]>
Commit | Line | Data |
---|---|---|
ccb4cabe SH |
1 | /* |
2 | * lxc: linux Container library | |
3 | * | |
4 | * Copyright © 2016 Canonical Ltd. | |
5 | * | |
6 | * Authors: | |
7 | * Serge Hallyn <serge.hallyn@ubuntu.com> | |
8 | * | |
9 | * This library is free software; you can redistribute it and/or | |
10 | * modify it under the terms of the GNU Lesser General Public | |
11 | * License as published by the Free Software Foundation; either | |
12 | * version 2.1 of the License, or (at your option) any later version. | |
13 | * | |
14 | * This library is distributed in the hope that it will be useful, | |
15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
17 | * Lesser General Public License for more details. | |
18 | * | |
19 | * You should have received a copy of the GNU Lesser General Public | |
20 | * License along with this library; if not, write to the Free Software | |
21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA | |
22 | */ | |
23 | ||
24 | /* | |
25 | * cgfs-ng.c: this is a new, simplified implementation of a filesystem | |
26 | * cgroup backend. The original cgfs.c was designed to be as flexible | |
27 | * as possible. It would try to find cgroup filesystems no matter where | |
28 | * or how you had them mounted, and deduce the most usable mount for | |
29 | * each controller. It also was not designed for unprivileged use, as | |
30 | * that was reserved for cgmanager. | |
31 | * | |
32 | * This new implementation assumes that cgroup filesystems are mounted | |
33 | * under /sys/fs/cgroup/clist where clist is either the controller, or | |
34 | * a comman-separated list of controllers. | |
35 | */ | |
a54694f8 | 36 | |
ccb4cabe | 37 | #include "config.h" |
a54694f8 CB |
38 | |
39 | #include <ctype.h> | |
40 | #include <dirent.h> | |
41 | #include <errno.h> | |
42 | #include <grp.h> | |
43 | #include <stdint.h> | |
ccb4cabe SH |
44 | #include <stdio.h> |
45 | #include <stdlib.h> | |
a54694f8 | 46 | #include <string.h> |
ccb4cabe | 47 | #include <unistd.h> |
a54694f8 | 48 | #include <sys/types.h> |
ccb4cabe | 49 | |
c8bf519d | 50 | #include <linux/types.h> |
51 | #include <linux/kdev_t.h> | |
52 | ||
b635e92d | 53 | #include "caps.h" |
ccb4cabe | 54 | #include "cgroup.h" |
6328fd9c | 55 | #include "cgroup_utils.h" |
ccb4cabe | 56 | #include "commands.h" |
43654d34 | 57 | #include "conf.h" |
a54694f8 | 58 | #include "log.h" |
43654d34 | 59 | #include "storage/storage.h" |
a54694f8 | 60 | #include "utils.h" |
ccb4cabe SH |
61 | |
62 | lxc_log_define(lxc_cgfsng, lxc); | |
63 | ||
64 | static struct cgroup_ops cgfsng_ops; | |
65 | ||
ccb4cabe SH |
66 | /* |
67 | * A descriptor for a mounted hierarchy | |
68 | * @controllers: either NULL, or a null-terminated list of all | |
69 | * the co-mounted controllers | |
70 | * @mountpoint: the mountpoint we will use. It will be either | |
71 | * /sys/fs/cgroup/controller or /sys/fs/cgroup/controllerlist | |
72 | * @base_cgroup: the cgroup under which the container cgroup path | |
73 | is created. This will be either the caller's cgroup (if not | |
74 | root), or init's cgroup (if root). | |
75 | */ | |
76 | struct hierarchy { | |
77 | char **controllers; | |
78 | char *mountpoint; | |
79 | char *base_cgroup; | |
80 | char *fullcgpath; | |
d6337a5f | 81 | int version; |
ccb4cabe SH |
82 | }; |
83 | ||
84 | /* | |
85 | * The cgroup data which is attached to the lxc_handler. | |
43654d34 CB |
86 | * @cgroup_pattern : A copy of the lxc.cgroup.pattern |
87 | * @container_cgroup : If not null, the cgroup which was created for the | |
88 | * container. For each hierarchy, it is created under the | |
89 | * @hierarchy->base_cgroup directory. Relative to the | |
90 | * base_cgroup it is the same for all hierarchies. | |
91 | * @name : The name of the container. | |
92 | * @cgroup_meta : A copy of the container's cgroup information. This | |
93 | * overrides @cgroup_pattern. | |
ccb4cabe SH |
94 | */ |
95 | struct cgfsng_handler_data { | |
ccb4cabe | 96 | char *cgroup_pattern; |
1a0e70ac CB |
97 | char *container_cgroup; /* cgroup we created for the container */ |
98 | char *name; /* container name */ | |
43654d34 CB |
99 | /* per-container cgroup information */ |
100 | struct lxc_cgroup cgroup_meta; | |
d6337a5f | 101 | cgroup_layout_t cgroup_layout; |
ccb4cabe SH |
102 | }; |
103 | ||
457ca9aa SH |
104 | /* |
105 | * @hierarchies - a NULL-terminated array of struct hierarchy, one per | |
d6337a5f CB |
106 | * legacy hierarchy. No duplicates. First sufficient, writeable |
107 | * mounted hierarchy wins | |
457ca9aa SH |
108 | */ |
109 | struct hierarchy **hierarchies; | |
d6337a5f CB |
110 | struct hierarchy *unified; |
111 | cgroup_layout_t cgroup_layout; | |
457ca9aa SH |
112 | |
113 | /* | |
114 | * @cgroup_use - a copy of the lxc.cgroup.use | |
115 | */ | |
116 | char *cgroup_use; | |
117 | ||
e4aeecf5 CB |
118 | /* |
119 | * @lxc_cgfsng_debug - whether to print debug info to stdout for the cgfsng | |
120 | * driver | |
121 | */ | |
122 | static bool lxc_cgfsng_debug; | |
123 | ||
65d78313 MPS |
124 | #define CGFSNG_DEBUG(format, ...) do { \ |
125 | if (lxc_cgfsng_debug) \ | |
126 | printf("cgfsng: " format, ##__VA_ARGS__); \ | |
127 | } while(0) | |
128 | ||
ccb4cabe SH |
129 | static void free_string_list(char **clist) |
130 | { | |
131 | if (clist) { | |
132 | int i; | |
133 | ||
134 | for (i = 0; clist[i]; i++) | |
135 | free(clist[i]); | |
136 | free(clist); | |
137 | } | |
138 | } | |
139 | ||
ccb4cabe SH |
140 | /* Allocate a pointer, do not fail */ |
141 | static void *must_alloc(size_t sz) | |
142 | { | |
143 | return must_realloc(NULL, sz); | |
144 | } | |
145 | ||
ccb4cabe SH |
146 | /* |
147 | * This is a special case - return a copy of @entry | |
148 | * prepending 'name='. I.e. turn systemd into name=systemd. | |
149 | * Do not fail. | |
150 | */ | |
151 | static char *must_prefix_named(char *entry) | |
152 | { | |
153 | char *ret; | |
154 | size_t len = strlen(entry); | |
155 | ||
156 | ret = must_alloc(len + 6); | |
157 | snprintf(ret, len + 6, "name=%s", entry); | |
158 | return ret; | |
159 | } | |
160 | ||
161 | /* | |
162 | * Given a pointer to a null-terminated array of pointers, realloc to | |
163 | * add one entry, and point the new entry to NULL. Do not fail. Return | |
164 | * the index to the second-to-last entry - that is, the one which is | |
165 | * now available for use (keeping the list null-terminated). | |
166 | */ | |
167 | static int append_null_to_list(void ***list) | |
168 | { | |
169 | int newentry = 0; | |
170 | ||
171 | if (*list) | |
172 | for (; (*list)[newentry]; newentry++); | |
173 | ||
174 | *list = must_realloc(*list, (newentry + 2) * sizeof(void **)); | |
175 | (*list)[newentry + 1] = NULL; | |
176 | return newentry; | |
177 | } | |
178 | ||
179 | /* | |
180 | * Given a null-terminated array of strings, check whether @entry | |
181 | * is one of the strings | |
182 | */ | |
183 | static bool string_in_list(char **list, const char *entry) | |
184 | { | |
185 | int i; | |
186 | ||
187 | if (!list) | |
188 | return false; | |
d6337a5f | 189 | |
ccb4cabe SH |
190 | for (i = 0; list[i]; i++) |
191 | if (strcmp(list[i], entry) == 0) | |
192 | return true; | |
193 | ||
194 | return false; | |
195 | } | |
196 | ||
197 | /* | |
198 | * append an entry to the clist. Do not fail. | |
199 | * *clist must be NULL the first time we are called. | |
200 | * | |
201 | * We also handle named subsystems here. Any controller which is not a | |
202 | * kernel subsystem, we prefix 'name='. Any which is both a kernel and | |
203 | * named subsystem, we refuse to use because we're not sure which we | |
204 | * have here. (TODO - we could work around this in some cases by just | |
205 | * remounting to be unambiguous, or by comparing mountpoint contents | |
206 | * with current cgroup) | |
207 | * | |
208 | * The last entry will always be NULL. | |
209 | */ | |
210 | static void must_append_controller(char **klist, char **nlist, char ***clist, char *entry) | |
211 | { | |
212 | int newentry; | |
213 | char *copy; | |
214 | ||
215 | if (string_in_list(klist, entry) && string_in_list(nlist, entry)) { | |
c2712f64 | 216 | ERROR("Refusing to use ambiguous controller \"%s\"", entry); |
ccb4cabe SH |
217 | ERROR("It is both a named and kernel subsystem"); |
218 | return; | |
219 | } | |
220 | ||
221 | newentry = append_null_to_list((void ***)clist); | |
222 | ||
223 | if (strncmp(entry, "name=", 5) == 0) | |
224 | copy = must_copy_string(entry); | |
225 | else if (string_in_list(klist, entry)) | |
226 | copy = must_copy_string(entry); | |
227 | else | |
228 | copy = must_prefix_named(entry); | |
229 | ||
230 | (*clist)[newentry] = copy; | |
231 | } | |
232 | ||
ccb4cabe SH |
233 | static void free_handler_data(struct cgfsng_handler_data *d) |
234 | { | |
ccb4cabe SH |
235 | free(d->cgroup_pattern); |
236 | free(d->container_cgroup); | |
237 | free(d->name); | |
43654d34 CB |
238 | if (d->cgroup_meta.dir) |
239 | free(d->cgroup_meta.dir); | |
240 | if (d->cgroup_meta.controllers) | |
241 | free(d->cgroup_meta.controllers); | |
ccb4cabe SH |
242 | free(d); |
243 | } | |
244 | ||
245 | /* | |
246 | * Given a handler's cgroup data, return the struct hierarchy for the | |
247 | * controller @c, or NULL if there is none. | |
248 | */ | |
457ca9aa | 249 | struct hierarchy *get_hierarchy(const char *c) |
ccb4cabe SH |
250 | { |
251 | int i; | |
252 | ||
457ca9aa | 253 | if (!hierarchies) |
ccb4cabe | 254 | return NULL; |
d6337a5f | 255 | |
457ca9aa | 256 | for (i = 0; hierarchies[i]; i++) { |
d6337a5f CB |
257 | if (!c) { |
258 | /* This is the empty unified hierarchy. */ | |
259 | if (hierarchies[i]->controllers && | |
260 | !hierarchies[i]->controllers[0]) | |
261 | return hierarchies[i]; | |
262 | ||
263 | return NULL; | |
264 | } | |
265 | ||
457ca9aa SH |
266 | if (string_in_list(hierarchies[i]->controllers, c)) |
267 | return hierarchies[i]; | |
ccb4cabe | 268 | } |
d6337a5f | 269 | |
ccb4cabe SH |
270 | return NULL; |
271 | } | |
272 | ||
a54694f8 CB |
273 | #define BATCH_SIZE 50 |
274 | static void batch_realloc(char **mem, size_t oldlen, size_t newlen) | |
275 | { | |
276 | int newbatches = (newlen / BATCH_SIZE) + 1; | |
277 | int oldbatches = (oldlen / BATCH_SIZE) + 1; | |
278 | ||
279 | if (!*mem || newbatches > oldbatches) { | |
280 | *mem = must_realloc(*mem, newbatches * BATCH_SIZE); | |
281 | } | |
282 | } | |
283 | ||
284 | static void append_line(char **dest, size_t oldlen, char *new, size_t newlen) | |
285 | { | |
286 | size_t full = oldlen + newlen; | |
287 | ||
288 | batch_realloc(dest, oldlen, full + 1); | |
289 | ||
290 | memcpy(*dest + oldlen, new, newlen + 1); | |
291 | } | |
292 | ||
293 | /* Slurp in a whole file */ | |
d6337a5f | 294 | static char *read_file(const char *fnam) |
a54694f8 CB |
295 | { |
296 | FILE *f; | |
297 | char *line = NULL, *buf = NULL; | |
298 | size_t len = 0, fulllen = 0; | |
