nsuid_map
!= NULL
) ? 0 : arg
->conf
->init_uid
;
463 gid_t nsgid
= (arg
->conf
->root_nsgid_map
!= NULL
) ? 0 : arg
->conf
->init_gid
;
466 if (!lxc_drop_groups() && errno
!= EPERM
)
467 return log_error_errno(-1, errno
, "Failed to setgroups(0, NULL)");
469 ret
= setresgid(nsgid
, nsgid
, nsgid
);
471 return log_error_errno(-1, errno
, "Failed to setresgid(%d, %d, %d)",
472 (int)nsgid
, (int)nsgid
, (int)nsgid
);
474 ret
= setresuid(nsuid
, nsuid
, nsuid
);
476 return log_error_errno(-1, errno
, "Failed to setresuid(%d, %d, %d)",
477 (int)nsuid
, (int)nsuid
, (int)nsuid
);
479 return cgroup_tree_remove(arg
->hierarchies
, arg
->path_prune
);
482 __cgfsng_ops
static void cgfsng_payload_destroy(struct cgroup_ops
*ops
,
483 struct lxc_handler
*handler
)
488 ERROR("Called with uninitialized cgroup operations");
492 if (!ops
->hierarchies
)
496 ERROR("Called with uninitialized handler");
500 if (!handler
->conf
) {
501 ERROR("Called with uninitialized conf");
505 if (!ops
->container_limit_cgroup
) {
506 WARN("Uninitialized limit cgroup");
510 ret
= bpf_program_cgroup_detach(handler
->cgroup_ops
->cgroup2_devices
);
512 WARN("Failed to detach bpf program from cgroup");
514 if (!lxc_list_empty(&handler
->conf
->id_map
)) {
515 struct generic_userns_exec_data wrap
= {
516 .conf
= handler
->conf
,
517 .path_prune
= ops
->container_limit_cgroup
,
518 .hierarchies
= ops
->hierarchies
,
521 ret
= userns_exec_1(handler
->conf
, cgroup_tree_remove_wrapper
,
522 &wrap
, "cgroup_tree_remove_wrapper");
524 ret
= cgroup_tree_remove(ops
->hierarchies
, ops
->container_limit_cgroup
);
527 SYSWARN("Failed to destroy cgroups");
530 #define __ISOL_CPUS "/sys/devices/system/cpu/isolated"
531 #define __OFFLINE_CPUS "/sys/devices/system/cpu/offline"
532 static bool cpuset1_cpus_initialize(int dfd_parent
, int dfd_child
,
535 __do_free
char *cpulist
= NULL
, *fpath
= NULL
, *isolcpus
= NULL
,
536 *offlinecpus
= NULL
, *posscpus
= NULL
;
537 __do_free
uint32_t *isolmask
= NULL
, *offlinemask
= NULL
,
541 ssize_t maxisol
= 0, maxoffline
= 0, maxposs
= 0;
542 bool flipped_bit
= false;
544 posscpus
= read_file_at(dfd_parent
, "cpuset.cpus", PROTECT_OPEN
, 0);
546 return log_error_errno(false, errno
, "Failed to read file \"%s\"", fpath
);
548 /* Get maximum number of cpus found in possible cpuset. */
549 maxposs
= get_max_cpus(posscpus
);
550 if (maxposs
< 0 || maxposs
>= INT_MAX
- 1)
553 if (file_exists(__ISOL_CPUS
)) {
554 isolcpus
= read_file_at(-EBADF
, __ISOL_CPUS
, PROTECT_OPEN
, 0);
556 return log_error_errno(false, errno
, "Failed to read file \"%s\"", __ISOL_CPUS
);
558 if (isdigit(isolcpus
[0])) {
559 /* Get maximum number of cpus found in isolated cpuset. */
560 maxisol
= get_max_cpus(isolcpus
);
561 if (maxisol
< 0 || maxisol
>= INT_MAX
- 1)
565 if (maxposs
< maxisol
)
569 TRACE("The path \""__ISOL_CPUS
"\" to read isolated cpus from does not exist");
572 if (file_exists(__OFFLINE_CPUS
)) {
573 offlinecpus
= read_file_at(-EBADF
, __OFFLINE_CPUS
, PROTECT_OPEN
, 0);
575 return log_error_errno(false, errno
, "Failed to read file \"%s\"", __OFFLINE_CPUS
);
577 if (isdigit(offlinecpus
[0])) {
578 /* Get maximum number of cpus found in offline cpuset. */
579 maxoffline
= get_max_cpus(offlinecpus
);
580 if (maxoffline
< 0 || maxoffline
>= INT_MAX
- 1)
584 if (maxposs
< maxoffline
)
585 maxposs
= maxoffline
;
588 TRACE("The path \""__OFFLINE_CPUS
"\" to read offline cpus from does not exist");
591 if ((maxisol
== 0) && (maxoffline
== 0)) {
592 cpulist
= move_ptr(posscpus
);
596 possmask
= lxc_cpumask(posscpus
, maxposs
);
598 return log_error_errno(false, errno
, "Failed to create cpumask for possible cpus");
601 isolmask
= lxc_cpumask(isolcpus
, maxposs
);
603 return log_error_errno(false, errno
, "Failed to create cpumask for isolated cpus");
606 if (maxoffline
> 0) {
607 offlinemask
= lxc_cpumask(offlinecpus
, maxposs
);
609 return log_error_errno(false, errno
, "Failed to create cpumask for offline cpus");
612 for (i
= 0; i
<= maxposs
; i
++) {
613 if ((isolmask
&& !is_set(i
, isolmask
)) ||
614 (offlinemask
&& !is_set(i
, offlinemask
)) ||
615 !is_set(i
, possmask
))
619 clear_bit(i
, possmask
);
623 cpulist
= lxc_cpumask_to_cpulist(possmask
, maxposs
);
624 TRACE("No isolated or offline cpus present in cpuset");
626 cpulist
= move_ptr(posscpus
);
627 TRACE("Removed isolated or offline cpus from cpuset");
630 return log_error_errno(false, errno
, "Failed to create cpu list");
633 if (!am_initialized
) {
634 ret
= lxc_writeat(dfd_child
, "cpuset.cpus", cpulist
, strlen(cpulist
));
636 return log_error_errno(false, errno
, "Failed to write cpu list to \"%d/cpuset.cpus\"", dfd_child
);
638 TRACE("Copied cpu settings of parent cgroup");
644 static bool cpuset1_initialize(int dfd_base
, int dfd_next
)
651 * Determine whether the base cgroup has cpuset
652 * inheritance turned on.
654 bytes
= lxc_readat(dfd_base
, "cgroup.clone_children", &v
, 1);
656 return syserrno(false, "Failed to read file %d(cgroup.clone_children)", dfd_base
);
659 * Initialize cpuset.cpus and make remove any isolated
662 if (!cpuset1_cpus_initialize(dfd_base
, dfd_next
, v
== '1'))
663 return syserrno(false, "Failed to initialize cpuset.cpus");
665 /* Read cpuset.mems from parent... */
666 bytes
= lxc_readat(dfd_base
, "cpuset.mems", mems
, sizeof(mems
));
668 return syserrno(false, "Failed to read file %d(cpuset.mems)", dfd_base
);
670 /* ... and copy to first cgroup in the tree... */
671 bytes
= lxc_writeat(dfd_next
, "cpuset.mems", mems
, bytes
);
673 return syserrno(false, "Failed to write %d(cpuset.mems)", dfd_next
);
675 /* ... and finally turn on cpuset inheritance. */
676 bytes
= lxc_writeat(dfd_next
, "cgroup.clone_children", "1", 1);
678 return syserrno(false, "Failed to write %d(cgroup.clone_children)", dfd_next
);
680 return log_trace(true, "Initialized cpuset in the legacy hierarchy");
683 static int __cgroup_tree_create(int dfd_base
, const char *path
, mode_t mode
,
684 bool cpuset_v1
, bool eexist_ignore
)
686 __do_close
int dfd_final
= -EBADF
;
687 int dfd_cur
= dfd_base
;
693 if (is_empty_string(path
))
694 return ret_errno(EINVAL
);
696 len
= strlcpy(buf
, path
, sizeof(buf
));
697 if (len
>= sizeof(buf
))
698 return ret_errno(E2BIG
);
700 lxc_iterate_parts(cur
, buf
, "/") {
702 * Even though we vetted the paths when we parsed the config
703 * we're paranoid here and check that the path is neither
704 * absolute nor walks upwards.
707 return syserrno_set(-EINVAL
, "No absolute paths allowed");
709 if (strnequal(cur
, "..", STRLITERALLEN("..")))
710 return syserrno_set(-EINVAL
, "No upward walking paths allowed");
712 ret
= mkdirat(dfd_cur
, cur
, mode
);
715 return syserrno(-errno
, "Failed to create %d(%s)", dfd_cur
, cur
);
719 TRACE("%s %d(%s) cgroup", !ret
? "Created" : "Reusing", dfd_cur
, cur
);
721 dfd_final
= open_at(dfd_cur
, cur
, PROTECT_OPATH_DIRECTORY
, PROTECT_LOOKUP_BENEATH
, 0);
723 return syserrno(-errno
, "Fail to open%s directory %d(%s)",
724 !ret
? " newly created" : "", dfd_base
, cur
);
725 if (dfd_cur
!= dfd_base
)
727 else if (cpuset_v1
&& !cpuset1_initialize(dfd_base
, dfd_final
))
728 return syserrno(-EINVAL
, "Failed to initialize cpuset controller in the legacy hierarchy");
730 * Leave dfd_final pointing to the last fd we opened so
731 * it will be automatically zapped if we return early.
736 /* The final cgroup must be succesfully creatd by us. */
738 if (ret
!= -EEXIST
|| !eexist_ignore
)
739 return syserrno_set(ret
, "Creating the final cgroup %d(%s) failed", dfd_base
, path
);
742 return move_fd(dfd_final
);
745 static bool cgroup_tree_create(struct cgroup_ops
*ops
, struct lxc_conf
*conf
,
746 struct hierarchy
*h
, const char *cgroup_limit_dir
,
747 const char *cgroup_leaf
, bool payload
)
749 __do_close
int fd_limit
= -EBADF
, fd_final
= -EBADF
;
750 __do_free
char *path
= NULL
, *limit_path
= NULL
;
751 bool cpuset_v1
= false;
754 * The legacy cpuset controller needs massaging in case inheriting
755 * settings from its immediate ancestor cgroup hasn't been turned on.
757 cpuset_v1
= !is_unified_hierarchy(h
) && string_in_list(h
->controllers
, "cpuset");
759 if (payload
&& cgroup_leaf
) {
760 /* With isolation both parts need to not already exist. */
761 fd_limit
= __cgroup_tree_create(h
->dfd_base
, cgroup_limit_dir
, 0755, cpuset_v1
, false);
763 return syserrno(false, "Failed to create limiting cgroup %d(%s)", h
->dfd_base
, cgroup_limit_dir
);
765 TRACE("Created limit cgroup %d->%d(%s)",
766 fd_limit
, h
->dfd_base
, cgroup_limit_dir
);
769 * With isolation the devices legacy cgroup needs to be
770 * iinitialized early, as it typically contains an 'a' (all)
771 * line, which is not possible once a subdirectory has been
774 if (string_in_list(h
->controllers
, "devices") &&
775 !ops
->setup_limits_legacy(ops
, conf
, true))
776 return log_error(false, "Failed to setup legacy device limits");
778 limit_path
= make_cgroup_path(h
, h
->at_base
, cgroup_limit_dir
, NULL
);
779 path
= must_make_path(limit_path
, cgroup_leaf
, NULL
);
782 * If we use a separate limit cgroup, the leaf cgroup, i.e. the
783 * cgroup the container actually resides in, is below fd_limit.
