search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
1:255.16-alt1
[systemd_ALT.git] / src / nspawn / nspawn-cgroup.c
bloba5002437c6f7914d5b892e70afa0d2c5b06bc9d1
1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3 #include <sys/mount.h>
4
5 #include "alloc-util.h"
6 #include "cgroup-setup.h"
7 #include "fd-util.h"
8 #include "fileio.h"
9 #include "format-util.h"
10 #include "fs-util.h"
11 #include "mkdir.h"
12 #include "mount-util.h"
13 #include "mountpoint-util.h"
14 #include "nspawn-cgroup.h"
15 #include "nspawn-mount.h"
16 #include "path-util.h"
17 #include "rm-rf.h"
18 #include "string-util.h"
19 #include "strv.h"
20 #include "user-util.h"
21
22 static int chown_cgroup_path(const char *path, uid_t uid_shift) {
23 _cleanup_close_ int fd = -EBADF;
24
25 fd = open(path, O_RDONLY|O_CLOEXEC|O_DIRECTORY);
26 if (fd < 0)
27 return -errno;
28
29 FOREACH_STRING(fn,
30 ".",
31 "cgroup.clone_children",
32 "cgroup.controllers",
33 "cgroup.events",
34 "cgroup.procs",
35 "cgroup.stat",
36 "cgroup.subtree_control",
37 "cgroup.threads",
38 "memory.oom.group",
39 "memory.reclaim",
40 "notify_on_release",
41 "tasks")
42 if (fchownat(fd, fn, uid_shift, uid_shift, 0) < 0)
43 log_full_errno(errno == ENOENT ? LOG_DEBUG : LOG_WARNING, errno,
44 "Failed to chown \"%s/%s\", ignoring: %m", path, fn);
45
46 return 0;
47 }
48
49 int chown_cgroup(pid_t pid, CGroupUnified unified_requested, uid_t uid_shift) {
50 _cleanup_free_ char *path = NULL, *fs = NULL;
51 int r;
52
53 r = cg_pid_get_path(NULL, pid, &path);
54 if (r < 0)
55 return log_error_errno(r, "Failed to get container cgroup path: %m");
56
57 r = cg_get_path(SYSTEMD_CGROUP_CONTROLLER, path, NULL, &fs);
58 if (r < 0)
59 return log_error_errno(r, "Failed to get file system path for container cgroup: %m");
60
61 r = chown_cgroup_path(fs, uid_shift);
62 if (r < 0)
63 return log_error_errno(r, "Failed to chown() cgroup %s: %m", fs);
64
65 if (unified_requested == CGROUP_UNIFIED_SYSTEMD || (unified_requested == CGROUP_UNIFIED_NONE && cg_unified_controller(SYSTEMD_CGROUP_CONTROLLER) > 0)) {
66 _cleanup_free_ char *lfs = NULL;
67 /* Always propagate access rights from unified to legacy controller */
68
69 r = cg_get_path(SYSTEMD_CGROUP_CONTROLLER_LEGACY, path, NULL, &lfs);
70 if (r < 0)
71 return log_error_errno(r, "Failed to get file system path for container cgroup: %m");
72
73 r = chown_cgroup_path(lfs, uid_shift);
74 if (r < 0)
75 return log_error_errno(r, "Failed to chown() cgroup %s: %m", lfs);
76 }
77
78 return 0;
79 }
80
81 int sync_cgroup(pid_t pid, CGroupUnified unified_requested, uid_t uid_shift) {
82 _cleanup_free_ char *cgroup = NULL;
83 char tree[] = "/tmp/unifiedXXXXXX", pid_string[DECIMAL_STR_MAX(pid) + 1];
84 bool undo_mount = false;
85 const char *fn;
86 int r, unified_controller;
87
88 unified_controller = cg_unified_controller(SYSTEMD_CGROUP_CONTROLLER);
89 if (unified_controller < 0)
90 return log_error_errno(unified_controller, "Failed to determine whether the systemd hierarchy is unified: %m");
