]>
Commit | Line | Data |
---|---|---|
ccb4cabe SH |
1 | /* |
2 | * lxc: linux Container library | |
3 | * | |
4 | * Copyright © 2016 Canonical Ltd. | |
5 | * | |
6 | * Authors: | |
7 | * Serge Hallyn <serge.hallyn@ubuntu.com> | |
3fd0de4d | 8 | * Christian Brauner <christian.brauner@ubuntu.com> |
ccb4cabe SH |
9 | * |
10 | * This library is free software; you can redistribute it and/or | |
11 | * modify it under the terms of the GNU Lesser General Public | |
12 | * License as published by the Free Software Foundation; either | |
13 | * version 2.1 of the License, or (at your option) any later version. | |
14 | * | |
15 | * This library is distributed in the hope that it will be useful, | |
16 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
17 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
18 | * Lesser General Public License for more details. | |
19 | * | |
20 | * You should have received a copy of the GNU Lesser General Public | |
21 | * License along with this library; if not, write to the Free Software | |
22 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA | |
23 | */ | |
24 | ||
25 | /* | |
26 | * cgfs-ng.c: this is a new, simplified implementation of a filesystem | |
27 | * cgroup backend. The original cgfs.c was designed to be as flexible | |
28 | * as possible. It would try to find cgroup filesystems no matter where | |
29 | * or how you had them mounted, and deduce the most usable mount for | |
0e7ff52c | 30 | * each controller. |
ccb4cabe SH |
31 | * |
32 | * This new implementation assumes that cgroup filesystems are mounted | |
33 | * under /sys/fs/cgroup/clist where clist is either the controller, or | |
34 | * a comman-separated list of controllers. | |
35 | */ | |
a54694f8 | 36 | |
d38dd64a CB |
37 | #ifndef _GNU_SOURCE |
38 | #define _GNU_SOURCE 1 | |
39 | #endif | |
a54694f8 CB |
40 | #include <ctype.h> |
41 | #include <dirent.h> | |
42 | #include <errno.h> | |
43 | #include <grp.h> | |
d38dd64a CB |
44 | #include <linux/kdev_t.h> |
45 | #include <linux/types.h> | |
a54694f8 | 46 | #include <stdint.h> |
ccb4cabe SH |
47 | #include <stdio.h> |
48 | #include <stdlib.h> | |
a54694f8 | 49 | #include <string.h> |
438c4581 | 50 | #include <sys/types.h> |
d38dd64a | 51 | #include <unistd.h> |
c8bf519d | 52 | |
b635e92d | 53 | #include "caps.h" |
ccb4cabe | 54 | #include "cgroup.h" |
6328fd9c | 55 | #include "cgroup_utils.h" |
ccb4cabe | 56 | #include "commands.h" |
43654d34 | 57 | #include "conf.h" |
d38dd64a | 58 | #include "config.h" |
a54694f8 | 59 | #include "log.h" |
c19ad94b | 60 | #include "macro.h" |
43654d34 | 61 | #include "storage/storage.h" |
a54694f8 | 62 | #include "utils.h" |
ccb4cabe | 63 | |
64e82f8b DJ |
64 | #ifndef HAVE_STRLCPY |
65 | #include "include/strlcpy.h" | |
66 | #endif | |
67 | ||
3ebe2fbd DJ |
68 | #ifndef HAVE_STRLCAT |
69 | #include "include/strlcat.h" | |
70 | #endif | |
71 | ||
ac2cecc4 | 72 | lxc_log_define(cgfsng, cgroup); |
ccb4cabe | 73 | |
ccb4cabe SH |
74 | static void free_string_list(char **clist) |
75 | { | |
2d5fe5ba | 76 | int i; |
ccb4cabe | 77 | |
2d5fe5ba CB |
78 | if (!clist) |
79 | return; | |
80 | ||
81 | for (i = 0; clist[i]; i++) | |
82 | free(clist[i]); | |
83 | ||
84 | free(clist); | |
ccb4cabe SH |
85 | } |
86 | ||
7745483d | 87 | /* Allocate a pointer, do not fail. */ |
ccb4cabe SH |
88 | static void *must_alloc(size_t sz) |
89 | { | |
90 | return must_realloc(NULL, sz); | |
91 | } | |
92 | ||
8b8db2f6 CB |
93 | /* Given a pointer to a null-terminated array of pointers, realloc to add one |
94 | * entry, and point the new entry to NULL. Do not fail. Return the index to the | |
95 | * second-to-last entry - that is, the one which is now available for use | |
96 | * (keeping the list null-terminated). | |
ccb4cabe SH |
97 | */ |
98 | static int append_null_to_list(void ***list) | |
99 | { | |
100 | int newentry = 0; | |
101 | ||
102 | if (*list) | |
8b8db2f6 CB |
103 | for (; (*list)[newentry]; newentry++) |
104 | ; | |
ccb4cabe SH |
105 | |
106 | *list = must_realloc(*list, (newentry + 2) * sizeof(void **)); | |
107 | (*list)[newentry + 1] = NULL; | |
108 | return newentry; | |
109 | } | |
110 | ||
8073018d CB |
111 | /* Given a null-terminated array of strings, check whether @entry is one of the |
112 | * strings. | |
ccb4cabe SH |
113 | */ |
114 | static bool string_in_list(char **list, const char *entry) | |
115 | { | |
116 | int i; | |
117 | ||
118 | if (!list) | |
119 | return false; | |
d6337a5f | 120 | |
ccb4cabe SH |
121 | for (i = 0; list[i]; i++) |
122 | if (strcmp(list[i], entry) == 0) | |
123 | return true; | |
124 | ||
125 | return false; | |
126 | } | |
127 | ||
ac010944 CB |
128 | /* Return a copy of @entry prepending "name=", i.e. turn "systemd" into |
129 | * "name=systemd". Do not fail. | |
130 | */ | |
131 | static char *cg_legacy_must_prefix_named(char *entry) | |
132 | { | |
133 | size_t len; | |
134 | char *prefixed; | |
135 | ||
136 | len = strlen(entry); | |
137 | prefixed = must_alloc(len + 6); | |
138 | ||
6333c915 CB |
139 | memcpy(prefixed, "name=", STRLITERALLEN("name=")); |
140 | memcpy(prefixed + STRLITERALLEN("name="), entry, len); | |
ac010944 | 141 | prefixed[len + 5] = '\0'; |
99bb3fa8 | 142 | |
ac010944 CB |
143 | return prefixed; |
144 | } | |
145 | ||
42a993b4 CB |
146 | /* Append an entry to the clist. Do not fail. @clist must be NULL the first time |
147 | * we are called. | |
ccb4cabe | 148 | * |
42a993b4 CB |
149 | * We also handle named subsystems here. Any controller which is not a kernel |
150 | * subsystem, we prefix "name=". Any which is both a kernel and named subsystem, | |
151 | * we refuse to use because we're not sure which we have here. | |
152 | * (TODO: We could work around this in some cases by just remounting to be | |
153 | * unambiguous, or by comparing mountpoint contents with current cgroup.) | |
ccb4cabe SH |
154 | * |
155 | * The last entry will always be NULL. | |
156 | */ | |
42a993b4 CB |
157 | static void must_append_controller(char **klist, char **nlist, char ***clist, |
158 | char *entry) | |
ccb4cabe SH |
159 | { |
160 | int newentry; | |
161 | char *copy; | |
162 | ||
163 | if (string_in_list(klist, entry) && string_in_list(nlist, entry)) { | |
c2712f64 | 164 | ERROR("Refusing to use ambiguous controller \"%s\"", entry); |
ccb4cabe SH |
165 | ERROR("It is both a named and kernel subsystem"); |
166 | return; | |
167 | } | |
168 | ||
169 | newentry = append_null_to_list((void ***)clist); | |
170 | ||
171 | if (strncmp(entry, "name=", 5) == 0) | |
172 | copy = must_copy_string(entry); | |
173 | else if (string_in_list(klist, entry)) | |
174 | copy = must_copy_string(entry); | |
175 | else | |
7745483d | 176 | copy = cg_legacy_must_prefix_named(entry); |
ccb4cabe SH |
177 | |
178 | (*clist)[newentry] = copy; | |
179 | } | |
180 | ||
5ae0207c CB |
181 | /* Given a handler's cgroup data, return the struct hierarchy for the controller |
182 | * @c, or NULL if there is none. | |
ccb4cabe | 183 | */ |
27a5132c | 184 | struct hierarchy *get_hierarchy(struct cgroup_ops *ops, const char *controller) |
ccb4cabe SH |
185 | { |
186 | int i; | |
187 | ||
27a5132c CB |
188 | errno = ENOENT; |
189 | ||
190 | if (!ops->hierarchies) { | |
191 | TRACE("There are no useable cgroup controllers"); | |
ccb4cabe | 192 | return NULL; |
27a5132c | 193 | } |
d6337a5f | 194 | |
2202afc9 | 195 | for (i = 0; ops->hierarchies[i]; i++) { |
27a5132c | 196 | if (!controller) { |
d6337a5f | 197 | /* This is the empty unified hierarchy. */ |
2202afc9 CB |
198 | if (ops->hierarchies[i]->controllers && |
199 | !ops->hierarchies[i]->controllers[0]) | |
200 | return ops->hierarchies[i]; | |
d6337a5f | 201 | |
106f1f38 | 202 | continue; |
d6337a5f CB |
203 | } |
204 | ||
27a5132c | 205 | if (string_in_list(ops->hierarchies[i]->controllers, controller)) |
2202afc9 | 206 | return ops->hierarchies[i]; |
ccb4cabe | 207 | } |
d6337a5f | 208 | |
27a5132c CB |
209 | if (controller) |
210 | WARN("There is no useable %s controller", controller); | |
211 | else | |
212 | WARN("There is no empty unified cgroup hierarchy"); | |
213 | ||
ccb4cabe SH |
214 | return NULL; |
215 | } | |
216 | ||
a54694f8 CB |
217 | #define BATCH_SIZE 50 |
218 | static void batch_realloc(char **mem, size_t oldlen, size_t newlen) | |
219 | { | |
220 | int newbatches = (newlen / BATCH_SIZE) + 1; | |
221 | int oldbatches = (oldlen / BATCH_SIZE) + 1; | |
222 | ||
223 | if (!*mem || newbatches > oldbatches) { | |
224 | *mem = must_realloc(*mem, newbatches * BATCH_SIZE); | |
225 | } | |
226 | } | |
227 | ||
228 | static void append_line(char **dest, size_t oldlen, char *new, size_t newlen) | |
229 | { | |
230 | size_t full = oldlen + newlen; | |
231 | ||
232 | batch_realloc(dest, oldlen, full + 1); | |
233 | ||
234 | memcpy(*dest + oldlen, new, newlen + 1); | |
235 | } | |
236 | ||
237 | /* Slurp in a whole file */ | |
d6337a5f | 238 | static char *read_file(const char *fnam) |
a54694f8 CB |
239 | { |
240 | FILE *f; | |
241 | char *line = NULL, *buf = NULL; | |
242 | size_t len = 0, fulllen = 0; | |
243 | int linelen; | |
244 | ||
245 | f = fopen(fnam, "r"); | |
246 | if (!f) | |
247 | return NULL; | |
248 | while ((linelen = getline(&line, &len, f)) != -1) { | |
249 | append_line(&buf, fulllen, line, linelen); | |
250 | fulllen += linelen; | |
251 | } | |
252 | fclose(f); | |
253 | free(line); | |
254 | return buf; | |
255 | } | |
256 | ||
257 | /* Taken over modified from the kernel sources. */ | |
258 | #define NBITS 32 /* bits in uint32_t */ | |
259 | #define DIV_ROUND_UP(n, d) (((n) + (d)-1) / (d)) | |
260 | #define BITS_TO_LONGS(nr) DIV_ROUND_UP(nr, NBITS) | |
261 | ||
262 | static void set_bit(unsigned bit, uint32_t *bitarr) | |
263 | { | |
264 | bitarr[bit / NBITS] |= (1 << (bit % NBITS)); | |
265 | } | |
266 | ||
267 | static void clear_bit(unsigned bit, uint32_t *bitarr) | |
268 | { | |
269 | bitarr[bit / NBITS] &= ~(1 << (bit % NBITS)); | |
270 | } | |
271 | ||
272 | static bool is_set(unsigned bit, uint32_t *bitarr) | |
273 | { | |
274 | return (bitarr[bit / NBITS] & (1 << (bit % NBITS))) != 0; | |
275 | } | |
276 | ||
277 | /* Create cpumask from cpulist aka turn: | |
278 | * | |
279 | * 0,2-3 | |
280 | * | |
d5d468f6 | 281 | * into bit array |
a54694f8 CB |
282 | * |
283 | * 1 0 1 1 | |
284 | */ | |
285 | static uint32_t *lxc_cpumask(char *buf, size_t nbits) | |
286 | { | |
287 | char *token; | |
d5d468f6 CB |
288 | size_t arrlen; |
289 | uint32_t *bitarr; | |
d5d468f6 CB |
290 | |
291 | arrlen = BITS_TO_LONGS(nbits); | |
292 | bitarr = calloc(arrlen, sizeof(uint32_t)); | |
a54694f8 CB |
293 | if (!bitarr) |
294 | return NULL; | |
295 | ||
0be0d78f | 296 | lxc_iterate_parts(token, buf, ",") { |
a54694f8 | 297 | errno = 0; |
d5d468f6 CB |
298 | unsigned end, start; |
299 | char *range; | |
a54694f8 | 300 | |
d5d468f6 CB |
301 | start = strtoul(token, NULL, 0); |
302 | end = start; | |
303 | range = strchr(token, '-'); | |
a54694f8 CB |
304 | if (range) |
305 | end = strtoul(range + 1, NULL, 0); | |
d5d468f6 | 306 | |
a54694f8 CB |
307 | if (!(start <= end)) { |
308 | free(bitarr); | |
309 | return NULL; | |
310 | } | |
311 | ||
312 | if (end >= nbits) { | |
313 | free(bitarr); | |
314 | return NULL; | |
315 | } | |
316 | ||
317 | while (start <= end) | |
318 | set_bit(start++, bitarr); | |
319 | } | |
320 | ||
321 | return bitarr; | |
322 | } | |
323 | ||
a54694f8 CB |
324 | /* Turn cpumask into simple, comma-separated cpulist. */ |
325 | static char *lxc_cpumask_to_cpulist(uint32_t *bitarr, size_t nbits) | |
326 | { | |
a54694f8 | 327 | int ret; |
414c6719 | 328 | size_t i; |
a54694f8 | 329 | char **cpulist = NULL; |
c19ad94b | 330 | char numstr[INTTYPE_TO_STRLEN(size_t)] = {0}; |
a54694f8 CB |
331 | |
332 | for (i = 0; i <= nbits; i++) { | |
414c6719 CB |
333 | if (!is_set(i, bitarr)) |
334 | continue; | |
335 | ||
979a0d93 CB |
336 | ret = snprintf(numstr, sizeof(numstr), "%zu", i); |
337 | if (ret < 0 || (size_t)ret >= sizeof(numstr)) { | |
414c6719 CB |
338 | lxc_free_array((void **)cpulist, free); |
339 | return NULL; | |
340 | } | |
341 | ||
342 | ret = lxc_append_string(&cpulist, numstr); | |
343 | if (ret < 0) { | |
344 | lxc_free_array((void **)cpulist, free); | |
345 | return NULL; | |
a54694f8 CB |
346 | } |
347 | } | |
414c6719 CB |
348 | |
349 | if (!cpulist) | |
350 | return NULL; | |
351 | ||
a54694f8 CB |
352 | return lxc_string_join(",", (const char **)cpulist, false); |
353 | } | |
354 | ||
355 | static ssize_t get_max_cpus(char *cpulist) | |
356 | { | |
357 | char *c1, *c2; | |
358 | char *maxcpus = cpulist; | |
359 | size_t cpus = 0; | |
360 | ||
361 | c1 = strrchr(maxcpus, ','); | |
362 | if (c1) | |
363 | c1++; | |
364 | ||
365 | c2 = strrchr(maxcpus, '-'); | |
366 | if (c2) | |
367 | c2++; | |
368 | ||
369 | if (!c1 && !c2) | |
370 | c1 = maxcpus; | |
371 | else if (c1 > c2) | |
372 | c2 = c1; | |
373 | else if (c1 < c2) | |
374 | c1 = c2; | |
333987b9 | 375 | else if (!c1 && c2) |
a54694f8 CB |
376 | c1 = c2; |
377 | ||