299 | int linelen; | |
300 | ||
301 | f = fopen(fnam, "r"); | |
302 | if (!f) | |
303 | return NULL; | |
304 | while ((linelen = getline(&line, &len, f)) != -1) { | |
305 | append_line(&buf, fulllen, line, linelen); | |
306 | fulllen += linelen; | |
307 | } | |
308 | fclose(f); | |
309 | free(line); | |
310 | return buf; | |
311 | } | |
312 | ||
313 | /* Taken over modified from the kernel sources. */ | |
314 | #define NBITS 32 /* bits in uint32_t */ | |
315 | #define DIV_ROUND_UP(n, d) (((n) + (d)-1) / (d)) | |
316 | #define BITS_TO_LONGS(nr) DIV_ROUND_UP(nr, NBITS) | |
317 | ||
318 | static void set_bit(unsigned bit, uint32_t *bitarr) | |
319 | { | |
320 | bitarr[bit / NBITS] |= (1 << (bit % NBITS)); | |
321 | } | |
322 | ||
323 | static void clear_bit(unsigned bit, uint32_t *bitarr) | |
324 | { | |
325 | bitarr[bit / NBITS] &= ~(1 << (bit % NBITS)); | |
326 | } | |
327 | ||
328 | static bool is_set(unsigned bit, uint32_t *bitarr) | |
329 | { | |
330 | return (bitarr[bit / NBITS] & (1 << (bit % NBITS))) != 0; | |
331 | } | |
332 | ||
333 | /* Create cpumask from cpulist aka turn: | |
334 | * | |
335 | * 0,2-3 | |
336 | * | |
337 | * into bit array | |
338 | * | |
339 | * 1 0 1 1 | |
340 | */ | |
341 | static uint32_t *lxc_cpumask(char *buf, size_t nbits) | |
342 | { | |
343 | char *token; | |
344 | char *saveptr = NULL; | |
345 | size_t arrlen = BITS_TO_LONGS(nbits); | |
346 | uint32_t *bitarr = calloc(arrlen, sizeof(uint32_t)); | |
347 | if (!bitarr) | |
348 | return NULL; | |
349 | ||
350 | for (; (token = strtok_r(buf, ",", &saveptr)); buf = NULL) { | |
351 | errno = 0; | |
352 | unsigned start = strtoul(token, NULL, 0); | |
353 | unsigned end = start; | |
354 | ||
355 | char *range = strchr(token, '-'); | |
356 | if (range) | |
357 | end = strtoul(range + 1, NULL, 0); | |
358 | if (!(start <= end)) { | |
359 | free(bitarr); | |
360 | return NULL; | |
361 | } | |
362 | ||
363 | if (end >= nbits) { | |
364 | free(bitarr); | |
365 | return NULL; | |
366 | } | |
367 | ||
368 | while (start <= end) | |
369 | set_bit(start++, bitarr); | |
370 | } | |
371 | ||
372 | return bitarr; | |
373 | } | |
374 | ||
a54694f8 CB |
375 | /* Turn cpumask into simple, comma-separated cpulist. */ |
376 | static char *lxc_cpumask_to_cpulist(uint32_t *bitarr, size_t nbits) | |
377 | { | |
378 | size_t i; | |
379 | int ret; | |
eab15c1e | 380 | char numstr[LXC_NUMSTRLEN64] = {0}; |
a54694f8 CB |
381 | char **cpulist = NULL; |
382 | ||
383 | for (i = 0; i <= nbits; i++) { | |
384 | if (is_set(i, bitarr)) { | |
eab15c1e CB |
385 | ret = snprintf(numstr, LXC_NUMSTRLEN64, "%zu", i); |
386 | if (ret < 0 || (size_t)ret >= LXC_NUMSTRLEN64) { | |
a54694f8 CB |
387 | lxc_free_array((void **)cpulist, free); |
388 | return NULL; | |
389 | } | |
390 | if (lxc_append_string(&cpulist, numstr) < 0) { | |
391 | lxc_free_array((void **)cpulist, free); | |
392 | return NULL; | |
393 | } | |
394 | } | |
395 | } | |
396 | return lxc_string_join(",", (const char **)cpulist, false); | |
397 | } | |
398 | ||
399 | static ssize_t get_max_cpus(char *cpulist) | |
400 | { | |
401 | char *c1, *c2; | |
402 | char *maxcpus = cpulist; | |
403 | size_t cpus = 0; | |
404 | ||
405 | c1 = strrchr(maxcpus, ','); | |
406 | if (c1) | |
407 | c1++; | |
408 | ||
409 | c2 = strrchr(maxcpus, '-'); | |
410 | if (c2) | |
411 | c2++; | |
412 | ||
413 | if (!c1 && !c2) | |
414 | c1 = maxcpus; | |
415 | else if (c1 > c2) | |
416 | c2 = c1; | |
417 | else if (c1 < c2) | |
418 | c1 = c2; | |
1a0e70ac | 419 | else if (!c1 && c2) /* The reverse case is obvs. not needed. */ |
a54694f8 CB |
420 | c1 = c2; |
421 | ||
422 | /* If the above logic is correct, c1 should always hold a valid string | |
423 | * here. | |
424 | */ | |
425 | ||
426 | errno = 0; | |
427 | cpus = strtoul(c1, NULL, 0); | |
428 | if (errno != 0) | |
429 | return -1; | |
430 | ||
431 | return cpus; | |
432 | } | |
433 | ||
6f9584d8 | 434 | #define __ISOL_CPUS "/sys/devices/system/cpu/isolated" |
a54694f8 CB |
435 | static bool filter_and_set_cpus(char *path, bool am_initialized) |
436 | { | |
437 | char *lastslash, *fpath, oldv; | |
438 | int ret; | |
439 | ssize_t i; | |
440 | ||
441 | ssize_t maxposs = 0, maxisol = 0; | |
442 | char *cpulist = NULL, *posscpus = NULL, *isolcpus = NULL; | |
443 | uint32_t *possmask = NULL, *isolmask = NULL; | |
6f9584d8 | 444 | bool bret = false, flipped_bit = false; |
a54694f8 CB |
445 | |
446 | lastslash = strrchr(path, '/'); | |
1a0e70ac | 447 | if (!lastslash) { /* bug... this shouldn't be possible */ |
6f9584d8 | 448 | ERROR("Invalid path: %s.", path); |
a54694f8 CB |
449 | return bret; |
450 | } | |
451 | oldv = *lastslash; | |
452 | *lastslash = '\0'; | |
453 | fpath = must_make_path(path, "cpuset.cpus", NULL); | |
454 | posscpus = read_file(fpath); | |
6f9584d8 CB |
455 | if (!posscpus) { |
456 | SYSERROR("Could not read file: %s.\n", fpath); | |
457 | goto on_error; | |
458 | } | |
a54694f8 CB |
459 | |
460 | /* Get maximum number of cpus found in possible cpuset. */ | |
461 | maxposs = get_max_cpus(posscpus); | |
462 | if (maxposs < 0) | |
6f9584d8 | 463 | goto on_error; |
a54694f8 | 464 | |
6f9584d8 CB |
465 | if (!file_exists(__ISOL_CPUS)) { |
466 | /* This system doesn't expose isolated cpus. */ | |
467 | DEBUG("Path: "__ISOL_CPUS" to read isolated cpus from does not exist.\n"); | |
65d29cbc CB |
468 | cpulist = posscpus; |
469 | /* No isolated cpus but we weren't already initialized by | |
470 | * someone. We should simply copy the parents cpuset.cpus | |
471 | * values. | |
472 | */ | |
473 | if (!am_initialized) { | |
474 | DEBUG("Copying cpuset of parent cgroup."); | |
475 | goto copy_parent; | |
476 | } | |
477 | /* No isolated cpus but we were already initialized by someone. | |
478 | * Nothing more to do for us. | |
479 | */ | |
6f9584d8 CB |
480 | goto on_success; |
481 | } | |
482 | ||
483 | isolcpus = read_file(__ISOL_CPUS); | |
484 | if (!isolcpus) { | |
485 | SYSERROR("Could not read file "__ISOL_CPUS); | |
486 | goto on_error; | |
487 | } | |
a54694f8 | 488 | if (!isdigit(isolcpus[0])) { |
6f9584d8 | 489 | DEBUG("No isolated cpus detected."); |
a54694f8 CB |
490 | cpulist = posscpus; |
491 | /* No isolated cpus but we weren't already initialized by | |
492 | * someone. We should simply copy the parents cpuset.cpus | |
493 | * values. | |
494 | */ | |
6f9584d8 CB |
495 | if (!am_initialized) { |
496 | DEBUG("Copying cpuset of parent cgroup."); | |
a54694f8 | 497 | goto copy_parent; |
6f9584d8 | 498 | } |
a54694f8 CB |
499 | /* No isolated cpus but we were already initialized by someone. |
500 | * Nothing more to do for us. | |
501 | */ | |
6f9584d8 | 502 | goto on_success; |
a54694f8 CB |
503 | } |
504 | ||
505 | /* Get maximum number of cpus found in isolated cpuset. */ | |
506 | maxisol = get_max_cpus(isolcpus); | |
507 | if (maxisol < 0) | |
6f9584d8 | 508 | goto on_error; |
a54694f8 CB |
509 | |
510 | if (maxposs < maxisol) | |
511 | maxposs = maxisol; | |
512 | maxposs++; | |
513 | ||
514 | possmask = lxc_cpumask(posscpus, maxposs); | |
6f9584d8 CB |
515 | if (!possmask) { |
516 | ERROR("Could not create cpumask for all possible cpus.\n"); | |
517 | goto on_error; | |
518 | } | |
a54694f8 CB |
519 | |
520 | isolmask = lxc_cpumask(isolcpus, maxposs); | |
6f9584d8 CB |
521 | if (!isolmask) { |
522 | ERROR("Could not create cpumask for all isolated cpus.\n"); | |
523 | goto on_error; | |
524 | } | |
a54694f8 CB |
525 | |
526 | for (i = 0; i <= maxposs; i++) { | |
527 | if (is_set(i, isolmask) && is_set(i, possmask)) { | |
6f9584d8 | 528 | flipped_bit = true; |
a54694f8 CB |
529 | clear_bit(i, possmask); |
530 | } | |
531 | } | |
532 | ||
6f9584d8 CB |
533 | if (!flipped_bit) { |
534 | DEBUG("No isolated cpus present in cpuset."); | |
535 | goto on_success; | |
536 | } | |
537 | DEBUG("Removed isolated cpus from cpuset."); | |
538 | ||
a54694f8 | 539 | cpulist = lxc_cpumask_to_cpulist(possmask, maxposs); |
6f9584d8 CB |
540 | if (!cpulist) { |
541 | ERROR("Could not create cpu list.\n"); | |
542 | goto on_error; | |
543 | } | |
a54694f8 CB |
544 | |
545 | copy_parent: | |
546 | *lastslash = oldv; | |
dcbc861e | 547 | free(fpath); |
a54694f8 CB |
548 | fpath = must_make_path(path, "cpuset.cpus", NULL); |
549 | ret = lxc_write_to_file(fpath, cpulist, strlen(cpulist), false); | |
6f9584d8 CB |
550 | if (ret < 0) { |
551 | SYSERROR("Could not write cpu list to: %s.\n", fpath); | |
552 | goto on_error; | |
553 | } | |
554 | ||
555 | on_success: | |
556 | bret = true; | |
a54694f8 | 557 | |
6f9584d8 | 558 | on_error: |
a54694f8 CB |
559 | free(fpath); |
560 | ||
561 | free(isolcpus); | |
562 | free(isolmask); | |
563 | ||
564 | if (posscpus != cpulist) | |
565 | free(posscpus); | |
566 | free(possmask); | |
567 | ||
568 | free(cpulist); | |
569 | return bret; | |
570 | } | |
571 | ||
e3a3fecf SH |
572 | /* Copy contents of parent(@path)/@file to @path/@file */ |
573 | static bool copy_parent_file(char *path, char *file) | |
574 | { | |
575 | char *lastslash, *value = NULL, *fpath, oldv; | |
576 | int len = 0; | |
577 | int ret; | |
578 | ||
579 | lastslash = strrchr(path, '/'); | |
1a0e70ac | 580 | if (!lastslash) { /* bug... this shouldn't be possible */ |
e3a3fecf SH |
581 | ERROR("cgfsng:copy_parent_file: bad path %s", path); |
582 | return false; | |
583 | } | |
584 | oldv = *lastslash; | |
585 | *lastslash = '\0'; | |
586 | fpath = must_make_path(path, file, NULL); | |
587 | len = lxc_read_from_file(fpath, NULL, 0); | |
588 | if (len <= 0) | |
589 | goto bad; | |
590 | value = must_alloc(len + 1); | |
591 | if (lxc_read_from_file(fpath, value, len) != len) | |
592 | goto bad; | |
593 | free(fpath); | |
594 | *lastslash = oldv; | |
595 | fpath = must_make_path(path, file, NULL); | |
596 | ret = lxc_write_to_file(fpath, value, len, false); | |
597 | if (ret < 0) | |
598 | SYSERROR("Unable to write %s to %s", value, fpath); | |
599 | free(fpath); | |
600 | free(value); | |
601 | return ret >= 0; | |
602 | ||
603 | bad: | |
604 | SYSERROR("Error reading '%s'", fpath); | |
605 | free(fpath); | |
606 | free(value); | |
607 | return false; | |
608 | } | |
609 | ||
610 | /* | |
611 | * Initialize the cpuset hierarchy in first directory of @gname and | |
612 | * set cgroup.clone_children so that children inherit settings. | |
613 | * Since the h->base_path is populated by init or ourselves, we know | |
614 | * it is already initialized. | |
615 | */ | |
a54694f8 | 616 | static bool handle_cpuset_hierarchy(struct hierarchy *h, char *cgname) |
e3a3fecf SH |
617 | { |
618 | char *cgpath, *clonechildrenpath, v, *slash; | |
619 | ||
620 | if (!string_in_list(h->controllers, "cpuset")) | |
621 | return true; | |
622 | ||
623 | if (*cgname == '/') | |
624 | cgname++; | |
625 | slash = strchr(cgname, '/'); | |
626 | if (slash) | |
627 | *slash = '\0'; | |
628 | ||
629 | cgpath = must_make_path(h->mountpoint, h->base_cgroup, cgname, NULL); | |
630 | if (slash) | |
