use final names for cgroup isolation

[pve-container.git] / src / PVE / LXC.pm

diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
index 38cf8101feb6179cff1a0b1384b53197a37b1ca2..b4ffc9bdc5508c3f058db6330b2bf0971b7c09c3 100644 (file)
--- a/src/PVE/LXC.pm
+++ b/src/PVE/LXC.pm
@@ -29,10 +29,16 @@ use PVE::AccessControl;
 use PVE::ProcFSTools;
 use PVE::Syscall qw(:fsmount);
 use PVE::LXC::Config;
-use PVE::GuestHelpers;
+use PVE::GuestHelpers qw(safe_string_ne safe_num_ne safe_boolean_ne);
 use PVE::LXC::Tools;
+use PVE::LXC::CGroup;
 
 use Time::HiRes qw (gettimeofday);
+my $have_sdn;
+eval {
+    require PVE::Network::SDN::Zones;
+    $have_sdn = 1;
+};
 
 my $LXC_CONFIG_PATH = '/usr/share/lxc/config';
 
@@ -101,23 +107,6 @@ sub get_container_disk_usage {
 
 my $last_proc_vmid_stat;
 
-my $parse_cpuacct_stat = sub {
-    my ($vmid, $unprivileged) = @_;
-
-    my $raw = read_cgroup_value('cpuacct', $vmid, $unprivileged, 'cpuacct.stat', 1);
-
-    my $stat = {};
-
-    if ($raw =~ m/^user (\d+)\nsystem (\d+)\n/) {
-
-       $stat->{utime} = $1;
-       $stat->{stime} = $2;
-
-    }
-
-    return $stat;
-};
-
 our $vmstatus_return_properties = {
     vmid => get_standard_option('pve-vmid'),
     status => {
@@ -253,55 +242,45 @@ sub vmstatus {
 
        my $unpriv = $unprivileged->{$vmid};
 
-       if (-d '/sys/fs/cgroup/memory') {
-           my $memory_stat = read_cgroup_list('memory', $vmid, $unpriv, 'memory.stat');
-           my $mem_usage_in_bytes = read_cgroup_value('memory', $vmid, $unpriv, 'memory.usage_in_bytes');
+       my $cgroups = PVE::LXC::CGroup->new($vmid);
 
-           $d->{mem} = $mem_usage_in_bytes - $memory_stat->{total_cache};
-           $d->{swap} = read_cgroup_value('memory', $vmid, $unpriv, 'memory.memsw.usage_in_bytes') - $mem_usage_in_bytes;
+       if (defined(my $mem = $cgroups->get_memory_stat())) {
+           $d->{mem} = $mem->{mem};
+           $d->{swap} = $mem->{swap};
        } else {
            $d->{mem} = 0;
            $d->{swap} = 0;
        }
 
-       if (-d '/sys/fs/cgroup/blkio') {
-           my $blkio_bytes = read_cgroup_value('blkio', $vmid, 0, 'blkio.throttle.io_service_bytes', 1); # don't check if unpriv
-           my @bytes = split(/\n/, $blkio_bytes);
-           foreach my $byte (@bytes) {
-               if (my ($key, $value) = $byte =~ /(Read|Write)\s+(\d+)/) {
-                   $d->{diskread} += $2 if $key eq 'Read';
-                   $d->{diskwrite} += $2 if $key eq 'Write';
-               }
-           }
+       if (defined(my $blkio = $cgroups->get_io_stats())) {
+           $d->{diskread} = $blkio->{diskread};
+           $d->{diskwrite} = $blkio->{diskwrite};
        } else {
            $d->{diskread} = 0;
            $d->{diskwrite} = 0;
        }
 