a54694f8 CB |
378 | errno = 0; |
379 | cpus = strtoul(c1, NULL, 0); | |
380 | if (errno != 0) | |
381 | return -1; | |
382 | ||
383 | return cpus; | |
384 | } | |
385 | ||
6f9584d8 | 386 | #define __ISOL_CPUS "/sys/devices/system/cpu/isolated" |
a3926f6a | 387 | static bool cg_legacy_filter_and_set_cpus(char *path, bool am_initialized) |
a54694f8 | 388 | { |
a54694f8 CB |
389 | int ret; |
390 | ssize_t i; | |
59ac3b88 CB |
391 | char *lastslash, *fpath, oldv; |
392 | ssize_t maxisol = 0, maxposs = 0; | |
393 | char *cpulist = NULL, *isolcpus = NULL, *posscpus = NULL; | |
394 | uint32_t *isolmask = NULL, *possmask = NULL; | |
6f9584d8 | 395 | bool bret = false, flipped_bit = false; |
a54694f8 CB |
396 | |
397 | lastslash = strrchr(path, '/'); | |
59ac3b88 CB |
398 | if (!lastslash) { |
399 | ERROR("Failed to detect \"/\" in \"%s\"", path); | |
a54694f8 CB |
400 | return bret; |
401 | } | |
402 | oldv = *lastslash; | |
403 | *lastslash = '\0'; | |
404 | fpath = must_make_path(path, "cpuset.cpus", NULL); | |
405 | posscpus = read_file(fpath); | |
6f9584d8 | 406 | if (!posscpus) { |
59ac3b88 | 407 | SYSERROR("Failed to read file \"%s\"", fpath); |
6f9584d8 CB |
408 | goto on_error; |
409 | } | |
a54694f8 CB |
410 | |
411 | /* Get maximum number of cpus found in possible cpuset. */ | |
412 | maxposs = get_max_cpus(posscpus); | |
92d5ea57 | 413 | if (maxposs < 0 || maxposs >= INT_MAX - 1) |
6f9584d8 | 414 | goto on_error; |
a54694f8 | 415 | |
6f9584d8 CB |
416 | if (!file_exists(__ISOL_CPUS)) { |
417 | /* This system doesn't expose isolated cpus. */ | |
59ac3b88 | 418 | DEBUG("The path \""__ISOL_CPUS"\" to read isolated cpus from does not exist"); |
65d29cbc CB |
419 | cpulist = posscpus; |
420 | /* No isolated cpus but we weren't already initialized by | |
421 | * someone. We should simply copy the parents cpuset.cpus | |
422 | * values. | |
423 | */ | |
424 | if (!am_initialized) { | |
59ac3b88 | 425 | DEBUG("Copying cpu settings of parent cgroup"); |
65d29cbc CB |
426 | goto copy_parent; |
427 | } | |
428 | /* No isolated cpus but we were already initialized by someone. | |
429 | * Nothing more to do for us. | |
430 | */ | |
6f9584d8 CB |
431 | goto on_success; |
432 | } | |
433 | ||
434 | isolcpus = read_file(__ISOL_CPUS); | |
435 | if (!isolcpus) { | |
59ac3b88 | 436 | SYSERROR("Failed to read file \""__ISOL_CPUS"\""); |
6f9584d8 CB |
437 | goto on_error; |
438 | } | |
a54694f8 | 439 | if (!isdigit(isolcpus[0])) { |
59ac3b88 | 440 | TRACE("No isolated cpus detected"); |
a54694f8 CB |
441 | cpulist = posscpus; |
442 | /* No isolated cpus but we weren't already initialized by | |
443 | * someone. We should simply copy the parents cpuset.cpus | |
444 | * values. | |
445 | */ | |
6f9584d8 | 446 | if (!am_initialized) { |
59ac3b88 | 447 | DEBUG("Copying cpu settings of parent cgroup"); |
a54694f8 | 448 | goto copy_parent; |
6f9584d8 | 449 | } |
a54694f8 CB |
450 | /* No isolated cpus but we were already initialized by someone. |
451 | * Nothing more to do for us. | |
452 | */ | |
6f9584d8 | 453 | goto on_success; |
a54694f8 CB |
454 | } |
455 | ||
456 | /* Get maximum number of cpus found in isolated cpuset. */ | |
457 | maxisol = get_max_cpus(isolcpus); | |
92d5ea57 | 458 | if (maxisol < 0 || maxisol >= INT_MAX - 1) |
6f9584d8 | 459 | goto on_error; |
a54694f8 CB |
460 | |
461 | if (maxposs < maxisol) | |
462 | maxposs = maxisol; | |
463 | maxposs++; | |
464 | ||
465 | possmask = lxc_cpumask(posscpus, maxposs); | |
6f9584d8 | 466 | if (!possmask) { |
59ac3b88 | 467 | ERROR("Failed to create cpumask for possible cpus"); |
6f9584d8 CB |
468 | goto on_error; |
469 | } | |
a54694f8 CB |
470 | |
471 | isolmask = lxc_cpumask(isolcpus, maxposs); | |
6f9584d8 | 472 | if (!isolmask) { |
59ac3b88 | 473 | ERROR("Failed to create cpumask for isolated cpus"); |
6f9584d8 CB |
474 | goto on_error; |
475 | } | |
a54694f8 CB |
476 | |
477 | for (i = 0; i <= maxposs; i++) { | |
59ac3b88 CB |
478 | if (!is_set(i, isolmask) || !is_set(i, possmask)) |
479 | continue; | |
480 | ||
481 | flipped_bit = true; | |
482 | clear_bit(i, possmask); | |
a54694f8 CB |
483 | } |
484 | ||
6f9584d8 | 485 | if (!flipped_bit) { |
59ac3b88 | 486 | DEBUG("No isolated cpus present in cpuset"); |
6f9584d8 CB |
487 | goto on_success; |
488 | } | |
59ac3b88 | 489 | DEBUG("Removed isolated cpus from cpuset"); |
6f9584d8 | 490 | |
a54694f8 | 491 | cpulist = lxc_cpumask_to_cpulist(possmask, maxposs); |
6f9584d8 | 492 | if (!cpulist) { |
59ac3b88 | 493 | ERROR("Failed to create cpu list"); |
6f9584d8 CB |
494 | goto on_error; |
495 | } | |
a54694f8 CB |
496 | |
497 | copy_parent: | |
498 | *lastslash = oldv; | |
dcbc861e | 499 | free(fpath); |
a54694f8 | 500 | fpath = must_make_path(path, "cpuset.cpus", NULL); |
7cea5905 | 501 | ret = lxc_write_to_file(fpath, cpulist, strlen(cpulist), false, 0666); |
6f9584d8 | 502 | if (ret < 0) { |
59ac3b88 | 503 | SYSERROR("Failed to write cpu list to \"%s\"", fpath); |
6f9584d8 CB |
504 | goto on_error; |
505 | } | |
506 | ||
507 | on_success: | |
508 | bret = true; | |
a54694f8 | 509 | |
6f9584d8 | 510 | on_error: |
a54694f8 CB |
511 | free(fpath); |
512 | ||
513 | free(isolcpus); | |
514 | free(isolmask); | |
515 | ||
516 | if (posscpus != cpulist) | |
517 | free(posscpus); | |
518 | free(possmask); | |
519 | ||
520 | free(cpulist); | |
521 | return bret; | |
522 | } | |
523 | ||
e3a3fecf SH |
524 | /* Copy contents of parent(@path)/@file to @path/@file */ |
525 | static bool copy_parent_file(char *path, char *file) | |
526 | { | |
e3a3fecf | 527 | int ret; |
b095a8eb CB |
528 | char *fpath, *lastslash, oldv; |
529 | int len = 0; | |
530 | char *value = NULL; | |
e3a3fecf SH |
531 | |
532 | lastslash = strrchr(path, '/'); | |
b095a8eb CB |
533 | if (!lastslash) { |
534 | ERROR("Failed to detect \"/\" in \"%s\"", path); | |
e3a3fecf SH |
535 | return false; |
536 | } | |
537 | oldv = *lastslash; | |
538 | *lastslash = '\0'; | |
539 | fpath = must_make_path(path, file, NULL); | |
540 | len = lxc_read_from_file(fpath, NULL, 0); | |
541 | if (len <= 0) | |
b095a8eb CB |
542 | goto on_error; |
543 | ||
e3a3fecf | 544 | value = must_alloc(len + 1); |
b095a8eb CB |
545 | ret = lxc_read_from_file(fpath, value, len); |
546 | if (ret != len) | |
547 | goto on_error; | |
e3a3fecf | 548 | free(fpath); |
b095a8eb | 549 | |
e3a3fecf SH |
550 | *lastslash = oldv; |
551 | fpath = must_make_path(path, file, NULL); | |
7cea5905 | 552 | ret = lxc_write_to_file(fpath, value, len, false, 0666); |
e3a3fecf | 553 | if (ret < 0) |
b095a8eb | 554 | SYSERROR("Failed to write \"%s\" to file \"%s\"", value, fpath); |
e3a3fecf SH |
555 | free(fpath); |
556 | free(value); | |
557 | return ret >= 0; | |
558 | ||
b095a8eb CB |
559 | on_error: |
560 | SYSERROR("Failed to read file \"%s\"", fpath); | |
e3a3fecf SH |
561 | free(fpath); |
562 | free(value); | |
563 | return false; | |
564 | } | |
565 | ||
7793add3 CB |
566 | /* Initialize the cpuset hierarchy in first directory of @gname and set |
567 | * cgroup.clone_children so that children inherit settings. Since the | |
568 | * h->base_path is populated by init or ourselves, we know it is already | |
569 | * initialized. | |
e3a3fecf | 570 | */ |
a3926f6a | 571 | static bool cg_legacy_handle_cpuset_hierarchy(struct hierarchy *h, char *cgname) |
e3a3fecf | 572 | { |
7793add3 CB |
573 | int ret; |
574 | char v; | |
575 | char *cgpath, *clonechildrenpath, *slash; | |
e3a3fecf SH |
576 | |
577 | if (!string_in_list(h->controllers, "cpuset")) | |
578 | return true; | |
579 | ||
580 | if (*cgname == '/') | |
581 | cgname++; | |
582 | slash = strchr(cgname, '/'); | |
583 | if (slash) | |
584 | *slash = '\0'; | |
585 | ||
bb221ad1 | 586 | cgpath = must_make_path(h->mountpoint, h->container_base_path, cgname, NULL); |
e3a3fecf SH |
587 | if (slash) |
588 | *slash = '/'; | |
7793add3 CB |
589 | |
590 | ret = mkdir(cgpath, 0755); | |
591 | if (ret < 0) { | |
592 | if (errno != EEXIST) { | |
593 | SYSERROR("Failed to create directory \"%s\"", cgpath); | |
594 | free(cgpath); | |
595 | return false; | |
596 | } | |
e3a3fecf | 597 | } |
6f9584d8 | 598 | |
f8390327 | 599 | clonechildrenpath = must_make_path(cgpath, "cgroup.clone_children", NULL); |
6328fd9c CB |
600 | /* unified hierarchy doesn't have clone_children */ |
601 | if (!file_exists(clonechildrenpath)) { | |
e3a3fecf SH |
602 | free(clonechildrenpath); |
603 | free(cgpath); | |
604 | return true; | |
605 | } | |
7793add3 CB |
606 | |
607 | ret = lxc_read_from_file(clonechildrenpath, &v, 1); | |
608 | if (ret < 0) { | |
609 | SYSERROR("Failed to read file \"%s\"", clonechildrenpath); | |
e3a3fecf SH |
610 | free(clonechildrenpath); |
611 | free(cgpath); | |
612 | return false; | |
613 | } | |
614 | ||
a54694f8 | 615 | /* Make sure any isolated cpus are removed from cpuset.cpus. */ |
a3926f6a | 616 | if (!cg_legacy_filter_and_set_cpus(cgpath, v == '1')) { |
7793add3 | 617 | SYSERROR("Failed to remove isolated cpus"); |
6f9584d8 CB |
618 | free(clonechildrenpath); |
619 | free(cgpath); | |
a54694f8 | 620 | return false; |
6f9584d8 | 621 | } |
a54694f8 | 622 | |
7793add3 CB |
623 | /* Already set for us by someone else. */ |
624 | if (v == '1') { | |
625 | DEBUG("\"cgroup.clone_children\" was already set to \"1\""); | |
e3a3fecf SH |
626 | free(clonechildrenpath); |
627 | free(cgpath); | |
628 | return true; | |
629 | } | |
630 | ||
631 | /* copy parent's settings */ | |
a54694f8 | 632 | if (!copy_parent_file(cgpath, "cpuset.mems")) { |
7793add3 | 633 | SYSERROR("Failed to copy \"cpuset.mems\" settings"); |
e3a3fecf SH |
634 | free(cgpath); |
635 | free(clonechildrenpath); | |
636 | return false; | |
637 | } | |
638 | free(cgpath); | |
639 | ||
7cea5905 | 640 | ret = lxc_write_to_file(clonechildrenpath, "1", 1, false, 0666); |
7793add3 | 641 | if (ret < 0) { |
e3a3fecf | 642 | /* Set clone_children so children inherit our settings */ |
7793add3 | 643 | SYSERROR("Failed to write 1 to \"%s\"", clonechildrenpath); |
e3a3fecf SH |
644 | free(clonechildrenpath); |
645 | return false; | |
646 | } | |
647 | free(clonechildrenpath); | |
648 | return true; | |
649 | } | |
650 | ||
5c0089ae CB |
651 | /* Given two null-terminated lists of strings, return true if any string is in |
652 | * both. | |
ccb4cabe SH |
653 | */ |
654 | static bool controller_lists_intersect(char **l1, char **l2) | |
655 | { | |
656 | int i; | |
657 | ||
658 | if (!l1 || !l2) | |
659 | return false; | |
660 | ||
661 | for (i = 0; l1[i]; i++) { | |
662 | if (string_in_list(l2, l1[i])) | |
663 | return true; | |
664 | } | |
5c0089ae | 665 | |
ccb4cabe SH |
666 | return false; |
667 | } | |
668 | ||
258449e5 CB |
669 | /* For a null-terminated list of controllers @clist, return true if any of those |
670 | * controllers is already listed the null-terminated list of hierarchies @hlist. | |
671 | * Realistically, if one is present, all must be present. | |
ccb4cabe SH |
672 | */ |
673 | static bool controller_list_is_dup(struct hierarchy **hlist, char **clist) | |
674 | { | |
675 | int i; | |
676 | ||
677 | if (!hlist) | |
678 | return false; | |
258449e5 | 679 | |
ccb4cabe SH |
680 | for (i = 0; hlist[i]; i++) |
681 | if (controller_lists_intersect(hlist[i]->controllers, clist)) | |
682 | return true; | |
ccb4cabe | 683 | |
258449e5 | 684 | return false; |
ccb4cabe SH |
685 | } |
686 | ||
f57ac67f CB |
687 | /* Return true if the controller @entry is found in the null-terminated list of |
688 | * hierarchies @hlist. | |
ccb4cabe SH |
689 | */ |
690 | static bool controller_found(struct hierarchy **hlist, char *entry) | |
691 | { | |
692 | int i; | |
d6337a5f | 693 | |
ccb4cabe SH |
694 | if (!hlist) |
695 | return false; | |
696 | ||
697 | for (i = 0; hlist[i]; i++) | |
698 | if (string_in_list(hlist[i]->controllers, entry)) | |
699 | return true; | |
d6337a5f | 700 | |
ccb4cabe SH |
701 | return false; |
702 | } | |
703 | ||
e1c27ab0 CB |
704 | /* Return true if all of the controllers which we require have been found. The |
705 | * required list is freezer and anything in lxc.cgroup.use. | |
ccb4cabe | 706 | */ |
2202afc9 | 707 | static bool all_controllers_found(struct cgroup_ops *ops) |
ccb4cabe | 708 | { |
b7b18fc5 | 709 | char **cur; |
2202afc9 | 710 | struct hierarchy **hlist = ops->hierarchies; |
ccb4cabe | 711 | |
ccb4cabe | 712 | if (!controller_found(hlist, "freezer")) { |
2202afc9 | 713 | ERROR("No freezer controller mountpoint found"); |
ccb4cabe SH |
714 | return false; |
715 | } | |
716 | ||
2202afc9 | 717 | if (!ops->cgroup_use) |
ccb4cabe | 718 | return true; |
c2712f64 | 719 | |
b7b18fc5 CB |
720 | for (cur = ops->cgroup_use; cur && *cur; cur++) |
721 | if (!controller_found(hlist, *cur)) { | |
722 | ERROR("No %s controller mountpoint found", *cur); | |
ccb4cabe SH |
723 | return false; |
724 | } | |
c2712f64 | 725 | |
ccb4cabe SH |
726 | return true; |
727 | } | |
728 | ||
f205f10c CB |
729 | /* Get the controllers from a mountinfo line There are other ways we could get |