631 | *slash = '/'; | |
632 | if (mkdir(cgpath, 0755) < 0 && errno != EEXIST) { | |
633 | SYSERROR("Failed to create '%s'", cgpath); | |
634 | free(cgpath); | |
635 | return false; | |
636 | } | |
6f9584d8 | 637 | |
e3a3fecf | 638 | clonechildrenpath = must_make_path(cgpath, "cgroup.clone_children", NULL); |
6328fd9c CB |
639 | /* unified hierarchy doesn't have clone_children */ |
640 | if (!file_exists(clonechildrenpath)) { | |
e3a3fecf SH |
641 | free(clonechildrenpath); |
642 | free(cgpath); | |
643 | return true; | |
644 | } | |
645 | if (lxc_read_from_file(clonechildrenpath, &v, 1) < 0) { | |
646 | SYSERROR("Failed to read '%s'", clonechildrenpath); | |
647 | free(clonechildrenpath); | |
648 | free(cgpath); | |
649 | return false; | |
650 | } | |
651 | ||
a54694f8 | 652 | /* Make sure any isolated cpus are removed from cpuset.cpus. */ |
6f9584d8 CB |
653 | if (!filter_and_set_cpus(cgpath, v == '1')) { |
654 | SYSERROR("Failed to remove isolated cpus."); | |
655 | free(clonechildrenpath); | |
656 | free(cgpath); | |
a54694f8 | 657 | return false; |
6f9584d8 | 658 | } |
a54694f8 | 659 | |
e3a3fecf | 660 | if (v == '1') { /* already set for us by someone else */ |
6f9584d8 | 661 | DEBUG("\"cgroup.clone_children\" was already set to \"1\"."); |
e3a3fecf SH |
662 | free(clonechildrenpath); |
663 | free(cgpath); | |
664 | return true; | |
665 | } | |
666 | ||
667 | /* copy parent's settings */ | |
a54694f8 | 668 | if (!copy_parent_file(cgpath, "cpuset.mems")) { |
6f9584d8 | 669 | SYSERROR("Failed to copy \"cpuset.mems\" settings."); |
e3a3fecf SH |
670 | free(cgpath); |
671 | free(clonechildrenpath); | |
672 | return false; | |
673 | } | |
674 | free(cgpath); | |
675 | ||
676 | if (lxc_write_to_file(clonechildrenpath, "1", 1, false) < 0) { | |
677 | /* Set clone_children so children inherit our settings */ | |
678 | SYSERROR("Failed to write 1 to %s", clonechildrenpath); | |
679 | free(clonechildrenpath); | |
680 | return false; | |
681 | } | |
682 | free(clonechildrenpath); | |
683 | return true; | |
684 | } | |
685 | ||
ccb4cabe SH |
686 | /* |
687 | * Given two null-terminated lists of strings, return true if any string | |
688 | * is in both. | |
689 | */ | |
690 | static bool controller_lists_intersect(char **l1, char **l2) | |
691 | { | |
692 | int i; | |
693 | ||
694 | if (!l1 || !l2) | |
695 | return false; | |
696 | ||
697 | for (i = 0; l1[i]; i++) { | |
698 | if (string_in_list(l2, l1[i])) | |
699 | return true; | |
700 | } | |
701 | return false; | |
702 | } | |
703 | ||
704 | /* | |
705 | * For a null-terminated list of controllers @clist, return true if any of | |
706 | * those controllers is already listed the null-terminated list of | |
707 | * hierarchies @hlist. Realistically, if one is present, all must be present. | |
708 | */ | |
709 | static bool controller_list_is_dup(struct hierarchy **hlist, char **clist) | |
710 | { | |
711 | int i; | |
712 | ||
713 | if (!hlist) | |
714 | return false; | |
715 | for (i = 0; hlist[i]; i++) | |
716 | if (controller_lists_intersect(hlist[i]->controllers, clist)) | |
717 | return true; | |
718 | return false; | |
719 | ||
720 | } | |
721 | ||
722 | /* | |
723 | * Return true if the controller @entry is found in the null-terminated | |
724 | * list of hierarchies @hlist | |
725 | */ | |
726 | static bool controller_found(struct hierarchy **hlist, char *entry) | |
727 | { | |
728 | int i; | |
d6337a5f | 729 | |
ccb4cabe SH |
730 | if (!hlist) |
731 | return false; | |
732 | ||
733 | for (i = 0; hlist[i]; i++) | |
734 | if (string_in_list(hlist[i]->controllers, entry)) | |
735 | return true; | |
d6337a5f | 736 | |
ccb4cabe SH |
737 | return false; |
738 | } | |
739 | ||
740 | /* | |
c30b61c3 SH |
741 | * Return true if all of the controllers which we require have been found. |
742 | * The required list is freezer and anything in * lxc.cgroup.use. | |
ccb4cabe | 743 | */ |
457ca9aa | 744 | static bool all_controllers_found(void) |
ccb4cabe SH |
745 | { |
746 | char *p, *saveptr = NULL; | |
457ca9aa | 747 | struct hierarchy ** hlist = hierarchies; |
ccb4cabe | 748 | |
ccb4cabe | 749 | if (!controller_found(hlist, "freezer")) { |
65d78313 | 750 | CGFSNG_DEBUG("No freezer controller mountpoint found\n"); |
ccb4cabe SH |
751 | return false; |
752 | } | |
753 | ||
457ca9aa | 754 | if (!cgroup_use) |
ccb4cabe | 755 | return true; |
c2712f64 | 756 | |
457ca9aa | 757 | for (p = strtok_r(cgroup_use, ",", &saveptr); p; |
ccb4cabe SH |
758 | p = strtok_r(NULL, ",", &saveptr)) { |
759 | if (!controller_found(hlist, p)) { | |
65d78313 | 760 | CGFSNG_DEBUG("No %s controller mountpoint found\n", p); |
ccb4cabe SH |
761 | return false; |
762 | } | |
763 | } | |
c2712f64 | 764 | |
ccb4cabe SH |
765 | return true; |
766 | } | |
767 | ||
ccb4cabe SH |
768 | /* |
769 | * Get the controllers from a mountinfo line | |
770 | * There are other ways we could get this info. For lxcfs, field 3 | |
771 | * is /cgroup/controller-list. For cgroupfs, we could parse the mount | |
772 | * options. But we simply assume that the mountpoint must be | |
773 | * /sys/fs/cgroup/controller-list | |
774 | */ | |
d6337a5f CB |
775 | static char **get_controllers_on_hybrid_layout(char **klist, char **nlist, |
776 | char *line, int type) | |
ccb4cabe | 777 | { |
6328fd9c | 778 | /* the fourth field is /sys/fs/cgroup/comma-delimited-controller-list */ |
ccb4cabe | 779 | int i; |
411ac6d8 | 780 | char *dup, *p2, *tok; |
d6337a5f | 781 | char *p = line, *saveptr = NULL, *sep = ","; |
411ac6d8 | 782 | char **aret = NULL; |
6328fd9c | 783 | |
ccb4cabe | 784 | for (i = 0; i < 4; i++) { |
235f1815 | 785 | p = strchr(p, ' '); |
ccb4cabe SH |
786 | if (!p) |
787 | return NULL; | |
788 | p++; | |
789 | } | |
a55f31bd | 790 | |
ccb4cabe SH |
791 | /* note - if we change how mountinfo works, then our caller |
792 | * will need to verify /sys/fs/cgroup/ in this field */ | |
c2712f64 | 793 | if (strncmp(p, "/sys/fs/cgroup/", 15)) { |
65d78313 | 794 | CGFSNG_DEBUG("Found hierarchy not under /sys/fs/cgroup: \"%s\"\n", p); |
ccb4cabe | 795 | return NULL; |
5059aae9 | 796 | } |
d6337a5f | 797 | |
ccb4cabe | 798 | p += 15; |
235f1815 | 799 | p2 = strchr(p, ' '); |
ccb4cabe | 800 | if (!p2) { |
65d78313 | 801 | CGFSNG_DEBUG("Corrupt mountinfo\n"); |
ccb4cabe SH |
802 | return NULL; |
803 | } | |
804 | *p2 = '\0'; | |
6328fd9c | 805 | |
d6337a5f CB |
806 | if (type == CGROUP_SUPER_MAGIC) { |
807 | /* strdup() here for v1 hierarchies. Otherwise strtok_r() will | |
808 | * destroy mountpoints such as "/sys/fs/cgroup/cpu,cpuacct". | |
809 | */ | |
810 | dup = strdup(p); | |
811 | if (!dup) | |
812 | return NULL; | |
813 | ||
814 | for (tok = strtok_r(dup, sep, &saveptr); tok; | |
815 | tok = strtok_r(NULL, sep, &saveptr)) | |
816 | must_append_controller(klist, nlist, &aret, tok); | |
817 | ||
818 | free(dup); | |
411ac6d8 | 819 | } |
d6337a5f CB |
820 | *p2 = ' '; |
821 | return aret; | |
822 | } | |
411ac6d8 | 823 | |
d6337a5f CB |
824 | static char **cg_unified_make_empty_controller(void) |
825 | { | |
826 | int newentry; | |
827 | char **aret = NULL; | |
828 | ||
829 | newentry = append_null_to_list((void ***)&aret); | |
830 | aret[newentry] = NULL; | |
831 | return aret; | |
832 | } | |
833 | ||
834 | static char **cg_unified_get_controllers(const char *file) | |
835 | { | |
836 | char *buf, *tok; | |
837 | char *saveptr = NULL, *sep = " \t\n"; | |
838 | char **aret = NULL; | |
839 | ||
840 | buf = read_file(file); | |
841 | if (!buf) | |
411ac6d8 | 842 | return NULL; |
6328fd9c | 843 | |
d6337a5f CB |
844 | for (tok = strtok_r(buf, sep, &saveptr); tok; |
845 | tok = strtok_r(NULL, sep, &saveptr)) { | |
846 | int newentry; | |
847 | char *copy; | |
848 | ||
849 | newentry = append_null_to_list((void ***)&aret); | |
850 | copy = must_copy_string(tok); | |
851 | aret[newentry] = copy; | |
ccb4cabe SH |
852 | } |
853 | ||
d6337a5f | 854 | free(buf); |
ccb4cabe SH |
855 | return aret; |
856 | } | |
857 | ||
d6337a5f CB |
858 | static struct hierarchy *add_hierarchy(char **clist, char *mountpoint, |
859 | char *base_cgroup, int type) | |
ccb4cabe SH |
860 | { |
861 | struct hierarchy *new; | |
862 | int newentry; | |
863 | ||
864 | new = must_alloc(sizeof(*new)); | |
865 | new->controllers = clist; | |
866 | new->mountpoint = mountpoint; | |
867 | new->base_cgroup = base_cgroup; | |
868 | new->fullcgpath = NULL; | |
d6337a5f | 869 | new->version = type; |
6328fd9c | 870 | |
457ca9aa SH |
871 | newentry = append_null_to_list((void ***)&hierarchies); |
872 | hierarchies[newentry] = new; | |
d6337a5f | 873 | return new; |
ccb4cabe SH |
874 | } |
875 | ||
876 | /* | |
877 | * Get a copy of the mountpoint from @line, which is a line from | |
878 | * /proc/self/mountinfo | |
879 | */ | |
d6337a5f | 880 | static char *get_mountpoint_on_hybrid_layout(char *line) |
ccb4cabe SH |
881 | { |
882 | int i; | |
d6337a5f | 883 | char *p2; |
ccb4cabe | 884 | size_t len; |
d6337a5f CB |
885 | char *p = line; |
886 | char *sret = NULL; | |
ccb4cabe SH |
887 | |
888 | for (i = 0; i < 4; i++) { | |
235f1815 | 889 | p = strchr(p, ' '); |
ccb4cabe SH |
890 | if (!p) |
891 | return NULL; | |
892 | p++; | |
893 | } | |
d6337a5f CB |
894 | |
895 | if (strncmp(p, "/sys/fs/cgroup/", 15)) | |
896 | return NULL; | |
897 | ||
898 | p2 = strchr(p + 15, ' '); | |
899 | if (!p2) | |
900 | return NULL; | |
901 | *p2 = '\0'; | |
902 | ||
ccb4cabe SH |
903 | len = strlen(p); |
904 | sret = must_alloc(len + 1); | |
905 | memcpy(sret, p, len); | |
906 | sret[len] = '\0'; | |
907 | return sret; | |
908 | } | |
909 | ||
910 | /* | |
911 | * Given a multi-line string, return a null-terminated copy of the | |
912 | * current line. | |
913 | */ | |
914 | static char *copy_to_eol(char *p) | |
915 | { | |
235f1815 | 916 | char *p2 = strchr(p, '\n'), *sret; |
ccb4cabe SH |
917 | size_t len; |
918 | ||
919 | if (!p2) | |
920 | return NULL; | |
921 | ||
922 | len = p2 - p; | |
923 | sret = must_alloc(len + 1); | |
924 | memcpy(sret, p, len); | |
925 | sret[len] = '\0'; | |
926 | return sret; | |
927 | } | |
928 | ||
929 | /* | |
930 | * cgline: pointer to character after the first ':' in a line in a | |
931 | * \n-terminated /proc/self/cgroup file. Check whether * controller c is | |
932 | * present. | |
933 | */ | |
934 | static bool controller_in_clist(char *cgline, char *c) | |
935 | { | |
936 | char *tok, *saveptr = NULL, *eol, *tmp; | |
937 | size_t len; | |
938 | ||
235f1815 | 939 | eol = strchr(cgline, ':'); |
ccb4cabe SH |
940 | if (!eol) |
941 | return false; | |
942 | ||
943 | len = eol - cgline; | |
944 | tmp = alloca(len + 1); | |
945 | memcpy(tmp, cgline, len); | |
946 | tmp[len] = '\0'; | |
947 | ||
948 | for (tok = strtok_r(tmp, ",", &saveptr); tok; | |
d6337a5f | 949 | tok = strtok_r(NULL, ",", &saveptr)) { |
ccb4cabe SH |
950 | if (strcmp(tok, c) == 0) |
951 | return true; | |
952 | } | |
d6337a5f | 953 | |
ccb4cabe SH |
954 | return false; |
955 | } | |