785 fd_final
= __cgroup_tree_create(fd_limit
, cgroup_leaf
, 0755, cpuset_v1
, false);
787 /* Ensure we don't leave any garbage behind. */
788 if (cgroup_tree_prune(h
->dfd_base
, cgroup_limit_dir
))
789 SYSWARN("Failed to destroy %d(%s)", h
->dfd_base
, cgroup_limit_dir
);
791 TRACE("Removed cgroup tree %d(%s)", h
->dfd_base
, cgroup_limit_dir
);
794 path
= make_cgroup_path(h
, h
->at_base
, cgroup_limit_dir
, NULL
);
796 fd_final
= __cgroup_tree_create(h
->dfd_base
, cgroup_limit_dir
, 0755, cpuset_v1
, false);
799 return syserrno(false, "Failed to create %s cgroup %d(%s)", payload
? "payload" : "monitor", h
->dfd_base
, cgroup_limit_dir
);
802 h
->dfd_con
= move_fd(fd_final
);
803 h
->path_con
= move_ptr(path
);
806 h
->dfd_lim
= h
->dfd_con
;
808 h
->dfd_lim
= move_fd(fd_limit
);
811 h
->path_lim
= move_ptr(limit_path
);
813 h
->path_lim
= h
->path_con
;
815 h
->dfd_mon
= move_fd(fd_final
);
821 static void cgroup_tree_prune_leaf(struct hierarchy
*h
, const char *path_prune
,
827 /* Check whether we actually created the cgroup to prune. */
831 free_equal(h
->path_con
, h
->path_lim
);
832 close_equal(h
->dfd_con
, h
->dfd_lim
);
834 /* Check whether we actually created the cgroup to prune. */
838 close_prot_errno_disarm(h
->dfd_mon
);
841 /* We didn't create this cgroup. */
845 if (cgroup_tree_prune(h
->dfd_base
, path_prune
))
846 SYSWARN("Failed to destroy %d(%s)", h
->dfd_base
, path_prune
);
848 TRACE("Removed cgroup tree %d(%s)", h
->dfd_base
, path_prune
);
851 __cgfsng_ops
static void cgfsng_monitor_destroy(struct cgroup_ops
*ops
,
852 struct lxc_handler
*handler
)
855 char pidstr
[INTTYPE_TO_STRLEN(pid_t
)];
856 const struct lxc_conf
*conf
;
859 ERROR("Called with uninitialized cgroup operations");
863 if (!ops
->hierarchies
)
867 ERROR("Called with uninitialized handler");
871 if (!handler
->conf
) {
872 ERROR("Called with uninitialized conf");
875 conf
= handler
->conf
;
877 if (!ops
->monitor_cgroup
) {
878 WARN("Uninitialized monitor cgroup");
882 len
= strnprintf(pidstr
, sizeof(pidstr
), "%d", handler
->monitor_pid
);
886 for (int i
= 0; ops
->hierarchies
[i
]; i
++) {
887 __do_close
int fd_pivot
= -EBADF
;
888 __do_free
char *pivot_path
= NULL
;
889 struct hierarchy
*h
= ops
->hierarchies
[i
];
890 bool cpuset_v1
= false;
893 /* Monitor might have died before we entered the cgroup. */
894 if (handler
->monitor_pid
<= 0) {
895 WARN("No valid monitor process found while destroying cgroups");
896 goto cgroup_prune_tree
;
899 if (conf
->cgroup_meta
.monitor_pivot_dir
)
900 pivot_path
= must_make_path(conf
->cgroup_meta
.monitor_pivot_dir
, CGROUP_PIVOT
, NULL
);
901 else if (conf
->cgroup_meta
.dir
)
902 pivot_path
= must_make_path(conf
->cgroup_meta
.dir
, CGROUP_PIVOT
, NULL
);
904 pivot_path
= must_make_path(CGROUP_PIVOT
, NULL
);
906 cpuset_v1
= !is_unified_hierarchy(h
) && string_in_list(h
->controllers
, "cpuset");
908 fd_pivot
= __cgroup_tree_create(h
->dfd_base
, pivot_path
, 0755, cpuset_v1
, true);
910 SYSWARN("Failed to create pivot cgroup %d(%s)", h
->dfd_base
, pivot_path
);
914 ret
= lxc_writeat(fd_pivot
, "cgroup.procs", pidstr
, len
);
916 SYSWARN("Failed to move monitor %s to \"%s\"", pidstr
, pivot_path
);
921 ret
= cgroup_tree_prune(h
->dfd_base
, ops
->monitor_cgroup
);
923 SYSWARN("Failed to destroy %d(%s)", h
->dfd_base
, ops
->monitor_cgroup
);
925 TRACE("Removed cgroup tree %d(%s)", h
->dfd_base
, ops
->monitor_cgroup
);
930 * Check we have no lxc.cgroup.dir, and that lxc.cgroup.dir.limit_prefix is a
931 * proper prefix directory of lxc.cgroup.dir.payload.
933 * Returns the prefix length if it is set, otherwise zero on success.
935 static bool check_cgroup_dir_config(struct lxc_conf
*conf
)
937 const char *monitor_dir
= conf
->cgroup_meta
.monitor_dir
,
938 *container_dir
= conf
->cgroup_meta
.container_dir
,
939 *namespace_dir
= conf
->cgroup_meta
.namespace_dir
;
941 /* none of the new options are set, all is fine */
942 if (!monitor_dir
&& !container_dir
&& !namespace_dir
)
945 /* some are set, make sure lxc.cgroup.dir is not also set*/
946 if (conf
->cgroup_meta
.dir
)
947 return log_error_errno(false, EINVAL
,
948 "lxc.cgroup.dir conflicts with lxc.cgroup.dir.payload/monitor");
950 /* make sure both monitor and payload are set */
951 if (!monitor_dir
|| !container_dir
)
952 return log_error_errno(false, EINVAL
,
953 "lxc.cgroup.dir.payload and lxc.cgroup.dir.monitor must both be set");
955 /* namespace_dir may be empty */
959 __cgfsng_ops
static bool cgfsng_monitor_create(struct cgroup_ops
*ops
, struct lxc_handler
*handler
)
961 __do_free
char *monitor_cgroup
= NULL
;
966 struct lxc_conf
*conf
;
969 return ret_set_errno(false, ENOENT
);
971 if (!ops
->hierarchies
)
974 if (ops
->monitor_cgroup
)
975 return ret_set_errno(false, EEXIST
);
977 if (!handler
|| !handler
->conf
)
978 return ret_set_errno(false, EINVAL
);
980 conf
= handler
->conf
;
982 if (!check_cgroup_dir_config(conf
))
985 if (conf
->cgroup_meta
.monitor_dir
) {
986 monitor_cgroup
= strdup(conf
->cgroup_meta
.monitor_dir
);
987 } else if (conf
->cgroup_meta
.dir
) {
988 monitor_cgroup
= must_concat(&len
, conf
->cgroup_meta
.dir
, "/",
989 DEFAULT_MONITOR_CGROUP_PREFIX
,
991 CGROUP_CREATE_RETRY
, NULL
);
992 } else if (ops
->cgroup_pattern
) {
993 __do_free
char *cgroup_tree
= NULL
;
995 cgroup_tree
= lxc_string_replace("%n", handler
->name
, ops
->cgroup_pattern
);
997 return ret_set_errno(false, ENOMEM
);
999 monitor_cgroup
= must_concat(&len
, cgroup_tree
, "/",
1000 DEFAULT_MONITOR_CGROUP
,
1001 CGROUP_CREATE_RETRY
, NULL
);
1003 monitor_cgroup
= must_concat(&len
, DEFAULT_MONITOR_CGROUP_PREFIX
,
1005 CGROUP_CREATE_RETRY
, NULL
);
1007 if (!monitor_cgroup
)
1008 return ret_set_errno(false, ENOMEM
);
1010 if (!conf
->cgroup_meta
.monitor_dir
) {
1011 suffix
= monitor_cgroup
+ len
- CGROUP_CREATE_RETRY_LEN
;
1016 sprintf(suffix
, "-%d", idx
);
1018 for (i
= 0; ops
->hierarchies
[i
]; i
++) {
1019 if (cgroup_tree_create(ops
, handler
->conf
,
1020 ops
->hierarchies
[i
],
1021 monitor_cgroup
, NULL
, false))
1024 DEBUG("Failed to create cgroup %s)", monitor_cgroup
);
1025 for (int j
= 0; j
<= i
; j
++)
1026 cgroup_tree_prune_leaf(ops
->hierarchies
[j
],
1027 monitor_cgroup
, false);
1032 } while (ops
->hierarchies
[i
] && idx
> 0 && idx
< 1000 && suffix
);
1034 if (idx
== 1000 || (!suffix
&& idx
!= 0))
1035 return log_error_errno(false, ERANGE
, "Failed to create monitor cgroup");
1037 ops
->monitor_cgroup
= move_ptr(monitor_cgroup
);
1038 return log_info(true, "The monitor process uses \"%s\" as cgroup", ops
->monitor_cgroup
);
1042 * Try to create the same cgroup in all hierarchies. Start with cgroup_pattern;
1043 * next cgroup_pattern-1, -2, ..., -999.
1045 __cgfsng_ops
static bool cgfsng_payload_create(struct cgroup_ops
*ops
, struct lxc_handler
*handler
)
1047 __do_free
char *container_cgroup
= NULL
, *__limit_cgroup
= NULL
;
1052 char *suffix
= NULL
;
1053 struct lxc_conf
*conf
;
1056 return ret_set_errno(false, ENOENT
);
1058 if (!ops
->hierarchies
)
1061 if (ops
->container_cgroup
|| ops
->container_limit_cgroup
)
1062 return ret_set_errno(false, EEXIST
);
1064 if (!handler
|| !handler
->conf
)
1065 return ret_set_errno(false, EINVAL
);
1067 conf
= handler
->conf
;
1069 if (!check_cgroup_dir_config(conf
))
1072 if (conf
->cgroup_meta
.container_dir
) {
1073 __limit_cgroup
= strdup(conf
->cgroup_meta
.container_dir
);
1074 if (!__limit_cgroup
)
1075 return ret_set_errno(false, ENOMEM
);
1077 if (conf
->cgroup_meta
.namespace_dir
) {
1078 container_cgroup
= must_make_path(__limit_cgroup
,
1079 conf
->cgroup_meta
.namespace_dir
,
1081 limit_cgroup
= __limit_cgroup
;
1083 /* explicit paths but without isolation */
1084 limit_cgroup
= move_ptr(__limit_cgroup
);
1085 container_cgroup
= limit_cgroup
;
1087 } else if (conf
->cgroup_meta
.dir
) {
1088 limit_cgroup
= must_concat(&len
, conf
->cgroup_meta
.dir
, "/",
1089 DEFAULT_PAYLOAD_CGROUP_PREFIX
,
1091 CGROUP_CREATE_RETRY
, NULL
);
1092 container_cgroup
= limit_cgroup
;
1093 } else if (ops
->cgroup_pattern
) {
1094 __do_free
char *cgroup_tree
= NULL
;
1096 cgroup_tree
= lxc_string_replace("%n", handler
->name
, ops
->cgroup_pattern
);
1098 return ret_set_errno(false, ENOMEM
);
1100 limit_cgroup
= must_concat(&len
, cgroup_tree
, "/",
1101 DEFAULT_PAYLOAD_CGROUP
,
1102 CGROUP_CREATE_RETRY
, NULL
);
1103 container_cgroup
= limit_cgroup
;
1105 limit_cgroup
= must_concat(&len
, DEFAULT_PAYLOAD_CGROUP_PREFIX
,
1107 CGROUP_CREATE_RETRY
, NULL
);
1108 container_cgroup
= limit_cgroup
;
1111 return ret_set_errno(false, ENOMEM
);
1113 if (!conf
->cgroup_meta
.container_dir
) {
1114 suffix
= container_cgroup
+ len
- CGROUP_CREATE_RETRY_LEN
;
1119 sprintf(suffix
, "-%d", idx
);
1121 for (i
= 0; ops
->hierarchies
[i
]; i
++) {
1122 if (cgroup_tree_create(ops
, handler
->conf
,
1123 ops
->hierarchies
[i
], limit_cgroup
,
1124 conf
->cgroup_meta
.namespace_dir
,
1128 DEBUG("Failed to create cgroup \"%s\"", ops
->hierarchies
[i
]->path_con
?: "(null)");
1129 for (int j
= 0; j
<= i
; j
++)
1130 cgroup_tree_prune_leaf(ops
->hierarchies
[j
],
1131 limit_cgroup
, true);
1136 } while (ops
->hierarchies
[i
] && idx
> 0 && idx
< 1000 && suffix
);
1138 if (idx
== 1000 || (!suffix
&& idx
!= 0))
1139 return log_error_errno(false, ERANGE
, "Failed to create container cgroup");
1141 ops
->container_cgroup
= move_ptr(container_cgroup
);
1143 ops
->container_limit_cgroup
= move_ptr(__limit_cgroup
);
1145 ops
->container_limit_cgroup
= ops
->container_cgroup
;
1146 INFO("The container process uses \"%s\" as inner and \"%s\" as limit cgroup",
1147 ops
->container_cgroup
, ops
->container_limit_cgroup
);
1151 __cgfsng_ops
static bool cgfsng_monitor_enter(struct cgroup_ops
*ops
,
1152 struct lxc_handler
*handler
)
1154 int monitor_len
, transient_len
= 0;
1155 char monitor
[INTTYPE_TO_STRLEN(pid_t
)],
1156 transient
[INTTYPE_TO_STRLEN(pid_t
)];
1159 return ret_set_errno(false, ENOENT
);
1161 if (!ops
->hierarchies
)
1164 if (!ops
->monitor_cgroup
)
1165 return ret_set_errno(false, ENOENT
);
1167 if (!handler
|| !handler
->conf
)
1168 return ret_set_errno(false, EINVAL
);
1170 monitor_len
= strnprintf(monitor
, sizeof(monitor
), "%d", handler
->monitor_pid
);
1171 if (monitor_len
< 0)
1174 if (handler
->transient_pid
> 0) {
1175 transient_len
= strnprintf(transient
, sizeof(transient
), "%d", handler
->transient_pid
);
1176 if (transient_len
< 0)
1180 for (int i
= 0; ops
->hierarchies
[i
]; i
++) {
1181 struct hierarchy
*h
= ops
->hierarchies
[i
];
1184 ret
= lxc_writeat(h
->dfd_mon
, "cgroup.procs", monitor
, monitor_len
);
1186 return log_error_errno(false, errno
, "Failed to enter cgroup %d", h
->dfd_mon
);
1188 TRACE("Moved monitor into cgroup %d", h
->dfd_mon
);
1190 if (handler
->transient_pid
<= 0)
1193 ret
= lxc_writeat(h
->dfd_mon
, "cgroup.procs", transient
, transient_len
);
1195 return log_error_errno(false, errno
, "Failed to enter cgroup %d", h
->dfd_mon
);
1197 TRACE("Moved transient process into cgroup %d", h
->dfd_mon
);
1200 * we don't keep the fds for non-unified hierarchies around
1201 * mainly because we don't make use of them anymore after the
1202 * core cgroup setup is done but also because there are quite a
1205 if (!is_unified_hierarchy(h
))
1206 close_prot_errno_disarm(h
->dfd_mon
);
1208 handler
->transient_pid
= -1;
1213 __cgfsng_ops
static bool cgfsng_payload_enter(struct cgroup_ops
*ops
,
1214 struct lxc_handler
*handler
)
1217 char pidstr
[INTTYPE_TO_STRLEN(pid_t
)];
1220 return ret_set_errno(false, ENOENT
);
1222 if (!ops
->hierarchies
)
1225 if (!ops
->container_cgroup
)
1226 return ret_set_errno(false, ENOENT
);
1228 if (!handler
|| !handler
->conf
)
1229 return ret_set_errno(false, EINVAL
);
1231 len
= strnprintf(pidstr
, sizeof(pidstr
), "%d", handler
->pid
);
1235 for (int i
= 0; ops
->hierarchies
[i
]; i
++) {
1236 struct hierarchy
*h
= ops
->hierarchies
[i
];
1239 if (is_unified_hierarchy(h
) &&
1240 (handler
->clone_flags
& CLONE_INTO_CGROUP
))
1243 ret
= lxc_writeat(h
->dfd_con
, "cgroup.procs", pidstr
, len
);
1245 return log_error_errno(false, errno
, "Failed to enter cgroup \"%s\"", h
->path_con
);
1247 TRACE("Moved container into %s cgroup via %d", h
->path_con
, h
->dfd_con
);
1253 static int fchowmodat(int dirfd
, const char *path
, uid_t chown_uid
,
1254 gid_t chown_gid
, mode_t chmod_mode
)
1258 ret
= fchownat(dirfd
, path
, chown_uid
, chown_gid
,
1259 AT_EMPTY_PATH
| AT_SYMLINK_NOFOLLOW
);
1261 return log_warn_errno(-1,
1262 errno
, "Failed to fchownat(%d, %s, %d, %d, AT_EMPTY_PATH | AT_SYMLINK_NOFOLLOW )",
1263 dirfd
, path
, (int)chown_uid
,
1266 ret
= fchmodat(dirfd
, (*path
!= '\0') ? path
: ".", chmod_mode
, 0);
1268 return log_warn_errno(-1, errno
, "Failed to fchmodat(%d, %s, %d, AT_SYMLINK_NOFOLLOW)",
1269 dirfd
, path
, (int)chmod_mode
);
1274 /* chgrp the container cgroups to container group. We leave
1275 * the container owner as cgroup owner. So we must make the
1276 * directories 775 so that the container can create sub-cgroups.