91 if ((unified_controller > 0) == (unified_requested >= CGROUP_UNIFIED_SYSTEMD))
92 return 0;
93
94 /* When the host uses the legacy cgroup setup, but the
95 * container shall use the unified hierarchy, let's make sure
96 * we copy the path from the name=systemd hierarchy into the
97 * unified hierarchy. Similar for the reverse situation. */
98
99 r = cg_pid_get_path(SYSTEMD_CGROUP_CONTROLLER, pid, &cgroup);
100 if (r < 0)
101 return log_error_errno(r, "Failed to get control group of " PID_FMT ": %m", pid);
102
103 /* In order to access the unified hierarchy we need to mount it */
104 if (!mkdtemp(tree))
105 return log_error_errno(errno, "Failed to generate temporary mount point for unified hierarchy: %m");
106
107 if (unified_controller > 0)
108 r = mount_nofollow_verbose(LOG_ERR, "cgroup", tree, "cgroup",
109 MS_NOSUID|MS_NOEXEC|MS_NODEV, "none,name=systemd,xattr");
110 else
111 r = mount_nofollow_verbose(LOG_ERR, "cgroup", tree, "cgroup2",
112 MS_NOSUID|MS_NOEXEC|MS_NODEV, NULL);
113 if (r < 0)
114 goto finish;
115
116 undo_mount = true;
117
118 /* If nspawn dies abruptly the cgroup hierarchy created below
119 * its unit isn't cleaned up. So, let's remove it
120 * https://github.com/systemd/systemd/pull/4223#issuecomment-252519810 */
121 fn = strjoina(tree, cgroup);
122 (void) rm_rf(fn, REMOVE_ROOT|REMOVE_ONLY_DIRECTORIES);
123
124 fn = strjoina(tree, cgroup, "/cgroup.procs");
125
126 sprintf(pid_string, PID_FMT, pid);
127 r = write_string_file(fn, pid_string, WRITE_STRING_FILE_DISABLE_BUFFER|WRITE_STRING_FILE_MKDIR_0755);
128 if (r < 0) {
129 log_error_errno(r, "Failed to move process: %m");
130 goto finish;
131 }
132
133 fn = strjoina(tree, cgroup);
134 r = chown_cgroup_path(fn, uid_shift);
135 if (r < 0)
136 log_error_errno(r, "Failed to chown() cgroup %s: %m", fn);
137 finish:
138 if (undo_mount)
139 (void) umount_verbose(LOG_ERR, tree, UMOUNT_NOFOLLOW);
140
141 (void) rmdir(tree);
142 return r;
143 }
144
145 int create_subcgroup(pid_t pid, bool keep_unit, CGroupUnified unified_requested) {
146 _cleanup_free_ char *cgroup = NULL, *payload = NULL;
147 CGroupMask supported;
148 char *e;
149 int r;
150
151 assert(pid > 1);
152
153 /* In the unified hierarchy inner nodes may only contain subgroups, but not processes. Hence, if we running in
154 * the unified hierarchy and the container does the same, and we did not create a scope unit for the container
155 * move us and the container into two separate subcgroups.
156 *
157 * Moreover, container payloads such as systemd try to manage the cgroup they run in full (i.e. including
158 * its attributes), while the host systemd will only delegate cgroups for children of the cgroup created for a
159 * delegation unit, instead of the cgroup itself. This means, if we'd pass on the cgroup allocated from the
160 * host systemd directly to the payload, the host and payload systemd might fight for the cgroup
161 * attributes. Hence, let's insert an intermediary cgroup to cover that case too.