956 | ||
957 | /* | |
958 | * @basecginfo is a copy of /proc/$$/cgroup. Return the current | |
959 | * cgroup for @controller | |
960 | */ | |
d6337a5f | 961 | static char *get_current_cgroup(char *basecginfo, char *controller, int type) |
ccb4cabe SH |
962 | { |
963 | char *p = basecginfo; | |
6328fd9c | 964 | |
d6337a5f CB |
965 | for (;;) { |
966 | bool is_cgv2_base_cgroup = false; | |
967 | ||
6328fd9c | 968 | /* cgroup v2 entry in "/proc/<pid>/cgroup": "0::/some/path" */ |
d6337a5f CB |
969 | if ((type == CGROUP2_SUPER_MAGIC) && (*p == '0')) |
970 | is_cgv2_base_cgroup = true; | |
ccb4cabe | 971 | |
235f1815 | 972 | p = strchr(p, ':'); |
ccb4cabe SH |
973 | if (!p) |
974 | return NULL; | |
975 | p++; | |
d6337a5f CB |
976 | |
977 | if (is_cgv2_base_cgroup || (controller && controller_in_clist(p, controller))) { | |
235f1815 | 978 | p = strchr(p, ':'); |
ccb4cabe SH |
979 | if (!p) |
980 | return NULL; | |
981 | p++; | |
982 | return copy_to_eol(p); | |
983 | } | |
984 | ||
235f1815 | 985 | p = strchr(p, '\n'); |
ccb4cabe SH |
986 | if (!p) |
987 | return NULL; | |
988 | p++; | |
989 | } | |
990 | } | |
991 | ||
ccb4cabe SH |
992 | static void must_append_string(char ***list, char *entry) |
993 | { | |
994 | int newentry = append_null_to_list((void ***)list); | |
995 | char *copy; | |
996 | ||
997 | copy = must_copy_string(entry); | |
998 | (*list)[newentry] = copy; | |
999 | } | |
1000 | ||
d6337a5f | 1001 | static int get_existing_subsystems(char ***klist, char ***nlist) |
ccb4cabe SH |
1002 | { |
1003 | FILE *f; | |
1004 | char *line = NULL; | |
1005 | size_t len = 0; | |
1006 | ||
d6337a5f CB |
1007 | f = fopen("/proc/self/cgroup", "r"); |
1008 | if (!f) | |
1009 | return -1; | |
1010 | ||
ccb4cabe SH |
1011 | while (getline(&line, &len, f) != -1) { |
1012 | char *p, *p2, *tok, *saveptr = NULL; | |
235f1815 | 1013 | p = strchr(line, ':'); |
ccb4cabe SH |
1014 | if (!p) |
1015 | continue; | |
1016 | p++; | |
235f1815 | 1017 | p2 = strchr(p, ':'); |
ccb4cabe SH |
1018 | if (!p2) |
1019 | continue; | |
1020 | *p2 = '\0'; | |
ff8d6ee9 | 1021 | |
6328fd9c CB |
1022 | /* If the kernel has cgroup v2 support, then /proc/self/cgroup |
1023 | * contains an entry of the form: | |
ff8d6ee9 CB |
1024 | * |
1025 | * 0::/some/path | |
1026 | * | |
6328fd9c | 1027 | * In this case we use "cgroup2" as controller name. |
ff8d6ee9 | 1028 | */ |
6328fd9c CB |
1029 | if ((p2 - p) == 0) { |
1030 | must_append_string(klist, "cgroup2"); | |
ff8d6ee9 | 1031 | continue; |
6328fd9c | 1032 | } |
ff8d6ee9 | 1033 | |
ccb4cabe | 1034 | for (tok = strtok_r(p, ",", &saveptr); tok; |
d6337a5f | 1035 | tok = strtok_r(NULL, ",", &saveptr)) { |
ccb4cabe SH |
1036 | if (strncmp(tok, "name=", 5) == 0) |
1037 | must_append_string(nlist, tok); | |
1038 | else | |
1039 | must_append_string(klist, tok); | |
1040 | } | |
1041 | } | |
1042 | ||
1043 | free(line); | |
1044 | fclose(f); | |
d6337a5f | 1045 | return 0; |
ccb4cabe SH |
1046 | } |
1047 | ||
1048 | static void trim(char *s) | |
1049 | { | |
1050 | size_t len = strlen(s); | |
2c28d76b | 1051 | while ((len > 1) && (s[len - 1] == '\n')) |
ccb4cabe SH |
1052 | s[--len] = '\0'; |
1053 | } | |
1054 | ||
e4aeecf5 CB |
1055 | static void lxc_cgfsng_print_handler_data(const struct cgfsng_handler_data *d) |
1056 | { | |
1057 | printf("Cgroup information:\n"); | |
1058 | printf(" container name: %s\n", d->name ? d->name : "(null)"); | |
1059 | printf(" lxc.cgroup.use: %s\n", cgroup_use ? cgroup_use : "(null)"); | |
43654d34 CB |
1060 | printf(" lxc.cgroup.pattern: %s\n", |
1061 | d->cgroup_pattern ? d->cgroup_pattern : "(null)"); | |
1062 | printf(" lxc.cgroup.dir: %s\n", | |
1063 | d->cgroup_meta.dir ? d->cgroup_meta.dir : "(null)"); | |
1064 | printf(" cgroup: %s\n", | |
1065 | d->container_cgroup ? d->container_cgroup : "(null)"); | |
e4aeecf5 CB |
1066 | } |
1067 | ||
1068 | static void lxc_cgfsng_print_hierarchies() | |
ccb4cabe | 1069 | { |
a7b0cc4c | 1070 | struct hierarchy **it; |
ccb4cabe | 1071 | int i; |
41c33dbe | 1072 | |
457ca9aa | 1073 | if (!hierarchies) { |
c2712f64 | 1074 | printf(" No hierarchies found\n"); |
ccb4cabe SH |
1075 | return; |
1076 | } | |
e4aeecf5 | 1077 | printf(" Hierarchies:\n"); |
a7b0cc4c CB |
1078 | for (i = 0, it = hierarchies; it && *it; it++, i++) { |
1079 | char **cit; | |
ccb4cabe | 1080 | int j; |
c2712f64 CB |
1081 | printf(" %d: base_cgroup: %s\n", i, (*it)->base_cgroup ? (*it)->base_cgroup : "(null)"); |
1082 | printf(" mountpoint: %s\n", (*it)->mountpoint ? (*it)->mountpoint : "(null)"); | |
e4aeecf5 | 1083 | printf(" controllers:\n"); |
a7b0cc4c | 1084 | for (j = 0, cit = (*it)->controllers; cit && *cit; cit++, j++) |
e4aeecf5 | 1085 | printf(" %d: %s\n", j, *cit); |
ccb4cabe SH |
1086 | } |
1087 | } | |
41c33dbe | 1088 | |
e4aeecf5 | 1089 | static void lxc_cgfsng_print_basecg_debuginfo(char *basecginfo, char **klist, char **nlist) |
41c33dbe SH |
1090 | { |
1091 | int k; | |
a7b0cc4c | 1092 | char **it; |
41c33dbe | 1093 | |
a7b0cc4c CB |
1094 | printf("basecginfo is:\n"); |
1095 | printf("%s\n", basecginfo); | |
41c33dbe | 1096 | |
a7b0cc4c CB |
1097 | for (k = 0, it = klist; it && *it; it++, k++) |
1098 | printf("kernel subsystem %d: %s\n", k, *it); | |
1099 | for (k = 0, it = nlist; it && *it; it++, k++) | |
1100 | printf("named subsystem %d: %s\n", k, *it); | |
41c33dbe | 1101 | } |
ccb4cabe | 1102 | |
e4aeecf5 CB |
1103 | static void lxc_cgfsng_print_debuginfo(const struct cgfsng_handler_data *d) |
1104 | { | |
1105 | lxc_cgfsng_print_handler_data(d); | |
1106 | lxc_cgfsng_print_hierarchies(); | |
1107 | } | |
1108 | ||
ccb4cabe SH |
1109 | /* |
1110 | * At startup, parse_hierarchies finds all the info we need about | |
1111 | * cgroup mountpoints and current cgroups, and stores it in @d. | |
1112 | */ | |
d6337a5f | 1113 | static bool cg_init_hybrid(void) |
ccb4cabe | 1114 | { |
d6337a5f CB |
1115 | int ret; |
1116 | char *basecginfo; | |
1117 | bool will_escape; | |
ccb4cabe | 1118 | FILE *f; |
ccb4cabe | 1119 | size_t len = 0; |
d6337a5f CB |
1120 | char *line = NULL; |
1121 | char **klist = NULL, **nlist = NULL; | |
ccb4cabe | 1122 | |
d30ec4cb SH |
1123 | /* |
1124 | * Root spawned containers escape the current cgroup, so use init's | |
1125 | * cgroups as our base in that case. | |
1126 | */ | |
d6337a5f CB |
1127 | will_escape = (geteuid() == 0); |
1128 | if (will_escape) | |
ccb4cabe | 1129 | basecginfo = read_file("/proc/1/cgroup"); |
d6337a5f CB |
1130 | else |
1131 | basecginfo = read_file("/proc/self/cgroup"); | |
ccb4cabe SH |
1132 | if (!basecginfo) |
1133 | return false; | |
1134 | ||
d6337a5f CB |
1135 | ret = get_existing_subsystems(&klist, &nlist); |
1136 | if (ret < 0) { | |
1137 | CGFSNG_DEBUG("Failed to retrieve available cgroup v1 controllers\n"); | |
1138 | free(basecginfo); | |
ccb4cabe SH |
1139 | return false; |
1140 | } | |
1141 | ||
d6337a5f CB |
1142 | f = fopen("/proc/self/mountinfo", "r"); |
1143 | if (!f) { | |
1144 | CGFSNG_DEBUG("Failed to open \"/proc/self/mountinfo\"\n"); | |
1145 | return false; | |
1146 | } | |
41c33dbe | 1147 | |
e4aeecf5 CB |
1148 | if (lxc_cgfsng_debug) |
1149 | lxc_cgfsng_print_basecg_debuginfo(basecginfo, klist, nlist); | |
ccb4cabe | 1150 | |
ccb4cabe | 1151 | while (getline(&line, &len, f) != -1) { |
49ff3958 | 1152 | int type; |
d6337a5f CB |
1153 | bool writeable; |
1154 | struct hierarchy *new; | |
1155 | char *mountpoint = NULL, *base_cgroup = NULL; | |
1156 | char **controller_list = NULL; | |
ccb4cabe | 1157 | |
49ff3958 | 1158 | type = get_cgroup_version(line); |
d6337a5f | 1159 | if (type == 0) |
ccb4cabe SH |
1160 | continue; |
1161 | ||
d6337a5f | 1162 | if (type == CGROUP2_SUPER_MAGIC && unified) |
ccb4cabe SH |
1163 | continue; |
1164 | ||
d6337a5f CB |
1165 | if (cgroup_layout == CGROUP_LAYOUT_UNKNOWN) { |
1166 | if (type == CGROUP2_SUPER_MAGIC) | |
1167 | cgroup_layout = CGROUP_LAYOUT_UNIFIED; | |
1168 | else if (type == CGROUP_SUPER_MAGIC) | |
1169 | cgroup_layout = CGROUP_LAYOUT_LEGACY; | |
1170 | } else if (cgroup_layout == CGROUP_LAYOUT_UNIFIED) { | |
1171 | if (type == CGROUP_SUPER_MAGIC) | |
1172 | cgroup_layout = CGROUP_LAYOUT_HYBRID; | |
1173 | } else if (cgroup_layout == CGROUP_LAYOUT_LEGACY) { | |
1174 | if (type == CGROUP2_SUPER_MAGIC) | |
1175 | cgroup_layout = CGROUP_LAYOUT_HYBRID; | |
ccb4cabe SH |
1176 | } |
1177 | ||
d6337a5f CB |
1178 | controller_list = get_controllers_on_hybrid_layout(klist, nlist, line, type); |
1179 | if (!controller_list && type == CGROUP_SUPER_MAGIC) | |
1180 | continue; | |
1181 | ||
1182 | if (type == CGROUP_SUPER_MAGIC) | |
1183 | if (controller_list_is_dup(hierarchies, controller_list)) | |
1184 | goto next; | |
1185 | ||
1186 | mountpoint = get_mountpoint_on_hybrid_layout(line); | |
ccb4cabe | 1187 | if (!mountpoint) { |
65d78313 | 1188 | CGFSNG_DEBUG("Failed parsing mountpoint from \"%s\"\n", line); |
d6337a5f | 1189 | goto next; |
ccb4cabe SH |
1190 | } |
1191 | ||
d6337a5f CB |
1192 | if (type == CGROUP_SUPER_MAGIC) |
1193 | base_cgroup = get_current_cgroup(basecginfo, controller_list[0], CGROUP_SUPER_MAGIC); | |
1194 | else | |
1195 | base_cgroup = get_current_cgroup(basecginfo, NULL, CGROUP2_SUPER_MAGIC); | |
ccb4cabe | 1196 | if (!base_cgroup) { |
d6337a5f CB |
1197 | CGFSNG_DEBUG("Failed to find current cgroup\n"); |
1198 | goto next; | |
ccb4cabe | 1199 | } |
6328fd9c | 1200 | |
ccb4cabe SH |
1201 | trim(base_cgroup); |
1202 | prune_init_scope(base_cgroup); | |
d6337a5f | 1203 | if (type == CGROUP2_SUPER_MAGIC) |
6328fd9c CB |
1204 | writeable = test_writeable_v2(mountpoint, base_cgroup); |
1205 | else | |
1206 | writeable = test_writeable_v1(mountpoint, base_cgroup); | |
d6337a5f CB |
1207 | if (!writeable) |
1208 | goto next; | |
1209 | ||
1210 | if (type == CGROUP2_SUPER_MAGIC) { | |
1211 | char *cgv2_ctrl_path; | |
1212 | ||
1213 | cgv2_ctrl_path = must_make_path(mountpoint, base_cgroup, | |
1214 | "cgroup.controllers", | |
1215 | NULL); | |
1216 | ||
1217 | controller_list = cg_unified_get_controllers(cgv2_ctrl_path); | |
1218 | free(cgv2_ctrl_path); | |
1219 | if (!controller_list) | |
1220 | controller_list = cg_unified_make_empty_controller(); | |
ccb4cabe | 1221 | } |
d6337a5f CB |
1222 | new = add_hierarchy(controller_list, mountpoint, base_cgroup, type); |
1223 | if (type == CGROUP2_SUPER_MAGIC && !unified) | |
1224 | unified = new; | |
1225 | ||
1226 | continue; | |
1227 | ||
1228 | next: | |
1229 | free_string_list(controller_list); | |
1230 | free(mountpoint); | |
1231 | free(base_cgroup); | |
ccb4cabe SH |
1232 | } |
1233 | ||
1234 | free_string_list(klist); | |
1235 | free_string_list(nlist); | |
1236 | ||
1237 | free(basecginfo); | |
1238 | ||
1239 | fclose(f); | |
1240 | free(line); | |
1241 | ||
e4aeecf5 CB |
1242 | if (lxc_cgfsng_debug) { |
1243 | printf("writeable subsystems:\n"); | |
1244 | lxc_cgfsng_print_hierarchies(); | |
1245 | } | |
1246 | ||
ccb4cabe SH |