1278 * Also chown the tasks and cgroup.procs files. Those may not
1279 * exist depending on kernel version.
1281 static int chown_cgroup_wrapper(void *data
)
1285 struct generic_userns_exec_data
*arg
= data
;
1286 uid_t nsuid
= (arg
->conf
->root_nsuid_map
!= NULL
) ? 0 : arg
->conf
->init_uid
;
1287 gid_t nsgid
= (arg
->conf
->root_nsgid_map
!= NULL
) ? 0 : arg
->conf
->init_gid
;
1289 if (!lxc_drop_groups() && errno
!= EPERM
)
1290 return log_error_errno(-1, errno
, "Failed to setgroups(0, NULL)");
1292 ret
= setresgid(nsgid
, nsgid
, nsgid
);
1294 return log_error_errno(-1, errno
, "Failed to setresgid(%d, %d, %d)",
1295 (int)nsgid
, (int)nsgid
, (int)nsgid
);
1297 ret
= setresuid(nsuid
, nsuid
, nsuid
);
1299 return log_error_errno(-1, errno
, "Failed to setresuid(%d, %d, %d)",
1300 (int)nsuid
, (int)nsuid
, (int)nsuid
);
1302 destuid
= get_ns_uid(arg
->origuid
);
1303 if (destuid
== LXC_INVALID_UID
)
1306 for (int i
= 0; arg
->hierarchies
[i
]; i
++) {
1307 int dirfd
= arg
->hierarchies
[i
]->dfd_con
;
1310 return syserrno_set(-EBADF
, "Invalid cgroup file descriptor");
1312 (void)fchowmodat(dirfd
, "", destuid
, nsgid
, 0775);
1315 * Failures to chown() these are inconvenient but not
1316 * detrimental We leave these owned by the container launcher,
1317 * so that container root can write to the files to attach. We
1318 * chmod() them 664 so that container systemd can write to the
1319 * files (which systemd in wily insists on doing).
1322 if (arg
->hierarchies
[i
]->fs_type
== LEGACY_HIERARCHY
)
1323 (void)fchowmodat(dirfd
, "tasks", destuid
, nsgid
, 0664);
1325 (void)fchowmodat(dirfd
, "cgroup.procs", destuid
, nsgid
, 0664);
1327 if (arg
->hierarchies
[i
]->fs_type
!= UNIFIED_HIERARCHY
)
1330 for (char **p
= arg
->hierarchies
[i
]->delegate
; p
&& *p
; p
++)
1331 (void)fchowmodat(dirfd
, *p
, destuid
, nsgid
, 0664);
1337 __cgfsng_ops
static bool cgfsng_chown(struct cgroup_ops
*ops
,
1338 struct lxc_conf
*conf
)
1340 struct generic_userns_exec_data wrap
;
1343 return ret_set_errno(false, ENOENT
);
1345 if (!ops
->hierarchies
)
1348 if (!ops
->container_cgroup
)
1349 return ret_set_errno(false, ENOENT
);
1352 return ret_set_errno(false, EINVAL
);
1354 if (lxc_list_empty(&conf
->id_map
))
1357 wrap
.origuid
= geteuid();
1359 wrap
.hierarchies
= ops
->hierarchies
;
1362 if (userns_exec_1(conf
, chown_cgroup_wrapper
, &wrap
, "chown_cgroup_wrapper") < 0)
1363 return log_error_errno(false, errno
, "Error requesting cgroup chown in new user namespace");
1368 __cgfsng_ops
static void cgfsng_finalize(struct cgroup_ops
*ops
)
1373 if (!ops
->hierarchies
)
1376 for (int i
= 0; ops
->hierarchies
[i
]; i
++) {
1377 struct hierarchy
*h
= ops
->hierarchies
[i
];
1379 /* Close all monitor cgroup file descriptors. */
1380 close_prot_errno_disarm(h
->dfd_mon
);
1382 /* Close the cgroup root file descriptor. */
1383 close_prot_errno_disarm(ops
->dfd_mnt
);
1386 * The checking for freezer support should obviously be done at cgroup
1387 * initialization time but that doesn't work reliable. The freezer
1388 * controller has been demoted (rightly so) to a simple file located in
1389 * each non-root cgroup. At the time when the container is created we
1390 * might still be located in /sys/fs/cgroup and so checking for
1391 * cgroup.freeze won't tell us anything because this file doesn't exist
1392 * in the root cgroup. We could then iterate through /sys/fs/cgroup and
1393 * find an already existing cgroup and then check within that cgroup
1394 * for the existence of cgroup.freeze but that will only work on
1395 * systemd based hosts. Other init systems might not manage cgroups and
1396 * so no cgroup will exist. So we defer until we have created cgroups
1397 * for our container which means we check here.
1399 if (pure_unified_layout(ops
) &&
1400 !faccessat(ops
->unified
->dfd_con
, "cgroup.freeze", F_OK
,
1401 AT_SYMLINK_NOFOLLOW
)) {
1402 TRACE("Unified hierarchy supports freezer");
1403 ops
->unified
->utilities
|= FREEZER_CONTROLLER
;
1407 /* cgroup-full:* is done, no need to create subdirs */
1408 static inline bool cg_mount_needs_subdirs(int cgroup_automount_type
)
1410 switch (cgroup_automount_type
) {
1411 case LXC_AUTO_CGROUP_RO
:
1413 case LXC_AUTO_CGROUP_RW
:
1415 case LXC_AUTO_CGROUP_MIXED
:
1422 /* After $rootfs/sys/fs/container/controller/the/cg/path has been created,
1423 * remount controller ro if needed and bindmount the cgroupfs onto
1424 * control/the/cg/path.
1426 static int cg_legacy_mount_controllers(int cgroup_automount_type
, struct hierarchy
*h
,
1427 char *hierarchy_mnt
, char *cgpath
,
1428 const char *container_cgroup
)
1430 __do_free
char *sourcepath
= NULL
;
1431 int ret
, remount_flags
;
1432 int flags
= MS_BIND
;
1434 if ((cgroup_automount_type
== LXC_AUTO_CGROUP_RO
) ||
1435 (cgroup_automount_type
== LXC_AUTO_CGROUP_MIXED
)) {
1436 ret
= mount(hierarchy_mnt
, hierarchy_mnt
, "cgroup", MS_BIND
, NULL
);
1438 return log_error_errno(-1, errno
, "Failed to bind mount \"%s\" onto \"%s\"",
1439 hierarchy_mnt
, hierarchy_mnt
);
1441 remount_flags
= add_required_remount_flags(hierarchy_mnt
,
1443 flags
| MS_REMOUNT
);
1444 ret
= mount(hierarchy_mnt
, hierarchy_mnt
, "cgroup",
1445 remount_flags
| MS_REMOUNT
| MS_BIND
| MS_RDONLY
,
1448 return log_error_errno(-1, errno
, "Failed to remount \"%s\" ro", hierarchy_mnt
);
1450 INFO("Remounted %s read-only", hierarchy_mnt
);
1453 sourcepath
= make_cgroup_path(h
, h
->at_base
, container_cgroup
, NULL
);
1454 if (cgroup_automount_type
== LXC_AUTO_CGROUP_RO
)
1457 ret
= mount(sourcepath
, cgpath
, "cgroup", flags
, NULL
);
1459 return log_error_errno(-1, errno
, "Failed to mount \"%s\" onto \"%s\"",
1460 h
->controllers
[0], cgpath
);
1461 INFO("Mounted \"%s\" onto \"%s\"", h
->controllers
[0], cgpath
);
1463 if (flags
& MS_RDONLY
) {
1464 remount_flags
= add_required_remount_flags(sourcepath
, cgpath
,
1465 flags
| MS_REMOUNT
);
1466 ret
= mount(sourcepath
, cgpath
, "cgroup", remount_flags
, NULL
);
1468 return log_error_errno(-1, errno
, "Failed to remount \"%s\" ro", cgpath
);
1469 INFO("Remounted %s read-only", cgpath
);
1472 INFO("Completed second stage cgroup automounts for \"%s\"", cgpath
);
1478 * Mount cgroup hierarchies directly without using bind-mounts. The main
1479 * uses-cases are mounting cgroup hierarchies in cgroup namespaces and mounting
1480 * cgroups for the LXC_AUTO_CGROUP_FULL option.