730 | * this info. For lxcfs, field 3 is /cgroup/controller-list. For cgroupfs, we | |
731 | * could parse the mount options. But we simply assume that the mountpoint must | |
732 | * be /sys/fs/cgroup/controller-list | |
ccb4cabe | 733 | */ |
a3926f6a CB |
734 | static char **cg_hybrid_get_controllers(char **klist, char **nlist, char *line, |
735 | int type) | |
ccb4cabe | 736 | { |
f205f10c CB |
737 | /* The fourth field is /sys/fs/cgroup/comma-delimited-controller-list |
738 | * for legacy hierarchies. | |
739 | */ | |
ccb4cabe | 740 | int i; |
411ac6d8 | 741 | char *dup, *p2, *tok; |
0be0d78f | 742 | char *p = line, *sep = ","; |
411ac6d8 | 743 | char **aret = NULL; |
6328fd9c | 744 | |
ccb4cabe | 745 | for (i = 0; i < 4; i++) { |
235f1815 | 746 | p = strchr(p, ' '); |
ccb4cabe SH |
747 | if (!p) |
748 | return NULL; | |
749 | p++; | |
750 | } | |
a55f31bd | 751 | |
f205f10c CB |
752 | /* Note, if we change how mountinfo works, then our caller will need to |
753 | * verify /sys/fs/cgroup/ in this field. | |
754 | */ | |
755 | if (strncmp(p, "/sys/fs/cgroup/", 15) != 0) { | |
2202afc9 | 756 | ERROR("Found hierarchy not under /sys/fs/cgroup: \"%s\"", p); |
ccb4cabe | 757 | return NULL; |
5059aae9 | 758 | } |
d6337a5f | 759 | |
ccb4cabe | 760 | p += 15; |
235f1815 | 761 | p2 = strchr(p, ' '); |
ccb4cabe | 762 | if (!p2) { |
2202afc9 | 763 | ERROR("Corrupt mountinfo"); |
ccb4cabe SH |
764 | return NULL; |
765 | } | |
766 | *p2 = '\0'; | |
6328fd9c | 767 | |
d6337a5f | 768 | if (type == CGROUP_SUPER_MAGIC) { |
0be0d78f CB |
769 | /* strdup() here for v1 hierarchies. Otherwise |
770 | * lxc_iterate_parts() will destroy mountpoints such as | |
771 | * "/sys/fs/cgroup/cpu,cpuacct". | |
d6337a5f CB |
772 | */ |
773 | dup = strdup(p); | |
774 | if (!dup) | |
775 | return NULL; | |
776 | ||
0be0d78f | 777 | lxc_iterate_parts(tok, dup, sep) { |
d6337a5f | 778 | must_append_controller(klist, nlist, &aret, tok); |
0be0d78f | 779 | } |
d6337a5f CB |
780 | |
781 | free(dup); | |
411ac6d8 | 782 | } |
d6337a5f | 783 | *p2 = ' '; |
f205f10c | 784 | |
d6337a5f CB |
785 | return aret; |
786 | } | |
411ac6d8 | 787 | |
d6337a5f CB |
788 | static char **cg_unified_make_empty_controller(void) |
789 | { | |
790 | int newentry; | |
791 | char **aret = NULL; | |
792 | ||
793 | newentry = append_null_to_list((void ***)&aret); | |
794 | aret[newentry] = NULL; | |
795 | return aret; | |
796 | } | |
797 | ||
798 | static char **cg_unified_get_controllers(const char *file) | |
799 | { | |
800 | char *buf, *tok; | |
0be0d78f | 801 | char *sep = " \t\n"; |
d6337a5f CB |
802 | char **aret = NULL; |
803 | ||
804 | buf = read_file(file); | |
805 | if (!buf) | |
411ac6d8 | 806 | return NULL; |
6328fd9c | 807 | |
0be0d78f | 808 | lxc_iterate_parts(tok, buf, sep) { |
d6337a5f CB |
809 | int newentry; |
810 | char *copy; | |
811 | ||
812 | newentry = append_null_to_list((void ***)&aret); | |
813 | copy = must_copy_string(tok); | |
814 | aret[newentry] = copy; | |
ccb4cabe SH |
815 | } |
816 | ||
d6337a5f | 817 | free(buf); |
ccb4cabe SH |
818 | return aret; |
819 | } | |
820 | ||
2202afc9 | 821 | static struct hierarchy *add_hierarchy(struct hierarchy ***h, char **clist, char *mountpoint, |
bb221ad1 | 822 | char *container_base_path, int type) |
ccb4cabe SH |
823 | { |
824 | struct hierarchy *new; | |
825 | int newentry; | |
826 | ||
827 | new = must_alloc(sizeof(*new)); | |
828 | new->controllers = clist; | |
829 | new->mountpoint = mountpoint; | |
bb221ad1 | 830 | new->container_base_path = container_base_path; |
eb697136 | 831 | new->container_full_path = NULL; |
e09b62f9 | 832 | new->monitor_full_path = NULL; |
d6337a5f | 833 | new->version = type; |
6328fd9c | 834 | |
2202afc9 CB |
835 | newentry = append_null_to_list((void ***)h); |
836 | (*h)[newentry] = new; | |
d6337a5f | 837 | return new; |
ccb4cabe SH |
838 | } |
839 | ||
798c3b33 CB |
840 | /* Get a copy of the mountpoint from @line, which is a line from |
841 | * /proc/self/mountinfo. | |
ccb4cabe | 842 | */ |
a3926f6a | 843 | static char *cg_hybrid_get_mountpoint(char *line) |
ccb4cabe SH |
844 | { |
845 | int i; | |
ccb4cabe | 846 | size_t len; |
798c3b33 CB |
847 | char *p2; |
848 | char *p = line, *sret = NULL; | |
ccb4cabe SH |
849 | |
850 | for (i = 0; i < 4; i++) { | |
235f1815 | 851 | p = strchr(p, ' '); |
ccb4cabe SH |
852 | if (!p) |
853 | return NULL; | |
854 | p++; | |
855 | } | |
d6337a5f | 856 | |
798c3b33 | 857 | if (strncmp(p, "/sys/fs/cgroup/", 15) != 0) |
d6337a5f CB |
858 | return NULL; |
859 | ||
860 | p2 = strchr(p + 15, ' '); | |
861 | if (!p2) | |
862 | return NULL; | |
863 | *p2 = '\0'; | |
864 | ||
ccb4cabe SH |
865 | len = strlen(p); |
866 | sret = must_alloc(len + 1); | |
867 | memcpy(sret, p, len); | |
868 | sret[len] = '\0'; | |
869 | return sret; | |
870 | } | |
871 | ||
f523291e | 872 | /* Given a multi-line string, return a null-terminated copy of the current line. */ |
ccb4cabe SH |
873 | static char *copy_to_eol(char *p) |
874 | { | |
235f1815 | 875 | char *p2 = strchr(p, '\n'), *sret; |
ccb4cabe SH |
876 | size_t len; |
877 | ||
878 | if (!p2) | |
879 | return NULL; | |
880 | ||
881 | len = p2 - p; | |
882 | sret = must_alloc(len + 1); | |
883 | memcpy(sret, p, len); | |
884 | sret[len] = '\0'; | |
885 | return sret; | |
886 | } | |
887 | ||
bced39de CB |
888 | /* cgline: pointer to character after the first ':' in a line in a \n-terminated |
889 | * /proc/self/cgroup file. Check whether controller c is present. | |
ccb4cabe SH |
890 | */ |
891 | static bool controller_in_clist(char *cgline, char *c) | |
892 | { | |
0be0d78f | 893 | char *tok, *eol, *tmp; |
ccb4cabe SH |
894 | size_t len; |
895 | ||
235f1815 | 896 | eol = strchr(cgline, ':'); |
ccb4cabe SH |
897 | if (!eol) |
898 | return false; | |
899 | ||
900 | len = eol - cgline; | |
901 | tmp = alloca(len + 1); | |
902 | memcpy(tmp, cgline, len); | |
903 | tmp[len] = '\0'; | |
904 | ||
0be0d78f | 905 | lxc_iterate_parts(tok, tmp, ",") { |
ccb4cabe SH |
906 | if (strcmp(tok, c) == 0) |
907 | return true; | |
908 | } | |
d6337a5f | 909 | |
ccb4cabe SH |
910 | return false; |
911 | } | |
912 | ||
c3ef912e CB |
913 | /* @basecginfo is a copy of /proc/$$/cgroup. Return the current cgroup for |
914 | * @controller. | |
ccb4cabe | 915 | */ |
c3ef912e CB |
916 | static char *cg_hybrid_get_current_cgroup(char *basecginfo, char *controller, |
917 | int type) | |
ccb4cabe SH |
918 | { |
919 | char *p = basecginfo; | |
6328fd9c | 920 | |
d6337a5f CB |
921 | for (;;) { |
922 | bool is_cgv2_base_cgroup = false; | |
923 | ||
6328fd9c | 924 | /* cgroup v2 entry in "/proc/<pid>/cgroup": "0::/some/path" */ |
d6337a5f CB |
925 | if ((type == CGROUP2_SUPER_MAGIC) && (*p == '0')) |
926 | is_cgv2_base_cgroup = true; | |
ccb4cabe | 927 | |
235f1815 | 928 | p = strchr(p, ':'); |
ccb4cabe SH |
929 | if (!p) |
930 | return NULL; | |
931 | p++; | |
d6337a5f CB |
932 | |
933 | if (is_cgv2_base_cgroup || (controller && controller_in_clist(p, controller))) { | |
235f1815 | 934 | p = strchr(p, ':'); |
ccb4cabe SH |
935 | if (!p) |
936 | return NULL; | |
937 | p++; | |
938 | return copy_to_eol(p); | |
939 | } | |
940 | ||
235f1815 | 941 | p = strchr(p, '\n'); |
ccb4cabe SH |
942 | if (!p) |
943 | return NULL; | |
944 | p++; | |
945 | } | |
946 | } | |
947 | ||
ccb4cabe SH |
948 | static void must_append_string(char ***list, char *entry) |
949 | { | |
6dfb18bf | 950 | int newentry; |
ccb4cabe SH |
951 | char *copy; |
952 | ||
6dfb18bf | 953 | newentry = append_null_to_list((void ***)list); |
ccb4cabe SH |
954 | copy = must_copy_string(entry); |
955 | (*list)[newentry] = copy; | |
956 | } | |
957 | ||
d6337a5f | 958 | static int get_existing_subsystems(char ***klist, char ***nlist) |
ccb4cabe SH |
959 | { |
960 | FILE *f; | |
961 | char *line = NULL; | |
962 | size_t len = 0; | |
963 | ||
d6337a5f CB |
964 | f = fopen("/proc/self/cgroup", "r"); |
965 | if (!f) | |
966 | return -1; | |
967 | ||
ccb4cabe | 968 | while (getline(&line, &len, f) != -1) { |
0be0d78f | 969 | char *p, *p2, *tok; |
235f1815 | 970 | p = strchr(line, ':'); |
ccb4cabe SH |
971 | if (!p) |
972 | continue; | |
973 | p++; | |
235f1815 | 974 | p2 = strchr(p, ':'); |
ccb4cabe SH |
975 | if (!p2) |
976 | continue; | |
977 | *p2 = '\0'; | |
ff8d6ee9 | 978 | |
6328fd9c CB |
979 | /* If the kernel has cgroup v2 support, then /proc/self/cgroup |
980 | * contains an entry of the form: | |
ff8d6ee9 CB |
981 | * |
982 | * 0::/some/path | |
983 | * | |
6328fd9c | 984 | * In this case we use "cgroup2" as controller name. |
ff8d6ee9 | 985 | */ |
6328fd9c CB |
986 | if ((p2 - p) == 0) { |
987 | must_append_string(klist, "cgroup2"); | |
ff8d6ee9 | 988 | continue; |
6328fd9c | 989 | } |
ff8d6ee9 | 990 | |
0be0d78f | 991 | lxc_iterate_parts(tok, p, ",") { |
ccb4cabe SH |
992 | if (strncmp(tok, "name=", 5) == 0) |
993 | must_append_string(nlist, tok); | |
994 | else | |
995 | must_append_string(klist, tok); | |
996 | } | |
997 | } | |
998 | ||
999 | free(line); | |
1000 | fclose(f); | |
d6337a5f | 1001 | return 0; |
ccb4cabe SH |
1002 | } |
1003 | ||
1004 | static void trim(char *s) | |
1005 | { | |
7689dfd7 CB |
1006 | size_t len; |
1007 | ||
1008 | len = strlen(s); | |
2c28d76b | 1009 | while ((len > 1) && (s[len - 1] == '\n')) |
ccb4cabe SH |
1010 | s[--len] = '\0'; |
1011 | } | |
1012 | ||
2202afc9 | 1013 | static void lxc_cgfsng_print_hierarchies(struct cgroup_ops *ops) |
ccb4cabe SH |
1014 | { |
1015 | int i; | |
27d84737 | 1016 | struct hierarchy **it; |
41c33dbe | 1017 | |
2202afc9 CB |
1018 | if (!ops->hierarchies) { |
1019 | TRACE(" No hierarchies found"); | |
ccb4cabe SH |
1020 | return; |
1021 | } | |
27d84737 | 1022 | |
2202afc9 CB |
1023 | TRACE(" Hierarchies:"); |
1024 | for (i = 0, it = ops->hierarchies; it && *it; it++, i++) { | |
ccb4cabe | 1025 | int j; |
27d84737 CB |
1026 | char **cit; |
1027 | ||
bb221ad1 | 1028 | TRACE(" %d: base_cgroup: %s", i, (*it)->container_base_path ? (*it)->container_base_path : "(null)"); |
2202afc9 CB |
1029 | TRACE(" mountpoint: %s", (*it)->mountpoint ? (*it)->mountpoint : "(null)"); |
1030 | TRACE(" controllers:"); | |
a7b0cc4c | 1031 | for (j = 0, cit = (*it)->controllers; cit && *cit; cit++, j++) |
2202afc9 | 1032 | TRACE(" %d: %s", j, *cit); |
ccb4cabe SH |
1033 | } |
1034 | } | |
41c33dbe | 1035 | |
a3926f6a CB |
1036 | static void lxc_cgfsng_print_basecg_debuginfo(char *basecginfo, char **klist, |
1037 | char **nlist) | |
41c33dbe SH |
1038 | { |
1039 | int k; | |
a7b0cc4c | 1040 | char **it; |
41c33dbe | 1041 | |
2202afc9 CB |
1042 | TRACE("basecginfo is:"); |
1043 | TRACE("%s", basecginfo); | |
41c33dbe | 1044 | |
a7b0cc4c | 1045 | for (k = 0, it = klist; it && *it; it++, k++) |
2202afc9 | 1046 | TRACE("kernel subsystem %d: %s", k, *it); |
0f71dd9b | 1047 | |
a7b0cc4c | 1048 | for (k = 0, it = nlist; it && *it; it++, k++) |
2202afc9 | 1049 | TRACE("named subsystem %d: %s", k, *it); |
41c33dbe | 1050 | } |
ccb4cabe | 1051 | |
2202afc9 CB |
1052 | static int cgroup_rmdir(struct hierarchy **hierarchies, |
1053 | const char *container_cgroup) | |
c71d83e1 | 1054 | { |
2202afc9 | 1055 | int i; |
d6337a5f | 1056 | |
2202afc9 CB |
1057 | if (!container_cgroup || !hierarchies) |
1058 | return 0; | |
d6337a5f | 1059 | |
2202afc9 CB |
1060 | for (i = 0; hierarchies[i]; i++) { |
1061 | int ret; | |
1062 | struct hierarchy *h = hierarchies[i]; | |
d6337a5f | 1063 | |
eb697136 | 1064 | if (!h->container_full_path) |
2202afc9 CB |
1065 | continue; |
1066 | ||
eb697136 | 1067 | ret = recursive_destroy(h->container_full_path); |
2202afc9 | 1068 | if (ret < 0) |
eb697136 | 1069 | WARN("Failed to destroy \"%s\"", h->container_full_path); |
2202afc9 | 1070 | |
eb697136 CB |
1071 | free(h->container_full_path); |
1072 | h->container_full_path = NULL; | |
2202afc9 | 1073 | } |
d6337a5f | 1074 | |
c71d83e1 | 1075 | return 0; |
d6337a5f CB |
1076 | } |
1077 | ||
2202afc9 CB |
1078 | struct generic_userns_exec_data { |
1079 | struct hierarchy **hierarchies; | |
1080 | const char *container_cgroup; | |
1081 | struct lxc_conf *conf; | |
1082 | uid_t origuid; /* target uid in parent namespace */ | |
1083 | char *path; | |
1084 | }; | |
d6337a5f | 1085 | |
2202afc9 CB |
1086 | static int cgroup_rmdir_wrapper(void *data) |
1087 | { | |
1088 | int ret; | |
1089 | struct generic_userns_exec_data *arg = data; | |
1090 | uid_t nsuid = (arg->conf->root_nsuid_map != NULL) ? 0 : arg->conf->init_uid; | |
1091 | gid_t nsgid = (arg->conf->root_nsgid_map != NULL) ? 0 : arg->conf->init_gid; | |
d6337a5f | 1092 | |
2202afc9 CB |
1093 | ret = setresgid(nsgid, nsgid, nsgid); |
1094 | if (ret < 0) { | |
1095 | SYSERROR("Failed to setresgid(%d, %d, %d)", (int)nsgid, | |
1096 | (int)nsgid, (int)nsgid); | |
1097 | return -1; | |
1098 | } | |
d6337a5f | 1099 | |
2202afc9 CB |
1100 | ret = setresuid(nsuid, nsuid, nsuid); |
1101 | if (ret < 0) { | |
1102 | SYSERROR("Failed to setresuid(%d, %d, %d)", (int)nsuid, | |
1103 | (int)nsuid, (int)nsuid); | |
1104 | return -1; | |
1105 | } | |
d6337a5f | 1106 | |
2202afc9 CB |
