use PVE::ProcFSTools;
use PVE::Syscall qw(:fsmount);
use PVE::LXC::Config;
-use PVE::GuestHelpers;
+use PVE::GuestHelpers qw(safe_string_ne safe_num_ne safe_boolean_ne);
use PVE::LXC::Tools;
+use PVE::LXC::CGroup;
use Time::HiRes qw (gettimeofday);
+my $have_sdn;
+eval {
+ require PVE::Network::SDN::Zones;
+ $have_sdn = 1;
+};
my $LXC_CONFIG_PATH = '/usr/share/lxc/config';
my $last_proc_vmid_stat;
-my $parse_cpuacct_stat = sub {
- my ($vmid, $unprivileged) = @_;
-
- my $raw = read_cgroup_value('cpuacct', $vmid, $unprivileged, 'cpuacct.stat', 1);
-
- my $stat = {};
-
- if ($raw =~ m/^user (\d+)\nsystem (\d+)\n/) {
-
- $stat->{utime} = $1;
- $stat->{stime} = $2;
-
- }
-
- return $stat;
-};
-
our $vmstatus_return_properties = {
vmid => get_standard_option('pve-vmid'),
status => {
my $unpriv = $unprivileged->{$vmid};
- if (-d '/sys/fs/cgroup/memory') {
- my $memory_stat = read_cgroup_list('memory', $vmid, $unpriv, 'memory.stat');
- my $mem_usage_in_bytes = read_cgroup_value('memory', $vmid, $unpriv, 'memory.usage_in_bytes');
+ my $cgroups = PVE::LXC::CGroup->new($vmid);
- $d->{mem} = $mem_usage_in_bytes - $memory_stat->{total_cache};
- $d->{swap} = read_cgroup_value('memory', $vmid, $unpriv, 'memory.memsw.usage_in_bytes') - $mem_usage_in_bytes;
+ if (defined(my $mem = $cgroups->get_memory_stat())) {
+ $d->{mem} = $mem->{mem};
+ $d->{swap} = $mem->{swap};
} else {
$d->{mem} = 0;
$d->{swap} = 0;
}
- if (-d '/sys/fs/cgroup/blkio') {
- my $blkio_bytes = read_cgroup_value('blkio', $vmid, 0, 'blkio.throttle.io_service_bytes', 1); # don't check if unpriv
- my @bytes = split(/\n/, $blkio_bytes);
- foreach my $byte (@bytes) {
- if (my ($key, $value) = $byte =~ /(Read|Write)\s+(\d+)/) {
- $d->{diskread} += $2 if $key eq 'Read';
- $d->{diskwrite} += $2 if $key eq 'Write';
- }
- }
+ if (defined(my $blkio = $cgroups->get_io_stats())) {
+ $d->{diskread} = $blkio->{diskread};
+ $d->{diskwrite} = $blkio->{diskwrite};
} else {
$d->{diskread} = 0;
$d->{diskwrite} = 0;
}
- if (-d '/sys/fs/cgroup/cpuacct') {
- my $pstat = $parse_cpuacct_stat->($vmid, $unpriv);
-
- my $used = $pstat->{utime} + $pstat->{stime};
+ if (defined(my $cpu = $cgroups->get_cpu_stat())) {
+ # Total time (in milliseconds) used up by the cpu.
+ my $used_ms = $cpu->{utime} + $cpu->{stime};
my $old = $last_proc_vmid_stat->{$vmid};
if (!$old) {
$last_proc_vmid_stat->{$vmid} = {
time => $cdtime,
- used => $used,
+ used => $used_ms,
cpu => 0,
};
next;
}
- my $dtime = ($cdtime - $old->{time}) * $cpucount * $cpuinfo->{user_hz};
-
- if ($dtime > 1000) {
- my $dutime = $used - $old->{used};
-
- $d->{cpu} = (($dutime/$dtime)* $cpucount) / $d->{cpus};
+ my $delta_ms = ($cdtime - $old->{time}) * $cpucount * 1000.0;
+ if ($delta_ms > 1000.0) {
+ my $delta_used_ms = $used_ms - $old->{used};
+ $d->{cpu} = (($delta_used_ms / $delta_ms) * $cpucount) / $d->{cpus};
$last_proc_vmid_stat->{$vmid} = {
time => $cdtime,
- used => $used,
+ used => $used_ms,
cpu => $d->{cpu},
};
} else {
return $list;
}
-sub read_cgroup_list($$$$) {
- my ($group, $vmid, $unprivileged, $name) = @_;
-
- my $content = read_cgroup_value($group, $vmid, $unprivileged, $name, 1);
-
- return { split(/\s+/, $content) };
-}
-
-sub read_cgroup_value($$$$$) {
- my ($group, $vmid, $unprivileged, $name, $full) = @_;
-
- my $nsdir = $unprivileged ? '' : 'ns/';
- my $path = "/sys/fs/cgroup/$group/lxc/$vmid/${nsdir}$name";
-
- return PVE::Tools::file_get_contents($path) if $full;
-
- return PVE::Tools::file_read_firstline($path);
-}
-
-sub write_cgroup_value {
- my ($group, $vmid, $name, $value) = @_;
-
- my $path = "/sys/fs/cgroup/$group/lxc/$vmid/$name";
- PVE::ProcFSTools::write_proc_entry($path, $value) if -e $path;
-
-}
-
sub find_lxc_console_pids {
my $res = {};