1482 static int __cgroupfs_mount(int cgroup_automount_type
, struct hierarchy
*h
,
1483 struct lxc_rootfs
*rootfs
, int dfd_mnt_cgroupfs
,
1484 const char *hierarchy_mnt
)
1486 __do_close
int fd_fs
= -EBADF
;
1487 unsigned int flags
= 0;
1491 if (dfd_mnt_cgroupfs
< 0)
1492 return ret_errno(EINVAL
);
1494 flags
|= MOUNT_ATTR_NOSUID
;
1495 flags
|= MOUNT_ATTR_NOEXEC
;
1496 flags
|= MOUNT_ATTR_NODEV
;
1497 flags
|= MOUNT_ATTR_RELATIME
;
1499 if ((cgroup_automount_type
== LXC_AUTO_CGROUP_RO
) ||
1500 (cgroup_automount_type
== LXC_AUTO_CGROUP_FULL_RO
))
1501 flags
|= MOUNT_ATTR_RDONLY
;
1503 if (is_unified_hierarchy(h
))
1508 if (can_use_mount_api()) {
1509 fd_fs
= fs_prepare(fstype
, -EBADF
, "", 0, 0);
1511 return log_error_errno(-errno
, errno
, "Failed to prepare filesystem context for %s", fstype
);
1513 if (!is_unified_hierarchy(h
)) {
1514 for (const char **it
= (const char **)h
->controllers
; it
&& *it
; it
++) {
1515 if (strnequal(*it
, "name=", STRLITERALLEN("name=")))
1516 ret
= fs_set_property(fd_fs
, "name", *it
+ STRLITERALLEN("name="));
1518 ret
= fs_set_property(fd_fs
, *it
, "");
1520 return log_error_errno(-errno
, errno
, "Failed to add %s controller to cgroup filesystem context %d(dev)", *it
, fd_fs
);
1524 ret
= fs_attach(fd_fs
, dfd_mnt_cgroupfs
, hierarchy_mnt
,
1525 PROTECT_OPATH_DIRECTORY
, PROTECT_LOOKUP_BENEATH
,
1528 __do_free
char *controllers
= NULL
, *target
= NULL
;
1529 unsigned int old_flags
= 0;
1530 const char *rootfs_mnt
;
1532 if (!is_unified_hierarchy(h
)) {
1533 controllers
= lxc_string_join(",", (const char **)h
->controllers
, false);
1535 return ret_errno(ENOMEM
);
1538 rootfs_mnt
= get_rootfs_mnt(rootfs
);
1539 ret
= mnt_attributes_old(flags
, &old_flags
);
1541 return log_error_errno(-EINVAL
, EINVAL
, "Unsupported mount properties specified");
1543 target
= must_make_path(rootfs_mnt
, DEFAULT_CGROUP_MOUNTPOINT
, hierarchy_mnt
, NULL
);
1544 ret
= safe_mount(NULL
, target
, fstype
, old_flags
, controllers
, rootfs_mnt
);
1547 return log_error_errno(ret
, errno
, "Failed to mount %s filesystem onto %d(%s)",
1548 fstype
, dfd_mnt_cgroupfs
, maybe_empty(hierarchy_mnt
));
1550 DEBUG("Mounted cgroup filesystem %s onto %d(%s)",
1551 fstype
, dfd_mnt_cgroupfs
, maybe_empty(hierarchy_mnt
));
1555 static inline int cgroupfs_mount(int cgroup_automount_type
, struct hierarchy
*h
,
1556 struct lxc_rootfs
*rootfs
,
1557 int dfd_mnt_cgroupfs
, const char *hierarchy_mnt
)
1559 return __cgroupfs_mount(cgroup_automount_type
, h
, rootfs
,
1560 dfd_mnt_cgroupfs
, hierarchy_mnt
);
1563 static inline int cgroupfs_bind_mount(int cgroup_automount_type
, struct hierarchy
*h
,
1564 struct lxc_rootfs
*rootfs
,
1565 int dfd_mnt_cgroupfs
,
1566 const char *hierarchy_mnt
)
1568 switch (cgroup_automount_type
) {
1569 case LXC_AUTO_CGROUP_FULL_RO
:
1571 case LXC_AUTO_CGROUP_FULL_RW
:
1573 case LXC_AUTO_CGROUP_FULL_MIXED
:
1579 return __cgroupfs_mount(cgroup_automount_type
, h
, rootfs
,
1580 dfd_mnt_cgroupfs
, hierarchy_mnt
);
1583 __cgfsng_ops
static bool cgfsng_mount(struct cgroup_ops
*ops
,
1584 struct lxc_handler
*handler
, int cg_flags
)
1586 __do_close
int dfd_mnt_tmpfs
= -EBADF
, fd_fs
= -EBADF
;
1587 __do_free
char *cgroup_root
= NULL
;
1588 int cgroup_automount_type
;
1589 bool in_cgroup_ns
= false, wants_force_mount
= false;
1590 struct lxc_conf
*conf
= handler
->conf
;
1591 struct lxc_rootfs
*rootfs
= &conf
->rootfs
;
1592 const char *rootfs_mnt
= get_rootfs_mnt(rootfs
);
1596 return ret_set_errno(false, ENOENT
);
1598 if (!ops
->hierarchies
)
1602 return ret_set_errno(false, EINVAL
);
1604 if ((cg_flags
& LXC_AUTO_CGROUP_MASK
) == 0)
1605 return log_trace(true, "No cgroup mounts requested");
1607 if (cg_flags
& LXC_AUTO_CGROUP_FORCE
) {
1608 cg_flags
&= ~LXC_AUTO_CGROUP_FORCE
;
1609 wants_force_mount
= true;
1613 case LXC_AUTO_CGROUP_RO
:
1614 TRACE("Read-only cgroup mounts requested");
1616 case LXC_AUTO_CGROUP_RW
:
1617 TRACE("Read-write cgroup mounts requested");
1619 case LXC_AUTO_CGROUP_MIXED
:
1620 TRACE("Mixed cgroup mounts requested");
1622 case LXC_AUTO_CGROUP_FULL_RO
:
1623 TRACE("Full read-only cgroup mounts requested");
1625 case LXC_AUTO_CGROUP_FULL_RW
:
1626 TRACE("Full read-write cgroup mounts requested");
1628 case LXC_AUTO_CGROUP_FULL_MIXED
:
1629 TRACE("Full mixed cgroup mounts requested");
1632 return log_error_errno(false, EINVAL
, "Invalid cgroup mount options specified");
1634 cgroup_automount_type
= cg_flags
;
1636 if (!wants_force_mount
) {
1637 wants_force_mount
= !lxc_wants_cap(CAP_SYS_ADMIN
, conf
);
1640 * Most recent distro versions currently have init system that
1641 * do support cgroup2 but do not mount it by default unless
1642 * explicitly told so even if the host is cgroup2 only. That
1643 * means they often will fail to boot. Fix this by pre-mounting
1644 * cgroup2 by default. We will likely need to be doing this a
1645 * few years until all distros have switched over to cgroup2 at
1646 * which point we can safely assume that their init systems
1647 * will mount it themselves.
1649 if (pure_unified_layout(ops
))
1650 wants_force_mount
= true;
1653 if (cgns_supported() && container_uses_namespace(handler
, CLONE_NEWCGROUP
))
1654 in_cgroup_ns
= true;
1656 if (in_cgroup_ns
&& !wants_force_mount
)
1657 return log_trace(true, "Mounting cgroups not requested or needed");
1659 /* This is really the codepath that we want. */
1660 if (pure_unified_layout(ops
)) {
1661 __do_close
int dfd_mnt_unified
= -EBADF
;
1663 dfd_mnt_unified
= open_at(rootfs
->dfd_mnt
, DEFAULT_CGROUP_MOUNTPOINT_RELATIVE
,
1664 PROTECT_OPATH_DIRECTORY
, PROTECT_LOOKUP_BENEATH_XDEV
, 0);
1665 if (dfd_mnt_unified
< 0)
1666 return syserrno(-errno
, "Failed to open %d(%s)", rootfs
->dfd_mnt
,
1667 DEFAULT_CGROUP_MOUNTPOINT_RELATIVE
);
1669 * If cgroup namespaces are supported but the container will
1670 * not have CAP_SYS_ADMIN after it has started we need to mount
1671 * the cgroups manually.
1673 * Note that here we know that wants_force_mount is true.
1674 * Otherwise we would've returned early above.
1678 * 1. cgroup:rw:force -> Mount the cgroup2 filesystem.
1679 * 2. cgroup:ro:force -> Mount the cgroup2 filesystem read-only.
1680 * 3. cgroup:mixed:force -> See comment above how this
1682 * cgroup:mixed is equal to
1683 * cgroup:rw when cgroup
1684 * namespaces are supported.
1686 * 4. cgroup:rw -> No-op; init system responsible for mounting.
1687 * 5. cgroup:ro -> No-op; init system responsible for mounting.
1688 * 6. cgroup:mixed -> No-op; init system responsible for mounting.
1690 * 7. cgroup-full:rw -> Not supported.
1691 * 8. cgroup-full:ro -> Not supported.
1692 * 9. cgroup-full:mixed -> Not supported.
1694 * 10. cgroup-full:rw:force -> Not supported.
1695 * 11. cgroup-full:ro:force -> Not supported.
1696 * 12. cgroup-full:mixed:force -> Not supported.
1698 ret
= cgroupfs_mount(cgroup_automount_type
, ops
->unified
, rootfs
, dfd_mnt_unified
, "");
1700 return syserrno(false, "Failed to force mount cgroup filesystem in cgroup namespace");
1702 return log_trace(true, "Force mounted cgroup filesystem in new cgroup namespace");
1705 * Either no cgroup namespace supported (highly
1706 * unlikely unless we're dealing with a Frankenkernel.
1707 * Or the user requested to keep the cgroup namespace
1708 * of the host or another container.
1710 if (wants_force_mount
) {
1712 * 1. cgroup:rw:force -> Bind-mount the cgroup2 filesystem writable.
1713 * 2. cgroup:ro:force -> Bind-mount the cgroup2 filesystem read-only.
1714 * 3. cgroup:mixed:force -> bind-mount the cgroup2 filesystem and
1715 * and make the parent directory of the
1716 * container's cgroup read-only but the
1717 * container's cgroup writable.
1719 * 10. cgroup-full:rw:force ->
1720 * 11. cgroup-full:ro:force ->
1721 * 12. cgroup-full:mixed:force ->
1724 SYSWARN("Force-mounting the unified cgroup hierarchy without cgroup namespace support is currently not supported");
1727 SYSWARN("Mounting the unified cgroup hierarchy without cgroup namespace support is currently not supported");
1731 return syserrno(false, "Failed to mount cgroups");
1735 * Mount a tmpfs over DEFAULT_CGROUP_MOUNTPOINT. Note that we're
1736 * relying on RESOLVE_BENEATH so we need to skip the leading "/" in the
1737 * DEFAULT_CGROUP_MOUNTPOINT define.
1739 if (can_use_mount_api()) {
1740 fd_fs
= fs_prepare("tmpfs", -EBADF
, "", 0, 0);
1742 return log_error_errno(-errno
, errno
, "Failed to create new filesystem context for tmpfs");
1744 ret
= fs_set_property(fd_fs
, "mode", "0755");
1746 return log_error_errno(-errno
, errno
, "Failed to mount tmpfs onto %d(dev)", fd_fs
);
1748 ret
= fs_set_property(fd_fs
, "size", "10240k");
1750 return log_error_errno(-errno
, errno
, "Failed to mount tmpfs onto %d(dev)", fd_fs
);
1752 ret
= fs_attach(fd_fs
, rootfs
->dfd_mnt
, DEFAULT_CGROUP_MOUNTPOINT_RELATIVE
,
1753 PROTECT_OPATH_DIRECTORY
, PROTECT_LOOKUP_BENEATH_XDEV
,
1754 MOUNT_ATTR_NOSUID
| MOUNT_ATTR_NODEV
|
1755 MOUNT_ATTR_NOEXEC
| MOUNT_ATTR_RELATIME
);
1757 cgroup_root
= must_make_path(rootfs_mnt
, DEFAULT_CGROUP_MOUNTPOINT
, NULL
);
1758 ret
= safe_mount(NULL
, cgroup_root
, "tmpfs",
1759 MS_NOSUID
| MS_NODEV
| MS_NOEXEC
| MS_RELATIME
,
1760 "size=10240k,mode=755", rootfs_mnt
);
1763 return log_error_errno(false, errno
, "Failed to mount tmpfs on %s",
1764 DEFAULT_CGROUP_MOUNTPOINT_RELATIVE
);
1766 dfd_mnt_tmpfs
= open_at(rootfs
->dfd_mnt
, DEFAULT_CGROUP_MOUNTPOINT_RELATIVE
,
1767 PROTECT_OPATH_DIRECTORY
, PROTECT_LOOKUP_BENEATH_XDEV
, 0);
1768 if (dfd_mnt_tmpfs
< 0)
1769 return syserrno(-errno
, "Failed to open %d(%s)", rootfs
->dfd_mnt
,
1770 DEFAULT_CGROUP_MOUNTPOINT_RELATIVE
);
1772 for (int i
= 0; ops
->hierarchies
[i
]; i
++) {
1773 __do_free
char *hierarchy_mnt
= NULL
, *path2
= NULL
;
1774 struct hierarchy
*h
= ops
->hierarchies
[i
];
1776 ret
= mkdirat(dfd_mnt_tmpfs
, h
->at_mnt
, 0000);
1778 return syserrno(false, "Failed to create cgroup at_mnt %d(%s)", dfd_mnt_tmpfs
, h
->at_mnt
);
1780 if (in_cgroup_ns
&& wants_force_mount
) {
1782 * If cgroup namespaces are supported but the container
1783 * will not have CAP_SYS_ADMIN after it has started we
1784 * need to mount the cgroups manually.