1107 | ret = setgroups(0, NULL); |
1108 | if (ret < 0 && errno != EPERM) { | |
1109 | SYSERROR("Failed to setgroups(0, NULL)"); | |
1110 | return -1; | |
1111 | } | |
d6337a5f | 1112 | |
2202afc9 | 1113 | return cgroup_rmdir(arg->hierarchies, arg->container_cgroup); |
d6337a5f CB |
1114 | } |
1115 | ||
434c8e15 CB |
1116 | __cgfsng_ops static void cgfsng_payload_destroy(struct cgroup_ops *ops, |
1117 | struct lxc_handler *handler) | |
d6337a5f CB |
1118 | { |
1119 | int ret; | |
2202afc9 | 1120 | struct generic_userns_exec_data wrap; |
bd8ef4e4 | 1121 | |
4160c3a0 | 1122 | wrap.origuid = 0; |
2202afc9 CB |
1123 | wrap.container_cgroup = ops->container_cgroup; |
1124 | wrap.hierarchies = ops->hierarchies; | |
1125 | wrap.conf = handler->conf; | |
4160c3a0 | 1126 | |
2202afc9 CB |
1127 | if (handler->conf && !lxc_list_empty(&handler->conf->id_map)) |
1128 | ret = userns_exec_1(handler->conf, cgroup_rmdir_wrapper, &wrap, | |
bd8ef4e4 | 1129 | "cgroup_rmdir_wrapper"); |
ccb4cabe | 1130 | else |
2202afc9 | 1131 | ret = cgroup_rmdir(ops->hierarchies, ops->container_cgroup); |
bd8ef4e4 CB |
1132 | if (ret < 0) { |
1133 | WARN("Failed to destroy cgroups"); | |
ccb4cabe | 1134 | return; |
ccb4cabe | 1135 | } |
ccb4cabe SH |
1136 | } |
1137 | ||
434c8e15 CB |
1138 | __cgfsng_ops static void cgfsng_monitor_destroy(struct cgroup_ops *ops, |
1139 | struct lxc_handler *handler) | |
1140 | { | |
1141 | int len; | |
1142 | char *pivot_path; | |
1143 | struct lxc_conf *conf = handler->conf; | |
1144 | char pidstr[INTTYPE_TO_STRLEN(pid_t)]; | |
1145 | ||
1146 | if (!ops->hierarchies) | |
1147 | return; | |
1148 | ||
1149 | len = snprintf(pidstr, sizeof(pidstr), "%d", handler->monitor_pid); | |
1150 | if (len < 0 || (size_t)len >= sizeof(pidstr)) | |
1151 | return; | |
1152 | ||
1153 | for (int i = 0; ops->hierarchies[i]; i++) { | |
1154 | int ret; | |
23e5c045 | 1155 | char *chop; |
434c8e15 CB |
1156 | struct hierarchy *h = ops->hierarchies[i]; |
1157 | ||
1158 | if (!h->monitor_full_path) | |
1159 | continue; | |
1160 | ||
1161 | if (conf && conf->cgroup_meta.dir) | |
1162 | pivot_path = must_make_path(h->mountpoint, | |
1163 | h->container_base_path, | |
1164 | conf->cgroup_meta.dir, | |
625ad37b | 1165 | PIVOT_CGROUP, |
434c8e15 CB |
1166 | "cgroup.procs", NULL); |
1167 | else | |
1168 | pivot_path = must_make_path(h->mountpoint, | |
1169 | h->container_base_path, | |
625ad37b | 1170 | PIVOT_CGROUP, |
434c8e15 CB |
1171 | "cgroup.procs", NULL); |
1172 | ||
23e5c045 CB |
1173 | chop = strrchr(pivot_path, '/'); |
1174 | if (chop) | |
1175 | *chop = '\0'; | |
1176 | ||
434c8e15 CB |
1177 | ret = mkdir_p(pivot_path, 0755); |
1178 | if (ret < 0 && errno != EEXIST) | |
1179 | goto next; | |
1180 | ||
23e5c045 CB |
1181 | if (chop) |
1182 | *chop = '/'; | |
1183 | ||
434c8e15 CB |
1184 | /* Move ourselves into the pivot cgroup to delete our own |
1185 | * cgroup. | |
1186 | */ | |
1187 | ret = lxc_write_to_file(pivot_path, pidstr, len, false, 0666); | |
1188 | if (ret != 0) | |
1189 | goto next; | |
1190 | ||
1191 | ret = recursive_destroy(h->monitor_full_path); | |
1192 | if (ret < 0) | |
1193 | WARN("Failed to destroy \"%s\"", h->monitor_full_path); | |
1194 | ||
1195 | next: | |
1196 | free(pivot_path); | |
1197 | } | |
1198 | } | |
1199 | ||
a3926f6a | 1200 | static bool cg_unified_create_cgroup(struct hierarchy *h, char *cgname) |
0c3deb94 | 1201 | { |
0c3deb94 | 1202 | size_t i, parts_len; |
389d44ec | 1203 | char **it; |
0c3deb94 CB |
1204 | size_t full_len = 0; |
1205 | char *add_controllers = NULL, *cgroup = NULL; | |
1206 | char **parts = NULL; | |
1207 | bool bret = false; | |
1208 | ||
1209 | if (h->version != CGROUP2_SUPER_MAGIC) | |
1210 | return true; | |
1211 | ||
1212 | if (!h->controllers) | |
1213 | return true; | |
1214 | ||
1215 | /* For now we simply enable all controllers that we have detected by | |
1216 | * creating a string like "+memory +pids +cpu +io". | |
1217 | * TODO: In the near future we might want to support "-<controller>" | |
1218 | * etc. but whether supporting semantics like this make sense will need | |
1219 | * some thinking. | |
1220 | */ | |
1221 | for (it = h->controllers; it && *it; it++) { | |
64e82f8b DJ |
1222 | full_len += strlen(*it) + 2; |
1223 | add_controllers = must_realloc(add_controllers, full_len + 1); | |
1224 | ||
1225 | if (h->controllers[0] == *it) | |
1226 | add_controllers[0] = '\0'; | |
1227 | ||
3ebe2fbd DJ |
1228 | (void)strlcat(add_controllers, "+", full_len + 1); |
1229 | (void)strlcat(add_controllers, *it, full_len + 1); | |
64e82f8b DJ |
1230 | |
1231 | if ((it + 1) && *(it + 1)) | |
3ebe2fbd | 1232 | (void)strlcat(add_controllers, " ", full_len + 1); |
0c3deb94 CB |
1233 | } |
1234 | ||
1235 | parts = lxc_string_split(cgname, '/'); | |
1236 | if (!parts) | |
1237 | goto on_error; | |
64e82f8b | 1238 | |
0c3deb94 CB |
1239 | parts_len = lxc_array_len((void **)parts); |
1240 | if (parts_len > 0) | |
1241 | parts_len--; | |
1242 | ||
bb221ad1 | 1243 | cgroup = must_make_path(h->mountpoint, h->container_base_path, NULL); |
0c3deb94 CB |
1244 | for (i = 0; i < parts_len; i++) { |
1245 | int ret; | |
1246 | char *target; | |
1247 | ||
1248 | cgroup = must_append_path(cgroup, parts[i], NULL); | |
1249 | target = must_make_path(cgroup, "cgroup.subtree_control", NULL); | |
7cea5905 | 1250 | ret = lxc_write_to_file(target, add_controllers, full_len, false, 0666); |
0c3deb94 CB |
1251 | free(target); |
1252 | if (ret < 0) { | |
1253 | SYSERROR("Could not enable \"%s\" controllers in the " | |
1254 | "unified cgroup \"%s\"", add_controllers, cgroup); | |
1255 | goto on_error; | |
1256 | } | |
1257 | } | |
1258 | ||
1259 | bret = true; | |
1260 | ||
1261 | on_error: | |
1262 | lxc_free_array((void **)parts, free); | |
1263 | free(add_controllers); | |
1264 | free(cgroup); | |
1265 | return bret; | |
1266 | } | |
1267 | ||
6099dd5a CB |
1268 | static int mkdir_eexist_on_last(const char *dir, mode_t mode) |
1269 | { | |
1270 | const char *tmp = dir; | |
1271 | const char *orig = dir; | |
1272 | size_t orig_len; | |
1273 | ||
1274 | orig_len = strlen(dir); | |
1275 | do { | |
1276 | int ret; | |
1277 | size_t cur_len; | |
1278 | char *makeme; | |
1279 | ||
1280 | dir = tmp + strspn(tmp, "/"); | |
1281 | tmp = dir + strcspn(dir, "/"); | |
1282 | ||
1283 | errno = ENOMEM; | |
1284 | cur_len = dir - orig; | |
1285 | makeme = strndup(orig, cur_len); | |
1286 | if (!makeme) | |
1287 | return -1; | |
1288 | ||
1289 | ret = mkdir(makeme, mode); | |
1290 | if (ret < 0) { | |
1291 | if ((errno != EEXIST) || (orig_len == cur_len)) { | |
1292 | SYSERROR("Failed to create directory \"%s\"", makeme); | |
1293 | free(makeme); | |
1294 | return -1; | |
1295 | } | |
1296 | } | |
1297 | free(makeme); | |
1298 | ||
1299 | } while (tmp != dir); | |
1300 | ||
1301 | return 0; | |
1302 | } | |
1303 | ||
72068e74 CB |
1304 | static bool monitor_create_path_for_hierarchy(struct hierarchy *h, char *cgname) |
1305 | { | |
1306 | int ret; | |
1307 | ||
ef185360 CB |
1308 | if (!cg_legacy_handle_cpuset_hierarchy(h, cgname)) { |
1309 | ERROR("Failed to handle legacy cpuset controller"); | |
1310 | return false; | |
1311 | } | |
1312 | ||
72068e74 | 1313 | h->monitor_full_path = must_make_path(h->mountpoint, h->container_base_path, cgname, NULL); |
6099dd5a CB |
1314 | ret = mkdir_eexist_on_last(h->monitor_full_path, 0755); |
1315 | if (ret < 0) { | |
1316 | ERROR("Failed to create cgroup \"%s\"", h->monitor_full_path); | |
ee455be4 CB |
1317 | return false; |
1318 | } | |
72068e74 | 1319 | |
72068e74 CB |
1320 | return cg_unified_create_cgroup(h, cgname); |
1321 | } | |
1322 | ||
1323 | static bool container_create_path_for_hierarchy(struct hierarchy *h, char *cgname) | |
ccb4cabe | 1324 | { |
0c3deb94 CB |
1325 | int ret; |
1326 | ||
ef185360 CB |
1327 | if (!cg_legacy_handle_cpuset_hierarchy(h, cgname)) { |
1328 | ERROR("Failed to handle legacy cpuset controller"); | |
1329 | return false; | |
1330 | } | |
1331 | ||
bb221ad1 | 1332 | h->container_full_path = must_make_path(h->mountpoint, h->container_base_path, cgname, NULL); |
6099dd5a CB |
1333 | ret = mkdir_eexist_on_last(h->container_full_path, 0755); |
1334 | if (ret < 0) { | |
1335 | ERROR("Failed to create cgroup \"%s\"", h->container_full_path); | |
d8da679e | 1336 | return false; |
6f9584d8 | 1337 | } |
0c3deb94 | 1338 | |
a3926f6a | 1339 | return cg_unified_create_cgroup(h, cgname); |
ccb4cabe SH |
1340 | } |
1341 | ||
72068e74 | 1342 | static void remove_path_for_hierarchy(struct hierarchy *h, char *cgname, bool monitor) |
ccb4cabe | 1343 | { |
e56639fb | 1344 | int ret; |
72068e74 CB |
1345 | char *full_path; |
1346 | ||
1347 | if (monitor) | |
1348 | full_path = h->monitor_full_path; | |
1349 | else | |
1350 | full_path = h->container_full_path; | |
e56639fb | 1351 | |
72068e74 | 1352 | ret = rmdir(full_path); |
e56639fb | 1353 | if (ret < 0) |
72068e74 CB |
1354 | SYSERROR("Failed to rmdir(\"%s\") from failed creation attempt", full_path); |
1355 | ||
1356 | free(full_path); | |
1357 | ||
1358 | if (monitor) | |
1359 | h->monitor_full_path = NULL; | |
1360 | else | |
1361 | h->container_full_path = NULL; | |
1362 | } | |
1363 | ||
b857f4be | 1364 | __cgfsng_ops static inline bool cgfsng_monitor_create(struct cgroup_ops *ops, |
d28779d9 | 1365 | struct lxc_handler *handler) |
72068e74 | 1366 | { |
5ce03bc0 | 1367 | char *monitor_cgroup, *offset, *tmp; |
ebc10afe | 1368 | int i, idx = 0; |
5ce03bc0 | 1369 | size_t len; |
72068e74 CB |
1370 | bool bret = false; |
1371 | struct lxc_conf *conf = handler->conf; | |
1372 | ||
1373 | if (!conf) | |
1374 | return bret; | |
e56639fb | 1375 | |
72068e74 | 1376 | if (conf->cgroup_meta.dir) |
5ce03bc0 CB |
1377 | tmp = lxc_string_join("/", |
1378 | (const char *[]){conf->cgroup_meta.dir, | |
1379 | ops->monitor_pattern, | |
1380 | handler->name, NULL}, | |
1381 | false); | |
72068e74 | 1382 | else |
5ce03bc0 CB |
1383 | tmp = must_make_path(ops->monitor_pattern, handler->name, NULL); |
1384 | if (!tmp) | |
72068e74 CB |
1385 | return bret; |
1386 | ||
5ce03bc0 | 1387 | len = strlen(tmp) + 5; /* leave room for -NNN\0 */ |
5407d095 | 1388 | monitor_cgroup = must_realloc(tmp, len); |
5ce03bc0 | 1389 | offset = monitor_cgroup + len - 5; |
5407d095 | 1390 | *offset = 0; |
5ce03bc0 CB |
1391 | |
1392 | do { | |
1393 | if (idx) { | |
1394 | int ret = snprintf(offset, 5, "-%d", idx); | |
1395 | if (ret < 0 || (size_t)ret >= 5) | |
1396 | goto on_error; | |
72068e74 | 1397 | } |
72068e74 | 1398 | |
ebc10afe | 1399 | for (i = 0; ops->hierarchies[i]; i++) { |
5ce03bc0 CB |
1400 | if (!monitor_create_path_for_hierarchy(ops->hierarchies[i], monitor_cgroup)) { |
1401 | ERROR("Failed to create cgroup \"%s\"", ops->hierarchies[i]->monitor_full_path); | |
1402 | free(ops->hierarchies[i]->container_full_path); | |
1403 | ops->hierarchies[i]->container_full_path = NULL; | |
1404 | ||
1405 | for (int j = 0; j < i; j++) | |
1406 | remove_path_for_hierarchy(ops->hierarchies[j], monitor_cgroup, true); | |
1407 | ||
1408 | idx++; | |
1409 | break; | |
1410 | } | |
1411 | } | |
ebc10afe | 1412 | } while (ops->hierarchies[i] && idx > 0 && idx < 1000); |
5ce03bc0 | 1413 | |
529822a4 | 1414 | if (idx < 1000) { |
5ce03bc0 | 1415 | bret = true; |
529822a4 CB |
1416 | INFO("The monitor process uses \"%s\" as cgroup", monitor_cgroup); |
1417 | } | |
72068e74 CB |
1418 | |
1419 | on_error: | |
1420 | free(monitor_cgroup); | |
1421 | ||
1422 | return bret; | |
ccb4cabe SH |
1423 | } |
1424 | ||
cecad0c1 CB |
1425 | /* Try to create the same cgroup in all hierarchies. Start with cgroup_pattern; |
1426 | * next cgroup_pattern-1, -2, ..., -999. | |
ccb4cabe | 1427 | */ |
b857f4be | 1428 | __cgfsng_ops static inline bool cgfsng_payload_create(struct cgroup_ops *ops, |
6439f06e | 1429 | struct lxc_handler *handler) |
ccb4cabe | 1430 | { |
bb30b52a | 1431 | int i; |
ccb4cabe | 1432 | size_t len; |
0c3deb94 | 1433 | char *container_cgroup, *offset, *tmp; |
7d531e9b | 1434 | int idx = 0; |
2202afc9 | 1435 | struct lxc_conf *conf = handler->conf; |
ccb4cabe | 1436 | |
2202afc9 CB |
1437 | if (ops->container_cgroup) { |
1438 | WARN("cgfsng_create called a second time: %s", ops->container_cgroup); | |
ccb4cabe | 1439 | return false; |
2202afc9 | 1440 | } |
43654d34 | 1441 | |
2202afc9 | 1442 | if (!conf) |
ccb4cabe | 1443 | return false; |
ccb4cabe | 1444 | |
2202afc9 | 1445 | if (conf->cgroup_meta.dir) |
3ec12d39 | 1446 | tmp = lxc_string_join("/", (const char *[]){conf->cgroup_meta.dir, handler->name, NULL}, false); |
43654d34 | 1447 | else |
2202afc9 | 1448 | tmp = lxc_string_replace("%n", handler->name, ops->cgroup_pattern); |
ccb4cabe SH |
1449 | if (!tmp) { |
1450 | ERROR("Failed expanding cgroup name pattern"); | |
1451 | return false; | |
1452 | } | |
64e82f8b | 1453 | |
1a0e70ac | 1454 | len = strlen(tmp) + 5; /* leave room for -NNN\0 */ |
0c3deb94 | 1455 | container_cgroup = must_alloc(len); |
64e82f8b | 1456 | (void)strlcpy(container_cgroup, tmp, len); |
ccb4cabe | 1457 | free(tmp); |
