2017-11-18 17:09:20 +01:00
|
|
|
/* SPDX-License-Identifier: LGPL-2.1+ */
|
2010-03-31 16:29:55 +02:00
|
|
|
/***
|
|
|
|
|
This file is part of systemd.
|
|
|
|
|
|
2013-06-27 04:14:27 +02:00
|
|
|
Copyright 2013 Lennart Poettering
|
2010-03-31 16:29:55 +02:00
|
|
|
|
|
|
|
|
systemd is free software; you can redistribute it and/or modify it
|
2012-04-12 00:20:58 +02:00
|
|
|
under the terms of the GNU Lesser General Public License as published by
|
|
|
|
|
the Free Software Foundation; either version 2.1 of the License, or
|
2010-03-31 16:29:55 +02:00
|
|
|
(at your option) any later version.
|
|
|
|
|
|
|
|
|
|
systemd is distributed in the hope that it will be useful, but
|
|
|
|
|
WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
2012-04-12 00:20:58 +02:00
|
|
|
Lesser General Public License for more details.
|
2010-03-31 16:29:55 +02:00
|
|
|
|
2012-04-12 00:20:58 +02:00
|
|
|
You should have received a copy of the GNU Lesser General Public License
|
2010-03-31 16:29:55 +02:00
|
|
|
along with systemd; If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
***/
|
|
|
|
|
|
2010-07-11 00:50:49 +02:00
|
|
|
#include <fcntl.h>
|
2014-03-11 17:42:24 +01:00
|
|
|
#include <fnmatch.h>
|
2010-06-21 23:27:18 +02:00
|
|
|
|
2015-10-27 03:01:06 +01:00
|
|
|
#include "alloc-util.h"
|
2017-12-22 15:22:59 +01:00
|
|
|
#include "blockdev-util.h"
|
2017-09-05 19:27:53 +02:00
|
|
|
#include "bpf-firewall.h"
|
2018-02-07 22:52:52 +01:00
|
|
|
#include "bus-error.h"
|
2015-09-10 12:32:16 +02:00
|
|
|
#include "cgroup-util.h"
|
2015-10-25 13:14:12 +01:00
|
|
|
#include "cgroup.h"
|
|
|
|
|
#include "fd-util.h"
|
2015-10-26 18:05:03 +01:00
|
|
|
#include "fileio.h"
|
2015-10-27 14:58:05 +01:00
|
|
|
#include "fs-util.h"
|
2015-10-26 16:18:16 +01:00
|
|
|
#include "parse-util.h"
|
2012-05-07 21:36:12 +02:00
|
|
|
#include "path-util.h"
|
2015-09-10 12:32:16 +02:00
|
|
|
#include "process-util.h"
|
2018-01-17 15:39:39 +01:00
|
|
|
#include "procfs-util.h"
|
2013-06-20 03:45:08 +02:00
|
|
|
#include "special.h"
|
2017-09-05 19:27:53 +02:00
|
|
|
#include "stdio-util.h"
|
2015-10-26 22:31:05 +01:00
|
|
|
#include "string-table.h"
|
2015-10-24 22:58:24 +02:00
|
|
|
#include "string-util.h"
|
2018-02-09 19:07:01 +01:00
|
|
|
#include "virt.h"
|
2010-03-31 16:29:55 +02:00
|
|
|
|
2014-05-22 04:53:12 +02:00
|
|
|
#define CGROUP_CPU_QUOTA_PERIOD_USEC ((usec_t) 100 * USEC_PER_MSEC)
|
|
|
|
|
|
2018-02-09 19:07:01 +01:00
|
|
|
bool manager_owns_root_cgroup(Manager *m) {
|
|
|
|
|
assert(m);
|
|
|
|
|
|
|
|
|
|
/* Returns true if we are managing the root cgroup. Note that it isn't sufficient to just check whether the
|
|
|
|
|
* group root path equals "/" since that will also be the case if CLONE_NEWCGROUP is in the mix. Since there's
|
|
|
|
|
* appears to be no nice way to detect whether we are in a CLONE_NEWCGROUP namespace we instead just check if
|
|
|
|
|
* we run in any kind of container virtualization. */
|
|
|
|
|
|
|
|
|
|
if (detect_container() > 0)
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
return isempty(m->cgroup_root) || path_equal(m->cgroup_root, "/");
|
|
|
|
|
}
|
|
|
|
|
|
2018-01-17 18:41:42 +01:00
|
|
|
bool unit_has_root_cgroup(Unit *u) {
|
|
|
|
|
assert(u);
|
|
|
|
|
|
2018-02-09 19:07:01 +01:00
|
|
|
/* Returns whether this unit manages the root cgroup. This will return true if this unit is the root slice and
|
|
|
|
|
* the manager manages the root cgroup. */
|
2018-01-17 18:41:42 +01:00
|
|
|
|
2018-02-09 19:07:01 +01:00
|
|
|
if (!manager_owns_root_cgroup(u->manager))
|
2018-01-17 18:41:42 +01:00
|
|
|
return false;
|
|
|
|
|
|
2018-02-09 19:07:01 +01:00
|
|
|
return unit_has_name(u, SPECIAL_ROOT_SLICE);
|
2018-01-17 18:41:42 +01:00
|
|
|
}
|
|
|
|
|
|
2016-06-24 15:59:24 +02:00
|
|
|
static void cgroup_compat_warn(void) {
|
2016-06-02 19:02:53 +02:00
|
|
|
static bool cgroup_compat_warned = false;
|
|
|
|
|
|
|
|
|
|
if (cgroup_compat_warned)
|
|
|
|
|
return;
|
|
|
|
|
|
2018-02-09 19:07:01 +01:00
|
|
|
log_warning("cgroup compatibility translation between legacy and unified hierarchy settings activated. "
|
|
|
|
|
"See cgroup-compat debug messages for details.");
|
|
|
|
|
|
2016-06-02 19:02:53 +02:00
|
|
|
cgroup_compat_warned = true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#define log_cgroup_compat(unit, fmt, ...) do { \
|
|
|
|
|
cgroup_compat_warn(); \
|
|
|
|
|
log_unit_debug(unit, "cgroup-compat: " fmt, ##__VA_ARGS__); \
|
2016-06-24 15:59:24 +02:00
|
|
|
} while (false)
|
2016-06-02 19:02:53 +02:00
|
|
|
|
2013-06-27 04:14:27 +02:00
|
|
|
void cgroup_context_init(CGroupContext *c) {
|
|
|
|
|
assert(c);
|
|
|
|
|
|
|
|
|
|
/* Initialize everything to the kernel defaults, assuming the
|
|
|
|
|
* structure is preinitialized to 0 */
|
|
|
|
|
|
2016-08-07 15:45:39 +02:00
|
|
|
c->cpu_weight = CGROUP_WEIGHT_INVALID;
|
|
|
|
|
c->startup_cpu_weight = CGROUP_WEIGHT_INVALID;
|
|
|
|
|
c->cpu_quota_per_sec_usec = USEC_INFINITY;
|
|
|
|
|
|
2015-09-11 16:48:24 +02:00
|
|
|
c->cpu_shares = CGROUP_CPU_SHARES_INVALID;
|
|
|
|
|
c->startup_cpu_shares = CGROUP_CPU_SHARES_INVALID;
|
|
|
|
|
|
2016-05-27 18:10:18 +02:00
|
|
|
c->memory_high = CGROUP_LIMIT_MAX;
|
|
|
|
|
c->memory_max = CGROUP_LIMIT_MAX;
|
2016-07-04 09:03:54 +02:00
|
|
|
c->memory_swap_max = CGROUP_LIMIT_MAX;
|
2016-05-27 18:10:18 +02:00
|
|
|
|
|
|
|
|
c->memory_limit = CGROUP_LIMIT_MAX;
|
2014-04-25 13:27:25 +02:00
|
|
|
|
2016-05-05 22:42:55 +02:00
|
|
|
c->io_weight = CGROUP_WEIGHT_INVALID;
|
|
|
|
|
c->startup_io_weight = CGROUP_WEIGHT_INVALID;
|
|
|
|
|
|
2015-09-11 16:48:24 +02:00
|
|
|
c->blockio_weight = CGROUP_BLKIO_WEIGHT_INVALID;
|
|
|
|
|
c->startup_blockio_weight = CGROUP_BLKIO_WEIGHT_INVALID;
|
|
|
|
|
|
|
|
|
|
c->tasks_max = (uint64_t) -1;
|
2013-06-27 04:14:27 +02:00
|
|
|
}
|
2010-03-31 16:29:55 +02:00
|
|
|
|