-       if (-d '/sys/fs/cgroup/cpuacct') {
-           my $pstat = $parse_cpuacct_stat->($vmid, $unpriv);
-
-           my $used = $pstat->{utime} + $pstat->{stime};
+       if (defined(my $cpu = $cgroups->get_cpu_stat())) {
+           # Total time (in milliseconds) used up by the cpu.
+           my $used_ms = $cpu->{utime} + $cpu->{stime};
 
            my $old = $last_proc_vmid_stat->{$vmid};
            if (!$old) {
                $last_proc_vmid_stat->{$vmid} = {
                    time => $cdtime,
-                   used => $used,
+                   used => $used_ms,
                    cpu => 0,
                };
                next;
            }
 
-           my $dtime = ($cdtime -  $old->{time}) * $cpucount * $cpuinfo->{user_hz};
-
-           if ($dtime > 1000) {
-               my $dutime = $used -  $old->{used};
-
-               $d->{cpu} = (($dutime/$dtime)* $cpucount) / $d->{cpus};
+           my $delta_ms = ($cdtime - $old->{time}) * $cpucount * 1000.0;
+           if ($delta_ms > 1000.0) {
+               my $delta_used_ms = $used_ms - $old->{used};
+               $d->{cpu} = (($delta_used_ms / $delta_ms) * $cpucount) / $d->{cpus};
                $last_proc_vmid_stat->{$vmid} = {
                    time => $cdtime,
-                   used => $used,
+                   used => $used_ms,
                    cpu => $d->{cpu},
                };
            } else {
@@ -329,33 +308,6 @@ sub vmstatus {
     return $list;
 }
 
-sub read_cgroup_list($$$$) {
-    my ($group, $vmid, $unprivileged, $name) = @_;
-
-    my $content = read_cgroup_value($group, $vmid, $unprivileged, $name, 1);
-
-    return { split(/\s+/, $content) };
-}
-
-sub read_cgroup_value($$$$$) {
-    my ($group, $vmid, $unprivileged, $name, $full) = @_;
-
-    my $nsdir = $unprivileged ? '' : 'ns/';
-    my $path = "/sys/fs/cgroup/$group/lxc/$vmid/${nsdir}$name";
-
-    return PVE::Tools::file_get_contents($path) if $full;
-
-    return PVE::Tools::file_read_firstline($path);
-}
-
-sub write_cgroup_value {
-   my ($group, $vmid, $name, $value) = @_;
-
-   my $path = "/sys/fs/cgroup/$group/lxc/$vmid/$name";
-   PVE::ProcFSTools::write_proc_entry($path, $value) if -e $path;
-
-}
-
 sub find_lxc_console_pids {
 
     my $res = {};
@@ -472,7 +424,7 @@ sub get_cgroup_subsystems {
 #
 # This returns a configuration snippet added to the raw lxc config.
 sub make_seccomp_config {
-    my ($conf, $conf_dir, $unprivileged, $features) = @_;
+    my ($conf, $vmid, $conf_dir, $unprivileged, $features) = @_;
     # User-configured profile has precedence, note that the user's entry would
     # be written 'after' this line anyway...
     if (PVE::LXC::Config->has_lxc_entry($conf, 'lxc.seccomp.profile')) {
@@ -516,6 +468,7 @@ sub make_seccomp_config {
        }
 
        $raw_conf .= "lxc.seccomp.notify.proxy = unix:/run/pve/lxc-syscalld.sock\n";
+       $raw_conf .= "lxc.seccomp.notify.cookie = $vmid\n";
 
        $rules->{mknod} = [
            # condition: (mode & S_IFMT) == S_IFCHR
@@ -627,8 +580,26 @@ sub update_lxc_config {
        return;
     }
 
+    my ($lxc_major, $lxc_minor) = get_lxc_version();
+
     my $raw = '';
 
+    if ($lxc_major >= 4) {
+       # Explicitly don't use relative directories, which is the default, but
+       # note that we do this mostly because they are only applied for *some*
+       # cgroups. Our pve-container@.service now starts lxc-start with `-F`,
+       # so we also don't need to worry about the new monitor cgroup to
+       # confuse systemd.
+       $raw .= "lxc.cgroup.relative = 0\n";
+
+       # To make things easier, let's keep our previous cgroup layout and
+       # simply move the monitor outside:
+       $raw .= "lxc.cgroup.dir.monitor = lxc.monitor/$vmid\n";
+       # cgroup namespace separation for stronger limits:
+       $raw .= "lxc.cgroup.dir.container = lxc/$vmid\n";
+       $raw .= "lxc.cgroup.dir.container.inner = ns\n";
+    }
+
     die "missing 'arch' - internal error" if !$conf->{arch};
     $raw .= "lxc.arch = $conf->{arch}\n";
 