0c3deb94 | 1458 | offset = container_cgroup + len - 5; |
ccb4cabe SH |
1459 | |
1460 | again: | |
95adfe93 SH |
1461 | if (idx == 1000) { |
1462 | ERROR("Too many conflicting cgroup names"); | |
ccb4cabe | 1463 | goto out_free; |
95adfe93 | 1464 | } |
cecad0c1 | 1465 | |
66b66624 | 1466 | if (idx) { |
bb30b52a CB |
1467 | int ret; |
1468 | ||
66b66624 CB |
1469 | ret = snprintf(offset, 5, "-%d", idx); |
1470 | if (ret < 0 || (size_t)ret >= 5) { | |
1471 | FILE *f = fopen("/dev/null", "w"); | |
97ebced3 | 1472 | if (f) { |
66b66624 CB |
1473 | fprintf(f, "Workaround for GCC7 bug: " |
1474 | "https://gcc.gnu.org/bugzilla/" | |
1475 | "show_bug.cgi?id=78969"); | |
1476 | fclose(f); | |
1477 | } | |
1478 | } | |
1479 | } | |
cecad0c1 | 1480 | |
2202afc9 | 1481 | for (i = 0; ops->hierarchies[i]; i++) { |
72068e74 | 1482 | if (!container_create_path_for_hierarchy(ops->hierarchies[i], container_cgroup)) { |
eb697136 CB |
1483 | ERROR("Failed to create cgroup \"%s\"", ops->hierarchies[i]->container_full_path); |
1484 | free(ops->hierarchies[i]->container_full_path); | |
1485 | ops->hierarchies[i]->container_full_path = NULL; | |
72068e74 CB |
1486 | for (int j = 0; j < i; j++) |
1487 | remove_path_for_hierarchy(ops->hierarchies[j], container_cgroup, false); | |
ccb4cabe SH |
1488 | idx++; |
1489 | goto again; | |
1490 | } | |
1491 | } | |
cecad0c1 | 1492 | |
2202afc9 | 1493 | ops->container_cgroup = container_cgroup; |
529822a4 | 1494 | INFO("The container uses \"%s\" as cgroup", container_cgroup); |
cecad0c1 | 1495 | |
ccb4cabe SH |
1496 | return true; |
1497 | ||
1498 | out_free: | |
0c3deb94 | 1499 | free(container_cgroup); |
cecad0c1 | 1500 | |
ccb4cabe SH |
1501 | return false; |
1502 | } | |
1503 | ||
b857f4be | 1504 | __cgfsng_ops static bool __do_cgroup_enter(struct cgroup_ops *ops, pid_t pid, |
eeef32bb | 1505 | bool monitor) |
ccb4cabe | 1506 | { |
eeef32bb | 1507 | int len; |
a3650c0c | 1508 | char pidstr[INTTYPE_TO_STRLEN(pid_t)]; |
ccb4cabe | 1509 | |
a3650c0c CB |
1510 | len = snprintf(pidstr, sizeof(pidstr), "%d", pid); |
1511 | if (len < 0 || (size_t)len >= sizeof(pidstr)) | |
ccb4cabe SH |
1512 | return false; |
1513 | ||
eeef32bb | 1514 | for (int i = 0; ops->hierarchies[i]; i++) { |
08768001 | 1515 | int ret; |
eeef32bb | 1516 | char *path; |
08768001 | 1517 | |
eeef32bb CB |
1518 | if (monitor) |
1519 | path = must_make_path(ops->hierarchies[i]->monitor_full_path, | |
1520 | "cgroup.procs", NULL); | |
1521 | else | |
1522 | path = must_make_path(ops->hierarchies[i]->container_full_path, | |
1523 | "cgroup.procs", NULL); | |
1524 | ret = lxc_write_to_file(path, pidstr, len, false, 0666); | |
08768001 | 1525 | if (ret != 0) { |
eeef32bb CB |
1526 | SYSERROR("Failed to enter cgroup \"%s\"", path); |
1527 | free(path); | |
ccb4cabe SH |
1528 | return false; |
1529 | } | |
eeef32bb | 1530 | free(path); |
ccb4cabe SH |
1531 | } |
1532 | ||
1533 | return true; | |
1534 | } | |
1535 | ||
b857f4be | 1536 | __cgfsng_ops static bool cgfsng_monitor_enter(struct cgroup_ops *ops, pid_t pid) |
eeef32bb CB |
1537 | { |
1538 | return __do_cgroup_enter(ops, pid, true); | |
1539 | } | |
1540 | ||
1541 | static bool cgfsng_payload_enter(struct cgroup_ops *ops, pid_t pid) | |
1542 | { | |
1543 | return __do_cgroup_enter(ops, pid, false); | |
1544 | } | |
1545 | ||
6efacf80 CB |
1546 | static int chowmod(char *path, uid_t chown_uid, gid_t chown_gid, |
1547 | mode_t chmod_mode) | |
1548 | { | |
1549 | int ret; | |
1550 | ||
1551 | ret = chown(path, chown_uid, chown_gid); | |
1552 | if (ret < 0) { | |
a24c5678 | 1553 | SYSWARN("Failed to chown(%s, %d, %d)", path, (int)chown_uid, (int)chown_gid); |
6efacf80 CB |
1554 | return -1; |
1555 | } | |
1556 | ||
1557 | ret = chmod(path, chmod_mode); | |
1558 | if (ret < 0) { | |
a24c5678 | 1559 | SYSWARN("Failed to chmod(%s, %d)", path, (int)chmod_mode); |
6efacf80 CB |
1560 | return -1; |
1561 | } | |
1562 | ||
1563 | return 0; | |
1564 | } | |
1565 | ||
1566 | /* chgrp the container cgroups to container group. We leave | |
c0888dfe SH |
1567 | * the container owner as cgroup owner. So we must make the |
1568 | * directories 775 so that the container can create sub-cgroups. | |
43647298 SH |
1569 | * |
1570 | * Also chown the tasks and cgroup.procs files. Those may not | |
1571 | * exist depending on kernel version. | |
c0888dfe | 1572 | */ |
ccb4cabe SH |
1573 | static int chown_cgroup_wrapper(void *data) |
1574 | { | |
6efacf80 | 1575 | int i, ret; |
4160c3a0 CB |
1576 | uid_t destuid; |
1577 | struct generic_userns_exec_data *arg = data; | |
1578 | uid_t nsuid = (arg->conf->root_nsuid_map != NULL) ? 0 : arg->conf->init_uid; | |
1579 | gid_t nsgid = (arg->conf->root_nsgid_map != NULL) ? 0 : arg->conf->init_gid; | |
ccb4cabe | 1580 | |
6efacf80 CB |
1581 | ret = setresgid(nsgid, nsgid, nsgid); |
1582 | if (ret < 0) { | |
1583 | SYSERROR("Failed to setresgid(%d, %d, %d)", | |
1584 | (int)nsgid, (int)nsgid, (int)nsgid); | |
1585 | return -1; | |
1586 | } | |
1587 | ||
1588 | ret = setresuid(nsuid, nsuid, nsuid); | |
1589 | if (ret < 0) { | |
1590 | SYSERROR("Failed to setresuid(%d, %d, %d)", | |
1591 | (int)nsuid, (int)nsuid, (int)nsuid); | |
1592 | return -1; | |
1593 | } | |
1594 | ||
1595 | ret = setgroups(0, NULL); | |
1596 | if (ret < 0 && errno != EPERM) { | |
1597 | SYSERROR("Failed to setgroups(0, NULL)"); | |
1598 | return -1; | |
1599 | } | |
ccb4cabe SH |
1600 | |
1601 | destuid = get_ns_uid(arg->origuid); | |
b962868f CB |
1602 | if (destuid == LXC_INVALID_UID) |
1603 | destuid = 0; | |
ccb4cabe | 1604 | |
2202afc9 | 1605 | for (i = 0; arg->hierarchies[i]; i++) { |
6efacf80 | 1606 | char *fullpath; |
eb697136 | 1607 | char *path = arg->hierarchies[i]->container_full_path; |
43647298 | 1608 | |
63e42fee | 1609 | ret = chowmod(path, destuid, nsgid, 0775); |
6efacf80 | 1610 | if (ret < 0) |
ccb4cabe | 1611 | return -1; |
c0888dfe | 1612 | |
6efacf80 CB |
1613 | /* Failures to chown() these are inconvenient but not |
1614 | * detrimental We leave these owned by the container launcher, | |
1615 | * so that container root can write to the files to attach. We | |
1616 | * chmod() them 664 so that container systemd can write to the | |
1617 | * files (which systemd in wily insists on doing). | |
ab8f5424 | 1618 | */ |
6efacf80 | 1619 | |
2202afc9 | 1620 | if (arg->hierarchies[i]->version == CGROUP_SUPER_MAGIC) { |
6efacf80 CB |
1621 | fullpath = must_make_path(path, "tasks", NULL); |
1622 | (void)chowmod(fullpath, destuid, nsgid, 0664); | |
1623 | free(fullpath); | |
1624 | } | |
43647298 SH |
1625 | |
1626 | fullpath = must_make_path(path, "cgroup.procs", NULL); | |
2202afc9 | 1627 | (void)chowmod(fullpath, destuid, nsgid, 0664); |
ccb4cabe | 1628 | free(fullpath); |
0e17357c | 1629 | |
2202afc9 | 1630 | if (arg->hierarchies[i]->version != CGROUP2_SUPER_MAGIC) |
0e17357c CB |
1631 | continue; |
1632 | ||
1633 | fullpath = must_make_path(path, "cgroup.subtree_control", NULL); | |
6efacf80 | 1634 | (void)chowmod(fullpath, destuid, nsgid, 0664); |
0e17357c CB |
1635 | free(fullpath); |
1636 | ||
1637 | fullpath = must_make_path(path, "cgroup.threads", NULL); | |
6efacf80 | 1638 | (void)chowmod(fullpath, destuid, nsgid, 0664); |
0e17357c | 1639 | free(fullpath); |
ccb4cabe SH |
1640 | } |
1641 | ||
1642 | return 0; | |
1643 | } | |
1644 | ||
b857f4be | 1645 | __cgfsng_ops static bool cgfsng_chown(struct cgroup_ops *ops, |
fb55e009 | 1646 | struct lxc_conf *conf) |
ccb4cabe | 1647 | { |
4160c3a0 | 1648 | struct generic_userns_exec_data wrap; |
ccb4cabe | 1649 | |
ccb4cabe SH |
1650 | if (lxc_list_empty(&conf->id_map)) |
1651 | return true; | |
1652 | ||
ccb4cabe | 1653 | wrap.origuid = geteuid(); |
4160c3a0 | 1654 | wrap.path = NULL; |
2202afc9 | 1655 | wrap.hierarchies = ops->hierarchies; |
4160c3a0 | 1656 | wrap.conf = conf; |
ccb4cabe | 1657 | |
c9b7c33e CB |
1658 | if (userns_exec_1(conf, chown_cgroup_wrapper, &wrap, |
1659 | "chown_cgroup_wrapper") < 0) { | |
f7faba6c | 1660 | ERROR("Error requesting cgroup chown in new user namespace"); |
ccb4cabe SH |
1661 | return false; |
1662 | } | |
1663 | ||
1664 | return true; | |
1665 | } | |
1666 | ||
8aa1044f SH |
1667 | /* cgroup-full:* is done, no need to create subdirs */ |
1668 | static bool cg_mount_needs_subdirs(int type) | |
1669 | { | |
1670 | if (type >= LXC_AUTO_CGROUP_FULL_RO) | |
1671 | return false; | |
a3926f6a | 1672 | |
8aa1044f SH |
1673 | return true; |
1674 | } | |
1675 | ||
886cac86 CB |
1676 | /* After $rootfs/sys/fs/container/controller/the/cg/path has been created, |
1677 | * remount controller ro if needed and bindmount the cgroupfs onto | |
1678 | * controll/the/cg/path. | |
8aa1044f | 1679 | */ |
6812d833 CB |
1680 | static int cg_legacy_mount_controllers(int type, struct hierarchy *h, |
1681 | char *controllerpath, char *cgpath, | |
1682 | const char *container_cgroup) | |
8aa1044f | 1683 | { |
5285689c | 1684 | int ret, remount_flags; |
886cac86 CB |
1685 | char *sourcepath; |
1686 | int flags = MS_BIND; | |
1687 | ||
8aa1044f | 1688 | if (type == LXC_AUTO_CGROUP_RO || type == LXC_AUTO_CGROUP_MIXED) { |
886cac86 CB |
1689 | ret = mount(controllerpath, controllerpath, "cgroup", MS_BIND, NULL); |
1690 | if (ret < 0) { | |
1691 | SYSERROR("Failed to bind mount \"%s\" onto \"%s\"", | |
1692 | controllerpath, controllerpath); | |
8aa1044f SH |
1693 | return -1; |
1694 | } | |
886cac86 | 1695 | |
5285689c CB |
1696 | remount_flags = add_required_remount_flags(controllerpath, |
1697 | controllerpath, | |
1698 | flags | MS_REMOUNT); | |
886cac86 | 1699 | ret = mount(controllerpath, controllerpath, "cgroup", |
8186c5c7 CB |
1700 | remount_flags | MS_REMOUNT | MS_BIND | MS_RDONLY, |
1701 | NULL); | |
886cac86 CB |
1702 | if (ret < 0) { |
1703 | SYSERROR("Failed to remount \"%s\" ro", controllerpath); | |
8aa1044f SH |
1704 | return -1; |
1705 | } | |
886cac86 | 1706 | |
8aa1044f SH |
1707 | INFO("Remounted %s read-only", controllerpath); |
1708 | } | |
886cac86 | 1709 | |
bb221ad1 | 1710 | sourcepath = must_make_path(h->mountpoint, h->container_base_path, |
886cac86 | 1711 | container_cgroup, NULL); |
8aa1044f SH |
1712 | if (type == LXC_AUTO_CGROUP_RO) |
1713 | flags |= MS_RDONLY; | |
886cac86 CB |
1714 | |
1715 | ret = mount(sourcepath, cgpath, "cgroup", flags, NULL); | |
1716 | if (ret < 0) { | |
1717 | SYSERROR("Failed to mount \"%s\" onto \"%s\"", h->controllers[0], cgpath); | |
8aa1044f | 1718 | free(sourcepath); |
8aa1044f SH |
1719 | return -1; |
1720 | } | |
886cac86 | 1721 | INFO("Mounted \"%s\" onto \"%s\"", h->controllers[0], cgpath); |
f8c40ffa L |
1722 | |
1723 | if (flags & MS_RDONLY) { | |
5285689c CB |
1724 | remount_flags = add_required_remount_flags(sourcepath, cgpath, |
1725 | flags | MS_REMOUNT); | |
1726 | ret = mount(sourcepath, cgpath, "cgroup", remount_flags, NULL); | |
886cac86 CB |
1727 | if (ret < 0) { |
1728 | SYSERROR("Failed to remount \"%s\" ro", cgpath); | |
f8c40ffa | 1729 | free(sourcepath); |
f8c40ffa L |
1730 | return -1; |
1731 | } | |
5285689c | 1732 | INFO("Remounted %s read-only", cgpath); |
f8c40ffa L |
1733 | } |
1734 | ||
8aa1044f | 1735 | free(sourcepath); |
886cac86 | 1736 | INFO("Completed second stage cgroup automounts for \"%s\"", cgpath); |
8aa1044f SH |
1737 | return 0; |
1738 | } | |
1739 | ||
6812d833 CB |
1740 | /* __cg_mount_direct |
1741 | * | |
1742 | * Mount cgroup hierarchies directly without using bind-mounts. The main | |
1743 | * uses-cases are mounting cgroup hierarchies in cgroup namespaces and mounting | |
1744 | * cgroups for the LXC_AUTO_CGROUP_FULL option. | |
1745 | */ | |
1746 | static int __cg_mount_direct(int type, struct hierarchy *h, | |
1747 | const char *controllerpath) | |
b635e92d CB |
1748 | { |
1749 | int ret; | |
1750 | char *controllers = NULL; | |
a760603e CB |
1751 | char *fstype = "cgroup2"; |
1752 | unsigned long flags = 0; | |
b635e92d | 1753 | |
a760603e CB |
1754 | flags |= MS_NOSUID; |
1755 | flags |= MS_NOEXEC; | |
1756 | flags |= MS_NODEV; | |
1757 | flags |= MS_RELATIME; | |
1758 | ||
1759 | if (type == LXC_AUTO_CGROUP_RO || type == LXC_AUTO_CGROUP_FULL_RO) | |
1760 | flags |= MS_RDONLY; | |
1761 | ||
d6337a5f | 1762 | if (h->version != CGROUP2_SUPER_MAGIC) { |
a760603e CB |
1763 | controllers = lxc_string_join(",", (const char **)h->controllers, false); |
1764 | if (!controllers) | |
1765 | return -ENOMEM; | |
1766 | fstype = "cgroup"; | |
b635e92d CB |
1767 | } |
1768 | ||
a760603e | 1769 | ret = mount("cgroup", controllerpath, fstype, flags, controllers); |
b635e92d CB |
1770 | free(controllers); |
1771 | if (ret < 0) { | |
6812d833 | 1772 | SYSERROR("Failed to mount \"%s\" with cgroup filesystem type %s", controllerpath, fstype); |
b635e92d CB |
1773 | return -1; |
1774 | } | |
1775 | ||
6812d833 | 1776 | DEBUG("Mounted \"%s\" with cgroup filesystem type %s", controllerpath, fstype); |
b635e92d CB |
1777 | return 0; |
1778 | } | |
1779 | ||
6812d833 CB |
1780 | static inline int cg_mount_in_cgroup_namespace(int type, struct hierarchy *h, |