#
# This returns a configuration snippet added to the raw lxc config.
sub make_seccomp_config {
- my ($conf, $conf_dir, $unprivileged, $features) = @_;
+ my ($conf, $vmid, $conf_dir, $unprivileged, $features) = @_;
# User-configured profile has precedence, note that the user's entry would
# be written 'after' this line anyway...
if (PVE::LXC::Config->has_lxc_entry($conf, 'lxc.seccomp.profile')) {
}
$raw_conf .= "lxc.seccomp.notify.proxy = unix:/run/pve/lxc-syscalld.sock\n";
+ $raw_conf .= "lxc.seccomp.notify.cookie = $vmid\n";
$rules->{mknod} = [
# condition: (mode & S_IFMT) == S_IFCHR
return;
}
+ my ($lxc_major, $lxc_minor) = get_lxc_version();
+
my $raw = '';
+ if ($lxc_major >= 4) {
+ # Explicitly don't use relative directories, which is the default, but
+ # note that we do this mostly because they are only applied for *some*
+ # cgroups. Our pve-container@.service now starts lxc-start with `-F`,
+ # so we also don't need to worry about the new monitor cgroup to
+ # confuse systemd.
+ $raw .= "lxc.cgroup.relative = 0\n";
+
+ # To make things easier, let's keep our previous cgroup layout and
+ # simply move the monitor outside:
+ $raw .= "lxc.cgroup.dir.monitor = lxc.monitor/$vmid\n";
+ # cgroup namespace separation for stronger limits:
+ $raw .= "lxc.cgroup.dir.container = lxc/$vmid\n";
+ $raw .= "lxc.cgroup.dir.container.inner = ns\n";
+ }
+
die "missing 'arch' - internal error" if !$conf->{arch};
$raw .= "lxc.arch = $conf->{arch}\n";
my $features = PVE::LXC::Config->parse_features($conf->{features});
- $raw .= make_seccomp_config($conf, $dir, $unprivileged, $features);
+ $raw .= make_seccomp_config($conf, $vmid, $dir, $unprivileged, $features);
$raw .= make_apparmor_config($conf, $unprivileged, $features);
if ($features->{fuse}) {
$raw .= "lxc.apparmor.raw = mount fstype=fuse,\n";
$raw .= "lxc.mount.entry = /dev/fuse dev/fuse none bind,create=file 0 0\n";
}
+ if ($unprivileged && !$features->{force_rw_sys}) {
+ # unpriv. CT default to sys:rw, but that doesn't always plays well with
+ # systemd, e.g., systemd-networkd https://systemd.io/CONTAINER_INTERFACE/
+ $raw .= "lxc.mount.auto = sys:mixed\n";
+ }
+
# WARNING: DO NOT REMOVE this without making sure that loop device nodes
# cannot be exposed to the container with r/w access (cgroup perms).
# When this is enabled mounts will still remain in the monitor's namespace
$raw .= "lxc.net.$ind.hwaddr = $d->{hwaddr}\n" if defined($d->{hwaddr});
$raw .= "lxc.net.$ind.name = $d->{name}\n" if defined($d->{name});
$raw .= "lxc.net.$ind.mtu = $d->{mtu}\n" if defined($d->{mtu});
+
+ # Starting with lxc 4.0, we do not patch lxc to execute our up-scripts.