@@ -649,13 +620,19 @@ sub update_lxc_config {
 
     my $features = PVE::LXC::Config->parse_features($conf->{features});
 
-    $raw .= make_seccomp_config($conf, $dir, $unprivileged, $features);
+    $raw .= make_seccomp_config($conf, $vmid, $dir, $unprivileged, $features);
     $raw .= make_apparmor_config($conf, $unprivileged, $features);
     if ($features->{fuse}) {
        $raw .= "lxc.apparmor.raw = mount fstype=fuse,\n";
        $raw .= "lxc.mount.entry = /dev/fuse dev/fuse none bind,create=file 0 0\n";
     }
 
+    if ($unprivileged && !$features->{force_rw_sys}) {
+       # unpriv. CT default to sys:rw, but that doesn't always plays well with
+       # systemd, e.g., systemd-networkd https://systemd.io/CONTAINER_INTERFACE/
+       $raw .= "lxc.mount.auto = sys:mixed\n";
+    }
+
     # WARNING: DO NOT REMOVE this without making sure that loop device nodes
     # cannot be exposed to the container with r/w access (cgroup perms).
     # When this is enabled mounts will still remain in the monitor's namespace
@@ -723,30 +700,37 @@ sub update_lxc_config {
        $raw .= "lxc.net.$ind.hwaddr = $d->{hwaddr}\n" if defined($d->{hwaddr});
        $raw .= "lxc.net.$ind.name = $d->{name}\n" if defined($d->{name});
        $raw .= "lxc.net.$ind.mtu = $d->{mtu}\n" if defined($d->{mtu});
+
+       # Starting with lxc 4.0, we do not patch lxc to execute our up-scripts.
+       if ($lxc_major >= 4) {
+           $raw .= "lxc.net.$ind.script.up = /usr/share/lxc/lxcnetaddbr\n";
+       }
     }
 
-    if ($cgv1->{cpuset}) {
-       my $had_cpuset = 0;
-       if (my $lxcconf = $conf->{lxc}) {
-           foreach my $entry (@$lxcconf) {
-               my ($k, $v) = @$entry;
-               $had_cpuset = 1 if $k eq 'lxc.cgroup.cpuset.cpus';
-               $raw .= "$k = $v\n";
-           }
+    my $had_cpuset = 0;
+    if (my $lxcconf = $conf->{lxc}) {
+       foreach my $entry (@$lxcconf) {
+           my ($k, $v) = @$entry;
+           $had_cpuset = 1 if $k eq 'lxc.cgroup.cpuset.cpus';
+           $raw .= "$k = $v\n";
        }
+    }
 
-       my $cores = $conf->{cores};
-       if (!$had_cpuset && $cores) {
-           my $cpuset = eval { PVE::CpuSet->new_from_cgroup('lxc', 'effective_cpus') };
-           $cpuset = PVE::CpuSet->new_from_cgroup('', 'effective_cpus') if !$cpuset;
-           my @members = $cpuset->members();
-           while (scalar(@members) > $cores) {
-               my $randidx = int(rand(scalar(@members)));
-               $cpuset->delete($members[$randidx]);
-               splice(@members, $randidx, 1); # keep track of the changes
-           }
-           $raw .= "lxc.cgroup.cpuset.cpus = ".$cpuset->short_string()."\n";
+    my $cpuset;
+    my $cpuset_cgroup = eval { PVE::LXC::CGroup::cpuset_controller_path() };
+    if (defined($cpuset_cgroup)) {
+       $cpuset = eval { PVE::CpuSet->new_from_path("$cpuset_cgroup/lxc", 1) }
+           || PVE::CpuSet->new_from_path($cpuset_cgroup, 1);
+    }
+    my $cores = $conf->{cores};
+    if (!$had_cpuset && $cores && $cpuset) {
+       my @members = $cpuset->members();
+       while (scalar(@members) > $cores) {
+           my $randidx = int(rand(scalar(@members)));
+           $cpuset->delete($members[$randidx]);
+           splice(@members, $randidx, 1); # keep track of the changes
        }
+       $raw .= "lxc.cgroup.cpuset.cpus = ".$cpuset->short_string()."\n";
     }
 