2013-06-27 04:14:27 +02:00
|
|
|
void cgroup_context_free_device_allow(CGroupContext *c, CGroupDeviceAllow *a) {
|
|
|
|
|
assert(c);
|
|
|
|
|
assert(a);
|
|
|
|
|
|
2013-10-14 06:10:14 +02:00
|
|
|
LIST_REMOVE(device_allow, c->device_allow, a);
|
2013-06-27 04:14:27 +02:00
|
|
|
free(a->path);
|
|
|
|
|
free(a);
|
|
|
|
|
}
|
|
|
|
|
|
2016-05-05 22:42:55 +02:00
|
|
|
void cgroup_context_free_io_device_weight(CGroupContext *c, CGroupIODeviceWeight *w) {
|
|
|
|
|
assert(c);
|
|
|
|
|
assert(w);
|
|
|
|
|
|
|
|
|
|
LIST_REMOVE(device_weights, c->io_device_weights, w);
|
|
|
|
|
free(w->path);
|
|
|
|
|
free(w);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void cgroup_context_free_io_device_limit(CGroupContext *c, CGroupIODeviceLimit *l) {
|
|
|
|
|
assert(c);
|
|
|
|
|
assert(l);
|
|
|
|
|
|
|
|
|
|
LIST_REMOVE(device_limits, c->io_device_limits, l);
|
|
|
|
|
free(l->path);
|
|
|
|
|
free(l);
|
|
|
|
|
}
|
|
|
|
|
|
2013-06-27 04:14:27 +02:00
|
|
|
void cgroup_context_free_blockio_device_weight(CGroupContext *c, CGroupBlockIODeviceWeight *w) {
|
|
|
|
|
assert(c);
|
|
|
|
|
assert(w);
|
|
|
|
|
|
2013-10-14 06:10:14 +02:00
|
|
|
LIST_REMOVE(device_weights, c->blockio_device_weights, w);
|
2013-06-27 04:14:27 +02:00
|
|
|
free(w->path);
|
|
|
|
|
free(w);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void cgroup_context_free_blockio_device_bandwidth(CGroupContext *c, CGroupBlockIODeviceBandwidth *b) {
|
|
|
|
|
assert(c);
|
2010-03-31 16:29:55 +02:00
|
|
|
assert(b);
|
|
|
|
|
|
2013-10-14 06:10:14 +02:00
|
|
|
LIST_REMOVE(device_bandwidths, c->blockio_device_bandwidths, b);
|
2013-06-27 04:14:27 +02:00
|
|
|
free(b->path);
|
|
|
|
|
free(b);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void cgroup_context_done(CGroupContext *c) {
|
|
|
|
|
assert(c);
|
|
|
|
|
|
2016-05-05 22:42:55 +02:00
|
|
|
while (c->io_device_weights)
|
|
|
|
|
cgroup_context_free_io_device_weight(c, c->io_device_weights);
|
|
|
|
|
|
|
|
|
|
while (c->io_device_limits)
|
|
|
|
|
cgroup_context_free_io_device_limit(c, c->io_device_limits);
|
|
|
|
|
|
2013-06-27 04:14:27 +02:00
|
|
|
while (c->blockio_device_weights)
|
|
|
|
|
cgroup_context_free_blockio_device_weight(c, c->blockio_device_weights);
|
|
|
|
|
|
|
|
|
|
while (c->blockio_device_bandwidths)
|
|
|
|
|
cgroup_context_free_blockio_device_bandwidth(c, c->blockio_device_bandwidths);
|
|
|
|
|
|
|
|
|
|
while (c->device_allow)
|
|
|
|
|
cgroup_context_free_device_allow(c, c->device_allow);
|
2016-11-11 19:59:19 +01:00
|
|
|
|
|
|
|
|
c->ip_address_allow = ip_address_access_free_all(c->ip_address_allow);
|
|
|
|
|
c->ip_address_deny = ip_address_access_free_all(c->ip_address_deny);
|
2013-06-27 04:14:27 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void cgroup_context_dump(CGroupContext *c, FILE* f, const char *prefix) {
|
2016-05-05 22:42:55 +02:00
|
|
|
CGroupIODeviceLimit *il;
|
|
|
|
|
CGroupIODeviceWeight *iw;
|
2013-06-27 04:14:27 +02:00
|
|
|
CGroupBlockIODeviceBandwidth *b;
|
|
|
|
|
CGroupBlockIODeviceWeight *w;
|
|
|
|
|
CGroupDeviceAllow *a;
|
2017-09-01 20:31:44 +02:00
|
|
|
IPAddressAccessItem *iaai;
|
2014-05-22 04:53:12 +02:00
|
|
|
char u[FORMAT_TIMESPAN_MAX];
|
2013-06-27 04:14:27 +02:00
|
|
|
|
|
|
|
|
assert(c);
|
|
|
|
|
assert(f);
|
|
|
|
|
|
|
|
|
|
prefix = strempty(prefix);
|
|
|
|
|
|
|
|
|
|
fprintf(f,
|
|
|
|
|
"%sCPUAccounting=%s\n"
|
2016-05-05 22:42:55 +02:00
|
|
|
"%sIOAccounting=%s\n"
|
2013-06-27 04:14:27 +02:00
|
|
|
"%sBlockIOAccounting=%s\n"
|
|
|
|
|
"%sMemoryAccounting=%s\n"
|
2015-09-11 16:48:24 +02:00
|
|
|
"%sTasksAccounting=%s\n"
|
2017-09-01 20:31:44 +02:00
|
|
|
"%sIPAccounting=%s\n"
|
2016-08-07 15:45:39 +02:00
|
|
|
"%sCPUWeight=%" PRIu64 "\n"
|
|
|
|
|
"%sStartupCPUWeight=%" PRIu64 "\n"
|
2015-09-11 16:48:24 +02:00
|
|
|
"%sCPUShares=%" PRIu64 "\n"
|
|
|
|
|
"%sStartupCPUShares=%" PRIu64 "\n"
|
2014-04-25 13:27:25 +02:00
|
|
|
"%sCPUQuotaPerSecSec=%s\n"
|
2016-05-05 22:42:55 +02:00
|
|
|
"%sIOWeight=%" PRIu64 "\n"
|
|
|
|
|
"%sStartupIOWeight=%" PRIu64 "\n"
|
2015-09-11 16:48:24 +02:00
|
|
|
"%sBlockIOWeight=%" PRIu64 "\n"
|
|
|
|
|
"%sStartupBlockIOWeight=%" PRIu64 "\n"
|
2016-05-27 18:10:18 +02:00
|
|
|
"%sMemoryLow=%" PRIu64 "\n"
|
|
|
|
|
"%sMemoryHigh=%" PRIu64 "\n"
|
|
|
|
|
"%sMemoryMax=%" PRIu64 "\n"
|
2016-07-04 09:03:54 +02:00
|
|
|
"%sMemorySwapMax=%" PRIu64 "\n"
|
2013-06-27 04:14:27 +02:00
|
|
|
"%sMemoryLimit=%" PRIu64 "\n"
|
2015-09-10 12:32:16 +02:00
|
|
|
"%sTasksMax=%" PRIu64 "\n"
|
2014-11-05 17:57:23 +01:00
|
|
|
"%sDevicePolicy=%s\n"
|
|
|
|
|
"%sDelegate=%s\n",
|
2013-06-27 04:14:27 +02:00
|
|
|
prefix, yes_no(c->cpu_accounting),
|
2016-05-05 22:42:55 +02:00
|
|
|
prefix, yes_no(c->io_accounting),
|
2013-06-27 04:14:27 +02:00
|
|
|
prefix, yes_no(c->blockio_accounting),
|
|
|
|
|
prefix, yes_no(c->memory_accounting),
|
2015-09-11 16:48:24 +02:00
|
|
|
prefix, yes_no(c->tasks_accounting),
|
2017-09-01 20:31:44 +02:00
|
|
|
prefix, yes_no(c->ip_accounting),
|
2016-08-07 15:45:39 +02:00
|
|
|
prefix, c->cpu_weight,
|
|
|
|
|
prefix, c->startup_cpu_weight,
|
2013-06-27 04:14:27 +02:00
|
|
|
prefix, c->cpu_shares,
|
2014-05-15 17:09:34 +02:00
|
|
|
prefix, c->startup_cpu_shares,
|
2014-09-29 14:31:14 +02:00
|
|
|
prefix, format_timespan(u, sizeof(u), c->cpu_quota_per_sec_usec, 1),
|
2016-05-05 22:42:55 +02:00
|
|
|
prefix, c->io_weight,
|
|
|
|
|
prefix, c->startup_io_weight,
|
2013-06-27 04:14:27 +02:00
|
|
|
prefix, c->blockio_weight,
|
2014-05-15 17:09:34 +02:00
|
|
|
prefix, c->startup_blockio_weight,
|
2016-05-27 18:10:18 +02:00
|
|
|
prefix, c->memory_low,
|
|
|
|
|
prefix, c->memory_high,
|
|
|
|
|
prefix, c->memory_max,
|
2016-07-04 09:03:54 +02:00
|
|
|
prefix, c->memory_swap_max,
|
2013-06-27 04:14:27 +02:00
|
|
|
prefix, c->memory_limit,
|
2015-09-10 12:32:16 +02:00
|
|
|
prefix, c->tasks_max,
|