1247 | /* verify that all controllers in cgroup.use and all crucial |
1248 | * controllers are accounted for | |
1249 | */ | |
c2712f64 | 1250 | if (!all_controllers_found()) |
ccb4cabe SH |
1251 | return false; |
1252 | ||
1253 | return true; | |
1254 | } | |
1255 | ||
d6337a5f CB |
1256 | static int cg_is_pure_unified(void) { |
1257 | ||
1258 | int ret; | |
1259 | struct statfs fs; | |
1260 | ||
1261 | ret = statfs("/sys/fs/cgroup", &fs); | |
1262 | if (ret < 0) | |
1263 | return -ENOMEDIUM; | |
1264 | ||
1265 | if (is_fs_type(&fs, CGROUP2_SUPER_MAGIC)) | |
1266 | return CGROUP2_SUPER_MAGIC; | |
1267 | ||
1268 | return 0; | |
1269 | } | |
1270 | ||
1271 | /* Get current cgroup from /proc/self/cgroup for the cgroupfs v2 hierarchy. */ | |
1272 | static char *cg_get_current_cgroup_unified(void) | |
457ca9aa | 1273 | { |
d6337a5f CB |
1274 | char *basecginfo; |
1275 | char *base_cgroup; | |
1276 | bool will_escape; | |
1277 | char *copy = NULL; | |
1278 | ||
1279 | will_escape = (geteuid() == 0); | |
1280 | if (will_escape) | |
1281 | basecginfo = read_file("/proc/1/cgroup"); | |
1282 | else | |
1283 | basecginfo = read_file("/proc/self/cgroup"); | |
1284 | if (!basecginfo) | |
1285 | return NULL; | |
1286 | ||
1287 | base_cgroup = strstr(basecginfo, "0::/"); | |
1288 | if (!base_cgroup) | |
1289 | goto cleanup_on_err; | |
1290 | ||
1291 | base_cgroup = base_cgroup + 3; | |
1292 | copy = copy_to_eol(base_cgroup); | |
1293 | if (!copy) | |
1294 | goto cleanup_on_err; | |
1295 | ||
1296 | cleanup_on_err: | |
1297 | free(basecginfo); | |
1298 | if (copy) | |
1299 | trim(copy); | |
1300 | ||
1301 | return copy; | |
1302 | } | |
1303 | ||
1304 | static int cg_init_unified(void) | |
1305 | { | |
1306 | int ret; | |
1307 | char *mountpoint, *subtree_path; | |
1308 | char **delegatable; | |
1309 | char *base_cgroup = NULL; | |
1310 | ||
1311 | ret = cg_is_pure_unified(); | |
1312 | if (ret == -ENOMEDIUM) | |
1313 | return -ENOMEDIUM; | |
1314 | ||
1315 | if (ret != CGROUP2_SUPER_MAGIC) | |
1316 | return 0; | |
1317 | ||
1318 | base_cgroup = cg_get_current_cgroup_unified(); | |
1319 | if (!base_cgroup) | |
1320 | return -EINVAL; | |
1321 | prune_init_scope(base_cgroup); | |
1322 | ||
1323 | /* We assume that we have already been given controllers to delegate | |
1324 | * further down the hierarchy. If not it is up to the user to delegate | |
1325 | * them to us. | |
1326 | */ | |
1327 | mountpoint = must_copy_string("/sys/fs/cgroup"); | |
1328 | subtree_path = must_make_path(mountpoint, base_cgroup, | |
1329 | "cgroup.subtree_control", NULL); | |
1330 | delegatable = cg_unified_get_controllers(subtree_path); | |
1331 | free(subtree_path); | |
1332 | if (!delegatable) | |
1333 | delegatable = cg_unified_make_empty_controller(); | |
1334 | if (!delegatable[0]) | |
1335 | CGFSNG_DEBUG("No controllers are enabled for delegation\n"); | |
1336 | ||
1337 | /* TODO: If the user requested specific controllers via lxc.cgroup.use | |
1338 | * we should verify here. The reason I'm not doing it right is that I'm | |
1339 | * not convinced that lxc.cgroup.use will be the future since it is a | |
1340 | * global property. I much rather have an option that lets you request | |
1341 | * controllers per container. | |
1342 | */ | |
1343 | ||
1344 | add_hierarchy(delegatable, mountpoint, base_cgroup, CGROUP2_SUPER_MAGIC); | |
1345 | unified = hierarchies[0]; | |
1346 | ||
1347 | cgroup_layout = CGROUP_LAYOUT_UNIFIED; | |
1348 | return CGROUP2_SUPER_MAGIC; | |
1349 | } | |
1350 | ||
1351 | static bool cg_init(void) | |
1352 | { | |
1353 | int ret; | |
457ca9aa | 1354 | const char *tmp; |
d6337a5f | 1355 | |
457ca9aa SH |
1356 | errno = 0; |
1357 | tmp = lxc_global_config_value("lxc.cgroup.use"); | |
1a0e70ac | 1358 | if (!cgroup_use && errno != 0) { /* lxc.cgroup.use can be NULL */ |
65d78313 | 1359 | CGFSNG_DEBUG("Failed to retrieve list of cgroups to use\n"); |
457ca9aa SH |
1360 | return false; |
1361 | } | |
1362 | cgroup_use = must_copy_string(tmp); | |
1363 | ||
d6337a5f CB |
1364 | ret = cg_init_unified(); |
1365 | if (ret < 0) | |
1366 | return false; | |
1367 | ||
1368 | if (ret == CGROUP2_SUPER_MAGIC) | |
1369 | return true; | |
1370 | ||
1371 | return cg_init_hybrid(); | |
457ca9aa SH |
1372 | } |
1373 | ||
43654d34 | 1374 | static void *cgfsng_init(struct lxc_handler *handler) |
ccb4cabe | 1375 | { |
457ca9aa | 1376 | const char *cgroup_pattern; |
43654d34 | 1377 | struct cgfsng_handler_data *d; |
ccb4cabe SH |
1378 | |
1379 | d = must_alloc(sizeof(*d)); | |
1380 | memset(d, 0, sizeof(*d)); | |
1381 | ||
43654d34 CB |
1382 | /* copy container name */ |
1383 | d->name = must_copy_string(handler->name); | |
1384 | ||
1385 | /* copy per-container cgroup information */ | |
ae5e6c08 CB |
1386 | d->cgroup_meta.dir = NULL; |
1387 | d->cgroup_meta.controllers = NULL; | |
9b5396f9 CB |
1388 | if (handler->conf) { |
1389 | d->cgroup_meta.dir = must_copy_string(handler->conf->cgroup_meta.dir); | |
1390 | d->cgroup_meta.controllers = must_copy_string(handler->conf->cgroup_meta.controllers); | |
1391 | } | |
ccb4cabe | 1392 | |
43654d34 | 1393 | /* copy system-wide cgroup information */ |
ccb4cabe | 1394 | cgroup_pattern = lxc_global_config_value("lxc.cgroup.pattern"); |
43654d34 CB |
1395 | if (!cgroup_pattern) { |
1396 | /* lxc.cgroup.pattern is only NULL on error. */ | |
ccb4cabe SH |
1397 | ERROR("Error getting cgroup pattern"); |
1398 | goto out_free; | |
1399 | } | |
1400 | d->cgroup_pattern = must_copy_string(cgroup_pattern); | |
1401 | ||
d6337a5f CB |
1402 | d->cgroup_layout = cgroup_layout; |
1403 | if (d->cgroup_layout == CGROUP_LAYOUT_LEGACY) | |
1404 | TRACE("Running with legacy cgroup layout"); | |
1405 | else if (d->cgroup_layout == CGROUP_LAYOUT_HYBRID) | |
1406 | TRACE("Running with hybrid cgroup layout"); | |
1407 | else if (d->cgroup_layout == CGROUP_LAYOUT_UNIFIED) | |
1408 | TRACE("Running with unified cgroup layout"); | |
1409 | else | |
1410 | WARN("Running with unknown cgroup layout"); | |
1411 | ||
e4aeecf5 CB |
1412 | if (lxc_cgfsng_debug) |
1413 | lxc_cgfsng_print_debuginfo(d); | |
ccb4cabe SH |
1414 | |
1415 | return d; | |
1416 | ||
1417 | out_free: | |
1418 | free_handler_data(d); | |
1419 | return NULL; | |
1420 | } | |
1421 | ||
bd8ef4e4 | 1422 | static int recursive_destroy(char *dirname) |
ccb4cabe | 1423 | { |
a17f8b3f | 1424 | int ret; |
74f96976 | 1425 | struct dirent *direntp; |
ccb4cabe SH |
1426 | DIR *dir; |
1427 | int r = 0; | |
1428 | ||
1429 | dir = opendir(dirname); | |
1430 | if (!dir) | |
1431 | return -1; | |
1432 | ||
74f96976 | 1433 | while ((direntp = readdir(dir))) { |
ccb4cabe | 1434 | char *pathname; |
a17f8b3f | 1435 | struct stat mystat; |
ccb4cabe | 1436 | |
ccb4cabe SH |
1437 | if (!strcmp(direntp->d_name, ".") || |
1438 | !strcmp(direntp->d_name, "..")) | |
1439 | continue; | |
1440 | ||
1441 | pathname = must_make_path(dirname, direntp->d_name, NULL); | |
1442 | ||
a17f8b3f CB |
1443 | ret = lstat(pathname, &mystat); |
1444 | if (ret < 0) { | |
ccb4cabe | 1445 | if (!r) |
a17f8b3f | 1446 | WARN("Failed to stat %s", pathname); |
ccb4cabe SH |
1447 | r = -1; |
1448 | goto next; | |
1449 | } | |
1450 | ||
1451 | if (!S_ISDIR(mystat.st_mode)) | |
1452 | goto next; | |
a17f8b3f | 1453 | |
bd8ef4e4 | 1454 | ret = recursive_destroy(pathname); |
a17f8b3f | 1455 | if (ret < 0) |
ccb4cabe | 1456 | r = -1; |
bd8ef4e4 | 1457 | next: |
ccb4cabe SH |
1458 | free(pathname); |
1459 | } | |
1460 | ||
a17f8b3f CB |
1461 | ret = rmdir(dirname); |
1462 | if (ret < 0) { | |
ccb4cabe | 1463 | if (!r) |
bd8ef4e4 CB |
1464 | WARN("%s - Failed to delete \"%s\"", strerror(errno), |
1465 | dirname); | |
ccb4cabe SH |
1466 | r = -1; |
1467 | } | |
1468 | ||
a17f8b3f CB |
1469 | ret = closedir(dir); |
1470 | if (ret < 0) { | |
ccb4cabe | 1471 | if (!r) |
bd8ef4e4 CB |
1472 | WARN("%s - Failed to delete \"%s\"", strerror(errno), |
1473 | dirname); | |
ccb4cabe SH |
1474 | r = -1; |
1475 | } | |
a17f8b3f | 1476 | |
ccb4cabe SH |
1477 | return r; |
1478 | } | |
1479 | ||
bd8ef4e4 CB |
1480 | static int cgroup_rmdir(char *container_cgroup) |
1481 | { | |
1482 | int i; | |
1483 | ||
1484 | if (!container_cgroup || !hierarchies) | |
1485 | return 0; | |
1486 | ||
1487 | for (i = 0; hierarchies[i]; i++) { | |
1488 | int ret; | |
1489 | struct hierarchy *h = hierarchies[i]; | |
1490 | ||
1491 | if (!h->fullcgpath) | |
1492 | continue; | |
1493 | ||
1494 | ret = recursive_destroy(h->fullcgpath); | |
1495 | if (ret < 0) | |
1496 | WARN("Failed to destroy \"%s\"", h->fullcgpath); | |
1497 | ||
1498 | free(h->fullcgpath); | |
1499 | h->fullcgpath = NULL; | |
1500 | } | |
1501 | ||
1502 | return 0; | |
1503 | } | |
1504 | ||
4160c3a0 CB |
1505 | struct generic_userns_exec_data { |
1506 | struct cgfsng_handler_data *d; | |
1507 | struct lxc_conf *conf; | |
1508 | uid_t origuid; /* target uid in parent namespace */ | |
1509 | char *path; | |
1510 | }; | |
1511 | ||
bd8ef4e4 | 1512 | static int cgroup_rmdir_wrapper(void *data) |
ccb4cabe | 1513 | { |
4160c3a0 CB |
1514 | struct generic_userns_exec_data *arg = data; |
1515 | uid_t nsuid = (arg->conf->root_nsuid_map != NULL) ? 0 : arg->conf->init_uid; | |
1516 | gid_t nsgid = (arg->conf->root_nsgid_map != NULL) ? 0 : arg->conf->init_gid; | |
ccb4cabe | 1517 | |
4160c3a0 | 1518 | if (setresgid(nsgid, nsgid, nsgid) < 0) |
ccb4cabe | 1519 | SYSERROR("Failed to setgid to 0"); |
4160c3a0 | 1520 | if (setresuid(nsuid, nsuid, nsuid) < 0) |
ccb4cabe | 1521 | SYSERROR("Failed to setuid to 0"); |
a19b974f | 1522 | if (setgroups(0, NULL) < 0 && errno != EPERM) |
ccb4cabe SH |
1523 | SYSERROR("Failed to clear groups"); |
1524 | ||
bd8ef4e4 | 1525 | return cgroup_rmdir(arg->d->container_cgroup); |
ccb4cabe SH |
1526 | } |
1527 | ||
bd8ef4e4 | 1528 | static void cgfsng_destroy(void *hdata, struct lxc_conf *conf) |
ccb4cabe | 1529 | { |
bd8ef4e4 CB |
1530 | int ret; |
1531 | struct cgfsng_handler_data *d = hdata; | |
4160c3a0 CB |
1532 | struct generic_userns_exec_data wrap; |
1533 | ||
bd8ef4e4 CB |
1534 | if (!d) |
1535 | return; | |
1536 | ||
4160c3a0 | 1537 | wrap.origuid = 0; |
bd8ef4e4 | 1538 | wrap.d = hdata; |
4160c3a0 CB |
1539 | wrap.conf = conf; |
1540 | ||
ccb4cabe | 1541 | if (conf && !lxc_list_empty(&conf->id_map)) |
bd8ef4e4 CB |
1542 | ret = userns_exec_1(conf, cgroup_rmdir_wrapper, &wrap, |
1543 | "cgroup_rmdir_wrapper"); | |
ccb4cabe | 1544 | else |
bd8ef4e4 CB |
1545 | ret = cgroup_rmdir(d->container_cgroup); |
1546 | if (ret < 0) { | |
1547 | WARN("Failed to destroy cgroups"); | |
ccb4cabe | 1548 | return; |
ccb4cabe SH |
1549 | } |
1550 | ||
1551 | free_handler_data(d); | |
1552 | } | |
1553 | ||
1554 | struct cgroup_ops *cgfsng_ops_init(void) | |
1555 | { | |
e4aeecf5 CB |
1556 | if (getenv("LXC_DEBUG_CGFSNG")) |
1557 | lxc_cgfsng_debug = true; | |
1558 | ||
d6337a5f | 1559 | if (!cg_init()) |
457ca9aa | 1560 | return NULL; |
e4aeecf5 | 1561 | |
ccb4cabe SH |
1562 | return &cgfsng_ops; |