1781 | const char *controllerpath) | |
1782 | { | |
1783 | return __cg_mount_direct(type, h, controllerpath); | |
1784 | } | |
1785 | ||
1786 | static inline int cg_mount_cgroup_full(int type, struct hierarchy *h, | |
1787 | const char *controllerpath) | |
1788 | { | |
1789 | if (type < LXC_AUTO_CGROUP_FULL_RO || type > LXC_AUTO_CGROUP_FULL_MIXED) | |
1790 | return 0; | |
1791 | ||
1792 | return __cg_mount_direct(type, h, controllerpath); | |
1793 | } | |
1794 | ||
b857f4be | 1795 | __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops, |
fb55e009 CB |
1796 | struct lxc_handler *handler, |
1797 | const char *root, int type) | |
ccb4cabe | 1798 | { |
3f69fb12 | 1799 | int i, ret; |
8aa1044f | 1800 | char *tmpfspath = NULL; |
affd10fa | 1801 | bool has_cgns = false, retval = false, wants_force_mount = false; |
8aa1044f SH |
1802 | |
1803 | if ((type & LXC_AUTO_CGROUP_MASK) == 0) | |
1804 | return true; | |
1805 | ||
3f69fb12 SY |
1806 | if (type & LXC_AUTO_CGROUP_FORCE) { |
1807 | type &= ~LXC_AUTO_CGROUP_FORCE; | |
1808 | wants_force_mount = true; | |
1809 | } | |
b635e92d | 1810 | |
3f69fb12 SY |
1811 | if (!wants_force_mount){ |
1812 | if (!lxc_list_empty(&handler->conf->keepcaps)) | |
1813 | wants_force_mount = !in_caplist(CAP_SYS_ADMIN, &handler->conf->keepcaps); | |
1814 | else | |
1815 | wants_force_mount = in_caplist(CAP_SYS_ADMIN, &handler->conf->caps); | |
1816 | } | |
8aa1044f | 1817 | |
3f69fb12 SY |
1818 | has_cgns = cgns_supported(); |
1819 | if (has_cgns && !wants_force_mount) | |
1820 | return true; | |
8aa1044f SH |
1821 | |
1822 | if (type == LXC_AUTO_CGROUP_NOSPEC) | |
1823 | type = LXC_AUTO_CGROUP_MIXED; | |
1824 | else if (type == LXC_AUTO_CGROUP_FULL_NOSPEC) | |
1825 | type = LXC_AUTO_CGROUP_FULL_MIXED; | |
1826 | ||
1827 | /* Mount tmpfs */ | |
3f69fb12 | 1828 | tmpfspath = must_make_path(root, "/sys/fs/cgroup", NULL); |
6812d833 | 1829 | ret = safe_mount(NULL, tmpfspath, "tmpfs", |
3f69fb12 SY |
1830 | MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_RELATIME, |
1831 | "size=10240k,mode=755", root); | |
1832 | if (ret < 0) | |
1833 | goto on_error; | |
8aa1044f | 1834 | |
2202afc9 | 1835 | for (i = 0; ops->hierarchies[i]; i++) { |
8aa1044f | 1836 | char *controllerpath, *path2; |
2202afc9 | 1837 | struct hierarchy *h = ops->hierarchies[i]; |
8aa1044f | 1838 | char *controller = strrchr(h->mountpoint, '/'); |
8aa1044f SH |
1839 | |
1840 | if (!controller) | |
1841 | continue; | |
1842 | controller++; | |
affd10fa | 1843 | |
8aa1044f SH |
1844 | controllerpath = must_make_path(tmpfspath, controller, NULL); |
1845 | if (dir_exists(controllerpath)) { | |
1846 | free(controllerpath); | |
1847 | continue; | |
1848 | } | |
affd10fa | 1849 | |
3f69fb12 SY |
1850 | ret = mkdir(controllerpath, 0755); |
1851 | if (ret < 0) { | |
8aa1044f SH |
1852 | SYSERROR("Error creating cgroup path: %s", controllerpath); |
1853 | free(controllerpath); | |
3f69fb12 | 1854 | goto on_error; |
8aa1044f | 1855 | } |
b635e92d | 1856 | |
3f69fb12 | 1857 | if (has_cgns && wants_force_mount) { |
b635e92d CB |
1858 | /* If cgroup namespaces are supported but the container |
1859 | * will not have CAP_SYS_ADMIN after it has started we | |
1860 | * need to mount the cgroups manually. | |
1861 | */ | |
3f69fb12 | 1862 | ret = cg_mount_in_cgroup_namespace(type, h, controllerpath); |
b635e92d | 1863 | free(controllerpath); |
3f69fb12 SY |
1864 | if (ret < 0) |
1865 | goto on_error; | |
1866 | ||
b635e92d CB |
1867 | continue; |
1868 | } | |
1869 | ||
6812d833 | 1870 | ret = cg_mount_cgroup_full(type, h, controllerpath); |
3f69fb12 | 1871 | if (ret < 0) { |
8aa1044f | 1872 | free(controllerpath); |
3f69fb12 | 1873 | goto on_error; |
8aa1044f | 1874 | } |
3f69fb12 | 1875 | |
8aa1044f SH |
1876 | if (!cg_mount_needs_subdirs(type)) { |
1877 | free(controllerpath); | |
1878 | continue; | |
1879 | } | |
3f69fb12 | 1880 | |
bb221ad1 | 1881 | path2 = must_make_path(controllerpath, h->container_base_path, |
2202afc9 | 1882 | ops->container_cgroup, NULL); |
3f69fb12 SY |
1883 | ret = mkdir_p(path2, 0755); |
1884 | if (ret < 0) { | |
8aa1044f | 1885 | free(controllerpath); |
8e0c6620 | 1886 | free(path2); |
3f69fb12 | 1887 | goto on_error; |
8aa1044f | 1888 | } |
2f62fb00 | 1889 | |
6812d833 | 1890 | ret = cg_legacy_mount_controllers(type, h, controllerpath, |
2202afc9 | 1891 | path2, ops->container_cgroup); |
8aa1044f SH |
1892 | free(controllerpath); |
1893 | free(path2); | |
3f69fb12 SY |
1894 | if (ret < 0) |
1895 | goto on_error; | |
8aa1044f SH |
1896 | } |
1897 | retval = true; | |
1898 | ||
3f69fb12 | 1899 | on_error: |
8aa1044f SH |
1900 | free(tmpfspath); |
1901 | return retval; | |
ccb4cabe SH |
1902 | } |
1903 | ||
1904 | static int recursive_count_nrtasks(char *dirname) | |
1905 | { | |
74f96976 | 1906 | struct dirent *direntp; |
ccb4cabe SH |
1907 | DIR *dir; |
1908 | int count = 0, ret; | |
1909 | char *path; | |
1910 | ||
1911 | dir = opendir(dirname); | |
1912 | if (!dir) | |
1913 | return 0; | |
1914 | ||
74f96976 | 1915 | while ((direntp = readdir(dir))) { |
ccb4cabe SH |
1916 | struct stat mystat; |
1917 | ||
ccb4cabe SH |
1918 | if (!strcmp(direntp->d_name, ".") || |
1919 | !strcmp(direntp->d_name, "..")) | |
1920 | continue; | |
1921 | ||
1922 | path = must_make_path(dirname, direntp->d_name, NULL); | |
1923 | ||
1924 | if (lstat(path, &mystat)) | |
1925 | goto next; | |
1926 | ||
1927 | if (!S_ISDIR(mystat.st_mode)) | |
1928 | goto next; | |
1929 | ||
1930 | count += recursive_count_nrtasks(path); | |
13c49955 | 1931 | next: |
ccb4cabe SH |
1932 | free(path); |
1933 | } | |
1934 | ||
1935 | path = must_make_path(dirname, "cgroup.procs", NULL); | |
1936 | ret = lxc_count_file_lines(path); | |
1937 | if (ret != -1) | |
1938 | count += ret; | |
1939 | free(path); | |
1940 | ||
13c49955 | 1941 | (void)closedir(dir); |
ccb4cabe SH |
1942 | |
1943 | return count; | |
1944 | } | |
1945 | ||
b857f4be | 1946 | __cgfsng_ops static int cgfsng_nrtasks(struct cgroup_ops *ops) |
3135c5d4 | 1947 | { |
ccb4cabe | 1948 | int count; |
3135c5d4 | 1949 | char *path; |
ccb4cabe | 1950 | |
2202afc9 | 1951 | if (!ops->container_cgroup || !ops->hierarchies) |
ccb4cabe | 1952 | return -1; |
a3926f6a | 1953 | |
eb697136 | 1954 | path = must_make_path(ops->hierarchies[0]->container_full_path, NULL); |
ccb4cabe SH |
1955 | count = recursive_count_nrtasks(path); |
1956 | free(path); | |
1957 | return count; | |
1958 | } | |
1959 | ||
11c23867 | 1960 | /* Only root needs to escape to the cgroup of its init. */ |
b857f4be | 1961 | __cgfsng_ops static bool cgfsng_escape(const struct cgroup_ops *ops, |
fb55e009 | 1962 | struct lxc_conf *conf) |
ccb4cabe | 1963 | { |
ccb4cabe SH |
1964 | int i; |
1965 | ||
9caee129 | 1966 | if (conf->cgroup_meta.relative || geteuid()) |
ccb4cabe SH |
1967 | return true; |
1968 | ||
2202afc9 | 1969 | for (i = 0; ops->hierarchies[i]; i++) { |
11c23867 CB |
1970 | int ret; |
1971 | char *fullpath; | |
1972 | ||
2202afc9 | 1973 | fullpath = must_make_path(ops->hierarchies[i]->mountpoint, |
bb221ad1 | 1974 | ops->hierarchies[i]->container_base_path, |
11c23867 | 1975 | "cgroup.procs", NULL); |
7cea5905 | 1976 | ret = lxc_write_to_file(fullpath, "0", 2, false, 0666); |
11c23867 CB |
1977 | if (ret != 0) { |
1978 | SYSERROR("Failed to escape to cgroup \"%s\"", fullpath); | |
ccb4cabe | 1979 | free(fullpath); |
6df334d1 | 1980 | return false; |
ccb4cabe SH |
1981 | } |
1982 | free(fullpath); | |
1983 | } | |
1984 | ||
6df334d1 | 1985 | return true; |
ccb4cabe SH |
1986 | } |
1987 | ||
b857f4be | 1988 | __cgfsng_ops static int cgfsng_num_hierarchies(struct cgroup_ops *ops) |
36662416 TA |
1989 | { |
1990 | int i; | |
1991 | ||
2202afc9 | 1992 | for (i = 0; ops->hierarchies[i]; i++) |
36662416 TA |
1993 | ; |
1994 | ||
1995 | return i; | |
1996 | } | |
1997 | ||
b857f4be | 1998 | __cgfsng_ops static bool cgfsng_get_hierarchies(struct cgroup_ops *ops, int n, char ***out) |
36662416 TA |
1999 | { |
2000 | int i; | |
2001 | ||
2002 | /* sanity check n */ | |
6b38e644 | 2003 | for (i = 0; i < n; i++) |
2202afc9 | 2004 | if (!ops->hierarchies[i]) |
36662416 | 2005 | return false; |
36662416 | 2006 | |
2202afc9 | 2007 | *out = ops->hierarchies[i]->controllers; |
36662416 TA |
2008 | |
2009 | return true; | |
2010 | } | |
2011 | ||
ccb4cabe SH |
2012 | #define THAWED "THAWED" |
2013 | #define THAWED_LEN (strlen(THAWED)) | |
2014 | ||
d6337a5f CB |
2015 | /* TODO: If the unified cgroup hierarchy grows a freezer controller this needs |
2016 | * to be adapted. | |
2017 | */ | |
b857f4be | 2018 | __cgfsng_ops static bool cgfsng_unfreeze(struct cgroup_ops *ops) |
ccb4cabe | 2019 | { |
d6337a5f | 2020 | int ret; |
ccb4cabe | 2021 | char *fullpath; |
d6337a5f | 2022 | struct hierarchy *h; |
ccb4cabe | 2023 | |
2202afc9 | 2024 | h = get_hierarchy(ops, "freezer"); |
457ca9aa | 2025 | if (!h) |
ccb4cabe | 2026 | return false; |
d6337a5f | 2027 | |
eb697136 | 2028 | fullpath = must_make_path(h->container_full_path, "freezer.state", NULL); |
7cea5905 | 2029 | ret = lxc_write_to_file(fullpath, THAWED, THAWED_LEN, false, 0666); |
ccb4cabe | 2030 | free(fullpath); |
d6337a5f CB |
2031 | if (ret < 0) |
2032 | return false; | |
2033 | ||
ccb4cabe SH |
2034 | return true; |
2035 | } | |
2036 | ||
b857f4be | 2037 | __cgfsng_ops static const char *cgfsng_get_cgroup(struct cgroup_ops *ops, |
fb55e009 | 2038 | const char *controller) |
ccb4cabe | 2039 | { |
d6337a5f CB |
2040 | struct hierarchy *h; |
2041 | ||
2202afc9 | 2042 | h = get_hierarchy(ops, controller); |
106f1f38 | 2043 | if (!h) { |
2202afc9 CB |
2044 | WARN("Failed to find hierarchy for controller \"%s\"", |
2045 | controller ? controller : "(null)"); | |
ccb4cabe | 2046 | return NULL; |
106f1f38 | 2047 | } |
ccb4cabe | 2048 | |
eb697136 | 2049 | return h->container_full_path ? h->container_full_path + strlen(h->mountpoint) : NULL; |
371f834d SH |
2050 | } |
2051 | ||
c40c8209 CB |
2052 | /* Given a cgroup path returned from lxc_cmd_get_cgroup_path, build a full path, |
2053 | * which must be freed by the caller. | |
371f834d | 2054 | */ |
c40c8209 CB |
2055 | static inline char *build_full_cgpath_from_monitorpath(struct hierarchy *h, |
2056 | const char *inpath, | |
2057 | const char *filename) | |
371f834d | 2058 | { |
371f834d | 2059 | return must_make_path(h->mountpoint, inpath, filename, NULL); |
ccb4cabe SH |
2060 | } |
2061 | ||
25f66a8f CB |
2062 | /* Technically, we're always at a delegation boundary here (This is especially |
2063 | * true when cgroup namespaces are available.). The reasoning is that in order | |
c2aed66d | 2064 | * for us to have been able to start a container in the first place the root |
25f66a8f | 2065 | * cgroup must have been a leaf node. Now, either the container's init system |
c2aed66d CB |
2066 | * has populated the cgroup and kept it as a leaf node or it has created |
2067 | * subtrees. In the former case we will simply attach to the leaf node we | |
2068 | * created when we started the container in the latter case we create our own | |
2069 | * cgroup for the attaching process. | |
2070 | */ | |
a3926f6a CB |
2071 | static int __cg_unified_attach(const struct hierarchy *h, const char *name, |
2072 | const char *lxcpath, const char *pidstr, | |
2073 | size_t pidstr_len, const char *controller) | |
c2aed66d CB |
2074 | { |
2075 | int ret; | |
2076 | size_t len; | |
2077 | int fret = -1, idx = 0; | |
2078 | char *base_path = NULL, *container_cgroup = NULL, *full_path = NULL; | |
2079 | ||
2080 | container_cgroup = lxc_cmd_get_cgroup_path(name, lxcpath, controller); | |
2081 | /* not running */ | |
2082 | if (!container_cgroup) | |
2083 | return 0; | |
2084 | ||
2085 | base_path = must_make_path(h->mountpoint, container_cgroup, NULL); | |
2086 | full_path = must_make_path(base_path, "cgroup.procs", NULL); | |
2087 | /* cgroup is populated */ | |
7cea5905 | 2088 | ret = lxc_write_to_file(full_path, pidstr, pidstr_len, false, 0666); |
c2aed66d CB |
2089 | if (ret < 0 && errno != EBUSY) |
2090 | goto on_error; | |
2091 | ||
2092 | if (ret == 0) | |
2093 | goto on_success; | |
2094 | ||
2095 | free(full_path); | |
2096 | ||
6333c915 CB |
2097 | len = strlen(base_path) + STRLITERALLEN("/lxc-1000") + |
2098 | STRLITERALLEN("/cgroup-procs"); | |
c2aed66d CB |
2099 | full_path = must_alloc(len + 1); |
2100 | do { | |
2101 | if (idx) | |
2102 | ret = snprintf(full_path, len + 1, "%s/lxc-%d", | |
2103 | base_path, idx); | |
2104 | else | |
2105 | ret = snprintf(full_path, len + 1, "%s/lxc", base_path); | |
2106 | if (ret < 0 || (size_t)ret >= len + 1) | |
2107 | goto on_error; | |
2108 | ||
2109 | ret = mkdir_p(full_path, 0755); | |
2110 | if (ret < 0 && errno != EEXIST) | |
2111 | goto on_error; | |
2112 | ||
3ebe2fbd | 2113 | (void)strlcat(full_path, "/cgroup.procs", len + 1); |
7cea5905 | 2114 | ret = lxc_write_to_file(full_path, pidstr, len, false, 0666); |
c2aed66d CB |
2115 | if (ret == 0) |
2116 | goto on_success; | |
2117 | ||
2118 | /* this is a non-leaf node */ | |