1786 ret
= cgroupfs_mount(cgroup_automount_type
, h
, rootfs
,
1787 dfd_mnt_tmpfs
, h
->at_mnt
);
1794 /* Here is where the ancient kernel section begins. */
1795 ret
= cgroupfs_bind_mount(cgroup_automount_type
, h
, rootfs
,
1796 dfd_mnt_tmpfs
, h
->at_mnt
);
1800 if (!cg_mount_needs_subdirs(cgroup_automount_type
))
1804 cgroup_root
= must_make_path(rootfs_mnt
, DEFAULT_CGROUP_MOUNTPOINT
, NULL
);
1806 hierarchy_mnt
= must_make_path(cgroup_root
, h
->at_mnt
, NULL
);
1807 path2
= must_make_path(hierarchy_mnt
, h
->at_base
,
1808 ops
->container_cgroup
, NULL
);
1809 ret
= mkdir_p(path2
, 0755);
1810 if (ret
< 0 && (errno
!= EEXIST
))
1813 ret
= cg_legacy_mount_controllers(cgroup_automount_type
, h
,
1814 hierarchy_mnt
, path2
,
1815 ops
->container_cgroup
);
1823 /* Only root needs to escape to the cgroup of its init. */
1824 __cgfsng_ops
static bool cgfsng_criu_escape(const struct cgroup_ops
*ops
,
1825 struct lxc_conf
*conf
)
1828 return ret_set_errno(false, ENOENT
);
1830 if (!ops
->hierarchies
)
1834 return ret_set_errno(false, EINVAL
);
1836 if (conf
->cgroup_meta
.relative
|| geteuid())
1839 for (int i
= 0; ops
->hierarchies
[i
]; i
++) {
1840 __do_free
char *fullpath
= NULL
;
1843 fullpath
= make_cgroup_path(ops
->hierarchies
[i
],
1844 ops
->hierarchies
[i
]->at_base
,
1845 "cgroup.procs", NULL
);
1846 ret
= lxc_write_to_file(fullpath
, "0", 2, false, 0666);
1848 return log_error_errno(false, errno
, "Failed to escape to cgroup \"%s\"", fullpath
);
1854 __cgfsng_ops
static int cgfsng_criu_num_hierarchies(struct cgroup_ops
*ops
)
1859 return ret_set_errno(-1, ENOENT
);
1861 if (!ops
->hierarchies
)
1864 for (; ops
->hierarchies
[i
]; i
++)
1870 __cgfsng_ops
static bool cgfsng_criu_get_hierarchies(struct cgroup_ops
*ops
,
1876 return ret_set_errno(false, ENOENT
);
1878 if (!ops
->hierarchies
)
1879 return ret_set_errno(false, ENOENT
);
1881 /* sanity check n */
1882 for (i
= 0; i
< n
; i
++)
1883 if (!ops
->hierarchies
[i
])
1884 return ret_set_errno(false, ENOENT
);
1886 *out
= ops
->hierarchies
[i
]->controllers
;
1891 static int cg_legacy_freeze(struct cgroup_ops
*ops
)
1893 struct hierarchy
*h
;
1895 h
= get_hierarchy(ops
, "freezer");
1897 return ret_set_errno(-1, ENOENT
);
1899 return lxc_write_openat(h
->path_con
, "freezer.state",
1900 "FROZEN", STRLITERALLEN("FROZEN"));
1903 static int freezer_cgroup_events_cb(int fd
, uint32_t events
, void *cbdata
,
1904 struct lxc_epoll_descr
*descr
)
1906 __do_free
char *line
= NULL
;
1907 __do_fclose
FILE *f
= NULL
;
1908 int state
= PTR_TO_INT(cbdata
);
1910 const char *state_string
;
1912 f
= fdopen_at(fd
, "", "re", PROTECT_OPEN
, PROTECT_LOOKUP_BENEATH
);
1914 return LXC_MAINLOOP_ERROR
;
1917 state_string
= "frozen 1";
1919 state_string
= "frozen 0";
1921 while (getline(&line
, &len
, f
) != -1)
1922 if (strnequal(line
, state_string
, STRLITERALLEN("frozen") + 2))
1923 return LXC_MAINLOOP_CLOSE
;
1927 return LXC_MAINLOOP_CONTINUE
;
1930 static int cg_unified_freeze_do(struct cgroup_ops
*ops
, int timeout
,
1931 const char *state_string
,
1933 const char *epoll_error
,
1934 const char *wait_error
)
1936 __do_close
int fd
= -EBADF
;
1937 call_cleaner(lxc_mainloop_close
) struct lxc_epoll_descr
*descr_ptr
= NULL
;
1939 struct lxc_epoll_descr descr
;
1940 struct hierarchy
*h
;
1944 return ret_set_errno(-1, ENOENT
);
1947 return ret_set_errno(-1, EEXIST
);
1950 __do_free
char *events_file
= NULL
;
1952 events_file
= must_make_path(h
->path_con
, "cgroup.events", NULL
);
1953 fd
= open(events_file
, O_RDONLY
| O_CLOEXEC
);
1955 return log_error_errno(-1, errno
, "Failed to open cgroup.events file");
1957 ret
= lxc_mainloop_open(&descr
);
1959 return log_error_errno(-1, errno
, "%s", epoll_error
);
1961 /* automatically cleaned up now */
1964 ret
= lxc_mainloop_add_handler_events(&descr
, fd
, EPOLLPRI
, freezer_cgroup_events_cb
, INT_TO_PTR(state_num
));
1966 return log_error_errno(-1, errno
, "Failed to add cgroup.events fd handler to mainloop");
1969 ret
= lxc_write_openat(h
->path_con
, "cgroup.freeze", state_string
, 1);
1971 return log_error_errno(-1, errno
, "Failed to open cgroup.freeze file");
1973 if (timeout
!= 0 && lxc_mainloop(&descr
, timeout
))
1974 return log_error_errno(-1, errno
, "%s", wait_error
);
1979 static int cg_unified_freeze(struct cgroup_ops
*ops
, int timeout
)
1981 return cg_unified_freeze_do(ops
, timeout
, "1", 1,
1982 "Failed to create epoll instance to wait for container freeze",
1983 "Failed to wait for container to be frozen");
1986 __cgfsng_ops
static int cgfsng_freeze(struct cgroup_ops
*ops
, int timeout
)
1988 if (!ops
->hierarchies
)
1989 return ret_set_errno(-1, ENOENT
);
1991 if (ops
->cgroup_layout
!= CGROUP_LAYOUT_UNIFIED
)
1992 return cg_legacy_freeze(ops
);
1994 return cg_unified_freeze(ops
, timeout
);
1997 static int cg_legacy_unfreeze(struct cgroup_ops
*ops
)
1999 struct hierarchy
*h
;
2001 h
= get_hierarchy(ops
, "freezer");
2003 return ret_set_errno(-1, ENOENT
);
2005 return lxc_write_openat(h
->path_con
, "freezer.state",
2006 "THAWED", STRLITERALLEN("THAWED"));
2009 static int cg_unified_unfreeze(struct cgroup_ops
*ops
, int timeout
)
2011 return cg_unified_freeze_do(ops
, timeout
, "0", 0,
2012 "Failed to create epoll instance to wait for container unfreeze",
2013 "Failed to wait for container to be unfrozen");
2016 __cgfsng_ops
static int cgfsng_unfreeze(struct cgroup_ops
*ops
, int timeout
)
2018 if (!ops
->hierarchies
)
2019 return ret_set_errno(-1, ENOENT
);
2021 if (ops
->cgroup_layout
!= CGROUP_LAYOUT_UNIFIED
)
2022 return cg_legacy_unfreeze(ops
);
2024 return cg_unified_unfreeze(ops
, timeout
);
2027 static const char *cgfsng_get_cgroup_do(struct cgroup_ops
*ops
,
2028 const char *controller
, bool limiting
)
2030 struct hierarchy
*h
;
2034 h
= get_hierarchy(ops
, controller
);
2036 return log_warn_errno(NULL
, ENOENT
,
2037 "Failed to find hierarchy for controller \"%s\"", maybe_empty(controller
));
2046 len
= strlen(h
->at_mnt
);
2047 if (!strnequal(h
->at_mnt
, DEFAULT_CGROUP_MOUNTPOINT
,
2048 STRLITERALLEN(DEFAULT_CGROUP_MOUNTPOINT
))) {
2049 path
+= STRLITERALLEN(DEFAULT_CGROUP_MOUNTPOINT
);
2050 path
+= strspn(path
, "/");
2055 __cgfsng_ops
static const char *cgfsng_get_cgroup(struct cgroup_ops
*ops
,
2056 const char *controller
)
2058 return cgfsng_get_cgroup_do(ops
, controller
, false);
2061 __cgfsng_ops
static const char *cgfsng_get_limit_cgroup(struct cgroup_ops
*ops
,
2062 const char *controller
)
2064 return cgfsng_get_cgroup_do(ops
, controller
, true);
2067 /* Given a cgroup path returned from lxc_cmd_get_cgroup_path, build a full path,
2068 * which must be freed by the caller.
2070 static inline char *build_full_cgpath_from_monitorpath(struct hierarchy
*h
,
2072 const char *filename
)
2074 return make_cgroup_path(h
, inpath
, filename
, NULL
);
2077 static int cgroup_attach_leaf(const struct lxc_conf
*conf
, int unified_fd
, pid_t pid
)
2081 char pidstr
[INTTYPE_TO_STRLEN(int64_t) + 1];
2084 /* Create leaf cgroup. */
2085 ret
= mkdirat(unified_fd
, ".lxc", 0755);
2086 if (ret
< 0 && errno
!= EEXIST
)
2087 return log_error_errno(-errno
, errno
, "Failed to create leaf cgroup \".lxc\"");
2089 pidstr_len
= strnprintf(pidstr
, sizeof(pidstr
), INT64_FMT
, (int64_t)pid
);
2093 ret
= lxc_writeat(unified_fd
, ".lxc/cgroup.procs", pidstr
, pidstr_len
);
2095 ret
= lxc_writeat(unified_fd
, "cgroup.procs", pidstr
, pidstr_len
);
2097 return log_trace(0, "Moved process %s into cgroup %d(.lxc)", pidstr
, unified_fd
);
2099 /* this is a non-leaf node */
2101 return log_error_errno(-errno
, errno
, "Failed to attach to unified cgroup");
2105 char attach_cgroup
[STRLITERALLEN(".lxc-/cgroup.procs") + INTTYPE_TO_STRLEN(int) + 1];
2106 char *slash
= attach_cgroup
;
2108 ret
= strnprintf(attach_cgroup
, sizeof(attach_cgroup
), ".lxc-%d/cgroup.procs", idx
);
2113 * This shouldn't really happen but the compiler might complain
2114 * that a short write would cause a buffer overrun. So be on
2117 if (ret
< STRLITERALLEN(".lxc-/cgroup.procs"))
2118 return log_error_errno(-EINVAL
, EINVAL
, "Unexpected short write would cause buffer-overrun");
2120 slash
+= (ret
- STRLITERALLEN("/cgroup.procs"));
2123 ret
= mkdirat(unified_fd
, attach_cgroup
, 0755);
2124 if (ret
< 0 && errno
!= EEXIST
)
2125 return log_error_errno(-1, errno
, "Failed to create cgroup %s", attach_cgroup
);
2131 ret
= lxc_writeat(unified_fd
, attach_cgroup
, pidstr
, pidstr_len
);
2133 return log_trace(0, "Moved process %s into cgroup %d(%s)", pidstr
, unified_fd
, attach_cgroup
);
2135 if (rm
&& unlinkat(unified_fd
, attach_cgroup
, AT_REMOVEDIR
))
2136 SYSERROR("Failed to remove cgroup \"%d(%s)\"", unified_fd
, attach_cgroup
);
2138 /* this is a non-leaf node */
2140 return log_error_errno(-1, errno
, "Failed to attach to unified cgroup");
2143 } while (idx
< 1000);
2145 return log_error_errno(-1, errno
, "Failed to attach to unified cgroup");
2148 static int cgroup_attach_create_leaf(const struct lxc_conf
*conf
,
2149 int unified_fd
, int *sk_fd
)
2151 __do_close
int sk
= *sk_fd
, target_fd0
= -EBADF
, target_fd1
= -EBADF
;
2155 /* Create leaf cgroup. */
2156 ret
= mkdirat(unified_fd
, ".lxc", 0755);
2157 if (ret
< 0 && errno
!= EEXIST
)
2158 return log_error_errno(-1, errno
, "Failed to create leaf cgroup \".lxc\"");
2160 target_fd0
= open_at(unified_fd
, ".lxc/cgroup.procs", PROTECT_OPEN_W
, PROTECT_LOOKUP_BENEATH
, 0);
2162 return log_error_errno(-errno
, errno
, "Failed to open \".lxc/cgroup.procs\"");
2163 target_fds
[0] = target_fd0
;
2165 target_fd1
= open_at(unified_fd
, "cgroup.procs", PROTECT_OPEN_W
, PROTECT_LOOKUP_BENEATH
, 0);
2167 return log_error_errno(-errno
, errno
, "Failed to open \".lxc/cgroup.procs\"");
2168 target_fds
[1] = target_fd1
;
2170 ret
= lxc_abstract_unix_send_fds(sk
, target_fds
, 2, NULL
, 0);
2172 return log_error_errno(-errno
, errno
, "Failed to send \".lxc/cgroup.procs\" fds %d and %d",
2173 target_fd0
, target_fd1
);
2175 return log_debug(0, "Sent target cgroup fds %d and %d", target_fd0
, target_fd1
);
2178 static int cgroup_attach_move_into_leaf(const struct lxc_conf
*conf
,
2179 int *sk_fd
, pid_t pid
)
2181 __do_close
int sk
= *sk_fd
, target_fd0
= -EBADF
, target_fd1
= -EBADF
;
2183 char pidstr
[INTTYPE_TO_STRLEN(int64_t) + 1];
2187 ret
= lxc_abstract_unix_recv_two_fds(sk
, target_fds
);
2189 return log_error_errno(-1, errno
, "Failed to receive target cgroup fd");
2190 target_fd0
= target_fds
[0];
2191 target_fd1
= target_fds
[1];
2193 pidstr_len
= sprintf(pidstr
, INT64_FMT
, (int64_t)pid
);
2195 ret
= lxc_write_nointr(target_fd0
, pidstr
, pidstr_len
);
2196 if (ret
> 0 && ret
== pidstr_len
)
2197 return log_debug(0, "Moved process into target cgroup via fd %d", target_fd0
);
2199 ret
= lxc_write_nointr(target_fd1
, pidstr
, pidstr_len
);
2200 if (ret
> 0 && ret
== pidstr_len
)
2201 return log_debug(0, "Moved process into target cgroup via fd %d", target_fd1
);
2203 return log_debug_errno(-1, errno
, "Failed to move process into target cgroup via fd %d and %d",
2204 target_fd0
, target_fd1
);
2207 struct userns_exec_unified_attach_data
{
2208 const struct lxc_conf
*conf
;
2214 static int cgroup_unified_attach_child_wrapper(void *data
)
2216 struct userns_exec_unified_attach_data
*args
= data
;
2218 if (!args
->conf
|| args
->unified_fd
< 0 || args
->pid
<= 0 ||
2219 args
->sk_pair
[0] < 0 || args
->sk_pair
[1] < 0)
2220 return ret_errno(EINVAL
);
2222 close_prot_errno_disarm(args
->sk_pair
[0]);
2223 return cgroup_attach_create_leaf(args
->conf
, args
->unified_fd
,
2227 static int cgroup_unified_attach_parent_wrapper(void *data
)
2229 struct userns_exec_unified_attach_data
*args
= data
;
2231 if (!args
->conf
|| args
->unified_fd
< 0 || args
->pid
<= 0 ||
2232 args
->sk_pair
[0] < 0 || args
->sk_pair
[1] < 0)
2233 return ret_errno(EINVAL
);
2235 close_prot_errno_disarm(args
->sk_pair
[1]);
2236 return cgroup_attach_move_into_leaf(args
->conf
, &args
->sk_pair
[0],
2240 /* Technically, we're always at a delegation boundary here (This is especially
2241 * true when cgroup namespaces are available.). The reasoning is that in order
2242 * for us to have been able to start a container in the first place the root
2243 * cgroup must have been a leaf node. Now, either the container's init system
2244 * has populated the cgroup and kept it as a leaf node or it has created
2245 * subtrees. In the former case we will simply attach to the leaf node we
2246 * created when we started the container in the latter case we create our own
2247 * cgroup for the attaching process.