1563 | } | |
1564 | ||
1565 | static bool create_path_for_hierarchy(struct hierarchy *h, char *cgname) | |
1566 | { | |
e3a3fecf | 1567 | h->fullcgpath = must_make_path(h->mountpoint, h->base_cgroup, cgname, NULL); |
1a0e70ac | 1568 | if (dir_exists(h->fullcgpath)) { /* it must not already exist */ |
6f9584d8 | 1569 | ERROR("Path \"%s\" already existed.", h->fullcgpath); |
d8da679e | 1570 | return false; |
6f9584d8 CB |
1571 | } |
1572 | if (!handle_cpuset_hierarchy(h, cgname)) { | |
1573 | ERROR("Failed to handle cgroupfs v1 cpuset controller."); | |
e3a3fecf | 1574 | return false; |
6f9584d8 | 1575 | } |
e3a3fecf | 1576 | return mkdir_p(h->fullcgpath, 0755) == 0; |
ccb4cabe SH |
1577 | } |
1578 | ||
1579 | static void remove_path_for_hierarchy(struct hierarchy *h, char *cgname) | |
1580 | { | |
1581 | if (rmdir(h->fullcgpath) < 0) | |
1582 | SYSERROR("Failed to clean up cgroup %s from failed creation attempt", h->fullcgpath); | |
1583 | free(h->fullcgpath); | |
1584 | h->fullcgpath = NULL; | |
1585 | } | |
1586 | ||
1587 | /* | |
d30ec4cb | 1588 | * Try to create the same cgroup in all hierarchies. |
ccb4cabe SH |
1589 | * Start with cgroup_pattern; next cgroup_pattern-1, -2, ..., -999 |
1590 | */ | |
1591 | static inline bool cgfsng_create(void *hdata) | |
1592 | { | |
bb30b52a | 1593 | int i; |
ccb4cabe | 1594 | size_t len; |
7d531e9b CB |
1595 | char *cgname, *offset, *tmp; |
1596 | int idx = 0; | |
1597 | struct cgfsng_handler_data *d = hdata; | |
ccb4cabe SH |
1598 | |
1599 | if (!d) | |
1600 | return false; | |
43654d34 | 1601 | |
ccb4cabe SH |
1602 | if (d->container_cgroup) { |
1603 | WARN("cgfsng_create called a second time"); | |
1604 | return false; | |
1605 | } | |
1606 | ||
43654d34 | 1607 | if (d->cgroup_meta.dir) |
7d531e9b | 1608 | tmp = lxc_string_join("/", (const char *[]){d->cgroup_meta.dir, d->name, NULL}, false); |
43654d34 CB |
1609 | else |
1610 | tmp = lxc_string_replace("%n", d->name, d->cgroup_pattern); | |
ccb4cabe SH |
1611 | if (!tmp) { |
1612 | ERROR("Failed expanding cgroup name pattern"); | |
1613 | return false; | |
1614 | } | |
1a0e70ac | 1615 | len = strlen(tmp) + 5; /* leave room for -NNN\0 */ |
ccb4cabe SH |
1616 | cgname = must_alloc(len); |
1617 | strcpy(cgname, tmp); | |
1618 | free(tmp); | |
1619 | offset = cgname + len - 5; | |
1620 | ||
1621 | again: | |
95adfe93 SH |
1622 | if (idx == 1000) { |
1623 | ERROR("Too many conflicting cgroup names"); | |
ccb4cabe | 1624 | goto out_free; |
95adfe93 | 1625 | } |
66b66624 | 1626 | if (idx) { |
bb30b52a CB |
1627 | int ret; |
1628 | ||
66b66624 CB |
1629 | ret = snprintf(offset, 5, "-%d", idx); |
1630 | if (ret < 0 || (size_t)ret >= 5) { | |
1631 | FILE *f = fopen("/dev/null", "w"); | |
97ebced3 | 1632 | if (f) { |
66b66624 CB |
1633 | fprintf(f, "Workaround for GCC7 bug: " |
1634 | "https://gcc.gnu.org/bugzilla/" | |
1635 | "show_bug.cgi?id=78969"); | |
1636 | fclose(f); | |
1637 | } | |
1638 | } | |
1639 | } | |
457ca9aa SH |
1640 | for (i = 0; hierarchies[i]; i++) { |
1641 | if (!create_path_for_hierarchy(hierarchies[i], cgname)) { | |
ccb4cabe | 1642 | int j; |
1a0e70ac | 1643 | ERROR("Failed to create \"%s\"", hierarchies[i]->fullcgpath); |
457ca9aa SH |
1644 | free(hierarchies[i]->fullcgpath); |
1645 | hierarchies[i]->fullcgpath = NULL; | |
ccb4cabe | 1646 | for (j = 0; j < i; j++) |
457ca9aa | 1647 | remove_path_for_hierarchy(hierarchies[j], cgname); |
ccb4cabe SH |
1648 | idx++; |
1649 | goto again; | |
1650 | } | |
1651 | } | |
1652 | /* Done */ | |
1653 | d->container_cgroup = cgname; | |
1654 | return true; | |
1655 | ||
1656 | out_free: | |
1657 | free(cgname); | |
1658 | return false; | |
1659 | } | |
1660 | ||
ccb4cabe SH |
1661 | static bool cgfsng_enter(void *hdata, pid_t pid) |
1662 | { | |
ccb4cabe SH |
1663 | char pidstr[25]; |
1664 | int i, len; | |
1665 | ||
1666 | len = snprintf(pidstr, 25, "%d", pid); | |
1667 | if (len < 0 || len > 25) | |
1668 | return false; | |
1669 | ||
457ca9aa SH |
1670 | for (i = 0; hierarchies[i]; i++) { |
1671 | char *fullpath = must_make_path(hierarchies[i]->fullcgpath, | |
ccb4cabe SH |
1672 | "cgroup.procs", NULL); |
1673 | if (lxc_write_to_file(fullpath, pidstr, len, false) != 0) { | |
d3b00a8f | 1674 | SYSERROR("Failed to enter %s", fullpath); |
ccb4cabe SH |
1675 | free(fullpath); |
1676 | return false; | |
1677 | } | |
1678 | free(fullpath); | |
1679 | } | |
1680 | ||
1681 | return true; | |
1682 | } | |
1683 | ||
c0888dfe SH |
1684 | /* |
1685 | * chgrp the container cgroups to container group. We leave | |
1686 | * the container owner as cgroup owner. So we must make the | |
1687 | * directories 775 so that the container can create sub-cgroups. | |
43647298 SH |
1688 | * |
1689 | * Also chown the tasks and cgroup.procs files. Those may not | |
1690 | * exist depending on kernel version. | |
c0888dfe | 1691 | */ |
ccb4cabe SH |
1692 | static int chown_cgroup_wrapper(void *data) |
1693 | { | |
ccb4cabe | 1694 | int i; |
4160c3a0 CB |
1695 | uid_t destuid; |
1696 | struct generic_userns_exec_data *arg = data; | |
1697 | uid_t nsuid = (arg->conf->root_nsuid_map != NULL) ? 0 : arg->conf->init_uid; | |
1698 | gid_t nsgid = (arg->conf->root_nsgid_map != NULL) ? 0 : arg->conf->init_gid; | |
ccb4cabe | 1699 | |
4160c3a0 | 1700 | if (setresgid(nsgid, nsgid, nsgid) < 0) |
ccb4cabe | 1701 | SYSERROR("Failed to setgid to 0"); |
4160c3a0 | 1702 | if (setresuid(nsuid, nsuid, nsuid) < 0) |
ccb4cabe | 1703 | SYSERROR("Failed to setuid to 0"); |
a19b974f | 1704 | if (setgroups(0, NULL) < 0 && errno != EPERM) |
ccb4cabe SH |
1705 | SYSERROR("Failed to clear groups"); |
1706 | ||
1707 | destuid = get_ns_uid(arg->origuid); | |
1708 | ||
457ca9aa SH |
1709 | for (i = 0; hierarchies[i]; i++) { |
1710 | char *fullpath, *path = hierarchies[i]->fullcgpath; | |
43647298 | 1711 | |
4160c3a0 | 1712 | if (chown(path, destuid, nsgid) < 0) { |
ab8f5424 | 1713 | SYSERROR("Error chowning %s to %d", path, (int) destuid); |
ccb4cabe SH |
1714 | return -1; |
1715 | } | |
c0888dfe | 1716 | |
43647298 | 1717 | if (chmod(path, 0775) < 0) { |
ab8f5424 | 1718 | SYSERROR("Error chmoding %s", path); |
c0888dfe SH |
1719 | return -1; |
1720 | } | |
ccb4cabe | 1721 | |
ab8f5424 SH |
1722 | /* |
1723 | * Failures to chown these are inconvenient but not detrimental | |
1724 | * We leave these owned by the container launcher, so that container | |
1725 | * root can write to the files to attach. We chmod them 664 so that | |
1726 | * container systemd can write to the files (which systemd in wily | |
1727 | * insists on doing) | |
1728 | */ | |
43647298 | 1729 | fullpath = must_make_path(path, "tasks", NULL); |
4160c3a0 | 1730 | if (chown(fullpath, destuid, nsgid) < 0 && errno != ENOENT) |
13277ec4 | 1731 | WARN("Failed chowning %s to %d: %s", fullpath, (int) destuid, |
1732 | strerror(errno)); | |
ab8f5424 | 1733 | if (chmod(fullpath, 0664) < 0) |
13277ec4 | 1734 | WARN("Error chmoding %s: %s", path, strerror(errno)); |
43647298 SH |
1735 | free(fullpath); |
1736 | ||
1737 | fullpath = must_make_path(path, "cgroup.procs", NULL); | |
1738 | if (chown(fullpath, destuid, 0) < 0 && errno != ENOENT) | |
13277ec4 | 1739 | WARN("Failed chowning %s to %d: %s", fullpath, (int) destuid, |
1740 | strerror(errno)); | |
ab8f5424 | 1741 | if (chmod(fullpath, 0664) < 0) |
13277ec4 | 1742 | WARN("Error chmoding %s: %s", path, strerror(errno)); |
ccb4cabe | 1743 | free(fullpath); |
0e17357c | 1744 | |
d6337a5f | 1745 | if (hierarchies[i]->version != CGROUP2_SUPER_MAGIC) |
0e17357c CB |
1746 | continue; |
1747 | ||
1748 | fullpath = must_make_path(path, "cgroup.subtree_control", NULL); | |
4160c3a0 | 1749 | if (chown(fullpath, destuid, nsgid) < 0 && errno != ENOENT) |
0e17357c CB |
1750 | WARN("Failed chowning %s to %d: %s", fullpath, (int) destuid, |
1751 | strerror(errno)); | |
1752 | if (chmod(fullpath, 0664) < 0) | |
1753 | WARN("Error chmoding %s: %s", path, strerror(errno)); | |
1754 | free(fullpath); | |
1755 | ||
1756 | fullpath = must_make_path(path, "cgroup.threads", NULL); | |
4160c3a0 | 1757 | if (chown(fullpath, destuid, nsgid) < 0 && errno != ENOENT) |
0e17357c CB |
1758 | WARN("Failed chowning %s to %d: %s", fullpath, (int) destuid, |
1759 | strerror(errno)); | |
1760 | if (chmod(fullpath, 0664) < 0) | |
1761 | WARN("Error chmoding %s: %s", path, strerror(errno)); | |
1762 | free(fullpath); | |
ccb4cabe SH |
1763 | } |
1764 | ||
1765 | return 0; | |
1766 | } | |
1767 | ||
058c1cb6 | 1768 | static bool cgfsng_chown(void *hdata, struct lxc_conf *conf) |
ccb4cabe SH |
1769 | { |
1770 | struct cgfsng_handler_data *d = hdata; | |
4160c3a0 | 1771 | struct generic_userns_exec_data wrap; |
ccb4cabe SH |
1772 | |
1773 | if (!d) | |
1774 | return false; | |
1775 | ||
1776 | if (lxc_list_empty(&conf->id_map)) | |
1777 | return true; | |
1778 | ||
ccb4cabe | 1779 | wrap.origuid = geteuid(); |
4160c3a0 CB |
1780 | wrap.path = NULL; |
1781 | wrap.d = d; | |
1782 | wrap.conf = conf; | |
ccb4cabe | 1783 | |
c9b7c33e CB |
1784 | if (userns_exec_1(conf, chown_cgroup_wrapper, &wrap, |
1785 | "chown_cgroup_wrapper") < 0) { | |
ccb4cabe SH |
1786 | ERROR("Error requesting cgroup chown in new namespace"); |
1787 | return false; | |
1788 | } | |
1789 | ||
1790 | return true; | |
1791 | } | |
1792 | ||
8aa1044f SH |
1793 | /* |
1794 | * We've safe-mounted a tmpfs as parent, so we don't need to protect against | |
1795 | * symlinks any more - just use mount | |
1796 | */ | |
1797 | ||
1798 | /* mount cgroup-full if requested */ | |
1799 | static int mount_cgroup_full(int type, struct hierarchy *h, char *dest, | |
1800 | char *container_cgroup) | |
1801 | { | |
1802 | if (type < LXC_AUTO_CGROUP_FULL_RO || type > LXC_AUTO_CGROUP_FULL_MIXED) | |
1803 | return 0; | |
1804 | if (mount(h->mountpoint, dest, "cgroup", MS_BIND, NULL) < 0) { | |
1805 | SYSERROR("Error bind-mounting %s cgroup onto %s", h->mountpoint, | |
1806 | dest); | |
1807 | return -1; | |
1808 | } | |
1809 | if (type != LXC_AUTO_CGROUP_FULL_RW) { | |
5b6f9369 SH |
1810 | unsigned long flags = MS_BIND | MS_NOSUID | MS_NOEXEC | MS_NODEV | |
1811 | MS_REMOUNT | MS_RDONLY; | |
1812 | if (mount(NULL, dest, "cgroup", flags, NULL) < 0) { | |
8aa1044f SH |
1813 | SYSERROR("Error remounting %s readonly", dest); |
1814 | return -1; | |
1815 | } | |
1816 | } | |
1817 | ||
1818 | INFO("Bind mounted %s onto %s", h->mountpoint, dest); | |
1819 | if (type != LXC_AUTO_CGROUP_FULL_MIXED) | |
1820 | return 0; | |
1821 | ||
1822 | /* mount just the container path rw */ | |
1823 | char *source = must_make_path(h->mountpoint, h->base_cgroup, container_cgroup, NULL); | |
5b6f9369 | 1824 | char *rwpath = must_make_path(dest, h->base_cgroup, container_cgroup, NULL); |
8aa1044f | 1825 | if (mount(source, rwpath, "cgroup", MS_BIND, NULL) < 0) |
13277ec4 | 1826 | WARN("Failed to mount %s read-write: %s", rwpath, |
1827 | strerror(errno)); | |
8aa1044f SH |
1828 | INFO("Made %s read-write", rwpath); |