2119 | if (errno != EBUSY) | |
2120 | goto on_error; | |
2121 | ||
2122 | } while (++idx > 0 && idx < 1000); | |
2123 | ||
2124 | on_success: | |
2125 | if (idx < 1000) | |
2126 | fret = 0; | |
2127 | ||
2128 | on_error: | |
2129 | free(base_path); | |
2130 | free(container_cgroup); | |
2131 | free(full_path); | |
2132 | ||
2133 | return fret; | |
2134 | } | |
2135 | ||
b857f4be | 2136 | __cgfsng_ops static bool cgfsng_attach(struct cgroup_ops *ops, const char *name, |
fb55e009 | 2137 | const char *lxcpath, pid_t pid) |
ccb4cabe | 2138 | { |
c2aed66d | 2139 | int i, len, ret; |
a3650c0c | 2140 | char pidstr[INTTYPE_TO_STRLEN(pid_t)]; |
ccb4cabe | 2141 | |
a3650c0c CB |
2142 | len = snprintf(pidstr, sizeof(pidstr), "%d", pid); |
2143 | if (len < 0 || (size_t)len >= sizeof(pidstr)) | |
ccb4cabe SH |
2144 | return false; |
2145 | ||
2202afc9 | 2146 | for (i = 0; ops->hierarchies[i]; i++) { |
c2aed66d CB |
2147 | char *path; |
2148 | char *fullpath = NULL; | |
2202afc9 | 2149 | struct hierarchy *h = ops->hierarchies[i]; |
ccb4cabe | 2150 | |
c2aed66d | 2151 | if (h->version == CGROUP2_SUPER_MAGIC) { |
a3926f6a CB |
2152 | ret = __cg_unified_attach(h, name, lxcpath, pidstr, len, |
2153 | h->controllers[0]); | |
c2aed66d CB |
2154 | if (ret < 0) |
2155 | return false; | |
2156 | ||
2157 | continue; | |
2158 | } | |
2159 | ||
ccb4cabe | 2160 | path = lxc_cmd_get_cgroup_path(name, lxcpath, h->controllers[0]); |
c2aed66d CB |
2161 | /* not running */ |
2162 | if (!path) | |
ccb4cabe SH |
2163 | continue; |
2164 | ||
371f834d | 2165 | fullpath = build_full_cgpath_from_monitorpath(h, path, "cgroup.procs"); |
71cb9afb | 2166 | free(path); |
7cea5905 | 2167 | ret = lxc_write_to_file(fullpath, pidstr, len, false, 0666); |
c2aed66d | 2168 | if (ret < 0) { |
ccb4cabe SH |
2169 | SYSERROR("Failed to attach %d to %s", (int)pid, fullpath); |
2170 | free(fullpath); | |
ccb4cabe SH |
2171 | return false; |
2172 | } | |
ccb4cabe SH |
2173 | free(fullpath); |
2174 | } | |
2175 | ||
ccb4cabe SH |
2176 | return true; |
2177 | } | |
2178 | ||
e2bd2b13 CB |
2179 | /* Called externally (i.e. from 'lxc-cgroup') to query cgroup limits. Here we |
2180 | * don't have a cgroup_data set up, so we ask the running container through the | |
2181 | * commands API for the cgroup path. | |
ccb4cabe | 2182 | */ |
b857f4be | 2183 | __cgfsng_ops static int cgfsng_get(struct cgroup_ops *ops, const char *filename, |
fb55e009 CB |
2184 | char *value, size_t len, const char *name, |
2185 | const char *lxcpath) | |
ccb4cabe | 2186 | { |
ccb4cabe | 2187 | int ret = -1; |
0069cc61 CB |
2188 | size_t controller_len; |
2189 | char *controller, *p, *path; | |
2190 | struct hierarchy *h; | |
ccb4cabe | 2191 | |
0069cc61 CB |
2192 | controller_len = strlen(filename); |
2193 | controller = alloca(controller_len + 1); | |
64e82f8b DJ |
2194 | (void)strlcpy(controller, filename, controller_len + 1); |
2195 | ||
0069cc61 CB |
2196 | p = strchr(controller, '.'); |
2197 | if (p) | |
ccb4cabe SH |
2198 | *p = '\0'; |
2199 | ||
0069cc61 CB |
2200 | path = lxc_cmd_get_cgroup_path(name, lxcpath, controller); |
2201 | /* not running */ | |
2202 | if (!path) | |
ccb4cabe SH |
2203 | return -1; |
2204 | ||
2202afc9 | 2205 | h = get_hierarchy(ops, controller); |
ccb4cabe | 2206 | if (h) { |
0069cc61 CB |
2207 | char *fullpath; |
2208 | ||
2209 | fullpath = build_full_cgpath_from_monitorpath(h, path, filename); | |
ccb4cabe SH |
2210 | ret = lxc_read_from_file(fullpath, value, len); |
2211 | free(fullpath); | |
2212 | } | |
ccb4cabe SH |
2213 | free(path); |
2214 | ||
2215 | return ret; | |
2216 | } | |
2217 | ||
eec533e3 CB |
2218 | /* Called externally (i.e. from 'lxc-cgroup') to set new cgroup limits. Here we |
2219 | * don't have a cgroup_data set up, so we ask the running container through the | |
2220 | * commands API for the cgroup path. | |
ccb4cabe | 2221 | */ |
b857f4be | 2222 | __cgfsng_ops static int cgfsng_set(struct cgroup_ops *ops, |
fb55e009 CB |
2223 | const char *filename, const char *value, |
2224 | const char *name, const char *lxcpath) | |
ccb4cabe | 2225 | { |
ccb4cabe | 2226 | int ret = -1; |
87777968 CB |
2227 | size_t controller_len; |
2228 | char *controller, *p, *path; | |
2229 | struct hierarchy *h; | |
ccb4cabe | 2230 | |
87777968 CB |
2231 | controller_len = strlen(filename); |
2232 | controller = alloca(controller_len + 1); | |
64e82f8b DJ |
2233 | (void)strlcpy(controller, filename, controller_len + 1); |
2234 | ||
87777968 CB |
2235 | p = strchr(controller, '.'); |
2236 | if (p) | |
ccb4cabe SH |
2237 | *p = '\0'; |
2238 | ||
87777968 CB |
2239 | path = lxc_cmd_get_cgroup_path(name, lxcpath, controller); |
2240 | /* not running */ | |
2241 | if (!path) | |
ccb4cabe SH |
2242 | return -1; |
2243 | ||
2202afc9 | 2244 | h = get_hierarchy(ops, controller); |
ccb4cabe | 2245 | if (h) { |
87777968 CB |
2246 | char *fullpath; |
2247 | ||
2248 | fullpath = build_full_cgpath_from_monitorpath(h, path, filename); | |
7cea5905 | 2249 | ret = lxc_write_to_file(fullpath, value, strlen(value), false, 0666); |
ccb4cabe SH |
2250 | free(fullpath); |
2251 | } | |
ccb4cabe SH |
2252 | free(path); |
2253 | ||
2254 | return ret; | |
2255 | } | |
2256 | ||
91d1a13a | 2257 | /* take devices cgroup line |
72add155 SH |
2258 | * /dev/foo rwx |
2259 | * and convert it to a valid | |
2260 | * type major:minor mode | |
91d1a13a CB |
2261 | * line. Return <0 on error. Dest is a preallocated buffer long enough to hold |
2262 | * the output. | |
72add155 SH |
2263 | */ |
2264 | static int convert_devpath(const char *invalue, char *dest) | |
2265 | { | |
2a06d041 CB |
2266 | int n_parts; |
2267 | char *p, *path, type; | |
72add155 | 2268 | unsigned long minor, major; |
91d1a13a | 2269 | struct stat sb; |
2a06d041 CB |
2270 | int ret = -EINVAL; |
2271 | char *mode = NULL; | |
72add155 SH |
2272 | |
2273 | path = must_copy_string(invalue); | |
2274 | ||
91d1a13a CB |
2275 | /* Read path followed by mode. Ignore any trailing text. |
2276 | * A ' # comment' would be legal. Technically other text is not | |
2277 | * legal, we could check for that if we cared to. | |
72add155 SH |
2278 | */ |
2279 | for (n_parts = 1, p = path; *p && n_parts < 3; p++) { | |
2c2d6c49 SH |
2280 | if (*p != ' ') |
2281 | continue; | |
2282 | *p = '\0'; | |
91d1a13a | 2283 | |
2c2d6c49 SH |
2284 | if (n_parts != 1) |
2285 | break; | |
2286 | p++; | |
2287 | n_parts++; | |
91d1a13a | 2288 | |
2c2d6c49 SH |
2289 | while (*p == ' ') |
2290 | p++; | |
91d1a13a | 2291 | |
2c2d6c49 | 2292 | mode = p; |
91d1a13a | 2293 | |
2c2d6c49 SH |
2294 | if (*p == '\0') |
2295 | goto out; | |
72add155 | 2296 | } |
2c2d6c49 SH |
2297 | |
2298 | if (n_parts == 1) | |
72add155 | 2299 | goto out; |
72add155 SH |
2300 | |
2301 | ret = stat(path, &sb); | |
2302 | if (ret < 0) | |
2303 | goto out; | |
2304 | ||
72add155 SH |
2305 | mode_t m = sb.st_mode & S_IFMT; |
2306 | switch (m) { | |
2307 | case S_IFBLK: | |
2308 | type = 'b'; | |
2309 | break; | |
2310 | case S_IFCHR: | |
2311 | type = 'c'; | |
2312 | break; | |
2c2d6c49 | 2313 | default: |
91d1a13a | 2314 | ERROR("Unsupported device type %i for \"%s\"", m, path); |
72add155 SH |
2315 | ret = -EINVAL; |
2316 | goto out; | |
2317 | } | |
2c2d6c49 SH |
2318 | |
2319 | major = MAJOR(sb.st_rdev); | |
2320 | minor = MINOR(sb.st_rdev); | |
2321 | ret = snprintf(dest, 50, "%c %lu:%lu %s", type, major, minor, mode); | |
72add155 | 2322 | if (ret < 0 || ret >= 50) { |
2a06d041 CB |
2323 | ERROR("Error on configuration value \"%c %lu:%lu %s\" (max 50 " |
2324 | "chars)", type, major, minor, mode); | |
72add155 SH |
2325 | ret = -ENAMETOOLONG; |
2326 | goto out; | |
2327 | } | |
2328 | ret = 0; | |
2329 | ||
2330 | out: | |
2331 | free(path); | |
2332 | return ret; | |
2333 | } | |
2334 | ||
90e97284 CB |
2335 | /* Called from setup_limits - here we have the container's cgroup_data because |
2336 | * we created the cgroups. | |
ccb4cabe | 2337 | */ |
2202afc9 CB |
2338 | static int cg_legacy_set_data(struct cgroup_ops *ops, const char *filename, |
2339 | const char *value) | |
ccb4cabe | 2340 | { |
ab1a6cac | 2341 | size_t len; |
90e97284 | 2342 | char *fullpath, *p; |
1a0e70ac CB |
2343 | /* "b|c <2^64-1>:<2^64-1> r|w|m" = 47 chars max */ |
2344 | char converted_value[50]; | |
b3646d7e CB |
2345 | struct hierarchy *h; |
2346 | int ret = 0; | |
2347 | char *controller = NULL; | |
ccb4cabe | 2348 | |
ab1a6cac CB |
2349 | len = strlen(filename); |
2350 | controller = alloca(len + 1); | |
64e82f8b DJ |
2351 | (void)strlcpy(controller, filename, len + 1); |
2352 | ||
ab1a6cac CB |
2353 | p = strchr(controller, '.'); |
2354 | if (p) | |
ccb4cabe SH |
2355 | *p = '\0'; |
2356 | ||
c8bf519d | 2357 | if (strcmp("devices.allow", filename) == 0 && value[0] == '/') { |
72add155 SH |
2358 | ret = convert_devpath(value, converted_value); |
2359 | if (ret < 0) | |
c8bf519d | 2360 | return ret; |
72add155 | 2361 | value = converted_value; |
c8bf519d | 2362 | } |
2363 | ||
2202afc9 | 2364 | h = get_hierarchy(ops, controller); |
b3646d7e CB |
2365 | if (!h) { |
2366 | ERROR("Failed to setup limits for the \"%s\" controller. " | |
2367 | "The controller seems to be unused by \"cgfsng\" cgroup " | |
2368 | "driver or not enabled on the cgroup hierarchy", | |
2369 | controller); | |
d1953b26 | 2370 | errno = ENOENT; |
ab1a6cac | 2371 | return -ENOENT; |
ccb4cabe | 2372 | } |
b3646d7e | 2373 | |
eb697136 | 2374 | fullpath = must_make_path(h->container_full_path, filename, NULL); |
7cea5905 | 2375 | ret = lxc_write_to_file(fullpath, value, strlen(value), false, 0666); |
b3646d7e | 2376 | free(fullpath); |
ccb4cabe SH |
2377 | return ret; |
2378 | } | |
2379 | ||
2202afc9 | 2380 | static bool __cg_legacy_setup_limits(struct cgroup_ops *ops, |
a3926f6a CB |
2381 | struct lxc_list *cgroup_settings, |
2382 | bool do_devices) | |
ccb4cabe | 2383 | { |
c347df58 | 2384 | struct lxc_list *iterator, *next, *sorted_cgroup_settings; |
ccb4cabe | 2385 | struct lxc_cgroup *cg; |
ccb4cabe SH |
2386 | bool ret = false; |
2387 | ||
2388 | if (lxc_list_empty(cgroup_settings)) | |
2389 | return true; | |
2390 | ||
2391 | sorted_cgroup_settings = sort_cgroup_settings(cgroup_settings); | |
6b38e644 | 2392 | if (!sorted_cgroup_settings) |
ccb4cabe | 2393 | return false; |
ccb4cabe | 2394 | |
ccb4cabe SH |
2395 | lxc_list_for_each(iterator, sorted_cgroup_settings) { |
2396 | cg = iterator->elem; | |
2397 | ||
2398 | if (do_devices == !strncmp("devices", cg->subsystem, 7)) { | |
2202afc9 | 2399 | if (cg_legacy_set_data(ops, cg->subsystem, cg->value)) { |
ccb4cabe | 2400 | if (do_devices && (errno == EACCES || errno == EPERM)) { |
c347df58 CB |
2401 | WARN("Failed to set \"%s\" to \"%s\"", |
2402 | cg->subsystem, cg->value); | |
ccb4cabe SH |
2403 | continue; |
2404 | } | |
c347df58 CB |
2405 | WARN("Failed to set \"%s\" to \"%s\"", |
2406 | cg->subsystem, cg->value); | |
ccb4cabe SH |
2407 | goto out; |
2408 | } | |
c347df58 CB |
2409 | DEBUG("Set controller \"%s\" set to \"%s\"", |
2410 | cg->subsystem, cg->value); | |
ccb4cabe | 2411 | } |
ccb4cabe SH |
2412 | } |
2413 | ||
2414 | ret = true; | |
6b38e644 | 2415 | INFO("Limits for the legacy cgroup hierarchies have been setup"); |
ccb4cabe | 2416 | out: |
ccb4cabe SH |
2417 | lxc_list_for_each_safe(iterator, sorted_cgroup_settings, next) { |
2418 | lxc_list_del(iterator); | |
2419 | free(iterator); | |
2420 | } | |
2421 | free(sorted_cgroup_settings); | |
2422 | return ret; | |
2423 | } | |
2424 | ||
2202afc9 | 2425 | static bool __cg_unified_setup_limits(struct cgroup_ops *ops, |
a3926f6a | 2426 | struct lxc_list *cgroup_settings) |
6b38e644 CB |
2427 | { |
2428 | struct lxc_list *iterator; | |
2202afc9 | 2429 | struct hierarchy *h = ops->unified; |
6b38e644 CB |
2430 | |
2431 | if (lxc_list_empty(cgroup_settings)) | |
2432 | return true; | |
2433 | ||
2434 | if (!h) | |
2435 | return false; | |
2436 | ||
2437 | lxc_list_for_each(iterator, cgroup_settings) { | |
2438 | int ret; | |
2439 | char *fullpath; | |
2440 | struct lxc_cgroup *cg = iterator->elem; | |
2441 | ||
eb697136 | 2442 | fullpath = must_make_path(h->container_full_path, cg->subsystem, NULL); |
7cea5905 | 2443 | ret = lxc_write_to_file(fullpath, cg->value, strlen(cg->value), false, 0666); |
6b38e644 CB |
2444 | free(fullpath); |
2445 | if (ret < 0) { | |
b2ac2cb7 CB |
2446 | SYSERROR("Failed to set \"%s\" to \"%s\"", |
2447 | cg->subsystem, cg->value); | |
6b38e644 CB |
2448 | return false; |
2449 | } | |
2450 | TRACE("Set \"%s\" to \"%s\"", cg->subsystem, cg->value); | |
2451 | } | |
2452 | ||
2453 | INFO("Limits for the unified cgroup hierarchy have been setup"); | |
2454 | return true; | |
2455 | } | |
2456 | ||
b857f4be | 2457 | __cgfsng_ops static bool cgfsng_setup_limits(struct cgroup_ops *ops, |
fb55e009 CB |
2458 | struct lxc_conf *conf, |
2459 | bool do_devices) | |
6b38e644 CB |
2460 | { |
2461 | bool bret; | |
2462 | ||
2202afc9 | 2463 | bret = __cg_legacy_setup_limits(ops, &conf->cgroup, do_devices); |
6b38e644 CB |