162 *
163 * Note that we only bother with the main hierarchy here, not with any secondary ones. On the unified setup
164 * that's fine because there's only one hierarchy anyway and controllers are enabled directly on it. On the
165 * legacy setup, this is fine too, since delegation of controllers is generally not safe there, hence we won't
166 * do it. */
167
168 r = cg_mask_supported(&supported);
169 if (r < 0)
170 return log_error_errno(r, "Failed to determine supported controllers: %m");
171
172 if (keep_unit)
173 r = cg_pid_get_path(SYSTEMD_CGROUP_CONTROLLER, 0, &cgroup);
174 else
175 r = cg_pid_get_path(SYSTEMD_CGROUP_CONTROLLER, pid, &cgroup);
176 if (r < 0)
177 return log_error_errno(r, "Failed to get our control group: %m");
178
179 /* If the service manager already placed us in the supervisor cgroup, let's handle that. */
180 e = endswith(cgroup, "/supervisor");
181 if (e)
182 *e = 0; /* chop off, we want the main path delegated to us */
183
184 payload = path_join(cgroup, "payload");
185 if (!payload)
186 return log_oom();
187
188 r = cg_create_and_attach(SYSTEMD_CGROUP_CONTROLLER, payload, pid);
189 if (r < 0)
190 return log_error_errno(r, "Failed to create %s subcgroup: %m", payload);
191
192 if (keep_unit) {
193 _cleanup_free_ char *supervisor = NULL;
194
195 supervisor = path_join(cgroup, "supervisor");
196 if (!supervisor)
197 return log_oom();
198
199 r = cg_create_and_attach(SYSTEMD_CGROUP_CONTROLLER, supervisor, 0);
200 if (r < 0)
201 return log_error_errno(r, "Failed to create %s subcgroup: %m", supervisor);
202 }
203
204 /* Try to enable as many controllers as possible for the new payload. */
205 (void) cg_enable_everywhere(supported, supported, cgroup, NULL);
206 return 0;
207 }
208
209 /* Retrieve existing subsystems. This function is called in a new cgroup
210 * namespace.
211 */
212 static int get_process_controllers(Set **ret) {
213 _cleanup_set_free_ Set *controllers = NULL;
214 _cleanup_fclose_ FILE *f = NULL;
215 int r;
216
217 assert(ret);
218
219 f = fopen("/proc/self/cgroup", "re");
220 if (!f)
221 return errno == ENOENT ? -ESRCH : -errno;
222
223 for (;;) {
224 _cleanup_free_ char *line = NULL;
225 char *e, *l;
226
227 r = read_line(f, LONG_LINE_MAX, &line);
228 if (r < 0)
229 return r;
230 if (r == 0)
231 break;
232
233 l = strchr(line, ':');
234 if (!l)
235 continue;
236
237 l++;
238 e = strchr(l, ':');
239 if (!e)
240 continue;
241
242 *e = 0;
243
244 if (STR_IN_SET(l, "", "name=systemd", "name=unified"))
245 continue;
246
247 r = set_put_strdup(&controllers, l);
248 if (r < 0)
249 return r;
250 }
251
252 *ret = TAKE_PTR(controllers);
253
254 return 0;
255 }
256
257 static int mount_legacy_cgroup_hierarchy(
258 const char *dest,
259 const char *controller,
260 const char *hierarchy,
261 bool read_only) {
262
263 const char *to, *fstype, *opts;
264 int r;
265
266 to = strjoina(strempty(dest), "/sys/fs/cgroup/", hierarchy);
267
268 r = path_is_mount_point(to, dest, 0);
269 if (r < 0 && r != -ENOENT)
270 return log_error_errno(r, "Failed to determine if %s is mounted already: %m", to);
271 if (r > 0)
272 return 0;
273
274 (void) mkdir_p(to, 0755);
275
276 /* The superblock mount options of the mount point need to be
277 * identical to the hosts', and hence writable... */
278 if (streq(controller, SYSTEMD_CGROUP_CONTROLLER_HYBRID)) {
279 fstype = "cgroup2";
280 opts = NULL;
281 } else if (streq(controller, SYSTEMD_CGROUP_CONTROLLER_LEGACY)) {