2014-11-05 17:57:23 +01:00
|
|
|
prefix, cgroup_device_policy_to_string(c->device_policy),
|
|
|
|
|
prefix, yes_no(c->delegate));
|
2013-06-27 04:14:27 +02:00
|
|
|
|
2017-11-09 15:29:34 +01:00
|
|
|
if (c->delegate) {
|
|
|
|
|
_cleanup_free_ char *t = NULL;
|
|
|
|
|
|
|
|
|
|
(void) cg_mask_to_string(c->delegate_controllers, &t);
|
|
|
|
|
|
2017-11-14 21:29:40 +01:00
|
|
|
fprintf(f, "%sDelegateControllers=%s\n",
|
2017-11-09 15:29:34 +01:00
|
|
|
prefix,
|
|
|
|
|
strempty(t));
|
|
|
|
|
}
|
|
|
|
|
|
2013-06-27 04:14:27 +02:00
|
|
|
LIST_FOREACH(device_allow, a, c->device_allow)
|
|
|
|
|
fprintf(f,
|
|
|
|
|
"%sDeviceAllow=%s %s%s%s\n",
|
|
|
|
|
prefix,
|
|
|
|
|
a->path,
|
|
|
|
|
a->r ? "r" : "", a->w ? "w" : "", a->m ? "m" : "");
|
|
|
|
|
|
2016-05-05 22:42:55 +02:00
|
|
|
LIST_FOREACH(device_weights, iw, c->io_device_weights)
|
|
|
|
|
fprintf(f,
|
|
|
|
|
"%sIODeviceWeight=%s %" PRIu64,
|
|
|
|
|
prefix,
|
|
|
|
|
iw->path,
|
|
|
|
|
iw->weight);
|
|
|
|
|
|
|
|
|
|
LIST_FOREACH(device_limits, il, c->io_device_limits) {
|
|
|
|
|
char buf[FORMAT_BYTES_MAX];
|
2016-05-18 22:50:56 +02:00
|
|
|
CGroupIOLimitType type;
|
|
|
|
|
|
|
|
|
|
for (type = 0; type < _CGROUP_IO_LIMIT_TYPE_MAX; type++)
|
|
|
|
|
if (il->limits[type] != cgroup_io_limit_defaults[type])
|
|
|
|
|
fprintf(f,
|
|
|
|
|
"%s%s=%s %s\n",
|
|
|
|
|
prefix,
|
|
|
|
|
cgroup_io_limit_type_to_string(type),
|
|
|
|
|
il->path,
|
|
|
|
|
format_bytes(buf, sizeof(buf), il->limits[type]));
|
2016-05-05 22:42:55 +02:00
|
|
|
}
|
|
|
|
|
|
2013-06-27 04:14:27 +02:00
|
|
|
LIST_FOREACH(device_weights, w, c->blockio_device_weights)
|
|
|
|
|
fprintf(f,
|
2015-09-11 16:48:24 +02:00
|
|
|
"%sBlockIODeviceWeight=%s %" PRIu64,
|
2013-06-27 04:14:27 +02:00
|
|
|
prefix,
|
|
|
|
|
w->path,
|
|
|
|
|
w->weight);
|
|
|
|
|
|
|
|
|
|
LIST_FOREACH(device_bandwidths, b, c->blockio_device_bandwidths) {
|
|
|
|
|
char buf[FORMAT_BYTES_MAX];
|
|
|
|
|
|
2016-05-18 22:51:46 +02:00
|
|
|
if (b->rbps != CGROUP_LIMIT_MAX)
|
|
|
|
|
fprintf(f,
|
|
|
|
|
"%sBlockIOReadBandwidth=%s %s\n",
|
|
|
|
|
prefix,
|
|
|
|
|
b->path,
|
|
|
|
|
format_bytes(buf, sizeof(buf), b->rbps));
|
|
|
|
|
if (b->wbps != CGROUP_LIMIT_MAX)
|
|
|
|
|
fprintf(f,
|
|
|
|
|
"%sBlockIOWriteBandwidth=%s %s\n",
|
|
|
|
|
prefix,
|
|
|
|
|
b->path,
|
|
|
|
|
format_bytes(buf, sizeof(buf), b->wbps));
|
2013-06-27 04:14:27 +02:00
|
|
|
}
|
2017-09-01 20:31:44 +02:00
|
|
|
|
|
|
|
|
LIST_FOREACH(items, iaai, c->ip_address_allow) {
|
|
|
|
|
_cleanup_free_ char *k = NULL;
|
|
|
|
|
|
|
|
|
|
(void) in_addr_to_string(iaai->family, &iaai->address, &k);
|
|
|
|
|
fprintf(f, "%sIPAddressAllow=%s/%u\n", prefix, strnull(k), iaai->prefixlen);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
LIST_FOREACH(items, iaai, c->ip_address_deny) {
|
|
|
|
|
_cleanup_free_ char *k = NULL;
|
|
|
|
|
|
|
|
|
|
(void) in_addr_to_string(iaai->family, &iaai->address, &k);
|
|
|
|
|
fprintf(f, "%sIPAddressDeny=%s/%u\n", prefix, strnull(k), iaai->prefixlen);
|
|
|
|
|
}
|
2013-06-27 04:14:27 +02:00
|
|
|
}
|
|
|
|
|
|
2016-05-05 22:42:55 +02:00
|
|
|
static int lookup_block_device(const char *p, dev_t *dev) {
|
2013-06-27 04:14:27 +02:00
|
|
|
struct stat st;
|
|
|
|
|
int r;
|
|
|
|
|
|
|
|
|
|
assert(p);
|
|
|
|
|
assert(dev);
|
|
|
|
|
|
|
|
|
|
r = stat(p, &st);
|
2014-11-28 19:57:32 +01:00
|
|
|
if (r < 0)
|
|
|
|
|
return log_warning_errno(errno, "Couldn't stat device %s: %m", p);
|
2010-03-31 16:29:55 +02:00
|
|
|
|
2013-06-27 04:14:27 +02:00
|
|
|
if (S_ISBLK(st.st_mode))
|
|
|
|
|
*dev = st.st_rdev;
|
|
|
|
|
else if (major(st.st_dev) != 0) {
|
|
|
|
|
/* If this is not a device node then find the block
|
|
|
|
|
* device this file is stored on */
|
|
|
|
|
*dev = st.st_dev;
|
|
|
|
|
|
|
|
|
|
/* If this is a partition, try to get the originating
|
|
|
|
|
* block device */
|
2017-12-22 15:22:59 +01:00
|
|
|
(void) block_get_whole_disk(*dev, dev);
|
2013-06-27 04:14:27 +02:00
|
|
|
} else {
|
|
|
|
|
log_warning("%s is not a block device and file system block device cannot be determined or is not local.", p);
|
|
|
|
|
return -ENODEV;
|
|
|
|
|
}
|
2010-03-31 16:29:55 +02:00
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2013-06-27 04:14:27 +02:00
|
|
|
static int whitelist_device(const char *path, const char *node, const char *acc) {
|
|
|
|
|
char buf[2+DECIMAL_STR_MAX(dev_t)*2+2+4];
|
|
|
|
|
struct stat st;
|
2016-12-02 15:23:23 +01:00
|
|
|
bool ignore_notfound;
|
2010-06-21 23:27:18 +02:00
|
|
|
int r;
|
2010-03-31 16:29:55 +02:00
|
|
|
|
2013-06-27 04:14:27 +02:00
|
|
|
assert(path);
|
|
|
|
|
assert(acc);
|
2010-03-31 16:29:55 +02:00
|
|
|
|
2016-12-02 15:23:23 +01:00
|
|
|
if (node[0] == '-') {
|
|
|
|
|
/* Non-existent paths starting with "-" must be silently ignored */
|
|
|
|
|
node++;
|
|
|
|
|
ignore_notfound = true;
|
|
|
|
|
} else
|
|
|
|
|
ignore_notfound = false;
|
|
|
|
|
|
2013-06-27 04:14:27 +02:00
|
|
|
if (stat(node, &st) < 0) {
|
2016-12-02 15:23:23 +01:00
|
|
|
if (errno == ENOENT && ignore_notfound)
|
2016-11-29 20:16:55 +01:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
return log_warning_errno(errno, "Couldn't stat device %s: %m", node);
|
2013-06-27 04:14:27 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!S_ISCHR(st.st_mode) && !S_ISBLK(st.st_mode)) {
|
|
|
|
|
log_warning("%s is not a device.", node);
|
|
|
|
|
return -ENODEV;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
sprintf(buf,
|
|
|
|
|
"%c %u:%u %s",
|
|
|
|
|
S_ISCHR(st.st_mode) ? 'c' : 'b',
|
|
|
|
|
major(st.st_rdev), minor(st.st_rdev),
|
|
|
|
|
acc);
|
|
|
|
|
|
|
|
|
|
r = cg_set_attribute("devices", path, "devices.allow", buf);
|
2014-08-15 18:14:37 +02:00
|
|
|
if (r < 0)
|
2015-11-17 00:01:00 +01:00
|
|
|
log_full_errno(IN_SET(r, -ENOENT, -EROFS, -EINVAL, -EACCES) ? LOG_DEBUG : LOG_WARNING, r,
|
2014-12-30 01:56:42 +01:00