2249 static int __cg_unified_attach(const struct hierarchy
*h
,
2250 const struct lxc_conf
*conf
, const char *name
,
2251 const char *lxcpath
, pid_t pid
,
2252 const char *controller
)
2254 __do_close
int unified_fd
= -EBADF
;
2255 __do_free
char *path
= NULL
, *cgroup
= NULL
;
2258 if (!conf
|| !name
|| !lxcpath
|| pid
<= 0)
2259 return ret_errno(EINVAL
);
2261 ret
= cgroup_attach(conf
, name
, lxcpath
, pid
);
2263 return log_trace(0, "Attached to unified cgroup via command handler");
2264 if (ret
!= -ENOCGROUP2
)
2265 return log_error_errno(ret
, errno
, "Failed to attach to unified cgroup");
2267 /* Fall back to retrieving the path for the unified cgroup. */
2268 cgroup
= lxc_cmd_get_cgroup_path(name
, lxcpath
, controller
);
2273 path
= make_cgroup_path(h
, cgroup
, NULL
);
2275 unified_fd
= open(path
, O_PATH
| O_DIRECTORY
| O_CLOEXEC
);
2277 return ret_errno(EBADF
);
2279 if (!lxc_list_empty(&conf
->id_map
)) {
2280 struct userns_exec_unified_attach_data args
= {
2282 .unified_fd
= unified_fd
,
2286 ret
= socketpair(PF_LOCAL
, SOCK_STREAM
| SOCK_CLOEXEC
, 0, args
.sk_pair
);
2290 ret
= userns_exec_minimal(conf
,
2291 cgroup_unified_attach_parent_wrapper
,
2293 cgroup_unified_attach_child_wrapper
,
2296 ret
= cgroup_attach_leaf(conf
, unified_fd
, pid
);
2302 __cgfsng_ops
static bool cgfsng_attach(struct cgroup_ops
*ops
,
2303 const struct lxc_conf
*conf
,
2304 const char *name
, const char *lxcpath
,
2308 char pidstr
[INTTYPE_TO_STRLEN(pid_t
)];
2311 return ret_set_errno(false, ENOENT
);
2313 if (!ops
->hierarchies
)
2316 len
= strnprintf(pidstr
, sizeof(pidstr
), "%d", pid
);
2320 for (int i
= 0; ops
->hierarchies
[i
]; i
++) {
2321 __do_free
char *fullpath
= NULL
, *path
= NULL
;
2322 struct hierarchy
*h
= ops
->hierarchies
[i
];
2324 if (h
->fs_type
== UNIFIED_HIERARCHY
) {
2325 ret
= __cg_unified_attach(h
, conf
, name
, lxcpath
, pid
,
2333 path
= lxc_cmd_get_cgroup_path(name
, lxcpath
, h
->controllers
[0]);
2338 fullpath
= build_full_cgpath_from_monitorpath(h
, path
, "cgroup.procs");
2339 ret
= lxc_write_to_file(fullpath
, pidstr
, len
, false, 0666);
2341 return log_error_errno(false, errno
, "Failed to attach %d to %s",
2342 (int)pid
, fullpath
);
2348 /* Called externally (i.e. from 'lxc-cgroup') to query cgroup limits. Here we
2349 * don't have a cgroup_data set up, so we ask the running container through the
2350 * commands API for the cgroup path.
2352 __cgfsng_ops
static int cgfsng_get(struct cgroup_ops
*ops
, const char *filename
,
2353 char *value
, size_t len
, const char *name
,
2354 const char *lxcpath
)
2356 __do_free
char *path
= NULL
;
2357 __do_free
char *controller
= NULL
;
2359 struct hierarchy
*h
;
2363 return ret_set_errno(-1, ENOENT
);
2365 controller
= strdup(filename
);
2367 return ret_errno(ENOMEM
);
2369 p
= strchr(controller
, '.');
2373 path
= lxc_cmd_get_limit_cgroup_path(name
, lxcpath
, controller
);
2378 h
= get_hierarchy(ops
, controller
);
2380 __do_free
char *fullpath
= NULL
;
2382 fullpath
= build_full_cgpath_from_monitorpath(h
, path
, filename
);
2383 ret
= lxc_read_from_file(fullpath
, value
, len
);
2389 static int device_cgroup_parse_access(struct device_item
*device
, const char *val
)
2391 for (int count
= 0; count
< 3; count
++, val
++) {
2394 device
->access
[count
] = *val
;
2397 device
->access
[count
] = *val
;
2400 device
->access
[count
] = *val
;
2407 return ret_errno(EINVAL
);
2414 static int device_cgroup_rule_parse(struct device_item
*device
, const char *key
,
2420 if (strequal("devices.allow", key
))
2421 device
->allow
= 1; /* allow the device */
2423 device
->allow
= 0; /* deny the device */
2425 if (strequal(val
, "a")) {
2439 device
->type
= *val
;
2452 } else if (isdigit(*val
)) {
2453 memset(temp
, 0, sizeof(temp
));
2454 for (count
= 0; count
< sizeof(temp
) - 1; count
++) {
2460 ret
= lxc_safe_int(temp
, &device
->major
);
2474 } else if (isdigit(*val
)) {
2475 memset(temp
, 0, sizeof(temp
));
2476 for (count
= 0; count
< sizeof(temp
) - 1; count
++) {
2482 ret
= lxc_safe_int(temp
, &device
->minor
);
2491 return device_cgroup_parse_access(device
, ++val
);
2494 /* Called externally (i.e. from 'lxc-cgroup') to set new cgroup limits. Here we
2495 * don't have a cgroup_data set up, so we ask the running container through the
2496 * commands API for the cgroup path.
2498 __cgfsng_ops
static int cgfsng_set(struct cgroup_ops
*ops
,
2499 const char *key
, const char *value
,
2500 const char *name
, const char *lxcpath
)
2502 __do_free
char *path
= NULL
;
2503 __do_free
char *controller
= NULL
;
2505 struct hierarchy
*h
;
2508 if (!ops
|| is_empty_string(key
) || is_empty_string(value
) ||
2509 is_empty_string(name
) || is_empty_string(lxcpath
))
2510 return ret_errno(EINVAL
);
2512 controller
= strdup(key
);
2514 return ret_errno(ENOMEM
);
2516 p
= strchr(controller
, '.');
2520 if (pure_unified_layout(ops
) && strequal(controller
, "devices")) {
2521 struct device_item device
= {};
2523 ret
= device_cgroup_rule_parse(&device
, key
, value
);
2525 return log_error_errno(-1, EINVAL
, "Failed to parse device string %s=%s",
2528 ret
= lxc_cmd_add_bpf_device_cgroup(name
, lxcpath
, &device
);
2535 path
= lxc_cmd_get_limit_cgroup_path(name
, lxcpath
, controller
);
2540 h
= get_hierarchy(ops
, controller
);
2542 __do_free
char *fullpath
= NULL
;
2544 fullpath
= build_full_cgpath_from_monitorpath(h
, path
, key
);
2545 ret
= lxc_write_to_file(fullpath
, value
, strlen(value
), false, 0666);
2551 /* take devices cgroup line
2553 * and convert it to a valid
2554 * type major:minor mode
2555 * line. Return <0 on error. Dest is a preallocated buffer long enough to hold
2558 static int device_cgroup_rule_parse_devpath(struct device_item
*device
,
2559 const char *devpath
)
2561 __do_free
char *path
= NULL
;
2567 path
= strdup(devpath
);
2569 return ret_errno(ENOMEM
);
2572 * Read path followed by mode. Ignore any trailing text.
2573 * A ' # comment' would be legal. Technically other text is not
2574 * legal, we could check for that if we cared to.
2576 for (n_parts
= 1, p
= path
; *p
; p
++) {
2592 return ret_set_errno(-1, EINVAL
);
2596 return ret_errno(EINVAL
);
2598 if (device_cgroup_parse_access(device
, mode
) < 0)
2601 ret
= stat(path
, &sb
);
2603 return ret_set_errno(-1, errno
);
2605 mode_t m
= sb
.st_mode
& S_IFMT
;
2614 return log_error_errno(-1, EINVAL
, "Unsupported device type %i for \"%s\"", m
, path
);
2617 device
->major
= MAJOR(sb
.st_rdev
);
2618 device
->minor
= MINOR(sb
.st_rdev
);
2624 static int convert_devpath(const char *invalue
, char *dest
)
2626 struct device_item device
= {};
2629 ret
= device_cgroup_rule_parse_devpath(&device
, invalue
);
2633 ret
= strnprintf(dest
, 50, "%c %d:%d %s", device
.type
, device
.major
,
2634 device
.minor
, device
.access
);
2636 return log_error_errno(ret
, -ret
,
2637 "Error on configuration value \"%c %d:%d %s\" (max 50 chars)",
2638 device
.type
, device
.major
, device
.minor
,
2644 /* Called from setup_limits - here we have the container's cgroup_data because
2645 * we created the cgroups.
2647 static int cg_legacy_set_data(struct cgroup_ops
*ops
, const char *filename
,
2648 const char *value
, bool is_cpuset
)
2650 __do_free
char *controller
= NULL
;
2652 /* "b|c <2^64-1>:<2^64-1> r|w|m" = 47 chars max */
2653 char converted_value
[50];
2654 struct hierarchy
*h
;
2656 controller
= strdup(filename
);
2658 return ret_errno(ENOMEM
);
2660 p
= strchr(controller
, '.');
2664 if (strequal("devices.allow", filename
) && value
[0] == '/') {
2667 ret
= convert_devpath(value
, converted_value
);
2670 value
= converted_value
;
2673 h
= get_hierarchy(ops
, controller
);
2675 return log_error_errno(-ENOENT
, ENOENT
, "Failed to setup limits for the \"%s\" controller. The controller seems to be unused by \"cgfsng\" cgroup driver or not enabled on the cgroup hierarchy", controller
);
2678 int ret
= lxc_write_openat(h
->path_con
, filename
, value
, strlen(value
));
2682 return lxc_write_openat(h
->path_lim
, filename
, value
, strlen(value
));
2685 __cgfsng_ops
static bool cgfsng_setup_limits_legacy(struct cgroup_ops
*ops
,
2686 struct lxc_conf
*conf
,
2689 __do_free
struct lxc_list
*sorted_cgroup_settings
= NULL
;
2690 struct lxc_list
*cgroup_settings
= &conf
->cgroup
;
2691 struct lxc_list
*iterator
, *next
;
2692 struct lxc_cgroup
*cg
;
2696 return ret_set_errno(false, ENOENT
);
2699 return ret_set_errno(false, EINVAL
);
2701 cgroup_settings
= &conf
->cgroup
;
2702 if (lxc_list_empty(cgroup_settings
))
2705 if (!ops
->hierarchies
)
2706 return ret_set_errno(false, EINVAL
);
2708 if (pure_unified_layout(ops
))
2709 return log_warn_errno(true, EINVAL
, "Ignoring legacy cgroup limits on pure cgroup2 system");
2711 sorted_cgroup_settings
= sort_cgroup_settings(cgroup_settings
);
2712 if (!sorted_cgroup_settings
)
2715 lxc_list_for_each(iterator
, sorted_cgroup_settings
) {
2716 cg
= iterator
->elem
;
2718 if (do_devices
== strnequal("devices", cg
->subsystem
, 7)) {
2719 if (cg_legacy_set_data(ops
, cg
->subsystem
, cg
->value
, strnequal("cpuset", cg
->subsystem
, 6))) {
2720 if (do_devices
&& (errno
== EACCES
|| errno
== EPERM
)) {
2721 SYSWARN("Failed to set \"%s\" to \"%s\"", cg
->subsystem
, cg
->value
);
2724 SYSERROR("Failed to set \"%s\" to \"%s\"", cg
->subsystem
, cg
->value
);
2727 DEBUG("Set controller \"%s\" set to \"%s\"", cg
->subsystem
, cg
->value
);
2732 INFO("Limits for the legacy cgroup hierarchies have been setup");
2734 lxc_list_for_each_safe(iterator
, sorted_cgroup_settings
, next
) {
2735 lxc_list_del(iterator
);
2743 * Some of the parsing logic comes from the original cgroup device v1
2744 * implementation in the kernel.
2746 static int bpf_device_cgroup_prepare(struct cgroup_ops
*ops
,
2747 struct lxc_conf
*conf
, const char *key
,
2750 struct device_item device_item
= {};
2753 if (strequal("devices.allow", key
) && abspath(val
))
2754 ret
= device_cgroup_rule_parse_devpath(&device_item
, val
);
2756 ret
= device_cgroup_rule_parse(&device_item
, key
, val
);
2758 return syserrno_set(EINVAL
, "Failed to parse device rule %s=%s", key
, val
);
2761 * Note that bpf_list_add_device() returns 1 if it altered the device
2762 * list and 0 if it didn't; both return values indicate success.
2763 * Only a negative return value indicates an error.