+ if ($lxc_major >= 4) {
+ $raw .= "lxc.net.$ind.script.up = /usr/share/lxc/lxcnetaddbr\n";
+ }
}
- if ($cgv1->{cpuset}) {
- my $had_cpuset = 0;
- if (my $lxcconf = $conf->{lxc}) {
- foreach my $entry (@$lxcconf) {
- my ($k, $v) = @$entry;
- $had_cpuset = 1 if $k eq 'lxc.cgroup.cpuset.cpus';
- $raw .= "$k = $v\n";
- }
+ my $had_cpuset = 0;
+ if (my $lxcconf = $conf->{lxc}) {
+ foreach my $entry (@$lxcconf) {
+ my ($k, $v) = @$entry;
+ $had_cpuset = 1 if $k eq 'lxc.cgroup.cpuset.cpus';
+ $raw .= "$k = $v\n";
}
+ }
- my $cores = $conf->{cores};
- if (!$had_cpuset && $cores) {
- my $cpuset = eval { PVE::CpuSet->new_from_cgroup('lxc', 'effective_cpus') };
- $cpuset = PVE::CpuSet->new_from_cgroup('', 'effective_cpus') if !$cpuset;
- my @members = $cpuset->members();
- while (scalar(@members) > $cores) {
- my $randidx = int(rand(scalar(@members)));
- $cpuset->delete($members[$randidx]);
- splice(@members, $randidx, 1); # keep track of the changes
- }
- $raw .= "lxc.cgroup.cpuset.cpus = ".$cpuset->short_string()."\n";
+ my $cpuset;
+ my $cpuset_cgroup = eval { PVE::LXC::CGroup::cpuset_controller_path() };
+ if (defined($cpuset_cgroup)) {
+ $cpuset = eval { PVE::CpuSet->new_from_path("$cpuset_cgroup/lxc", 1) }
+ || PVE::CpuSet->new_from_path($cpuset_cgroup, 1);
+ }
+ my $cores = $conf->{cores};
+ if (!$had_cpuset && $cores && $cpuset) {
+ my @members = $cpuset->members();
+ while (scalar(@members) > $cores) {
+ my $randidx = int(rand(scalar(@members)));
+ $cpuset->delete($members[$randidx]);
+ splice(@members, $randidx, 1); # keep track of the changes
}
+ $raw .= "lxc.cgroup.cpuset.cpus = ".$cpuset->short_string()."\n";
}
File::Path::mkpath("$dir/rootfs");
warn $@ if $@; # avoid errors - just warn
}
-my $safe_num_ne = sub {
- my ($a, $b) = @_;
-
- return 0 if !defined($a) && !defined($b);
- return 1 if !defined($a);
- return 1 if !defined($b);
-
- return $a != $b;
-};
-
-my $safe_string_ne = sub {
- my ($a, $b) = @_;
-
- return 0 if !defined($a) && !defined($b);
- return 1 if !defined($a);
- return 1 if !defined($b);
-
- return $a ne $b;
-};
-
sub update_net {
my ($vmid, $conf, $opt, $newnet, $netid, $rootdir) = @_;
if (my $oldnetcfg = $conf->{$opt}) {
my $oldnet = PVE::LXC::Config->parse_lxc_network($oldnetcfg);
- if (&$safe_string_ne($oldnet->{hwaddr}, $newnet->{hwaddr}) ||
- &$safe_string_ne($oldnet->{name}, $newnet->{name})) {
+ if (safe_string_ne($oldnet->{hwaddr}, $newnet->{hwaddr}) ||
+ safe_string_ne($oldnet->{name}, $newnet->{name})) {
PVE::Network::veth_delete($veth);
delete $conf->{$opt};
hotplug_net($vmid, $conf, $opt, $newnet, $netid);
} else {
- if (&$safe_string_ne($oldnet->{bridge}, $newnet->{bridge}) ||
- &$safe_num_ne($oldnet->{tag}, $newnet->{tag}) ||
- &$safe_num_ne($oldnet->{firewall}, $newnet->{firewall})) {
+ if (safe_string_ne($oldnet->{bridge}, $newnet->{bridge}) ||
+ safe_num_ne($oldnet->{tag}, $newnet->{tag}) ||
+ safe_num_ne($oldnet->{firewall}, $newnet->{firewall})) {
if ($oldnet->{bridge}) {
PVE::Network::tap_unplug($veth);
PVE::LXC::Config->write_config($vmid, $conf);
}
- PVE::Network::tap_plug($veth, $newnet->{bridge}, $newnet->{tag}, $newnet->{firewall}, $newnet->{trunks}, $newnet->{rate});
+ if ($have_sdn) {
+ PVE::Network::SDN::Zones::tap_plug($veth, $newnet->{bridge}, $newnet->{tag}, $newnet->{firewall}, $newnet->{trunks}, $newnet->{rate});
+ } else {
+ PVE::Network::tap_plug($veth, $newnet->{bridge}, $newnet->{tag}, $newnet->{firewall}, $newnet->{trunks}, $newnet->{rate});
+ }
+
# This includes the rate:
foreach (qw(bridge tag firewall rate)) {
$oldnet->{$_} = $newnet->{$_} if $newnet->{$_};