|
|
|
"Failed to set devices.allow on %s: %m", path);
|
2013-06-27 04:14:27 +02:00
|
|
|
|
|
|
|
|
return r;
|
2010-03-31 16:29:55 +02:00
|
|
|
}
|
|
|
|
|
|
2014-02-22 02:47:29 +01:00
|
|
|
static int whitelist_major(const char *path, const char *name, char type, const char *acc) {
|
|
|
|
|
_cleanup_fclose_ FILE *f = NULL;
|
|
|
|
|
char line[LINE_MAX];
|
|
|
|
|
bool good = false;
|
|
|
|
|
int r;
|
|
|
|
|
|
|
|
|
|
assert(path);
|
|
|
|
|
assert(acc);
|
2017-10-04 16:01:32 +02:00
|
|
|
assert(IN_SET(type, 'b', 'c'));
|
2014-02-22 02:47:29 +01:00
|
|
|
|
|
|
|
|
f = fopen("/proc/devices", "re");
|
2014-11-28 19:57:32 +01:00
|
|
|
if (!f)
|
|
|
|
|
return log_warning_errno(errno, "Cannot open /proc/devices to resolve %s (%c): %m", name, type);
|
2014-02-22 02:47:29 +01:00
|
|
|
|
|
|
|
|
FOREACH_LINE(line, f, goto fail) {
|
|
|
|
|
char buf[2+DECIMAL_STR_MAX(unsigned)+3+4], *p, *w;
|
|
|
|
|
unsigned maj;
|
|
|
|
|
|
|
|
|
|
truncate_nl(line);
|
|
|
|
|
|
|
|
|
|
if (type == 'c' && streq(line, "Character devices:")) {
|
|
|
|
|
good = true;
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (type == 'b' && streq(line, "Block devices:")) {
|
|
|
|
|
good = true;
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (isempty(line)) {
|
|
|
|
|
good = false;
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!good)
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
p = strstrip(line);
|
|
|
|
|
|
|
|
|
|
w = strpbrk(p, WHITESPACE);
|
|
|
|
|
if (!w)
|
|
|
|
|
continue;
|
|
|
|
|
*w = 0;
|
|
|
|
|
|
|
|
|
|
r = safe_atou(p, &maj);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
continue;
|
|
|
|
|
if (maj <= 0)
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
w++;
|
|
|
|
|
w += strspn(w, WHITESPACE);
|
2014-03-11 17:42:24 +01:00
|
|
|
|
|
|
|
|
if (fnmatch(name, w, 0) != 0)
|
2014-02-22 02:47:29 +01:00
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
sprintf(buf,
|
|
|
|
|
"%c %u:* %s",
|
|
|
|
|
type,
|
|
|
|
|
maj,
|
|
|
|
|
acc);
|
|
|
|
|
|
|
|
|
|
r = cg_set_attribute("devices", path, "devices.allow", buf);
|
2014-08-15 18:14:37 +02:00
|
|
|
if (r < 0)
|
2015-11-17 00:01:00 +01:00
|
|
|
log_full_errno(IN_SET(r, -ENOENT, -EROFS, -EINVAL, -EACCES) ? LOG_DEBUG : LOG_WARNING, r,
|
2014-12-30 01:56:42 +01:00
|
|
|
"Failed to set devices.allow on %s: %m", path);
|
2014-02-22 02:47:29 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
fail:
|
2017-05-13 17:26:55 +02:00
|
|
|
return log_warning_errno(errno, "Failed to read /proc/devices: %m");
|
2014-02-22 02:47:29 +01:00
|
|
|
}
|
|
|
|
|
|
2016-08-07 15:45:39 +02:00
|
|
|
static bool cgroup_context_has_cpu_weight(CGroupContext *c) {
|
|
|
|
|
return c->cpu_weight != CGROUP_WEIGHT_INVALID ||
|
|
|
|
|
c->startup_cpu_weight != CGROUP_WEIGHT_INVALID;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static bool cgroup_context_has_cpu_shares(CGroupContext *c) {
|
|
|
|
|
return c->cpu_shares != CGROUP_CPU_SHARES_INVALID ||
|
|
|
|
|
c->startup_cpu_shares != CGROUP_CPU_SHARES_INVALID;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static uint64_t cgroup_context_cpu_weight(CGroupContext *c, ManagerState state) {
|
|
|
|
|
if (IN_SET(state, MANAGER_STARTING, MANAGER_INITIALIZING) &&
|
|
|
|
|
c->startup_cpu_weight != CGROUP_WEIGHT_INVALID)
|
|
|
|
|
return c->startup_cpu_weight;
|
|
|
|
|
else if (c->cpu_weight != CGROUP_WEIGHT_INVALID)
|
|
|
|
|
return c->cpu_weight;
|
|
|
|
|
else
|
|
|
|
|
return CGROUP_WEIGHT_DEFAULT;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static uint64_t cgroup_context_cpu_shares(CGroupContext *c, ManagerState state) {
|
|
|
|
|
if (IN_SET(state, MANAGER_STARTING, MANAGER_INITIALIZING) &&
|
|
|
|
|
c->startup_cpu_shares != CGROUP_CPU_SHARES_INVALID)
|
|
|
|
|
return c->startup_cpu_shares;
|
|
|
|
|
else if (c->cpu_shares != CGROUP_CPU_SHARES_INVALID)
|
|
|
|
|
return c->cpu_shares;
|
|
|
|
|
else
|
|
|
|
|
return CGROUP_CPU_SHARES_DEFAULT;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void cgroup_apply_unified_cpu_config(Unit *u, uint64_t weight, uint64_t quota) {
|
|
|
|
|
char buf[MAX(DECIMAL_STR_MAX(uint64_t) + 1, (DECIMAL_STR_MAX(usec_t) + 1) * 2)];
|
|
|
|
|
int r;
|
|
|
|
|
|
|
|
|
|
xsprintf(buf, "%" PRIu64 "\n", weight);
|
|
|
|
|
r = cg_set_attribute("cpu", u->cgroup_path, "cpu.weight", buf);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
log_unit_full(u, IN_SET(r, -ENOENT, -EROFS, -EACCES) ? LOG_DEBUG : LOG_WARNING, r,
|
|
|
|
|
"Failed to set cpu.weight: %m");
|
|
|
|
|
|
|
|
|
|
if (quota != USEC_INFINITY)
|
|
|
|
|
xsprintf(buf, USEC_FMT " " USEC_FMT "\n",
|
|
|
|
|
quota * CGROUP_CPU_QUOTA_PERIOD_USEC / USEC_PER_SEC, CGROUP_CPU_QUOTA_PERIOD_USEC);
|
|
|
|
|
else
|
|
|
|
|
xsprintf(buf, "max " USEC_FMT "\n", CGROUP_CPU_QUOTA_PERIOD_USEC);
|
|
|
|
|
|
|
|
|
|
r = cg_set_attribute("cpu", u->cgroup_path, "cpu.max", buf);
|
|
|
|
|
|
|
|
|
|
if (r < 0)
|
|
|
|
|
log_unit_full(u, IN_SET(r, -ENOENT, -EROFS, -EACCES) ? LOG_DEBUG : LOG_WARNING, r,
|
|
|
|
|
"Failed to set cpu.max: %m");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void cgroup_apply_legacy_cpu_config(Unit *u, uint64_t shares, uint64_t quota) {
|
|
|
|
|
char buf[MAX(DECIMAL_STR_MAX(uint64_t), DECIMAL_STR_MAX(usec_t)) + 1];
|
|
|
|
|
int r;
|
|
|
|
|
|
|
|
|
|
xsprintf(buf, "%" PRIu64 "\n", shares);
|
|
|
|
|
r = cg_set_attribute("cpu", u->cgroup_path, "cpu.shares", buf);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
log_unit_full(u, IN_SET(r, -ENOENT, -EROFS, -EACCES) ? LOG_DEBUG : LOG_WARNING, r,
|
|
|
|
|
"Failed to set cpu.shares: %m");
|
|
|
|
|
|
|
|
|
|
xsprintf(buf, USEC_FMT "\n", CGROUP_CPU_QUOTA_PERIOD_USEC);
|
|
|
|
|
r = cg_set_attribute("cpu", u->cgroup_path, "cpu.cfs_period_us", buf);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
log_unit_full(u, IN_SET(r, -ENOENT, -EROFS, -EACCES) ? LOG_DEBUG : LOG_WARNING, r,