     File::Path::mkpath("$dir/rootfs");
@@ -875,26 +859,6 @@ sub vm_stop_cleanup {
     warn $@ if $@; # avoid errors - just warn
 }
 
-my $safe_num_ne = sub {
-    my ($a, $b) = @_;
-
-    return 0 if !defined($a) && !defined($b);
-    return 1 if !defined($a);
-    return 1 if !defined($b);
-
-    return $a != $b;
-};
-
-my $safe_string_ne = sub {
-    my ($a, $b) = @_;
-
-    return 0 if !defined($a) && !defined($b);
-    return 1 if !defined($a);
-    return 1 if !defined($b);
-
-    return $a ne $b;
-};
-
 sub update_net {
     my ($vmid, $conf, $opt, $newnet, $netid, $rootdir) = @_;
 
@@ -909,8 +873,8 @@ sub update_net {
     if (my $oldnetcfg = $conf->{$opt}) {
        my $oldnet = PVE::LXC::Config->parse_lxc_network($oldnetcfg);
 
-       if (&$safe_string_ne($oldnet->{hwaddr}, $newnet->{hwaddr}) ||
-           &$safe_string_ne($oldnet->{name}, $newnet->{name})) {
+       if (safe_string_ne($oldnet->{hwaddr}, $newnet->{hwaddr}) ||
+           safe_string_ne($oldnet->{name}, $newnet->{name})) {
 
            PVE::Network::veth_delete($veth);
            delete $conf->{$opt};
@@ -919,9 +883,9 @@ sub update_net {
            hotplug_net($vmid, $conf, $opt, $newnet, $netid);
 
        } else {
-           if (&$safe_string_ne($oldnet->{bridge}, $newnet->{bridge}) ||
-               &$safe_num_ne($oldnet->{tag}, $newnet->{tag}) ||
-               &$safe_num_ne($oldnet->{firewall}, $newnet->{firewall})) {
+           if (safe_string_ne($oldnet->{bridge}, $newnet->{bridge}) ||
+               safe_num_ne($oldnet->{tag}, $newnet->{tag}) ||
+               safe_num_ne($oldnet->{firewall}, $newnet->{firewall})) {
 
                if ($oldnet->{bridge}) {
                    PVE::Network::tap_unplug($veth);
@@ -932,12 +896,17 @@ sub update_net {
                    PVE::LXC::Config->write_config($vmid, $conf);
                }
 
-               PVE::Network::tap_plug($veth, $newnet->{bridge}, $newnet->{tag}, $newnet->{firewall}, $newnet->{trunks}, $newnet->{rate});
+               if ($have_sdn) {
+                   PVE::Network::SDN::Zones::tap_plug($veth, $newnet->{bridge}, $newnet->{tag}, $newnet->{firewall}, $newnet->{trunks}, $newnet->{rate});
+               } else {
+                   PVE::Network::tap_plug($veth, $newnet->{bridge}, $newnet->{tag}, $newnet->{firewall}, $newnet->{trunks}, $newnet->{rate});
+               }
+
                # This includes the rate:
                foreach (qw(bridge tag firewall rate)) {
                    $oldnet->{$_} = $newnet->{$_} if $newnet->{$_};
                }
-           } elsif (&$safe_string_ne($oldnet->{rate}, $newnet->{rate})) {
+           } elsif (safe_string_ne($oldnet->{rate}, $newnet->{rate})) {
                # Rate can be applied on its own but any change above needs to
                # include the rate in tap_plug since OVS resets everything.
                PVE::Network::tap_rate_limit($veth, $newnet->{rate});
@@ -960,8 +929,13 @@ sub hotplug_net {
     my $vethpeer = $veth . "p";
     my $eth = $newnet->{name};
 