282 fstype = "cgroup";
283 opts = "none,name=systemd,xattr";
284 } else {
285 fstype = "cgroup";
286 opts = controller;
287 }
288
289 r = mount_nofollow_verbose(LOG_ERR, "cgroup", to, fstype, MS_NOSUID|MS_NOEXEC|MS_NODEV, opts);
290 if (r < 0)
291 return r;
292
293 /* ... hence let's only make the bind mount read-only, not the superblock. */
294 if (read_only) {
295 r = mount_nofollow_verbose(LOG_ERR, NULL, to, NULL,
296 MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, NULL);
297 if (r < 0)
298 return r;
299 }
300
301 return 1;
302 }
303
304 /* Mount a legacy cgroup hierarchy when cgroup namespaces are supported. */
305 static int mount_legacy_cgns_supported(
306 const char *dest,
307 CGroupUnified unified_requested,
308 bool userns,
309 uid_t uid_shift,
310 uid_t uid_range,
311 const char *selinux_apifs_context) {
312
313 _cleanup_set_free_ Set *controllers = NULL;
314 const char *cgroup_root = "/sys/fs/cgroup", *c;
315 int r;
316
317 (void) mkdir_p(cgroup_root, 0755);
318
319 /* Mount a tmpfs to /sys/fs/cgroup if it's not mounted there yet. */
320 r = path_is_mount_point(cgroup_root, dest, AT_SYMLINK_FOLLOW);
321 if (r < 0)
322 return log_error_errno(r, "Failed to determine if /sys/fs/cgroup is already mounted: %m");
323 if (r == 0) {
324 _cleanup_free_ char *options = NULL;
325
326 /* When cgroup namespaces are enabled and user namespaces are
327 * used then the mount of the cgroupfs is done *inside* the new
328 * user namespace. We're root in the new user namespace and the
329 * kernel will happily translate our uid/gid to the correct
330 * uid/gid as seen from e.g. /proc/1/mountinfo. So we simply
331 * pass uid 0 and not uid_shift to tmpfs_patch_options().
332 */
333 r = tmpfs_patch_options("mode=0755" TMPFS_LIMITS_SYS_FS_CGROUP, 0, selinux_apifs_context, &options);
334 if (r < 0)
335 return log_oom();
336
337 r = mount_nofollow_verbose(LOG_ERR, "tmpfs", cgroup_root, "tmpfs",
338 MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME, options);
339 if (r < 0)
340 return r;
341 }
342
343 r = cg_all_unified();
344 if (r < 0)
345 return r;
346 if (r > 0)
347 goto skip_controllers;
348
349 r = get_process_controllers(&controllers);
350 if (r < 0)
351 return log_error_errno(r, "Failed to determine cgroup controllers: %m");
352
353 for (;;) {
354 _cleanup_free_ const char *controller = NULL;
355
356 controller = set_steal_first(controllers);
357 if (!controller)
358 break;
359
360 r = mount_legacy_cgroup_hierarchy("", controller, controller, !userns);
361 if (r < 0)
362 return r;
363
364 /* When multiple hierarchies are co-mounted, make their
365 * constituting individual hierarchies a symlink to the
366 * co-mount.
367 */
368 c = controller;
369 for (;;) {
370 _cleanup_free_ char *target = NULL, *tok = NULL;
371
372 r = extract_first_word(&c, &tok, ",", 0);
373 if (r < 0)
374 return log_error_errno(r, "Failed to extract co-mounted cgroup controller: %m");
375 if (r == 0)
376 break;
377
378 if (streq(controller, tok))
379 break;
380
381 target = path_join("/sys/fs/cgroup/", tok);
382 if (!target)
383 return log_oom();
384
385 r = symlink_idempotent(controller, target, false);
386 if (r == -EINVAL)
387 return log_error_errno(r, "Invalid existing symlink for combined hierarchy: %m");
388 if (r < 0)
389 return log_error_errno(r, "Failed to create symlink for combined hierarchy: %m");
390 }
391 }
392
393 skip_controllers:
394 if (unified_requested >= CGROUP_UNIFIED_SYSTEMD) {