|
|
|
|
|
"Failed to set cpu.cfs_period_us: %m");
|
|
|
|
|
|
|
|
|
|
if (quota != USEC_INFINITY) {
|
|
|
|
|
xsprintf(buf, USEC_FMT "\n", quota * CGROUP_CPU_QUOTA_PERIOD_USEC / USEC_PER_SEC);
|
|
|
|
|
r = cg_set_attribute("cpu", u->cgroup_path, "cpu.cfs_quota_us", buf);
|
|
|
|
|
} else
|
|
|
|
|
r = cg_set_attribute("cpu", u->cgroup_path, "cpu.cfs_quota_us", "-1");
|
|
|
|
|
if (r < 0)
|
|
|
|
|
log_unit_full(u, IN_SET(r, -ENOENT, -EROFS, -EACCES) ? LOG_DEBUG : LOG_WARNING, r,
|
|
|
|
|
"Failed to set cpu.cfs_quota_us: %m");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static uint64_t cgroup_cpu_shares_to_weight(uint64_t shares) {
|
|
|
|
|
return CLAMP(shares * CGROUP_WEIGHT_DEFAULT / CGROUP_CPU_SHARES_DEFAULT,
|
|
|
|
|
CGROUP_WEIGHT_MIN, CGROUP_WEIGHT_MAX);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static uint64_t cgroup_cpu_weight_to_shares(uint64_t weight) {
|
|
|
|
|
return CLAMP(weight * CGROUP_CPU_SHARES_DEFAULT / CGROUP_WEIGHT_DEFAULT,
|
|
|
|
|
CGROUP_CPU_SHARES_MIN, CGROUP_CPU_SHARES_MAX);
|
|
|
|
|
}
|
|
|
|
|
|
2016-05-20 22:46:42 +02:00
|
|
|
static bool cgroup_context_has_io_config(CGroupContext *c) {
|
2016-05-19 02:35:12 +02:00
|
|
|
return c->io_accounting ||
|
|
|
|
|
c->io_weight != CGROUP_WEIGHT_INVALID ||
|
|
|
|
|
c->startup_io_weight != CGROUP_WEIGHT_INVALID ||
|
|
|
|
|
c->io_device_weights ||
|
|
|
|
|
c->io_device_limits;
|
|
|
|
|
}
|
|
|
|
|
|
2016-05-20 22:46:42 +02:00
|
|
|
static bool cgroup_context_has_blockio_config(CGroupContext *c) {
|
2016-05-19 02:35:12 +02:00
|
|
|
return c->blockio_accounting ||
|
|
|
|
|
c->blockio_weight != CGROUP_BLKIO_WEIGHT_INVALID ||
|
|
|
|
|
c->startup_blockio_weight != CGROUP_BLKIO_WEIGHT_INVALID ||
|
|
|
|
|
c->blockio_device_weights ||
|
|
|
|
|
c->blockio_device_bandwidths;
|
|
|
|
|
}
|
|
|
|
|
|
2016-05-20 22:46:42 +02:00
|
|
|
static uint64_t cgroup_context_io_weight(CGroupContext *c, ManagerState state) {
|
2016-05-18 22:51:46 +02:00
|
|
|
if (IN_SET(state, MANAGER_STARTING, MANAGER_INITIALIZING) &&
|
|
|
|
|
c->startup_io_weight != CGROUP_WEIGHT_INVALID)
|
|
|
|
|
return c->startup_io_weight;
|
|
|
|
|
else if (c->io_weight != CGROUP_WEIGHT_INVALID)
|
|
|
|
|
return c->io_weight;
|
|
|
|
|
else
|
|
|
|
|
return CGROUP_WEIGHT_DEFAULT;
|
|
|
|
|
}
|
|
|
|
|
|
2016-05-20 22:46:42 +02:00
|
|
|
static uint64_t cgroup_context_blkio_weight(CGroupContext *c, ManagerState state) {
|
2016-05-18 22:51:46 +02:00
|
|
|
if (IN_SET(state, MANAGER_STARTING, MANAGER_INITIALIZING) &&
|
|
|
|
|
c->startup_blockio_weight != CGROUP_BLKIO_WEIGHT_INVALID)
|
|
|
|
|
return c->startup_blockio_weight;
|
|
|
|
|
else if (c->blockio_weight != CGROUP_BLKIO_WEIGHT_INVALID)
|
|
|
|
|
return c->blockio_weight;
|
|
|
|
|
else
|
|
|
|
|
return CGROUP_BLKIO_WEIGHT_DEFAULT;
|
|
|
|
|
}
|
|
|
|
|
|
2016-05-20 22:46:42 +02:00
|
|
|
static uint64_t cgroup_weight_blkio_to_io(uint64_t blkio_weight) {
|
2016-05-19 02:35:12 +02:00
|
|
|
return CLAMP(blkio_weight * CGROUP_WEIGHT_DEFAULT / CGROUP_BLKIO_WEIGHT_DEFAULT,
|
|
|
|
|
CGROUP_WEIGHT_MIN, CGROUP_WEIGHT_MAX);
|
|
|
|
|
}
|
|
|
|
|
|
2016-05-20 22:46:42 +02:00
|
|
|
static uint64_t cgroup_weight_io_to_blkio(uint64_t io_weight) {
|
2016-05-19 02:35:12 +02:00
|
|
|
return CLAMP(io_weight * CGROUP_BLKIO_WEIGHT_DEFAULT / CGROUP_WEIGHT_DEFAULT,
|
|
|
|
|
CGROUP_BLKIO_WEIGHT_MIN, CGROUP_BLKIO_WEIGHT_MAX);
|
|
|
|
|
}
|
|
|
|
|
|
2016-06-02 19:02:49 +02:00
|
|
|
static void cgroup_apply_io_device_weight(Unit *u, const char *dev_path, uint64_t io_weight) {
|
2016-05-18 22:51:46 +02:00
|
|
|
char buf[DECIMAL_STR_MAX(dev_t)*2+2+DECIMAL_STR_MAX(uint64_t)+1];
|
|
|
|
|
dev_t dev;
|
|
|
|
|
int r;
|
|
|
|
|
|
|
|
|
|
r = lookup_block_device(dev_path, &dev);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
xsprintf(buf, "%u:%u %" PRIu64 "\n", major(dev), minor(dev), io_weight);
|
2016-06-02 19:02:49 +02:00
|
|
|
r = cg_set_attribute("io", u->cgroup_path, "io.weight", buf);
|
2016-05-18 22:51:46 +02:00
|
|
|
if (r < 0)
|
2016-06-02 19:02:49 +02:00
|
|
|
log_unit_full(u, IN_SET(r, -ENOENT, -EROFS, -EACCES) ? LOG_DEBUG : LOG_WARNING, r,
|
|
|
|
|
"Failed to set io.weight: %m");
|
2016-05-18 22:51:46 +02:00
|
|
|
}
|
|
|
|
|
|
2016-06-02 19:02:49 +02:00
|
|
|
static void cgroup_apply_blkio_device_weight(Unit *u, const char *dev_path, uint64_t blkio_weight) {
|
2016-05-18 22:51:46 +02:00
|
|
|
char buf[DECIMAL_STR_MAX(dev_t)*2+2+DECIMAL_STR_MAX(uint64_t)+1];
|
|
|
|
|
dev_t dev;
|
|
|
|
|
int r;
|
|
|
|
|
|
|
|
|
|
r = lookup_block_device(dev_path, &dev);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
xsprintf(buf, "%u:%u %" PRIu64 "\n", major(dev), minor(dev), blkio_weight);
|
2016-06-02 19:02:49 +02:00
|
|
|
r = cg_set_attribute("blkio", u->cgroup_path, "blkio.weight_device", buf);
|
2016-05-18 22:51:46 +02:00
|
|
|
if (r < 0)
|
2016-06-02 19:02:49 +02:00
|
|
|
log_unit_full(u, IN_SET(r, -ENOENT, -EROFS, -EACCES) ? LOG_DEBUG : LOG_WARNING, r,
|
|
|
|
|
"Failed to set blkio.weight_device: %m");
|
2016-05-18 22:51:46 +02:00
|
|
|
}
|
|
|
|
|
|
2016-06-02 19:02:49 +02:00
|
|
|
static unsigned cgroup_apply_io_device_limit(Unit *u, const char *dev_path, uint64_t *limits) {
|
2016-05-18 22:51:46 +02:00
|
|
|
char limit_bufs[_CGROUP_IO_LIMIT_TYPE_MAX][DECIMAL_STR_MAX(uint64_t)];
|
|
|
|
|
char buf[DECIMAL_STR_MAX(dev_t)*2+2+(6+DECIMAL_STR_MAX(uint64_t)+1)*4];
|
|
|
|
|
CGroupIOLimitType type;
|
|
|
|
|
dev_t dev;
|
|
|
|
|
unsigned n = 0;
|
|
|
|
|
int r;
|
|
|
|
|
|
|
|
|
|
r = lookup_block_device(dev_path, &dev);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
for (type = 0; type < _CGROUP_IO_LIMIT_TYPE_MAX; type++) {
|
|
|
|
|
if (limits[type] != cgroup_io_limit_defaults[type]) {
|
|
|
|
|
xsprintf(limit_bufs[type], "%" PRIu64, limits[type]);
|
|
|
|
|
n++;
|
|
|
|
|
} else {
|
|
|
|
|