1829 | free(rwpath); | |
1830 | free(source); | |
1831 | return 0; | |
1832 | } | |
1833 | ||
1834 | /* cgroup-full:* is done, no need to create subdirs */ | |
1835 | static bool cg_mount_needs_subdirs(int type) | |
1836 | { | |
1837 | if (type >= LXC_AUTO_CGROUP_FULL_RO) | |
1838 | return false; | |
1839 | return true; | |
1840 | } | |
1841 | ||
1842 | /* | |
1843 | * After $rootfs/sys/fs/container/controller/the/cg/path has been | |
1844 | * created, remount controller ro if needed and bindmount the | |
1845 | * cgroupfs onto controll/the/cg/path | |
1846 | */ | |
1847 | static int | |
1848 | do_secondstage_mounts_if_needed(int type, struct hierarchy *h, | |
1849 | char *controllerpath, char *cgpath, | |
1850 | const char *container_cgroup) | |
1851 | { | |
1852 | if (type == LXC_AUTO_CGROUP_RO || type == LXC_AUTO_CGROUP_MIXED) { | |
1853 | if (mount(controllerpath, controllerpath, "cgroup", MS_BIND, NULL) < 0) { | |
1854 | SYSERROR("Error bind-mounting %s", controllerpath); | |
1855 | return -1; | |
1856 | } | |
1857 | if (mount(controllerpath, controllerpath, "cgroup", | |
1858 | MS_REMOUNT | MS_BIND | MS_RDONLY, NULL) < 0) { | |
1859 | SYSERROR("Error remounting %s read-only", controllerpath); | |
1860 | return -1; | |
1861 | } | |
1862 | INFO("Remounted %s read-only", controllerpath); | |
1863 | } | |
1864 | char *sourcepath = must_make_path(h->mountpoint, h->base_cgroup, container_cgroup, NULL); | |
1865 | int flags = MS_BIND; | |
1866 | if (type == LXC_AUTO_CGROUP_RO) | |
1867 | flags |= MS_RDONLY; | |
1868 | INFO("Mounting %s onto %s", sourcepath, cgpath); | |
1869 | if (mount(sourcepath, cgpath, "cgroup", flags, NULL) < 0) { | |
1870 | free(sourcepath); | |
1871 | SYSERROR("Error mounting cgroup %s onto %s", h->controllers[0], | |
1872 | cgpath); | |
1873 | return -1; | |
1874 | } | |
1875 | free(sourcepath); | |
1876 | INFO("Completed second stage cgroup automounts for %s", cgpath); | |
1877 | return 0; | |
1878 | } | |
1879 | ||
a760603e | 1880 | static int mount_cgroup_cgns_supported(int type, struct hierarchy *h, const char *controllerpath) |
b635e92d CB |
1881 | { |
1882 | int ret; | |
1883 | char *controllers = NULL; | |
a760603e CB |
1884 | char *fstype = "cgroup2"; |
1885 | unsigned long flags = 0; | |
b635e92d | 1886 | |
a760603e CB |
1887 | flags |= MS_NOSUID; |
1888 | flags |= MS_NOEXEC; | |
1889 | flags |= MS_NODEV; | |
1890 | flags |= MS_RELATIME; | |
1891 | ||
1892 | if (type == LXC_AUTO_CGROUP_RO || type == LXC_AUTO_CGROUP_FULL_RO) | |
1893 | flags |= MS_RDONLY; | |
1894 | ||
d6337a5f | 1895 | if (h->version != CGROUP2_SUPER_MAGIC) { |
a760603e CB |
1896 | controllers = lxc_string_join(",", (const char **)h->controllers, false); |
1897 | if (!controllers) | |
1898 | return -ENOMEM; | |
1899 | fstype = "cgroup"; | |
b635e92d CB |
1900 | } |
1901 | ||
a760603e | 1902 | ret = mount("cgroup", controllerpath, fstype, flags, controllers); |
b635e92d CB |
1903 | free(controllers); |
1904 | if (ret < 0) { | |
a760603e | 1905 | SYSERROR("Failed to mount %s with cgroup filesystem type %s", controllerpath, fstype); |
b635e92d CB |
1906 | return -1; |
1907 | } | |
1908 | ||
a760603e | 1909 | DEBUG("Mounted %s with cgroup filesystem type %s", controllerpath, fstype); |
b635e92d CB |
1910 | return 0; |
1911 | } | |
1912 | ||
ccb4cabe SH |
1913 | static bool cgfsng_mount(void *hdata, const char *root, int type) |
1914 | { | |
b635e92d | 1915 | int i; |
8aa1044f SH |
1916 | char *tmpfspath = NULL; |
1917 | bool retval = false; | |
b635e92d CB |
1918 | struct lxc_handler *handler = hdata; |
1919 | struct cgfsng_handler_data *d = handler->cgroup_data; | |
1920 | bool has_cgns = false, has_sys_admin = true; | |
8aa1044f SH |
1921 | |
1922 | if ((type & LXC_AUTO_CGROUP_MASK) == 0) | |
1923 | return true; | |
1924 | ||
b635e92d CB |
1925 | has_cgns = cgns_supported(); |
1926 | if (!lxc_list_empty(&handler->conf->keepcaps)) | |
1927 | has_sys_admin = in_caplist(CAP_SYS_ADMIN, &handler->conf->keepcaps); | |
1928 | else | |
1929 | has_sys_admin = !in_caplist(CAP_SYS_ADMIN, &handler->conf->caps); | |
1930 | ||
1931 | if (has_cgns && has_sys_admin) | |
ccb4cabe | 1932 | return true; |
8aa1044f SH |
1933 | |
1934 | tmpfspath = must_make_path(root, "/sys/fs/cgroup", NULL); | |
1935 | ||
1936 | if (type == LXC_AUTO_CGROUP_NOSPEC) | |
1937 | type = LXC_AUTO_CGROUP_MIXED; | |
1938 | else if (type == LXC_AUTO_CGROUP_FULL_NOSPEC) | |
1939 | type = LXC_AUTO_CGROUP_FULL_MIXED; | |
1940 | ||
1941 | /* Mount tmpfs */ | |
1942 | if (safe_mount("cgroup_root", tmpfspath, "tmpfs", | |
1943 | MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_RELATIME, | |
1944 | "size=10240k,mode=755", | |
1945 | root) < 0) | |
1946 | goto bad; | |
1947 | ||
457ca9aa | 1948 | for (i = 0; hierarchies[i]; i++) { |
8aa1044f | 1949 | char *controllerpath, *path2; |
457ca9aa | 1950 | struct hierarchy *h = hierarchies[i]; |
8aa1044f SH |
1951 | char *controller = strrchr(h->mountpoint, '/'); |
1952 | int r; | |
1953 | ||
1954 | if (!controller) | |
1955 | continue; | |
1956 | controller++; | |
1957 | controllerpath = must_make_path(tmpfspath, controller, NULL); | |
1958 | if (dir_exists(controllerpath)) { | |
1959 | free(controllerpath); | |
1960 | continue; | |
1961 | } | |
1962 | if (mkdir(controllerpath, 0755) < 0) { | |
1963 | SYSERROR("Error creating cgroup path: %s", controllerpath); | |
1964 | free(controllerpath); | |
1965 | goto bad; | |
1966 | } | |
b635e92d CB |
1967 | |
1968 | if (has_cgns && !has_sys_admin) { | |
1969 | /* If cgroup namespaces are supported but the container | |
1970 | * will not have CAP_SYS_ADMIN after it has started we | |
1971 | * need to mount the cgroups manually. | |
1972 | */ | |
a760603e | 1973 | r = mount_cgroup_cgns_supported(type, h, controllerpath); |
b635e92d CB |
1974 | free(controllerpath); |
1975 | if (r < 0) | |
1976 | goto bad; | |
1977 | continue; | |
1978 | } | |
1979 | ||
8aa1044f SH |
1980 | if (mount_cgroup_full(type, h, controllerpath, d->container_cgroup) < 0) { |
1981 | free(controllerpath); | |
1982 | goto bad; | |
1983 | } | |
1984 | if (!cg_mount_needs_subdirs(type)) { | |
1985 | free(controllerpath); | |
1986 | continue; | |
1987 | } | |
ef4413fa | 1988 | path2 = must_make_path(controllerpath, h->base_cgroup, d->container_cgroup, NULL); |
8aa1044f SH |
1989 | if (mkdir_p(path2, 0755) < 0) { |
1990 | free(controllerpath); | |
8e0c6620 | 1991 | free(path2); |
8aa1044f SH |
1992 | goto bad; |
1993 | } | |
2f62fb00 | 1994 | |
8aa1044f SH |
1995 | r = do_secondstage_mounts_if_needed(type, h, controllerpath, path2, |
1996 | d->container_cgroup); | |
1997 | free(controllerpath); | |
1998 | free(path2); | |
1999 | if (r < 0) | |
2000 | goto bad; | |
2001 | } | |
2002 | retval = true; | |
2003 | ||
2004 | bad: | |
2005 | free(tmpfspath); | |
2006 | return retval; | |
ccb4cabe SH |
2007 | } |
2008 | ||
2009 | static int recursive_count_nrtasks(char *dirname) | |
2010 | { | |
74f96976 | 2011 | struct dirent *direntp; |
ccb4cabe SH |
2012 | DIR *dir; |
2013 | int count = 0, ret; | |
2014 | char *path; | |
2015 | ||
2016 | dir = opendir(dirname); | |
2017 | if (!dir) | |
2018 | return 0; | |
2019 | ||
74f96976 | 2020 | while ((direntp = readdir(dir))) { |
ccb4cabe SH |
2021 | struct stat mystat; |
2022 | ||
2023 | if (!direntp) | |
2024 | break; | |
2025 | ||
2026 | if (!strcmp(direntp->d_name, ".") || | |
2027 | !strcmp(direntp->d_name, "..")) | |
2028 | continue; | |
2029 | ||
2030 | path = must_make_path(dirname, direntp->d_name, NULL); | |
2031 | ||
2032 | if (lstat(path, &mystat)) | |
2033 | goto next; | |
2034 | ||
2035 | if (!S_ISDIR(mystat.st_mode)) | |
2036 | goto next; | |
2037 | ||
2038 | count += recursive_count_nrtasks(path); | |
2039 | next: | |
2040 | free(path); | |
2041 | } | |
2042 | ||
2043 | path = must_make_path(dirname, "cgroup.procs", NULL); | |
2044 | ret = lxc_count_file_lines(path); | |
2045 | if (ret != -1) | |
2046 | count += ret; | |
2047 | free(path); | |
2048 | ||
2049 | (void) closedir(dir); | |
2050 | ||
2051 | return count; | |
2052 | } | |
2053 | ||
2054 | static int cgfsng_nrtasks(void *hdata) { | |
2055 | struct cgfsng_handler_data *d = hdata; | |
2056 | char *path; | |
2057 | int count; | |
2058 | ||
457ca9aa | 2059 | if (!d || !d->container_cgroup || !hierarchies) |
ccb4cabe | 2060 | return -1; |
457ca9aa | 2061 | path = must_make_path(hierarchies[0]->fullcgpath, NULL); |
ccb4cabe SH |
2062 | count = recursive_count_nrtasks(path); |
2063 | free(path); | |
2064 | return count; | |
2065 | } | |
2066 | ||
2067 | /* Only root needs to escape to the cgroup of its init */ | |
7103fe6f | 2068 | static bool cgfsng_escape() |
ccb4cabe | 2069 | { |
ccb4cabe SH |
2070 | int i; |
2071 | ||
2072 | if (geteuid()) | |
2073 | return true; | |
2074 | ||
457ca9aa SH |
2075 | for (i = 0; hierarchies[i]; i++) { |
2076 | char *fullpath = must_make_path(hierarchies[i]->mountpoint, | |
2077 | hierarchies[i]->base_cgroup, | |
ccb4cabe SH |
2078 | "cgroup.procs", NULL); |
2079 | if (lxc_write_to_file(fullpath, "0", 2, false) != 0) { | |
d3b00a8f | 2080 | SYSERROR("Failed to escape to %s", fullpath); |
ccb4cabe | 2081 | free(fullpath); |
6df334d1 | 2082 | return false; |
ccb4cabe SH |
2083 | } |
2084 | free(fullpath); | |
2085 | } | |
2086 | ||
6df334d1 | 2087 | return true; |
ccb4cabe SH |
2088 | } |
2089 | ||
36662416 TA |
2090 | static int cgfsng_num_hierarchies(void) |
2091 | { | |
2092 | int i; | |
2093 | ||
2094 | for (i = 0; hierarchies[i]; i++) | |
2095 | ; | |
2096 | ||
2097 | return i; | |
2098 | } | |
2099 | ||
2100 | static bool cgfsng_get_hierarchies(int n, char ***out) | |
2101 | { | |
2102 | int i; | |
2103 | ||
2104 | /* sanity check n */ | |
2105 | for (i = 0; i < n; i++) { | |
2106 | if (!hierarchies[i]) | |
2107 | return false; | |
2108 | } | |
2109 | ||
2110 | *out = hierarchies[i]->controllers; | |
2111 | ||
2112 | return true; | |
2113 | } | |
2114 | ||
ccb4cabe SH |
2115 | #define THAWED "THAWED" |
2116 | #define THAWED_LEN (strlen(THAWED)) | |
2117 | ||
d6337a5f CB |
2118 | /* TODO: If the unified cgroup hierarchy grows a freezer controller this needs |
2119 | * to be adapted. | |
2120 | */ | |
ccb4cabe SH |
2121 | static bool cgfsng_unfreeze(void *hdata) |
2122 | { | |
d6337a5f | 2123 | int ret; |
ccb4cabe | 2124 | char *fullpath; |
d6337a5f | 2125 | struct hierarchy *h; |
ccb4cabe | 2126 | |
d6337a5f | 2127 | h = get_hierarchy("freezer"); |
457ca9aa | 2128 | if (!h) |
ccb4cabe | 2129 | return false; |
d6337a5f | 2130 | |
ccb4cabe | 2131 | fullpath = must_make_path(h->fullcgpath, "freezer.state", NULL); |
d6337a5f | 2132 | ret = lxc_write_to_file(fullpath, THAWED, THAWED_LEN, false); |
ccb4cabe | 2133 | free(fullpath); |
d6337a5f CB |
2134 | if (ret < 0) |
2135 | return false; | |
2136 | ||
ccb4cabe SH |
2137 | return true; |
2138 | } | |
2139 | ||
2140 | static const char *cgfsng_get_cgroup(void *hdata, const char *subsystem) | |
2141 | { | |
d6337a5f CB |