-    PVE::Network::veth_create($veth, $vethpeer, $newnet->{bridge}, $newnet->{hwaddr});
-    PVE::Network::tap_plug($veth, $newnet->{bridge}, $newnet->{tag}, $newnet->{firewall}, $newnet->{trunks}, $newnet->{rate});
+    if ($have_sdn) {
+       PVE::Network::SDN::Zones::veth_create($veth, $vethpeer, $newnet->{bridge}, $newnet->{hwaddr});
+       PVE::Network::SDN::Zones::tap_plug($veth, $newnet->{bridge}, $newnet->{tag}, $newnet->{firewall}, $newnet->{trunks}, $newnet->{rate});
+    } else {
+       PVE::Network::veth_create($veth, $vethpeer, $newnet->{bridge}, $newnet->{hwaddr});
+       PVE::Network::tap_plug($veth, $newnet->{bridge}, $newnet->{tag}, $newnet->{firewall}, $newnet->{trunks}, $newnet->{rate});
+    }
 
     # attach peer in container
     my $cmd = ['lxc-device', '-n', $vmid, 'add', $vethpeer, "$eth" ];
@@ -1007,8 +981,8 @@ sub update_ipconfig {
        my $oldip = $optdata->{$ip};
        my $oldgw = $optdata->{$gw};
 
-       my $change_ip = &$safe_string_ne($oldip, $newip);
-       my $change_gw = &$safe_string_ne($oldgw, $newgw);
+       my $change_ip = safe_string_ne($oldip, $newip);
+       my $change_gw = safe_string_ne($oldgw, $newgw);
 
        return if !$change_ip && !$change_gw;
 
@@ -1646,19 +1620,17 @@ sub __mountpoint_mount {
 
        if ($format eq 'subvol') {
            if ($mount_path) {
-               if ($snapname) {
+               my (undef, $name) = PVE::Storage::parse_volname($storage_cfg, $volid);
+               if (defined($snapname)) {
+                   $name .= "\@$snapname";
                    if ($scfg->{type} eq 'zfspool') {
-                       my $path_arg = $path;
-                       $path_arg =~ s!^/+!!;
-                       PVE::Tools::run_command(['mount', '-o', 'ro', @extra_opts, '-t', 'zfs', $path_arg, $mount_path]);
+                       PVE::Tools::run_command(['mount', '-o', 'ro', @extra_opts, '-t', 'zfs', "$scfg->{pool}/$name", $mount_path]);
                    } else {
                        die "cannot mount subvol snapshots for storage type '$scfg->{type}'\n";
                    }
                } else {
                    if (defined($acl) && $scfg->{type} eq 'zfspool') {
                        my $acltype = ($acl ? 'acltype=posixacl' : 'acltype=noacl');
-                       my (undef, $name) = PVE::Storage::parse_volname($storage_cfg, $volid);
-                       $name .= "\@$snapname" if defined($snapname);
                        PVE::Tools::run_command(['zfs', 'set', $acltype, "$scfg->{pool}/$name"]);
                    }
                    bindmount($path, $parentfd, $last_dir//$rootdir, $mount_path, $readonly, @extra_opts);
@@ -2397,4 +2369,20 @@ sub copy_volume {
     return $new_volid;
 }
 
+sub get_lxc_version() {
+    my $version;
+    PVE::Tools::run_command([qw(lxc-start --version)], outfunc => sub {
+       my ($line) = @_;
+       # We only parse out major & minor version numbers.
+       if ($line =~ /^(\d+)\.(\d+)(?:\D.*)?$/) {
+           $version = [$1, $2];
+       }
+    });
+
+    die "failed to get lxc version\n" if !defined($version);
+
+    # return as a list:
+    return $version->@*;
+}
+
 1;