xsprintf(limit_bufs[type], "%s", limits[type] == CGROUP_LIMIT_MAX ? "max" : "0");
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
xsprintf(buf, "%u:%u rbps=%s wbps=%s riops=%s wiops=%s\n", major(dev), minor(dev),
|
|
|
|
|
limit_bufs[CGROUP_IO_RBPS_MAX], limit_bufs[CGROUP_IO_WBPS_MAX],
|
|
|
|
|
limit_bufs[CGROUP_IO_RIOPS_MAX], limit_bufs[CGROUP_IO_WIOPS_MAX]);
|
2016-06-02 19:02:49 +02:00
|
|
|
r = cg_set_attribute("io", u->cgroup_path, "io.max", buf);
|
2016-05-18 22:51:46 +02:00
|
|
|
if (r < 0)
|
2016-06-02 19:02:49 +02:00
|
|
|
log_unit_full(u, IN_SET(r, -ENOENT, -EROFS, -EACCES) ? LOG_DEBUG : LOG_WARNING, r,
|
|
|
|
|
"Failed to set io.max: %m");
|
2016-05-18 22:51:46 +02:00
|
|
|
return n;
|
|
|
|
|
}
|
|
|
|
|
|
2016-06-02 19:02:49 +02:00
|
|
|
static unsigned cgroup_apply_blkio_device_limit(Unit *u, const char *dev_path, uint64_t rbps, uint64_t wbps) {
|
2016-05-18 22:51:46 +02:00
|
|
|
char buf[DECIMAL_STR_MAX(dev_t)*2+2+DECIMAL_STR_MAX(uint64_t)+1];
|
|
|
|
|
dev_t dev;
|
|
|
|
|
unsigned n = 0;
|
|
|
|
|
int r;
|
|
|
|
|
|
|
|
|
|
r = lookup_block_device(dev_path, &dev);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
if (rbps != CGROUP_LIMIT_MAX)
|
|
|
|
|
n++;
|
|
|
|
|
sprintf(buf, "%u:%u %" PRIu64 "\n", major(dev), minor(dev), rbps);
|
2016-06-02 19:02:49 +02:00
|
|
|
r = cg_set_attribute("blkio", u->cgroup_path, "blkio.throttle.read_bps_device", buf);
|
2016-05-18 22:51:46 +02:00
|
|
|
if (r < 0)
|
2016-06-02 19:02:49 +02:00
|
|
|
log_unit_full(u, IN_SET(r, -ENOENT, -EROFS, -EACCES) ? LOG_DEBUG : LOG_WARNING, r,
|
|
|
|
|
"Failed to set blkio.throttle.read_bps_device: %m");
|
2016-05-18 22:51:46 +02:00
|
|
|
|
|
|
|
|
if (wbps != CGROUP_LIMIT_MAX)
|
|
|
|
|
n++;
|
|
|
|
|
sprintf(buf, "%u:%u %" PRIu64 "\n", major(dev), minor(dev), wbps);
|
2016-06-02 19:02:49 +02:00
|
|
|
r = cg_set_attribute("blkio", u->cgroup_path, "blkio.throttle.write_bps_device", buf);
|
2016-05-18 22:51:46 +02:00
|
|
|
if (r < 0)
|
2016-06-02 19:02:49 +02:00
|
|
|
log_unit_full(u, IN_SET(r, -ENOENT, -EROFS, -EACCES) ? LOG_DEBUG : LOG_WARNING, r,
|
|
|
|
|
"Failed to set blkio.throttle.write_bps_device: %m");
|
2016-05-18 22:51:46 +02:00
|
|
|
|
|
|
|
|
return n;
|
|
|
|
|
}
|
|
|
|
|
|
2016-05-27 18:10:18 +02:00
|
|
|
static bool cgroup_context_has_unified_memory_config(CGroupContext *c) {
|
2016-07-04 09:03:54 +02:00
|
|
|
return c->memory_low > 0 || c->memory_high != CGROUP_LIMIT_MAX || c->memory_max != CGROUP_LIMIT_MAX || c->memory_swap_max != CGROUP_LIMIT_MAX;
|
2016-05-27 18:10:18 +02:00
|
|
|
}
|
|
|
|
|
|
2016-06-02 19:02:49 +02:00
|
|
|
static void cgroup_apply_unified_memory_limit(Unit *u, const char *file, uint64_t v) {
|
2016-05-27 18:10:18 +02:00
|
|
|
char buf[DECIMAL_STR_MAX(uint64_t) + 1] = "max";
|
|
|
|
|
int r;
|
|
|
|
|
|
|
|
|
|
if (v != CGROUP_LIMIT_MAX)
|
|
|
|
|
xsprintf(buf, "%" PRIu64 "\n", v);
|
|
|
|
|
|
2016-06-02 19:02:49 +02:00
|
|
|
r = cg_set_attribute("memory", u->cgroup_path, file, buf);
|
2016-05-27 18:10:18 +02:00
|
|
|
if (r < 0)
|
2016-06-02 19:02:49 +02:00
|
|
|
log_unit_full(u, IN_SET(r, -ENOENT, -EROFS, -EACCES) ? LOG_DEBUG : LOG_WARNING, r,
|
|
|
|
|
"Failed to set %s: %m", file);
|
2016-05-27 18:10:18 +02:00
|
|
|
}
|
|
|
|
|
|
2017-11-24 19:37:01 +01:00
|
|
|
static void cgroup_apply_firewall(Unit *u) {
|
|
|
|
|
assert(u);
|
|
|
|
|
|
2018-02-16 15:35:49 +01:00
|
|
|
/* Best-effort: let's apply IP firewalling and/or accounting if that's enabled */
|
2017-09-05 19:27:53 +02:00
|
|
|
|
2018-02-16 15:35:49 +01:00
|
|
|
if (bpf_firewall_compile(u) < 0)
|
2017-09-05 19:27:53 +02:00
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
(void) bpf_firewall_install(u);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void cgroup_context_apply(
|
|
|
|
|
Unit *u,
|
|
|
|
|
CGroupMask apply_mask,
|
|
|
|
|
bool apply_bpf,
|
|
|
|
|
ManagerState state) {
|
|
|
|
|
|
2016-06-02 19:02:49 +02:00
|
|
|
const char *path;
|
|
|
|
|
CGroupContext *c;
|
2014-02-24 03:38:24 +01:00
|
|
|
bool is_root;
|
2013-06-27 04:14:27 +02:00
|
|
|
int r;
|
|
|
|
|
|
2016-06-02 19:02:49 +02:00
|
|
|
assert(u);
|
|
|
|
|
|
2017-09-05 19:27:53 +02:00
|
|
|
/* Nothing to do? Exit early! */
|
|
|
|
|
if (apply_mask == 0 && !apply_bpf)
|
2013-06-27 04:14:27 +02:00
|
|
|
return;
|
2010-03-31 16:29:55 +02:00
|
|
|
|
2018-01-17 18:41:42 +01:00
|
|
|
/* Some cgroup attributes are not supported on the root cgroup, hence silently ignore */
|
|
|
|
|
is_root = unit_has_root_cgroup(u);
|
|
|
|
|
|
|
|
|
|
assert_se(c = unit_get_cgroup_context(u));
|
|
|
|
|
assert_se(path = u->cgroup_path);
|
|
|
|
|
|
|
|
|
|
if (is_root) /* Make sure we don't try to display messages with an empty path. */
|
2015-01-06 01:03:23 +01:00
|
|
|
path = "/";
|
2014-02-24 03:38:24 +01:00
|
|
|
|
2014-12-30 01:56:42 +01:00
|
|
|
/* We generally ignore errors caused by read-only mounted
|
|
|
|
|
* cgroup trees (assuming we are running in a container then),
|
|
|
|
|
* and missing cgroups, i.e. EROFS and ENOENT. */
|
|
|
|
|
|
2017-09-05 19:27:53 +02:00
|
|
|
if ((apply_mask & CGROUP_MASK_CPU) && !is_root) {
|
|
|
|
|
bool has_weight, has_shares;
|
|
|
|
|
|
|
|
|
|
has_weight = cgroup_context_has_cpu_weight(c);
|
|
|
|
|
has_shares = cgroup_context_has_cpu_shares(c);
|
2010-03-31 16:29:55 +02:00
|
|
|
|
2017-02-24 17:52:58 +01:00
|
|
|
if (cg_all_unified() > 0) {
|
2016-08-07 15:45:39 +02:00
|
|
|
uint64_t weight;
|
2014-04-25 13:27:25 +02:00
|
|
|
|
2016-08-07 15:45:39 +02:00
|
|
|
if (has_weight)
|
|
|
|
|
weight = cgroup_context_cpu_weight(c, state);
|
|
|
|
|
else if (has_shares) {
|
|
|
|
|
uint64_t shares = cgroup_context_cpu_shares(c, state);
|
2014-04-25 13:27:25 +02:00
|
|
|
|
2016-08-07 15:45:39 +02:00
|
|
|
weight = cgroup_cpu_shares_to_weight(shares);
|
|
|
|
|
|
|
|
|
|
log_cgroup_compat(u, "Applying [Startup]CpuShares %" PRIu64 " as [Startup]CpuWeight %" PRIu64 " on %s",