2765 ret
= bpf_list_add_device(&conf
->bpf_devices
, &device_item
);
2772 __cgfsng_ops
static bool cgfsng_setup_limits(struct cgroup_ops
*ops
,
2773 struct lxc_handler
*handler
)
2775 struct lxc_list
*cgroup_settings
, *iterator
;
2776 struct hierarchy
*h
;
2777 struct lxc_conf
*conf
;
2780 return ret_set_errno(false, ENOENT
);
2782 if (!ops
->hierarchies
)
2785 if (!ops
->container_cgroup
)
2786 return ret_set_errno(false, EINVAL
);
2788 if (!handler
|| !handler
->conf
)
2789 return ret_set_errno(false, EINVAL
);
2790 conf
= handler
->conf
;
2792 cgroup_settings
= &conf
->cgroup2
;
2793 if (lxc_list_empty(cgroup_settings
))
2796 if (!pure_unified_layout(ops
))
2797 return log_warn_errno(true, EINVAL
, "Ignoring cgroup2 limits on legacy cgroup system");
2803 lxc_list_for_each (iterator
, cgroup_settings
) {
2804 struct lxc_cgroup
*cg
= iterator
->elem
;
2807 if (strnequal("devices", cg
->subsystem
, 7))
2808 ret
= bpf_device_cgroup_prepare(ops
, conf
, cg
->subsystem
, cg
->value
);
2810 ret
= lxc_write_openat(h
->path_lim
, cg
->subsystem
, cg
->value
, strlen(cg
->value
));
2812 return log_error_errno(false, errno
, "Failed to set \"%s\" to \"%s\"", cg
->subsystem
, cg
->value
);
2814 TRACE("Set \"%s\" to \"%s\"", cg
->subsystem
, cg
->value
);
2817 return log_info(true, "Limits for the unified cgroup hierarchy have been setup");
2820 __cgfsng_ops
static bool cgfsng_devices_activate(struct cgroup_ops
*ops
, struct lxc_handler
*handler
)
2822 struct lxc_conf
*conf
;
2823 struct hierarchy
*unified
;
2826 return ret_set_errno(false, ENOENT
);
2828 if (!ops
->hierarchies
)
2831 if (!ops
->container_cgroup
)
2832 return ret_set_errno(false, EEXIST
);
2834 if (!handler
|| !handler
->conf
)
2835 return ret_set_errno(false, EINVAL
);
2836 conf
= handler
->conf
;
2838 unified
= ops
->unified
;
2839 if (!unified
|| !device_utility_controller(unified
) ||
2840 !unified
->path_con
||
2841 lxc_list_empty(&(conf
->bpf_devices
).device_item
))
2844 return bpf_cgroup_devices_attach(ops
, &conf
->bpf_devices
);
2847 static bool __cgfsng_delegate_controllers(struct cgroup_ops
*ops
, const char *cgroup
)
2849 __do_close
int dfd_final
= -EBADF
;
2850 __do_free
char *add_controllers
= NULL
, *copy
= NULL
;
2851 size_t full_len
= 0;
2852 struct hierarchy
*unified
;
2857 if (!ops
->hierarchies
|| !pure_unified_layout(ops
))
2860 unified
= ops
->unified
;
2861 if (!unified
->controllers
[0])
2864 /* For now we simply enable all controllers that we have detected by
2865 * creating a string like "+memory +pids +cpu +io".
2866 * TODO: In the near future we might want to support "-<controller>"
2867 * etc. but whether supporting semantics like this make sense will need
2870 for (it
= unified
->controllers
; it
&& *it
; it
++) {
2871 full_len
+= strlen(*it
) + 2;
2872 add_controllers
= must_realloc(add_controllers
, full_len
+ 1);
2874 if (unified
->controllers
[0] == *it
)
2875 add_controllers
[0] = '\0';
2877 (void)strlcat(add_controllers
, "+", full_len
+ 1);
2878 (void)strlcat(add_controllers
, *it
, full_len
+ 1);
2880 if ((it
+ 1) && *(it
+ 1))
2881 (void)strlcat(add_controllers
, " ", full_len
+ 1);
2884 copy
= strdup(cgroup
);
2889 * Placing the write to cgroup.subtree_control before the open() is
2890 * intentional because of the cgroup2 delegation model. It enforces
2891 * that leaf cgroups don't have any controllers enabled for delegation.
2893 dfd_cur
= unified
->dfd_base
;
2894 lxc_iterate_parts(cur
, copy
, "/") {
2896 * Even though we vetted the paths when we parsed the config
2897 * we're paranoid here and check that the path is neither
2898 * absolute nor walks upwards.
2901 return syserrno_set(-EINVAL
, "No absolute paths allowed");
2903 if (strnequal(cur
, "..", STRLITERALLEN("..")))
2904 return syserrno_set(-EINVAL
, "No upward walking paths allowed");
2906 ret
= lxc_writeat(dfd_cur
, "cgroup.subtree_control", add_controllers
, full_len
);
2908 return syserrno(-errno
, "Could not enable \"%s\" controllers in the unified cgroup %d", add_controllers
, dfd_cur
);
2910 TRACE("Enabled \"%s\" controllers in the unified cgroup %d", add_controllers
, dfd_cur
);
2912 dfd_final
= open_at(dfd_cur
, cur
, PROTECT_OPATH_DIRECTORY
, PROTECT_LOOKUP_BENEATH
, 0);
2914 return syserrno(-errno
, "Fail to open directory %d(%s)", dfd_cur
, cur
);
2915 if (dfd_cur
!= unified
->dfd_base
)
2918 * Leave dfd_final pointing to the last fd we opened so
2919 * it will be automatically zapped if we return early.
2921 dfd_cur
= dfd_final
;
2927 __cgfsng_ops
static bool cgfsng_monitor_delegate_controllers(struct cgroup_ops
*ops
)
2930 return ret_set_errno(false, ENOENT
);
2932 return __cgfsng_delegate_controllers(ops
, ops
->monitor_cgroup
);
2935 __cgfsng_ops
static bool cgfsng_payload_delegate_controllers(struct cgroup_ops
*ops
)
2938 return ret_set_errno(false, ENOENT
);
2940 return __cgfsng_delegate_controllers(ops
, ops
->container_cgroup
);
2943 static inline bool unified_cgroup(const char *line
)
2945 return *line
== '0';
2948 static inline char *current_unified_cgroup(bool relative
, char *line
)
2950 char *current_cgroup
;
2952 line
+= STRLITERALLEN("0::");
2955 return ERR_PTR(-EINVAL
);
2957 /* remove init.scope */
2959 line
= prune_init_scope(line
);
2961 /* create a relative path */
2964 current_cgroup
= strdup(line
);
2965 if (!current_cgroup
)
2966 return ERR_PTR(-ENOMEM
);
2968 return current_cgroup
;
2971 static inline const char *unprefix(const char *controllers
)
2973 if (strnequal(controllers
, "name=", STRLITERALLEN("name=")))
2974 return controllers
+ STRLITERALLEN("name=");
2978 static int __list_cgroup_delegate(char ***delegate
)
2980 __do_free
char **list
= NULL
;
2981 __do_free
char *buf
= NULL
;
2982 char *standard
[] = {
2985 "cgroup.subtree_control",
2992 buf
= read_file_at(-EBADF
, "/sys/kernel/cgroup/delegate", PROTECT_OPEN
, 0);
2994 for (char **p
= standard
; p
&& *p
; p
++) {
2995 ret
= list_add_string(&list
, *p
);
3000 *delegate
= move_ptr(list
);
3001 return syswarn(0, "Failed to read /sys/kernel/cgroup/delegate");
3004 lxc_iterate_parts(token
, buf
, " \t\n") {
3006 * We always need to chown this for both cgroup and
3009 if (strequal(token
, "cgroup.procs"))
3012 ret
= list_add_string(&list
, token
);
3017 *delegate
= move_ptr(list
);
3021 static bool unified_hierarchy_delegated(int dfd_base
, char ***ret_files
)
3023 __do_free_string_list
char **list
= NULL
;
3026 ret
= __list_cgroup_delegate(&list
);
3028 return syserrno(ret
, "Failed to determine unified cgroup delegation requirements");
3030 for (char *const *s
= list
; s
&& *s
; s
++) {
3031 if (!faccessat(dfd_base
, *s
, W_OK
, 0) || errno
== ENOENT
)
3034 return sysinfo(false, "The %s file is not writable, skipping unified hierarchy", *s
);
3037 *ret_files
= move_ptr(list
);
3041 static bool legacy_hierarchy_delegated(int dfd_base
)
3043 if (faccessat(dfd_base
, "cgroup.procs", W_OK
, 0) && errno
!= ENOENT
)
3044 return sysinfo(false, "The cgroup.procs file is not writable, skipping legacy hierarchy");
3049 static int __initialize_cgroups(struct cgroup_ops
*ops
, bool relative
,
3052 __do_free
char *cgroup_info
= NULL
;
3056 * Root spawned containers escape the current cgroup, so use init's
3057 * cgroups as our base in that case.
3059 if (!relative
&& (geteuid() == 0))
3060 cgroup_info
= read_file_at(-EBADF
, "/proc/1/cgroup", PROTECT_OPEN
, 0);
3062 cgroup_info
= read_file_at(-EBADF
, "/proc/self/cgroup", PROTECT_OPEN
, 0);
3064 return ret_errno(ENOMEM
);
3066 lxc_iterate_parts(it
, cgroup_info
, "\n") {
3067 __do_close
int dfd_base
= -EBADF
, dfd_mnt
= -EBADF
;
3068 __do_free
char *controllers
= NULL
, *current_cgroup
= NULL
;
3069 __do_free_string_list
char **controller_list
= NULL
,
3074 /* Handle the unified cgroup hierarchy. */
3076 if (unified_cgroup(line
)) {
3079 type
= UNIFIED_HIERARCHY
;
3081 current_cgroup
= current_unified_cgroup(relative
, line
);
3082 if (IS_ERR(current_cgroup
))
3083 return PTR_ERR(current_cgroup
);
3085 if (unified_cgroup_fd(ops
->dfd_mnt
)) {
3086 dfd_mnt
= dup_cloexec(ops
->dfd_mnt
);
3089 dfd_mnt
= open_at(ops
->dfd_mnt
,
3091 PROTECT_OPATH_DIRECTORY
,
3092 PROTECT_LOOKUP_ABSOLUTE_XDEV
, 0);
3093 unified_mnt
= "unified";
3096 if (errno
!= ENOENT
)
3097 return syserrno(-errno
, "Failed to open %d/unified", ops
->dfd_mnt
);
3099 SYSTRACE("Unified cgroup not mounted");
3104 if (!is_empty_string(current_cgroup
)) {
3105 dfd_base
= open_at(dfd_mnt
, current_cgroup
,
3106 PROTECT_OPATH_DIRECTORY
,
3107 PROTECT_LOOKUP_BENEATH_XDEV
, 0);
3109 return syserrno(-errno
, "Failed to open %d/%s", dfd_mnt
, current_cgroup
);
3113 if (!unified_hierarchy_delegated(dfd
, &delegate
))
3116 controller_list
= unified_controllers(dfd
, "cgroup.controllers");
3117 if (!controller_list
) {
3118 TRACE("No controllers are enabled for delegation in the unified hierarchy");
3119 controller_list
= list_new();
3120 if (!controller_list
)
3121 return syserrno(-ENOMEM
, "Failed to create empty controller list");
3124 controllers
= strdup(unified_mnt
);
3126 return ret_errno(ENOMEM
);
3128 char *__controllers
, *__current_cgroup
;
3130 type
= LEGACY_HIERARCHY
;
3132 __controllers
= strchr(line
, ':');
3134 return ret_errno(EINVAL
);
3137 __current_cgroup
= strchr(__controllers
, ':');
3138 if (!__current_cgroup
)
3139 return ret_errno(EINVAL
);
3140 *__current_cgroup
= '\0';
3143 controllers
= strdup(unprefix(__controllers
));
3145 return ret_errno(ENOMEM
);
3147 dfd_mnt
= open_at(ops
->dfd_mnt
,
3148 controllers
, PROTECT_OPATH_DIRECTORY
,
3149 PROTECT_LOOKUP_ABSOLUTE_XDEV
, 0);
3151 if (errno
!= ENOENT
)
3152 return syserrno(-errno
, "Failed to open %d/%s",
3153 ops
->dfd_mnt
, controllers
);
3155 SYSTRACE("%s not mounted", controllers
);
3160 if (!abspath(__current_cgroup
))
3161 return ret_errno(EINVAL
);
3163 /* remove init.scope */
3165 __current_cgroup
= prune_init_scope(__current_cgroup
);
3167 /* create a relative path */
3168 __current_cgroup
= deabs(__current_cgroup
);
3170 current_cgroup
= strdup(__current_cgroup
);
3171 if (!current_cgroup
)
3172 return ret_errno(ENOMEM
);
3174 if (!is_empty_string(current_cgroup
)) {
3175 dfd_base
= open_at(dfd_mnt
, current_cgroup
,
3176 PROTECT_OPATH_DIRECTORY
,
3177 PROTECT_LOOKUP_BENEATH_XDEV
, 0);
3179 return syserrno(-errno
, "Failed to open %d/%s",
3180 dfd_mnt
, current_cgroup
);
3184 if (!legacy_hierarchy_delegated(dfd
))
3188 * We intentionally pass __current_cgroup here and not
3189 * controllers because we would otherwise chop the
3192 controller_list
= list_add_controllers(__controllers
);
3193 if (!controller_list
)
3194 return syserrno(-ENOMEM
, "Failed to create controller list from %s", __controllers
);
3196 if (skip_hierarchy(ops
, controller_list
))
3199 ops
->cgroup_layout
= CGROUP_LAYOUT_LEGACY
;
3202 ret
= cgroup_hierarchy_add(ops
, dfd_mnt
, controllers
, dfd
,
3203 current_cgroup
, controller_list
, type
);
3205 return syserrno(ret
, "Failed to add %s hierarchy", controllers
);
3207 /* Transfer ownership. */
3210 move_ptr(current_cgroup
);
3211 move_ptr(controllers
);
3212 move_ptr(controller_list
);
3213 if (type
== UNIFIED_HIERARCHY
)
3214 ops
->unified
->delegate
= move_ptr(delegate
);
3217 /* determine cgroup layout */
3219 if (ops
->cgroup_layout
== CGROUP_LAYOUT_LEGACY
) {
3220 ops
->cgroup_layout
= CGROUP_LAYOUT_HYBRID
;
3222 if (bpf_devices_cgroup_supported())
3223 ops
->unified
->utilities
|= DEVICES_CONTROLLER
;
3224 ops
->cgroup_layout
= CGROUP_LAYOUT_UNIFIED
;
3228 if (!controllers_available(ops
))
3229 return syserrno_set(-ENOENT
, "One or more requested controllers unavailable or not delegated");
3234 static int initialize_cgroups(struct cgroup_ops
*ops
, struct lxc_conf
*conf
)
3236 __do_close
int dfd
= -EBADF
;
3238 const char *controllers_use
;
3240 if (ops
->dfd_mnt
>= 0)
3241 return ret_errno(EBUSY
);
3244 * I don't see the need for allowing symlinks here. If users want to
3245 * have their hierarchy available in different locations I strongly
3246 * suggest bind-mounts.