395 r = mount_legacy_cgroup_hierarchy("", SYSTEMD_CGROUP_CONTROLLER_HYBRID, "unified", false);
396 if (r < 0)
397 return r;
398 }
399
400 r = mount_legacy_cgroup_hierarchy("", SYSTEMD_CGROUP_CONTROLLER_LEGACY, "systemd", false);
401 if (r < 0)
402 return r;
403
404 if (!userns)
405 return mount_nofollow_verbose(LOG_ERR, NULL, cgroup_root, NULL,
406 MS_REMOUNT|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME|MS_RDONLY,
407 "mode=0755");
408
409 return 0;
410 }
411
412 /* Mount legacy cgroup hierarchy when cgroup namespaces are unsupported. */
413 static int mount_legacy_cgns_unsupported(
414 const char *dest,
415 CGroupUnified unified_requested,
416 bool userns,
417 uid_t uid_shift,
418 uid_t uid_range,
419 const char *selinux_apifs_context) {
420
421 _cleanup_set_free_ Set *controllers = NULL;
422 const char *cgroup_root;
423 int r;
424
425 cgroup_root = prefix_roota(dest, "/sys/fs/cgroup");
426
427 (void) mkdir_p(cgroup_root, 0755);
428
429 /* Mount a tmpfs to /sys/fs/cgroup if it's not mounted there yet. */
430 r = path_is_mount_point(cgroup_root, dest, AT_SYMLINK_FOLLOW);
431 if (r < 0)
432 return log_error_errno(r, "Failed to determine if /sys/fs/cgroup is already mounted: %m");
433 if (r == 0) {
434 _cleanup_free_ char *options = NULL;
435
436 r = tmpfs_patch_options("mode=0755" TMPFS_LIMITS_SYS_FS_CGROUP,
437 uid_shift == 0 ? UID_INVALID : uid_shift,
438 selinux_apifs_context,
439 &options);
440 if (r < 0)
441 return log_oom();
442
443 r = mount_nofollow_verbose(LOG_ERR, "tmpfs", cgroup_root, "tmpfs",
444 MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME, options);
445 if (r < 0)
446 return r;
447 }
448
449 r = cg_all_unified();
450 if (r < 0)
451 return r;
452 if (r > 0)
453 goto skip_controllers;
454
455 r = cg_kernel_controllers(&controllers);
456 if (r < 0)
457 return log_error_errno(r, "Failed to determine cgroup controllers: %m");
458
459 for (;;) {
460 _cleanup_free_ char *controller = NULL, *origin = NULL, *combined = NULL;
461
462 controller = set_steal_first(controllers);
463 if (!controller)
464 break;
465
466 origin = path_join("/sys/fs/cgroup/", controller);
467 if (!origin)
468 return log_oom();
469
470 r = readlink_malloc(origin, &combined);
471 if (r == -EINVAL) {
472 /* Not a symbolic link, but directly a single cgroup hierarchy */
473
474 r = mount_legacy_cgroup_hierarchy(dest, controller, controller, true);
475 if (r < 0)
476 return r;
477
478 } else if (r < 0)
479 return log_error_errno(r, "Failed to read link %s: %m", origin);
480 else {
481 _cleanup_free_ char *target = NULL;
482
483 target = path_join(dest, origin);
484 if (!target)
485 return log_oom();
486
487 /* A symbolic link, a combination of controllers in one hierarchy */
488
489 if (!filename_is_valid(combined)) {
490 log_warning("Ignoring invalid combined hierarchy %s.", combined);
491 continue;
492 }
493
494 r = mount_legacy_cgroup_hierarchy(dest, combined, combined, true);
495 if (r < 0)
496 return r;
497
498 r = symlink_idempotent(combined, target, false);
499 if (r == -EINVAL)
500 return log_error_errno(r, "Invalid existing symlink for combined hierarchy: %m");
501 if (r < 0)
502 return log_error_errno(r, "Failed to create symlink for combined hierarchy: %m");
503 }
504 }
505
506 skip_controllers:
507 if (unified_requested >= CGROUP_UNIFIED_SYSTEMD) {
508 r = mount_legacy_cgroup_hierarchy(dest, SYSTEMD_CGROUP_CONTROLLER_HYBRID, "unified", false);