|
|
|
|
|
shares, weight, path);
|
|
|
|
|
} else
|
|
|
|
|
weight = CGROUP_WEIGHT_DEFAULT;
|
|
|
|
|
|
|
|
|
|
cgroup_apply_unified_cpu_config(u, weight, c->cpu_quota_per_sec_usec);
|
|
|
|
|
} else {
|
|
|
|
|
uint64_t shares;
|
|
|
|
|
|
2016-10-15 03:07:16 +02:00
|
|
|
if (has_weight) {
|
2016-08-07 15:45:39 +02:00
|
|
|
uint64_t weight = cgroup_context_cpu_weight(c, state);
|
|
|
|
|
|
|
|
|
|
shares = cgroup_cpu_weight_to_shares(weight);
|
|
|
|
|
|
|
|
|
|
log_cgroup_compat(u, "Applying [Startup]CpuWeight %" PRIu64 " as [Startup]CpuShares %" PRIu64 " on %s",
|
|
|
|
|
weight, shares, path);
|
2016-10-15 03:07:16 +02:00
|
|
|
} else if (has_shares)
|
|
|
|
|
shares = cgroup_context_cpu_shares(c, state);
|
|
|
|
|
else
|
2016-08-07 15:45:39 +02:00
|
|
|
shares = CGROUP_CPU_SHARES_DEFAULT;
|
|
|
|
|
|
|
|
|
|
cgroup_apply_legacy_cpu_config(u, shares, c->cpu_quota_per_sec_usec);
|
|
|
|
|
}
|
2013-06-27 04:14:27 +02:00
|
|
|
}
|
|
|
|
|
|
2017-09-05 19:27:53 +02:00
|
|
|
if (apply_mask & CGROUP_MASK_IO) {
|
2016-05-19 02:35:12 +02:00
|
|
|
bool has_io = cgroup_context_has_io_config(c);
|
|
|
|
|
bool has_blockio = cgroup_context_has_blockio_config(c);
|
2016-05-05 22:42:55 +02:00
|
|
|
|
|
|
|
|
if (!is_root) {
|
2016-05-18 22:51:46 +02:00
|
|
|
char buf[8+DECIMAL_STR_MAX(uint64_t)+1];
|
|
|
|
|
uint64_t weight;
|
2016-05-05 22:42:55 +02:00
|
|
|
|
2016-05-19 02:35:12 +02:00
|
|
|
if (has_io)
|
|
|
|
|
weight = cgroup_context_io_weight(c, state);
|
2016-06-02 19:02:53 +02:00
|
|
|
else if (has_blockio) {
|
|
|
|
|
uint64_t blkio_weight = cgroup_context_blkio_weight(c, state);
|
|
|
|
|
|
|
|
|
|
weight = cgroup_weight_blkio_to_io(blkio_weight);
|
|
|
|
|
|
|
|
|
|
log_cgroup_compat(u, "Applying [Startup]BlockIOWeight %" PRIu64 " as [Startup]IOWeight %" PRIu64,
|
|
|
|
|
blkio_weight, weight);
|
|
|
|
|
} else
|
2016-05-19 02:35:12 +02:00
|
|
|
weight = CGROUP_WEIGHT_DEFAULT;
|
2016-05-05 22:42:55 +02:00
|
|
|
|
|
|
|
|
xsprintf(buf, "default %" PRIu64 "\n", weight);
|
|
|
|
|
r = cg_set_attribute("io", path, "io.weight", buf);
|
|
|
|
|
if (r < 0)
|
2016-06-02 19:02:49 +02:00
|
|
|
log_unit_full(u, IN_SET(r, -ENOENT, -EROFS, -EACCES) ? LOG_DEBUG : LOG_WARNING, r,
|
|
|
|
|
"Failed to set io.weight: %m");
|
2016-05-05 22:42:55 +02:00
|
|
|
|
2016-05-19 02:35:12 +02:00
|
|
|
if (has_io) {
|
|
|
|
|
CGroupIODeviceWeight *w;
|
|
|
|
|
|
|
|
|
|
/* FIXME: no way to reset this list */
|
|
|
|
|
LIST_FOREACH(device_weights, w, c->io_device_weights)
|
2016-06-02 19:02:49 +02:00
|
|
|
cgroup_apply_io_device_weight(u, w->path, w->weight);
|
2016-05-19 02:35:12 +02:00
|
|
|
} else if (has_blockio) {
|
|
|
|
|
CGroupBlockIODeviceWeight *w;
|
|
|
|
|
|
|
|
|
|
/* FIXME: no way to reset this list */
|
2016-06-02 19:02:53 +02:00
|
|
|
LIST_FOREACH(device_weights, w, c->blockio_device_weights) {
|
|
|
|
|
weight = cgroup_weight_blkio_to_io(w->weight);
|
|
|
|
|
|
|
|
|
|
log_cgroup_compat(u, "Applying BlockIODeviceWeight %" PRIu64 " as IODeviceWeight %" PRIu64 " for %s",
|
|
|
|
|
w->weight, weight, w->path);
|
|
|
|
|
|
|
|
|
|
cgroup_apply_io_device_weight(u, w->path, weight);
|
|
|
|
|
}
|
2016-05-19 02:35:12 +02:00
|
|
|
}
|
2016-05-05 22:42:55 +02:00
|
|
|
}
|
|
|
|
|
|
2016-05-18 22:51:46 +02:00
|
|
|
/* Apply limits and free ones without config. */
|
2016-05-19 02:35:12 +02:00
|
|
|
if (has_io) {
|
|
|
|
|
CGroupIODeviceLimit *l, *next;
|
|
|
|
|
|
|
|
|
|
LIST_FOREACH_SAFE(device_limits, l, next, c->io_device_limits) {
|
2016-06-02 19:02:49 +02:00
|
|
|
if (!cgroup_apply_io_device_limit(u, l->path, l->limits))
|
2016-05-19 02:35:12 +02:00
|
|
|
cgroup_context_free_io_device_limit(c, l);
|
|
|
|
|
}
|
|
|
|
|
} else if (has_blockio) {
|
|
|
|
|
CGroupBlockIODeviceBandwidth *b, *next;
|
|
|
|
|
|
|
|
|
|
LIST_FOREACH_SAFE(device_bandwidths, b, next, c->blockio_device_bandwidths) {
|
|
|
|
|
uint64_t limits[_CGROUP_IO_LIMIT_TYPE_MAX];
|
|
|
|
|
CGroupIOLimitType type;
|
|
|
|
|
|
|
|
|
|
for (type = 0; type < _CGROUP_IO_LIMIT_TYPE_MAX; type++)
|
|
|
|
|
limits[type] = cgroup_io_limit_defaults[type];
|
|
|
|
|
|
|
|
|
|
limits[CGROUP_IO_RBPS_MAX] = b->rbps;
|
|
|
|
|
limits[CGROUP_IO_WBPS_MAX] = b->wbps;
|
|
|
|
|
|
2016-06-02 19:02:53 +02:00
|
|
|
log_cgroup_compat(u, "Applying BlockIO{Read|Write}Bandwidth %" PRIu64 " %" PRIu64 " as IO{Read|Write}BandwidthMax for %s",
|
|
|
|
|
b->rbps, b->wbps, b->path);
|
|
|
|
|
|
2016-06-02 19:02:49 +02:00
|
|
|
if (!cgroup_apply_io_device_limit(u, b->path, limits))
|
2016-05-19 02:35:12 +02:00
|
|
|
cgroup_context_free_blockio_device_bandwidth(c, b);
|
|
|
|
|
}
|
2016-05-05 22:42:55 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2017-09-05 19:27:53 +02:00
|
|
|
if (apply_mask & CGROUP_MASK_BLKIO) {
|
2016-05-19 02:35:12 +02:00
|
|
|
bool has_io = cgroup_context_has_io_config(c);
|
|
|
|
|
bool has_blockio = cgroup_context_has_blockio_config(c);
|
2013-06-27 04:14:27 +02:00
|
|
|
|
2014-02-24 03:38:24 +01:00
|
|
|
if (!is_root) {
|
2016-05-18 22:51:46 +02:00
|
|
|
char buf[DECIMAL_STR_MAX(uint64_t)+1];
|
|
|
|
|
uint64_t weight;
|
|
|
|
|
|
2016-10-15 03:07:16 +02:00
|
|
|
if (has_io) {
|
2016-06-02 19:02:53 +02:00
|
|
|
uint64_t io_weight = cgroup_context_io_weight(c, state);
|
|
|
|
|
|
2016-05-19 02:35:12 +02:00
|
|
|
weight = cgroup_weight_io_to_blkio(cgroup_context_io_weight(c, state));
|
2016-06-02 19:02:53 +02:00
|
|
|
|
|
|
|
|
log_cgroup_compat(u, "Applying [Startup]IOWeight %" PRIu64 " as [Startup]BlockIOWeight %" PRIu64,
|
|
|
|
|
io_weight, weight);
|
2016-10-15 03:07:16 +02:00
|
|
|
} else if (has_blockio)
|
|
|
|
|
weight = cgroup_context_blkio_weight(c, state);
|
|
|
|
|
else
|
2016-05-19 02:35:12 +02:00
|
|
|
weight = CGROUP_BLKIO_WEIGHT_DEFAULT;
|
2016-05-18 22:51:46 +02:00
|
|
|
|
|
|
|
|
xsprintf(buf, "%" PRIu64 "\n", weight);
|
2014-02-24 03:38:24 +01:00
|
|
|