2142 | struct hierarchy *h; |
2143 | ||
2144 | h = get_hierarchy(subsystem); | |
ccb4cabe SH |
2145 | if (!h) |
2146 | return NULL; | |
2147 | ||
371f834d SH |
2148 | return h->fullcgpath ? h->fullcgpath + strlen(h->mountpoint) : NULL; |
2149 | } | |
2150 | ||
2151 | /* | |
2152 | * Given a cgroup path returned from lxc_cmd_get_cgroup_path, build a | |
2153 | * full path, which must be freed by the caller. | |
2154 | */ | |
2155 | static char *build_full_cgpath_from_monitorpath(struct hierarchy *h, | |
2156 | const char *inpath, | |
2157 | const char *filename) | |
2158 | { | |
371f834d | 2159 | return must_make_path(h->mountpoint, inpath, filename, NULL); |
ccb4cabe SH |
2160 | } |
2161 | ||
2162 | static bool cgfsng_attach(const char *name, const char *lxcpath, pid_t pid) | |
2163 | { | |
ccb4cabe SH |
2164 | char pidstr[25]; |
2165 | int i, len; | |
2166 | ||
2167 | len = snprintf(pidstr, 25, "%d", pid); | |
2168 | if (len < 0 || len > 25) | |
2169 | return false; | |
2170 | ||
457ca9aa | 2171 | for (i = 0; hierarchies[i]; i++) { |
ccb4cabe | 2172 | char *path, *fullpath; |
457ca9aa | 2173 | struct hierarchy *h = hierarchies[i]; |
ccb4cabe SH |
2174 | |
2175 | path = lxc_cmd_get_cgroup_path(name, lxcpath, h->controllers[0]); | |
1a0e70ac | 2176 | if (!path) /* not running */ |
ccb4cabe SH |
2177 | continue; |
2178 | ||
371f834d SH |
2179 | fullpath = build_full_cgpath_from_monitorpath(h, path, "cgroup.procs"); |
2180 | free(path); | |
ccb4cabe SH |
2181 | if (lxc_write_to_file(fullpath, pidstr, len, false) != 0) { |
2182 | SYSERROR("Failed to attach %d to %s", (int)pid, fullpath); | |
2183 | free(fullpath); | |
ccb4cabe SH |
2184 | return false; |
2185 | } | |
ccb4cabe SH |
2186 | free(fullpath); |
2187 | } | |
2188 | ||
ccb4cabe SH |
2189 | return true; |
2190 | } | |
2191 | ||
2192 | /* | |
2193 | * Called externally (i.e. from 'lxc-cgroup') to query cgroup limits. | |
2194 | * Here we don't have a cgroup_data set up, so we ask the running | |
2195 | * container through the commands API for the cgroup path | |
2196 | */ | |
2197 | static int cgfsng_get(const char *filename, char *value, size_t len, const char *name, const char *lxcpath) | |
2198 | { | |
2199 | char *subsystem, *p, *path; | |
ccb4cabe SH |
2200 | struct hierarchy *h; |
2201 | int ret = -1; | |
2202 | ||
2203 | subsystem = alloca(strlen(filename) + 1); | |
2204 | strcpy(subsystem, filename); | |
2205 | if ((p = strchr(subsystem, '.')) != NULL) | |
2206 | *p = '\0'; | |
2207 | ||
2208 | path = lxc_cmd_get_cgroup_path(name, lxcpath, subsystem); | |
1a0e70ac | 2209 | if (!path) /* not running */ |
ccb4cabe SH |
2210 | return -1; |
2211 | ||
457ca9aa | 2212 | h = get_hierarchy(subsystem); |
ccb4cabe | 2213 | if (h) { |
371f834d | 2214 | char *fullpath = build_full_cgpath_from_monitorpath(h, path, filename); |
ccb4cabe SH |
2215 | ret = lxc_read_from_file(fullpath, value, len); |
2216 | free(fullpath); | |
2217 | } | |
2218 | ||
ccb4cabe SH |
2219 | free(path); |
2220 | ||
2221 | return ret; | |
2222 | } | |
2223 | ||
2224 | /* | |
2225 | * Called externally (i.e. from 'lxc-cgroup') to set new cgroup limits. | |
2226 | * Here we don't have a cgroup_data set up, so we ask the running | |
2227 | * container through the commands API for the cgroup path | |
2228 | */ | |
2229 | static int cgfsng_set(const char *filename, const char *value, const char *name, const char *lxcpath) | |
2230 | { | |
2231 | char *subsystem, *p, *path; | |
ccb4cabe SH |
2232 | struct hierarchy *h; |
2233 | int ret = -1; | |
2234 | ||
2235 | subsystem = alloca(strlen(filename) + 1); | |
2236 | strcpy(subsystem, filename); | |
2237 | if ((p = strchr(subsystem, '.')) != NULL) | |
2238 | *p = '\0'; | |
2239 | ||
2240 | path = lxc_cmd_get_cgroup_path(name, lxcpath, subsystem); | |
1a0e70ac | 2241 | if (!path) /* not running */ |
ccb4cabe SH |
2242 | return -1; |
2243 | ||
457ca9aa | 2244 | h = get_hierarchy(subsystem); |
ccb4cabe | 2245 | if (h) { |
371f834d | 2246 | char *fullpath = build_full_cgpath_from_monitorpath(h, path, filename); |
ccb4cabe SH |
2247 | ret = lxc_write_to_file(fullpath, value, strlen(value), false); |
2248 | free(fullpath); | |
2249 | } | |
2250 | ||
ccb4cabe SH |
2251 | free(path); |
2252 | ||
2253 | return ret; | |
2254 | } | |
2255 | ||
72add155 SH |
2256 | /* |
2257 | * take devices cgroup line | |
2258 | * /dev/foo rwx | |
2259 | * and convert it to a valid | |
2260 | * type major:minor mode | |
2261 | * line. Return <0 on error. Dest is a preallocated buffer | |
2262 | * long enough to hold the output. | |
2263 | */ | |
2264 | static int convert_devpath(const char *invalue, char *dest) | |
2265 | { | |
2a06d041 CB |
2266 | int n_parts; |
2267 | char *p, *path, type; | |
72add155 SH |
2268 | struct stat sb; |
2269 | unsigned long minor, major; | |
2a06d041 CB |
2270 | int ret = -EINVAL; |
2271 | char *mode = NULL; | |
72add155 SH |
2272 | |
2273 | path = must_copy_string(invalue); | |
2274 | ||
2275 | /* | |
2276 | * read path followed by mode; ignore any trailing text. | |
2277 | * A ' # comment' would be legal. Technically other text | |
2278 | * is not legal, we could check for that if we cared to | |
2279 | */ | |
2280 | for (n_parts = 1, p = path; *p && n_parts < 3; p++) { | |
2c2d6c49 SH |
2281 | if (*p != ' ') |
2282 | continue; | |
2283 | *p = '\0'; | |
2284 | if (n_parts != 1) | |
2285 | break; | |
2286 | p++; | |
2287 | n_parts++; | |
2288 | while (*p == ' ') | |
2289 | p++; | |
2290 | mode = p; | |
2291 | if (*p == '\0') | |
2292 | goto out; | |
72add155 | 2293 | } |
2c2d6c49 SH |
2294 | |
2295 | if (n_parts == 1) | |
72add155 | 2296 | goto out; |
72add155 SH |
2297 | |
2298 | ret = stat(path, &sb); | |
2299 | if (ret < 0) | |
2300 | goto out; | |
2301 | ||
72add155 SH |
2302 | mode_t m = sb.st_mode & S_IFMT; |
2303 | switch (m) { | |
2304 | case S_IFBLK: | |
2305 | type = 'b'; | |
2306 | break; | |
2307 | case S_IFCHR: | |
2308 | type = 'c'; | |
2309 | break; | |
2c2d6c49 | 2310 | default: |
72add155 SH |
2311 | ERROR("Unsupported device type %i for %s", m, path); |
2312 | ret = -EINVAL; | |
2313 | goto out; | |
2314 | } | |
2c2d6c49 SH |
2315 | |
2316 | major = MAJOR(sb.st_rdev); | |
2317 | minor = MINOR(sb.st_rdev); | |
2318 | ret = snprintf(dest, 50, "%c %lu:%lu %s", type, major, minor, mode); | |
72add155 | 2319 | if (ret < 0 || ret >= 50) { |
2a06d041 CB |
2320 | ERROR("Error on configuration value \"%c %lu:%lu %s\" (max 50 " |
2321 | "chars)", type, major, minor, mode); | |
72add155 SH |
2322 | ret = -ENAMETOOLONG; |
2323 | goto out; | |
2324 | } | |
2325 | ret = 0; | |
2326 | ||
2327 | out: | |
2328 | free(path); | |
2329 | return ret; | |
2330 | } | |
2331 | ||
ccb4cabe SH |
2332 | /* |
2333 | * Called from setup_limits - here we have the container's cgroup_data because | |
2334 | * we created the cgroups | |
2335 | */ | |
2336 | static int lxc_cgroup_set_data(const char *filename, const char *value, struct cgfsng_handler_data *d) | |
2337 | { | |
b3646d7e | 2338 | char *fullpath, *p; |
1a0e70ac CB |
2339 | /* "b|c <2^64-1>:<2^64-1> r|w|m" = 47 chars max */ |
2340 | char converted_value[50]; | |
b3646d7e CB |
2341 | struct hierarchy *h; |
2342 | int ret = 0; | |
2343 | char *controller = NULL; | |
ccb4cabe | 2344 | |
b3646d7e CB |
2345 | controller = alloca(strlen(filename) + 1); |
2346 | strcpy(controller, filename); | |
2347 | if ((p = strchr(controller, '.')) != NULL) | |
ccb4cabe SH |
2348 | *p = '\0'; |
2349 | ||
c8bf519d | 2350 | if (strcmp("devices.allow", filename) == 0 && value[0] == '/') { |
72add155 SH |
2351 | ret = convert_devpath(value, converted_value); |
2352 | if (ret < 0) | |
c8bf519d | 2353 | return ret; |
72add155 SH |
2354 | value = converted_value; |
2355 | ||
c8bf519d | 2356 | } |
2357 | ||
b3646d7e CB |
2358 | h = get_hierarchy(controller); |
2359 | if (!h) { | |
2360 | ERROR("Failed to setup limits for the \"%s\" controller. " | |
2361 | "The controller seems to be unused by \"cgfsng\" cgroup " | |
2362 | "driver or not enabled on the cgroup hierarchy", | |
2363 | controller); | |
d1953b26 | 2364 | errno = ENOENT; |
b3646d7e | 2365 | return -1; |
ccb4cabe | 2366 | } |
b3646d7e CB |
2367 | |
2368 | fullpath = must_make_path(h->fullcgpath, filename, NULL); | |
2369 | ret = lxc_write_to_file(fullpath, value, strlen(value), false); | |
2370 | free(fullpath); | |
ccb4cabe SH |
2371 | return ret; |
2372 | } | |
2373 | ||
2374 | static bool cgfsng_setup_limits(void *hdata, struct lxc_list *cgroup_settings, | |
2375 | bool do_devices) | |
2376 | { | |
2377 | struct cgfsng_handler_data *d = hdata; | |
2378 | struct lxc_list *iterator, *sorted_cgroup_settings, *next; | |
2379 | struct lxc_cgroup *cg; | |
ccb4cabe SH |
2380 | bool ret = false; |
2381 | ||
2382 | if (lxc_list_empty(cgroup_settings)) | |
2383 | return true; | |
2384 | ||
2385 | sorted_cgroup_settings = sort_cgroup_settings(cgroup_settings); | |
2386 | if (!sorted_cgroup_settings) { | |
2387 | return false; | |
2388 | } | |
2389 | ||
ccb4cabe SH |
2390 | lxc_list_for_each(iterator, sorted_cgroup_settings) { |
2391 | cg = iterator->elem; | |
2392 | ||
2393 | if (do_devices == !strncmp("devices", cg->subsystem, 7)) { | |
ccb4cabe SH |
2394 | if (lxc_cgroup_set_data(cg->subsystem, cg->value, d)) { |
2395 | if (do_devices && (errno == EACCES || errno == EPERM)) { | |
2396 | WARN("Error setting %s to %s for %s", | |
2397 | cg->subsystem, cg->value, d->name); | |
2398 | continue; | |
2399 | } | |
2400 | SYSERROR("Error setting %s to %s for %s", | |
2401 | cg->subsystem, cg->value, d->name); | |
2402 | goto out; | |
2403 | } | |
6a628f4a | 2404 | DEBUG("cgroup '%s' set to '%s'", cg->subsystem, cg->value); |
ccb4cabe | 2405 | } |
ccb4cabe SH |
2406 | } |
2407 | ||
2408 | ret = true; | |
2409 | INFO("cgroup has been setup"); | |
2410 | out: | |
ccb4cabe SH |
2411 | lxc_list_for_each_safe(iterator, sorted_cgroup_settings, next) { |
2412 | lxc_list_del(iterator); | |
2413 | free(iterator); | |
2414 | } | |
2415 | free(sorted_cgroup_settings); | |
2416 | return ret; | |
2417 | } | |
2418 | ||
2419 | static struct cgroup_ops cgfsng_ops = { | |
2420 | .init = cgfsng_init, | |
2421 | .destroy = cgfsng_destroy, | |
2422 | .create = cgfsng_create, | |
2423 | .enter = cgfsng_enter, | |
ccb4cabe | 2424 | .escape = cgfsng_escape, |
36662416 TA |
2425 | .num_hierarchies = cgfsng_num_hierarchies, |
2426 | .get_hierarchies = cgfsng_get_hierarchies, | |
ccb4cabe SH |
2427 | .get_cgroup = cgfsng_get_cgroup, |
2428 | .get = cgfsng_get, | |
2429 | .set = cgfsng_set, | |
2430 | .unfreeze = cgfsng_unfreeze, | |
2431 | .setup_limits = cgfsng_setup_limits, | |
2432 | .name = "cgroupfs-ng", | |
2433 | .attach = cgfsng_attach, | |
058c1cb6 | 2434 | .chown = cgfsng_chown, |
ccb4cabe SH |
2435 | .mount_cgroup = cgfsng_mount, |
2436 | .nrtasks = cgfsng_nrtasks, | |
2437 | .driver = CGFSNG, | |
2438 | ||
2439 | /* unsupported */ | |
2440 | .create_legacy = NULL, | |
2441 | }; |