2464 | if (!bret) |
2465 | return false; | |
2466 | ||
2202afc9 CB |
2467 | return __cg_unified_setup_limits(ops, &conf->cgroup2); |
2468 | } | |
2469 | ||
b7b18fc5 CB |
2470 | static bool cgroup_use_wants_controllers(const struct cgroup_ops *ops, |
2471 | char **controllers) | |
2472 | { | |
2473 | char **cur_ctrl, **cur_use; | |
2474 | ||
2475 | if (!ops->cgroup_use) | |
2476 | return true; | |
2477 | ||
2478 | for (cur_ctrl = controllers; cur_ctrl && *cur_ctrl; cur_ctrl++) { | |
2479 | bool found = false; | |
2480 | ||
2481 | for (cur_use = ops->cgroup_use; cur_use && *cur_use; cur_use++) { | |
2482 | if (strcmp(*cur_use, *cur_ctrl) != 0) | |
2483 | continue; | |
2484 | ||
2485 | found = true; | |
2486 | break; | |
2487 | } | |
2488 | ||
2489 | if (found) | |
2490 | continue; | |
2491 | ||
2492 | return false; | |
2493 | } | |
2494 | ||
2495 | return true; | |
2496 | } | |
2497 | ||
2202afc9 CB |
2498 | /* At startup, parse_hierarchies finds all the info we need about cgroup |
2499 | * mountpoints and current cgroups, and stores it in @d. | |
2500 | */ | |
9caee129 | 2501 | static bool cg_hybrid_init(struct cgroup_ops *ops, bool relative) |
2202afc9 CB |
2502 | { |
2503 | int ret; | |
2504 | char *basecginfo; | |
2202afc9 CB |
2505 | FILE *f; |
2506 | size_t len = 0; | |
2507 | char *line = NULL; | |
2508 | char **klist = NULL, **nlist = NULL; | |
2509 | ||
2510 | /* Root spawned containers escape the current cgroup, so use init's | |
2511 | * cgroups as our base in that case. | |
2512 | */ | |
9caee129 | 2513 | if (!relative && (geteuid() == 0)) |
2202afc9 CB |
2514 | basecginfo = read_file("/proc/1/cgroup"); |
2515 | else | |
2516 | basecginfo = read_file("/proc/self/cgroup"); | |
2517 | if (!basecginfo) | |
2518 | return false; | |
2519 | ||
2520 | ret = get_existing_subsystems(&klist, &nlist); | |
2521 | if (ret < 0) { | |
2522 | ERROR("Failed to retrieve available legacy cgroup controllers"); | |
2523 | free(basecginfo); | |
2524 | return false; | |
2525 | } | |
2526 | ||
2527 | f = fopen("/proc/self/mountinfo", "r"); | |
2528 | if (!f) { | |
2529 | ERROR("Failed to open \"/proc/self/mountinfo\""); | |
2530 | free(basecginfo); | |
2531 | return false; | |
2532 | } | |
2533 | ||
2534 | lxc_cgfsng_print_basecg_debuginfo(basecginfo, klist, nlist); | |
2535 | ||
2536 | while (getline(&line, &len, f) != -1) { | |
2537 | int type; | |
2538 | bool writeable; | |
2539 | struct hierarchy *new; | |
2540 | char *base_cgroup = NULL, *mountpoint = NULL; | |
2541 | char **controller_list = NULL; | |
2542 | ||
2543 | type = get_cgroup_version(line); | |
2544 | if (type == 0) | |
2545 | continue; | |
2546 | ||
2547 | if (type == CGROUP2_SUPER_MAGIC && ops->unified) | |
2548 | continue; | |
2549 | ||
2550 | if (ops->cgroup_layout == CGROUP_LAYOUT_UNKNOWN) { | |
2551 | if (type == CGROUP2_SUPER_MAGIC) | |
2552 | ops->cgroup_layout = CGROUP_LAYOUT_UNIFIED; | |
2553 | else if (type == CGROUP_SUPER_MAGIC) | |
2554 | ops->cgroup_layout = CGROUP_LAYOUT_LEGACY; | |
2555 | } else if (ops->cgroup_layout == CGROUP_LAYOUT_UNIFIED) { | |
2556 | if (type == CGROUP_SUPER_MAGIC) | |
2557 | ops->cgroup_layout = CGROUP_LAYOUT_HYBRID; | |
2558 | } else if (ops->cgroup_layout == CGROUP_LAYOUT_LEGACY) { | |
2559 | if (type == CGROUP2_SUPER_MAGIC) | |
2560 | ops->cgroup_layout = CGROUP_LAYOUT_HYBRID; | |
2561 | } | |
2562 | ||
2563 | controller_list = cg_hybrid_get_controllers(klist, nlist, line, type); | |
2564 | if (!controller_list && type == CGROUP_SUPER_MAGIC) | |
2565 | continue; | |
2566 | ||
2567 | if (type == CGROUP_SUPER_MAGIC) | |
2568 | if (controller_list_is_dup(ops->hierarchies, controller_list)) | |
2569 | goto next; | |
2570 | ||
2571 | mountpoint = cg_hybrid_get_mountpoint(line); | |
2572 | if (!mountpoint) { | |
2573 | ERROR("Failed parsing mountpoint from \"%s\"", line); | |
2574 | goto next; | |
2575 | } | |
2576 | ||
2577 | if (type == CGROUP_SUPER_MAGIC) | |
2578 | base_cgroup = cg_hybrid_get_current_cgroup(basecginfo, controller_list[0], CGROUP_SUPER_MAGIC); | |
2579 | else | |
2580 | base_cgroup = cg_hybrid_get_current_cgroup(basecginfo, NULL, CGROUP2_SUPER_MAGIC); | |
2581 | if (!base_cgroup) { | |
2582 | ERROR("Failed to find current cgroup"); | |
2583 | goto next; | |
2584 | } | |
2585 | ||
2586 | trim(base_cgroup); | |
2587 | prune_init_scope(base_cgroup); | |
2588 | if (type == CGROUP2_SUPER_MAGIC) | |
2589 | writeable = test_writeable_v2(mountpoint, base_cgroup); | |
2590 | else | |
2591 | writeable = test_writeable_v1(mountpoint, base_cgroup); | |
2592 | if (!writeable) | |
2593 | goto next; | |
2594 | ||
2595 | if (type == CGROUP2_SUPER_MAGIC) { | |
2596 | char *cgv2_ctrl_path; | |
2597 | ||
2598 | cgv2_ctrl_path = must_make_path(mountpoint, base_cgroup, | |
2599 | "cgroup.controllers", | |
2600 | NULL); | |
2601 | ||
2602 | controller_list = cg_unified_get_controllers(cgv2_ctrl_path); | |
2603 | free(cgv2_ctrl_path); | |
2604 | if (!controller_list) { | |
2605 | controller_list = cg_unified_make_empty_controller(); | |
2606 | TRACE("No controllers are enabled for " | |
2607 | "delegation in the unified hierarchy"); | |
2608 | } | |
2609 | } | |
2610 | ||
b7b18fc5 CB |
2611 | /* Exclude all controllers that cgroup use does not want. */ |
2612 | if (!cgroup_use_wants_controllers(ops, controller_list)) | |
2613 | goto next; | |
2614 | ||
2202afc9 CB |
2615 | new = add_hierarchy(&ops->hierarchies, controller_list, mountpoint, base_cgroup, type); |
2616 | if (type == CGROUP2_SUPER_MAGIC && !ops->unified) | |
2617 | ops->unified = new; | |
2618 | ||
2619 | continue; | |
2620 | ||
2621 | next: | |
2622 | free_string_list(controller_list); | |
2623 | free(mountpoint); | |
2624 | free(base_cgroup); | |
2625 | } | |
2626 | ||
2627 | free_string_list(klist); | |
2628 | free_string_list(nlist); | |
2629 | ||
2630 | free(basecginfo); | |
2631 | ||
2632 | fclose(f); | |
2633 | free(line); | |
2634 | ||
2635 | TRACE("Writable cgroup hierarchies:"); | |
2636 | lxc_cgfsng_print_hierarchies(ops); | |
2637 | ||
2638 | /* verify that all controllers in cgroup.use and all crucial | |
2639 | * controllers are accounted for | |
2640 | */ | |
2641 | if (!all_controllers_found(ops)) | |
2642 | return false; | |
2643 | ||
2644 | return true; | |
2645 | } | |
2646 | ||
2647 | static int cg_is_pure_unified(void) | |
2648 | { | |
2649 | ||
2650 | int ret; | |
2651 | struct statfs fs; | |
2652 | ||
2653 | ret = statfs("/sys/fs/cgroup", &fs); | |
2654 | if (ret < 0) | |
2655 | return -ENOMEDIUM; | |
2656 | ||
2657 | if (is_fs_type(&fs, CGROUP2_SUPER_MAGIC)) | |
2658 | return CGROUP2_SUPER_MAGIC; | |
2659 | ||
2660 | return 0; | |
2661 | } | |
2662 | ||
2663 | /* Get current cgroup from /proc/self/cgroup for the cgroupfs v2 hierarchy. */ | |
9caee129 | 2664 | static char *cg_unified_get_current_cgroup(bool relative) |
2202afc9 CB |
2665 | { |
2666 | char *basecginfo, *base_cgroup; | |
2202afc9 CB |
2667 | char *copy = NULL; |
2668 | ||
9caee129 | 2669 | if (!relative && (geteuid() == 0)) |
2202afc9 CB |
2670 | basecginfo = read_file("/proc/1/cgroup"); |
2671 | else | |
2672 | basecginfo = read_file("/proc/self/cgroup"); | |
2673 | if (!basecginfo) | |
2674 | return NULL; | |
2675 | ||
2676 | base_cgroup = strstr(basecginfo, "0::/"); | |
2677 | if (!base_cgroup) | |
2678 | goto cleanup_on_err; | |
2679 | ||
2680 | base_cgroup = base_cgroup + 3; | |
2681 | copy = copy_to_eol(base_cgroup); | |
2682 | if (!copy) | |
2683 | goto cleanup_on_err; | |
2684 | ||
2685 | cleanup_on_err: | |
2686 | free(basecginfo); | |
2687 | if (copy) | |
2688 | trim(copy); | |
2689 | ||
2690 | return copy; | |
2691 | } | |
2692 | ||
9caee129 | 2693 | static int cg_unified_init(struct cgroup_ops *ops, bool relative) |
2202afc9 CB |
2694 | { |
2695 | int ret; | |
2696 | char *mountpoint, *subtree_path; | |
2697 | char **delegatable; | |
2698 | char *base_cgroup = NULL; | |
2699 | ||
2700 | ret = cg_is_pure_unified(); | |
2701 | if (ret == -ENOMEDIUM) | |
2702 | return -ENOMEDIUM; | |
2703 | ||
2704 | if (ret != CGROUP2_SUPER_MAGIC) | |
2705 | return 0; | |
2706 | ||
9caee129 | 2707 | base_cgroup = cg_unified_get_current_cgroup(relative); |
2202afc9 CB |
2708 | if (!base_cgroup) |
2709 | return -EINVAL; | |
2710 | prune_init_scope(base_cgroup); | |
2711 | ||
2712 | /* We assume that we have already been given controllers to delegate | |
2713 | * further down the hierarchy. If not it is up to the user to delegate | |
2714 | * them to us. | |
2715 | */ | |
2716 | mountpoint = must_copy_string("/sys/fs/cgroup"); | |
2717 | subtree_path = must_make_path(mountpoint, base_cgroup, | |
2718 | "cgroup.subtree_control", NULL); | |
2719 | delegatable = cg_unified_get_controllers(subtree_path); | |
2720 | free(subtree_path); | |
2721 | if (!delegatable) | |
2722 | delegatable = cg_unified_make_empty_controller(); | |
2723 | if (!delegatable[0]) | |
2724 | TRACE("No controllers are enabled for delegation"); | |
2725 | ||
2726 | /* TODO: If the user requested specific controllers via lxc.cgroup.use | |
2727 | * we should verify here. The reason I'm not doing it right is that I'm | |
2728 | * not convinced that lxc.cgroup.use will be the future since it is a | |
2729 | * global property. I much rather have an option that lets you request | |
2730 | * controllers per container. | |
2731 | */ | |
2732 | ||
2733 | add_hierarchy(&ops->hierarchies, delegatable, mountpoint, base_cgroup, CGROUP2_SUPER_MAGIC); | |
2734 | ||
2735 | ops->cgroup_layout = CGROUP_LAYOUT_UNIFIED; | |
2736 | return CGROUP2_SUPER_MAGIC; | |
2737 | } | |
2738 | ||
5a087e05 | 2739 | static bool cg_init(struct cgroup_ops *ops, struct lxc_conf *conf) |
2202afc9 CB |
2740 | { |
2741 | int ret; | |
2742 | const char *tmp; | |
9caee129 | 2743 | bool relative = conf->cgroup_meta.relative; |
2202afc9 CB |
2744 | |
2745 | tmp = lxc_global_config_value("lxc.cgroup.use"); | |
b7b18fc5 CB |
2746 | if (tmp) { |
2747 | char *chop, *cur, *pin; | |
b7b18fc5 CB |
2748 | |
2749 | pin = must_copy_string(tmp); | |
2750 | chop = pin; | |
2751 | ||
0be0d78f | 2752 | lxc_iterate_parts(cur, chop, ",") { |
b7b18fc5 | 2753 | must_append_string(&ops->cgroup_use, cur); |
0be0d78f | 2754 | } |
b7b18fc5 CB |
2755 | |
2756 | free(pin); | |
2757 | } | |
2202afc9 | 2758 | |
9caee129 | 2759 | ret = cg_unified_init(ops, relative); |
2202afc9 CB |
2760 | if (ret < 0) |
2761 | return false; | |
2762 | ||
2763 | if (ret == CGROUP2_SUPER_MAGIC) | |
2764 | return true; | |
2765 | ||
9caee129 | 2766 | return cg_hybrid_init(ops, relative); |
2202afc9 CB |
2767 | } |
2768 | ||
b857f4be | 2769 | __cgfsng_ops static bool cgfsng_data_init(struct cgroup_ops *ops) |
2202afc9 CB |
2770 | { |
2771 | const char *cgroup_pattern; | |
2772 | ||
2773 | /* copy system-wide cgroup information */ | |
2774 | cgroup_pattern = lxc_global_config_value("lxc.cgroup.pattern"); | |
2775 | if (!cgroup_pattern) { | |
2776 | /* lxc.cgroup.pattern is only NULL on error. */ | |
2777 | ERROR("Failed to retrieve cgroup pattern"); | |
2778 | return false; | |
2779 | } | |
2780 | ops->cgroup_pattern = must_copy_string(cgroup_pattern); | |
625ad37b | 2781 | ops->monitor_pattern = MONITOR_CGROUP; |
2202afc9 CB |
2782 | |
2783 | return true; | |
2784 | } | |
2785 | ||
5a087e05 | 2786 | struct cgroup_ops *cgfsng_ops_init(struct lxc_conf *conf) |
2202afc9 CB |
2787 | { |
2788 | struct cgroup_ops *cgfsng_ops; | |
2789 | ||
2790 | cgfsng_ops = malloc(sizeof(struct cgroup_ops)); | |
2791 | if (!cgfsng_ops) | |
2792 | return NULL; | |
2793 | ||
2794 | memset(cgfsng_ops, 0, sizeof(struct cgroup_ops)); | |
2795 | cgfsng_ops->cgroup_layout = CGROUP_LAYOUT_UNKNOWN; | |
2796 | ||
5a087e05 | 2797 | if (!cg_init(cgfsng_ops, conf)) { |
2202afc9 CB |
2798 | free(cgfsng_ops); |
2799 | return NULL; | |
2800 | } | |
2801 | ||
2802 | cgfsng_ops->data_init = cgfsng_data_init; | |
434c8e15 CB |
2803 | cgfsng_ops->payload_destroy = cgfsng_payload_destroy; |
2804 | cgfsng_ops->monitor_destroy = cgfsng_monitor_destroy; | |
72068e74 | 2805 | cgfsng_ops->monitor_create = cgfsng_monitor_create; |
eeef32bb | 2806 | cgfsng_ops->monitor_enter = cgfsng_monitor_enter; |
e8b181f5 CB |
2807 | cgfsng_ops->payload_create = cgfsng_payload_create; |
2808 | cgfsng_ops->payload_enter = cgfsng_payload_enter; | |
2202afc9 CB |
2809 | cgfsng_ops->escape = cgfsng_escape; |
2810 | cgfsng_ops->num_hierarchies = cgfsng_num_hierarchies; | |
2811 | cgfsng_ops->get_hierarchies = cgfsng_get_hierarchies; | |
2812 | cgfsng_ops->get_cgroup = cgfsng_get_cgroup; | |
2813 | cgfsng_ops->get = cgfsng_get; | |
2814 | cgfsng_ops->set = cgfsng_set; | |
2815 | cgfsng_ops->unfreeze = cgfsng_unfreeze; | |
2816 | cgfsng_ops->setup_limits = cgfsng_setup_limits; | |
2817 | cgfsng_ops->driver = "cgfsng"; | |
2818 | cgfsng_ops->version = "1.0.0"; | |
2819 | cgfsng_ops->attach = cgfsng_attach; | |
2820 | cgfsng_ops->chown = cgfsng_chown; | |
2821 | cgfsng_ops->mount = cgfsng_mount; | |
2822 | cgfsng_ops->nrtasks = cgfsng_nrtasks; | |
2823 | ||
2824 | return cgfsng_ops; | |
2825 | } |