509 if (r < 0)
510 return r;
511 }
512
513 r = mount_legacy_cgroup_hierarchy(dest, SYSTEMD_CGROUP_CONTROLLER_LEGACY, "systemd", false);
514 if (r < 0)
515 return r;
516
517 return mount_nofollow_verbose(LOG_ERR, NULL, cgroup_root, NULL,
518 MS_REMOUNT|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME|MS_RDONLY,
519 "mode=0755");
520 }
521
522 static int mount_unified_cgroups(const char *dest) {
523 const char *p;
524 int r;
525
526 assert(dest);
527
528 p = prefix_roota(dest, "/sys/fs/cgroup");
529
530 (void) mkdir_p(p, 0755);
531
532 r = path_is_mount_point(p, dest, AT_SYMLINK_FOLLOW);
533 if (r < 0)
534 return log_error_errno(r, "Failed to determine if %s is mounted already: %m", p);
535 if (r > 0) {
536 p = prefix_roota(dest, "/sys/fs/cgroup/cgroup.procs");
537 if (access(p, F_OK) >= 0)
538 return 0;
539 if (errno != ENOENT)
540 return log_error_errno(errno, "Failed to determine if mount point %s contains the unified cgroup hierarchy: %m", p);
541
542 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
543 "%s is already mounted but not a unified cgroup hierarchy. Refusing.", p);
544 }
545
546 return mount_nofollow_verbose(LOG_ERR, "cgroup", p, "cgroup2", MS_NOSUID|MS_NOEXEC|MS_NODEV, NULL);
547 }
548
549 int mount_cgroups(
550 const char *dest,
551 CGroupUnified unified_requested,
552 bool userns,
553 uid_t uid_shift,
554 uid_t uid_range,
555 const char *selinux_apifs_context,
556 bool use_cgns) {
557
558 if (unified_requested >= CGROUP_UNIFIED_ALL)
559 return mount_unified_cgroups(dest);
560 if (use_cgns)
561 return mount_legacy_cgns_supported(dest, unified_requested, userns, uid_shift, uid_range, selinux_apifs_context);
562
563 return mount_legacy_cgns_unsupported(dest, unified_requested, userns, uid_shift, uid_range, selinux_apifs_context);
564 }
565
566 static int mount_systemd_cgroup_writable_one(const char *root, const char *own) {
567 int r;
568
569 assert(root);
570 assert(own);
571
572 /* Make our own cgroup a (writable) bind mount */
573 r = mount_nofollow_verbose(LOG_ERR, own, own, NULL, MS_BIND, NULL);
574 if (r < 0)
575 return r;
576
577 /* And then remount the systemd cgroup root read-only */
578 return mount_nofollow_verbose(LOG_ERR, NULL, root, NULL,
579 MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, NULL);
580 }
581
582 int mount_systemd_cgroup_writable(
583 const char *dest,
584 CGroupUnified unified_requested) {
585
586 _cleanup_free_ char *own_cgroup_path = NULL;
587 const char *root, *own;
588 int r;
589
590 assert(dest);
591
592 r = cg_pid_get_path(NULL, 0, &own_cgroup_path);
593 if (r < 0)
594 return log_error_errno(r, "Failed to determine our own cgroup path: %m");
595
596 /* If we are living in the top-level, then there's nothing to do... */
597 if (path_equal(own_cgroup_path, "/"))
598 return 0;
599
600 if (unified_requested >= CGROUP_UNIFIED_ALL) {
601
602 root = prefix_roota(dest, "/sys/fs/cgroup");
603 own = strjoina(root, own_cgroup_path);
604
605 } else {
606
607 if (unified_requested >= CGROUP_UNIFIED_SYSTEMD) {
608 root = prefix_roota(dest, "/sys/fs/cgroup/unified");
609 own = strjoina(root, own_cgroup_path);
610
611 r = mount_systemd_cgroup_writable_one(root, own);
612 if (r < 0)
613 return r;
614 }
615
616 root = prefix_roota(dest, "/sys/fs/cgroup/systemd");
617 own = strjoina(root, own_cgroup_path);
618 }
619
620 return mount_systemd_cgroup_writable_one(root, own);
621 }
A System and Session Manager (ALT Linux package)