}
- } elsif (&$safe_string_ne($oldnet->{rate}, $newnet->{rate})) {
+ } elsif (safe_string_ne($oldnet->{rate}, $newnet->{rate})) {
# Rate can be applied on its own but any change above needs to
# include the rate in tap_plug since OVS resets everything.
PVE::Network::tap_rate_limit($veth, $newnet->{rate});
my $vethpeer = $veth . "p";
my $eth = $newnet->{name};
- PVE::Network::veth_create($veth, $vethpeer, $newnet->{bridge}, $newnet->{hwaddr});
- PVE::Network::tap_plug($veth, $newnet->{bridge}, $newnet->{tag}, $newnet->{firewall}, $newnet->{trunks}, $newnet->{rate});
+ if ($have_sdn) {
+ PVE::Network::SDN::Zones::veth_create($veth, $vethpeer, $newnet->{bridge}, $newnet->{hwaddr});
+ PVE::Network::SDN::Zones::tap_plug($veth, $newnet->{bridge}, $newnet->{tag}, $newnet->{firewall}, $newnet->{trunks}, $newnet->{rate});
+ } else {
+ PVE::Network::veth_create($veth, $vethpeer, $newnet->{bridge}, $newnet->{hwaddr});
+ PVE::Network::tap_plug($veth, $newnet->{bridge}, $newnet->{tag}, $newnet->{firewall}, $newnet->{trunks}, $newnet->{rate});
+ }
# attach peer in container
my $cmd = ['lxc-device', '-n', $vmid, 'add', $vethpeer, "$eth" ];
my $oldip = $optdata->{$ip};
my $oldgw = $optdata->{$gw};
- my $change_ip = &$safe_string_ne($oldip, $newip);
- my $change_gw = &$safe_string_ne($oldgw, $newgw);
+ my $change_ip = safe_string_ne($oldip, $newip);
+ my $change_gw = safe_string_ne($oldgw, $newgw);
return if !$change_ip && !$change_gw;
if ($format eq 'subvol') {
if ($mount_path) {
- if ($snapname) {
+ my (undef, $name) = PVE::Storage::parse_volname($storage_cfg, $volid);
+ if (defined($snapname)) {
+ $name .= "\@$snapname";
if ($scfg->{type} eq 'zfspool') {
- my $path_arg = $path;
- $path_arg =~ s!^/+!!;
- PVE::Tools::run_command(['mount', '-o', 'ro', @extra_opts, '-t', 'zfs', $path_arg, $mount_path]);
+ PVE::Tools::run_command(['mount', '-o', 'ro', @extra_opts, '-t', 'zfs', "$scfg->{pool}/$name", $mount_path]);
} else {
die "cannot mount subvol snapshots for storage type '$scfg->{type}'\n";
}
} else {
if (defined($acl) && $scfg->{type} eq 'zfspool') {
my $acltype = ($acl ? 'acltype=posixacl' : 'acltype=noacl');
- my (undef, $name) = PVE::Storage::parse_volname($storage_cfg, $volid);
- $name .= "\@$snapname" if defined($snapname);
PVE::Tools::run_command(['zfs', 'set', $acltype, "$scfg->{pool}/$name"]);
}
bindmount($path, $parentfd, $last_dir//$rootdir, $mount_path, $readonly, @extra_opts);
return $new_volid;
}
+sub get_lxc_version() {
+ my $version;
+ PVE::Tools::run_command([qw(lxc-start --version)], outfunc => sub {
+ my ($line) = @_;
+ # We only parse out major & minor version numbers.
+ if ($line =~ /^(\d+)\.(\d+)(?:\D.*)?$/) {
+ $version = [$1, $2];
+ }
+ });
+
+ die "failed to get lxc version\n" if !defined($version);
+
+ # return as a list:
+ return $version->@*;
+}
+
1;