3248 dfd
= open_at(-EBADF
, DEFAULT_CGROUP_MOUNTPOINT
,
3249 PROTECT_OPATH_DIRECTORY
, PROTECT_LOOKUP_ABSOLUTE_XDEV
, 0);
3251 return syserrno(-errno
, "Failed to open " DEFAULT_CGROUP_MOUNTPOINT
);
3253 controllers_use
= lxc_global_config_value("lxc.cgroup.use");
3254 if (controllers_use
) {
3255 __do_free
char *dup
= NULL
;
3258 dup
= strdup(controllers_use
);
3262 lxc_iterate_parts(it
, dup
, ",") {
3263 ret
= list_add_string(&ops
->cgroup_use
, it
);
3270 * Keep dfd referenced by the cleanup function and actually move the fd
3271 * once we know the initialization succeeded. So if we fail we clean up
3276 ret
= __initialize_cgroups(ops
, conf
->cgroup_meta
.relative
, !lxc_list_empty(&conf
->id_map
));
3278 return syserrno(ret
, "Failed to initialize cgroups");
3280 /* Transfer ownership to cgroup_ops. */
3285 __cgfsng_ops
static int cgfsng_data_init(struct cgroup_ops
*ops
)
3287 const char *cgroup_pattern
;
3290 return ret_set_errno(-1, ENOENT
);
3292 /* copy system-wide cgroup information */
3293 cgroup_pattern
= lxc_global_config_value("lxc.cgroup.pattern");
3294 if (cgroup_pattern
&& !strequal(cgroup_pattern
, "")) {
3295 ops
->cgroup_pattern
= strdup(cgroup_pattern
);
3296 if (!ops
->cgroup_pattern
)
3297 return ret_errno(ENOMEM
);
3303 struct cgroup_ops
*cgroup_ops_init(struct lxc_conf
*conf
)
3305 __do_free
struct cgroup_ops
*cgfsng_ops
= NULL
;
3307 cgfsng_ops
= zalloc(sizeof(struct cgroup_ops
));
3309 return ret_set_errno(NULL
, ENOMEM
);
3311 cgfsng_ops
->cgroup_layout
= CGROUP_LAYOUT_UNKNOWN
;
3312 cgfsng_ops
->dfd_mnt
= -EBADF
;
3314 if (initialize_cgroups(cgfsng_ops
, conf
))
3317 cgfsng_ops
->data_init
= cgfsng_data_init
;
3318 cgfsng_ops
->payload_destroy
= cgfsng_payload_destroy
;
3319 cgfsng_ops
->monitor_destroy
= cgfsng_monitor_destroy
;
3320 cgfsng_ops
->monitor_create
= cgfsng_monitor_create
;
3321 cgfsng_ops
->monitor_enter
= cgfsng_monitor_enter
;
3322 cgfsng_ops
->monitor_delegate_controllers
= cgfsng_monitor_delegate_controllers
;
3323 cgfsng_ops
->payload_delegate_controllers
= cgfsng_payload_delegate_controllers
;
3324 cgfsng_ops
->payload_create
= cgfsng_payload_create
;
3325 cgfsng_ops
->payload_enter
= cgfsng_payload_enter
;
3326 cgfsng_ops
->finalize
= cgfsng_finalize
;
3327 cgfsng_ops
->get_cgroup
= cgfsng_get_cgroup
;
3328 cgfsng_ops
->get
= cgfsng_get
;
3329 cgfsng_ops
->set
= cgfsng_set
;
3330 cgfsng_ops
->freeze
= cgfsng_freeze
;
3331 cgfsng_ops
->unfreeze
= cgfsng_unfreeze
;
3332 cgfsng_ops
->setup_limits_legacy
= cgfsng_setup_limits_legacy
;
3333 cgfsng_ops
->setup_limits
= cgfsng_setup_limits
;
3334 cgfsng_ops
->driver
= "cgfsng";
3335 cgfsng_ops
->version
= "1.0.0";
3336 cgfsng_ops
->attach
= cgfsng_attach
;
3337 cgfsng_ops
->chown
= cgfsng_chown
;
3338 cgfsng_ops
->mount
= cgfsng_mount
;
3339 cgfsng_ops
->devices_activate
= cgfsng_devices_activate
;
3340 cgfsng_ops
->get_limit_cgroup
= cgfsng_get_limit_cgroup
;
3342 cgfsng_ops
->criu_escape
= cgfsng_criu_escape
;
3343 cgfsng_ops
->criu_num_hierarchies
= cgfsng_criu_num_hierarchies
;
3344 cgfsng_ops
->criu_get_hierarchies
= cgfsng_criu_get_hierarchies
;
3346 return move_ptr(cgfsng_ops
);
3349 static int __unified_attach_fd(const struct lxc_conf
*conf
, int fd_unified
, pid_t pid
)
3353 if (!lxc_list_empty(&conf
->id_map
)) {
3354 struct userns_exec_unified_attach_data args
= {
3356 .unified_fd
= fd_unified
,
3360 ret
= socketpair(PF_LOCAL
, SOCK_STREAM
| SOCK_CLOEXEC
, 0, args
.sk_pair
);
3364 ret
= userns_exec_minimal(conf
,
3365 cgroup_unified_attach_parent_wrapper
,
3367 cgroup_unified_attach_child_wrapper
,
3370 ret
= cgroup_attach_leaf(conf
, fd_unified
, pid
);
3376 static int __cgroup_attach_many(const struct lxc_conf
*conf
, const char *name
,
3377 const char *lxcpath
, pid_t pid
)
3379 call_cleaner(put_cgroup_ctx
) struct cgroup_ctx
*ctx
= &(struct cgroup_ctx
){};
3383 char pidstr
[INTTYPE_TO_STRLEN(pid_t
)];
3385 ret
= lxc_cmd_get_cgroup_ctx(name
, lxcpath
, sizeof(struct cgroup_ctx
), ctx
);
3387 return ret_errno(ENOSYS
);
3389 pidstr_len
= strnprintf(pidstr
, sizeof(pidstr
), "%d", pid
);
3393 for (idx
= 0; idx
< ctx
->fd_len
; idx
++) {
3394 int dfd_con
= ctx
->fd
[idx
];
3396 if (unified_cgroup_fd(dfd_con
))
3397 ret
= __unified_attach_fd(conf
, dfd_con
, pid
);
3399 ret
= lxc_writeat(dfd_con
, "cgroup.procs", pidstr
, pidstr_len
);
3401 return syserrno(ret
, "Failed to attach to cgroup fd %d", dfd_con
);
3403 TRACE("Attached to cgroup fd %d", dfd_con
);
3407 return syserrno_set(-ENOENT
, "Failed to attach to cgroups");
3409 TRACE("Attached to %s cgroup layout", cgroup_layout_name(ctx
->cgroup_layout
));
3413 static int __cgroup_attach_unified(const struct lxc_conf
*conf
, const char *name
,
3414 const char *lxcpath
, pid_t pid
)
3416 __do_close
int dfd_unified
= -EBADF
;
3418 if (!conf
|| is_empty_string(name
) || is_empty_string(lxcpath
) || pid
<= 0)
3419 return ret_errno(EINVAL
);
3421 dfd_unified
= lxc_cmd_get_cgroup2_fd(name
, lxcpath
);
3422 if (dfd_unified
< 0)
3423 return ret_errno(ENOSYS
);
3425 return __unified_attach_fd(conf
, dfd_unified
, pid
);
3428 int cgroup_attach(const struct lxc_conf
*conf
, const char *name
,
3429 const char *lxcpath
, pid_t pid
)
3433 ret
= __cgroup_attach_many(conf
, name
, lxcpath
, pid
);
3435 if (!ERRNO_IS_NOT_SUPPORTED(ret
))
3438 ret
= __cgroup_attach_unified(conf
, name
, lxcpath
, pid
);
3439 if (ret
< 0 && ERRNO_IS_NOT_SUPPORTED(ret
))
3440 return ret_errno(ENOSYS
);
3446 /* Connects to command socket therefore isn't callable from command handler. */
3447 int cgroup_get(const char *name
, const char *lxcpath
,
3448 const char *filename
, char *buf
, size_t len
)
3450 __do_close
int unified_fd
= -EBADF
;
3453 if (is_empty_string(filename
) || is_empty_string(name
) ||
3454 is_empty_string(lxcpath
))
3455 return ret_errno(EINVAL
);
3457 if ((buf
&& !len
) || (len
&& !buf
))
3458 return ret_errno(EINVAL
);
3460 unified_fd
= lxc_cmd_get_limit_cgroup2_fd(name
, lxcpath
);
3462 return ret_errno(ENOSYS
);
3464 ret
= lxc_read_try_buf_at(unified_fd
, filename
, buf
, len
);
3466 SYSERROR("Failed to read cgroup value");
3471 /* Connects to command socket therefore isn't callable from command handler. */
3472 int cgroup_set(const char *name
, const char *lxcpath
,
3473 const char *filename
, const char *value
)
3475 __do_close
int unified_fd
= -EBADF
;
3478 if (is_empty_string(filename
) || is_empty_string(value
) ||
3479 is_empty_string(name
) || is_empty_string(lxcpath
))
3480 return ret_errno(EINVAL
);
3482 unified_fd
= lxc_cmd_get_limit_cgroup2_fd(name
, lxcpath
);
3484 return ret_errno(ENOSYS
);
3486 if (strnequal(filename
, "devices.", STRLITERALLEN("devices."))) {
3487 struct device_item device
= {};
3489 ret
= device_cgroup_rule_parse(&device
, filename
, value
);
3491 return log_error_errno(-1, EINVAL
, "Failed to parse device string %s=%s", filename
, value
);
3493 ret
= lxc_cmd_add_bpf_device_cgroup(name
, lxcpath
, &device
);
3495 ret
= lxc_writeat(unified_fd
, filename
, value
, strlen(value
));
3501 static int do_cgroup_freeze(int unified_fd
,
3502 const char *state_string
,
3505 const char *epoll_error
,
3506 const char *wait_error
)
3508 __do_close
int events_fd
= -EBADF
;
3509 call_cleaner(lxc_mainloop_close
) struct lxc_epoll_descr
*descr_ptr
= NULL
;
3511 struct lxc_epoll_descr descr
= {};
3514 ret
= lxc_mainloop_open(&descr
);
3516 return log_error_errno(-1, errno
, "%s", epoll_error
);
3518 /* automatically cleaned up now */
3521 events_fd
= open_at(unified_fd
, "cgroup.events", PROTECT_OPEN
, PROTECT_LOOKUP_BENEATH
, 0);
3523 return log_error_errno(-errno
, errno
, "Failed to open cgroup.events file");
3525 ret
= lxc_mainloop_add_handler_events(&descr
, events_fd
, EPOLLPRI
, freezer_cgroup_events_cb
, INT_TO_PTR(state_num
));
3527 return log_error_errno(-1, errno
, "Failed to add cgroup.events fd handler to mainloop");
3530 ret
= lxc_writeat(unified_fd
, "cgroup.freeze", state_string
, 1);
3532 return log_error_errno(-1, errno
, "Failed to open cgroup.freeze file");
3535 ret
= lxc_mainloop(&descr
, timeout
);
3537 return log_error_errno(-1, errno
, "%s", wait_error
);
3540 return log_trace(0, "Container now %s", (state_num
== 1) ? "frozen" : "unfrozen");
3543 static inline int __cgroup_freeze(int unified_fd
, int timeout
)
3545 return do_cgroup_freeze(unified_fd
, "1", 1, timeout
,
3546 "Failed to create epoll instance to wait for container freeze",
3547 "Failed to wait for container to be frozen");
3550 int cgroup_freeze(const char *name
, const char *lxcpath
, int timeout
)
3552 __do_close
int unified_fd
= -EBADF
;
3555 if (is_empty_string(name
) || is_empty_string(lxcpath
))
3556 return ret_errno(EINVAL
);
3558 unified_fd
= lxc_cmd_get_limit_cgroup2_fd(name
, lxcpath
);
3560 return ret_errno(ENOCGROUP2
);
3562 lxc_cmd_notify_state_listeners(name
, lxcpath
, FREEZING
);
3563 ret
= __cgroup_freeze(unified_fd
, timeout
);
3564 lxc_cmd_notify_state_listeners(name
, lxcpath
, !ret
? FROZEN
: RUNNING
);
3568 int __cgroup_unfreeze(int unified_fd
, int timeout
)
3570 return do_cgroup_freeze(unified_fd
, "0", 0, timeout
,
3571 "Failed to create epoll instance to wait for container freeze",
3572 "Failed to wait for container to be frozen");
3575 int cgroup_unfreeze(const char *name
, const char *lxcpath
, int timeout
)
3577 __do_close
int unified_fd
= -EBADF
;
3580 if (is_empty_string(name
) || is_empty_string(lxcpath
))
3581 return ret_errno(EINVAL
);
3583 unified_fd
= lxc_cmd_get_limit_cgroup2_fd(name
, lxcpath
);
3585 return ret_errno(ENOCGROUP2
);
3587 lxc_cmd_notify_state_listeners(name
, lxcpath
, THAWED
);
3588 ret
= __cgroup_unfreeze(unified_fd
, timeout
);
3589 lxc_cmd_notify_state_listeners(name
, lxcpath
, !ret
? RUNNING
: FROZEN
);