r = cg_set_attribute("blkio", path, "blkio.weight", buf);
|
2014-08-15 18:14:37 +02:00
|
|
|
if (r < 0)
|
2016-06-02 19:02:49 +02:00
|
|
|
log_unit_full(u, IN_SET(r, -ENOENT, -EROFS, -EACCES) ? LOG_DEBUG : LOG_WARNING, r,
|
|
|
|
|
"Failed to set blkio.weight: %m");
|
2013-06-27 04:14:27 +02:00
|
|
|
|
2016-10-15 03:07:16 +02:00
|
|
|
if (has_io) {
|
2016-05-19 02:35:12 +02:00
|
|
|
CGroupIODeviceWeight *w;
|
|
|
|
|
|
|
|
|
|
/* FIXME: no way to reset this list */
|
2016-06-02 19:02:53 +02:00
|
|
|
LIST_FOREACH(device_weights, w, c->io_device_weights) {
|
|
|
|
|
weight = cgroup_weight_io_to_blkio(w->weight);
|
|
|
|
|
|
|
|
|
|
log_cgroup_compat(u, "Applying IODeviceWeight %" PRIu64 " as BlockIODeviceWeight %" PRIu64 " for %s",
|
|
|
|
|
w->weight, weight, w->path);
|
|
|
|
|
|
|
|
|
|
cgroup_apply_blkio_device_weight(u, w->path, weight);
|
|
|
|
|
}
|
2016-10-15 03:07:16 +02:00
|
|
|
} else if (has_blockio) {
|
|
|
|
|
CGroupBlockIODeviceWeight *w;
|
|
|
|
|
|
|
|
|
|
/* FIXME: no way to reset this list */
|
|
|
|
|
LIST_FOREACH(device_weights, w, c->blockio_device_weights)
|
|
|
|
|
cgroup_apply_blkio_device_weight(u, w->path, w->weight);
|
2016-05-19 02:35:12 +02:00
|
|
|
}
|
2013-06-27 04:14:27 +02:00
|
|
|
}
|
|
|
|
|
|
2016-05-18 22:51:46 +02:00
|
|
|
/* Apply limits and free ones without config. */
|
2016-10-15 03:07:16 +02:00
|
|
|
if (has_io) {
|
2016-05-19 02:35:12 +02:00
|
|
|
CGroupIODeviceLimit *l, *next;
|
|
|
|
|
|
|
|
|
|
LIST_FOREACH_SAFE(device_limits, l, next, c->io_device_limits) {
|
2016-06-02 19:02:53 +02:00
|
|
|
log_cgroup_compat(u, "Applying IO{Read|Write}Bandwidth %" PRIu64 " %" PRIu64 " as BlockIO{Read|Write}BandwidthMax for %s",
|
|
|
|
|
l->limits[CGROUP_IO_RBPS_MAX], l->limits[CGROUP_IO_WBPS_MAX], l->path);
|
|
|
|
|
|
2016-06-02 19:02:49 +02:00
|
|
|
if (!cgroup_apply_blkio_device_limit(u, l->path, l->limits[CGROUP_IO_RBPS_MAX], l->limits[CGROUP_IO_WBPS_MAX]))
|
2016-05-19 02:35:12 +02:00
|
|
|
cgroup_context_free_io_device_limit(c, l);
|
|
|
|
|
}
|
2016-10-15 03:07:16 +02:00
|
|
|
} else if (has_blockio) {
|
|
|
|
|
CGroupBlockIODeviceBandwidth *b, *next;
|
|
|
|
|
|
|
|
|
|
LIST_FOREACH_SAFE(device_bandwidths, b, next, c->blockio_device_bandwidths)
|
|
|
|
|
if (!cgroup_apply_blkio_device_limit(u, b->path, b->rbps, b->wbps))
|
|
|
|
|
cgroup_context_free_blockio_device_bandwidth(c, b);
|
2010-11-17 21:27:53 +01:00
|
|
|
}
|
2010-03-31 16:29:55 +02:00
|
|
|
}
|
|
|
|
|
|
2017-09-05 19:27:53 +02:00
|
|
|
if ((apply_mask & CGROUP_MASK_MEMORY) && !is_root) {
|
2017-02-24 17:52:58 +01:00
|
|
|
if (cg_all_unified() > 0) {
|
|
|
|
|
uint64_t max, swap_max = CGROUP_LIMIT_MAX;
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
|
2016-07-04 09:03:54 +02:00
|
|
|
if (cgroup_context_has_unified_memory_config(c)) {
|
2016-05-27 18:10:18 +02:00
|
|
|
max = c->memory_max;
|
2016-07-04 09:03:54 +02:00
|
|
|
swap_max = c->memory_swap_max;
|
|
|
|
|
} else {
|
2016-05-27 18:10:18 +02:00
|
|
|
max = c->memory_limit;
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
|
2016-06-02 19:02:53 +02:00
|
|
|
if (max != CGROUP_LIMIT_MAX)
|
|
|
|
|
log_cgroup_compat(u, "Applying MemoryLimit %" PRIu64 " as MemoryMax", max);
|
|
|
|
|
}
|
|
|
|
|
|
2016-06-02 19:02:49 +02:00
|
|
|
cgroup_apply_unified_memory_limit(u, "memory.low", c->memory_low);
|
|
|
|
|
cgroup_apply_unified_memory_limit(u, "memory.high", c->memory_high);
|
|
|
|
|
cgroup_apply_unified_memory_limit(u, "memory.max", max);
|
2016-07-04 09:03:54 +02:00
|
|
|
cgroup_apply_unified_memory_limit(u, "memory.swap.max", swap_max);
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
} else {
|
2016-05-27 18:10:18 +02:00
|
|
|
char buf[DECIMAL_STR_MAX(uint64_t) + 1];
|
2016-10-15 03:07:16 +02:00
|
|
|
uint64_t val;
|
2016-05-27 18:10:18 +02:00
|
|
|
|
2016-10-15 03:07:16 +02:00
|
|
|
if (cgroup_context_has_unified_memory_config(c)) {
|
cgroup: fix memory cgroup limit regression on kernel 3.10 (#3673)
Commit da4d897e ("core: add cgroup memory controller support on the unified
hierarchy (#3315)") changed the code in src/core/cgroup.c to always write
the real numeric value from the cgroup parameters to the
"memory.limit_in_bytes" attribute file.
For parameters set to CGROUP_LIMIT_MAX, this results in the string
"18446744073709551615" being written into that file, which is UINT64_MAX.
Before that commit, CGROUP_LIMIT_MAX was special-cased to the string "-1".
This causes a regression on CentOS 7, which is based on kernel 3.10, as the
value is interpreted as *signed* 64 bit, and clamped to 0:
[root@n54 ~]# echo 18446744073709551615 >/sys/fs/cgroup/memory/user.slice/memory.limit_in_bytes
[root@n54 ~]# cat /sys/fs/cgroup/memory/user.slice/memory.limit_in_bytes
0
[root@n54 ~]# echo -1 >/sys/fs/cgroup/memory/user.slice/memory.limit_in_bytes
[root@n54 ~]# cat /sys/fs/cgroup/memory/user.slice/memory.limit_in_bytes
9223372036854775807
Hence, all units that are subject to the limits enforced by the memory
controller will crash immediately, even though they have no actual limit
set. This happens to for the user.slice, for instance:
[ 453.577153] Hardware name: SeaMicro SM15000-64-CC-AA-1Ox1/AMD Server CRB, BIOS Estoc.3.72.19.0018 08/19/2014
[ 453.587024] ffff880810c56780 00000000aae9501f ffff880813d7fcd0 ffffffff816360fc
[ 453.594544] ffff880813d7fd60 ffffffff8163109c ffff88080ffc5000 ffff880813d7fd28
[ 453.602120] ffffffff00000202 fffeefff00000000 0000000000000001 ffff880810c56c03
[ 453.609680] Call Trace:
[ 453.612156] [<ffffffff816360fc>] dump_stack+0x19/0x1b
[ 453.617324] [<ffffffff8163109c>] dump_header+0x8e/0x214
[ 453.622671] [<ffffffff8116d20e>] oom_kill_process+0x24e/0x3b0
[ 453.628559] [<ffffffff81088dae>] ? has_capability_noaudit+0x1e/0x30
[ 453.634969] [<ffffffff811d4155>] mem_cgroup_oom_synchronize+0x575/0x5a0
[ 453.641721] [<ffffffff811d3520>] ? mem_cgroup_charge_common+0xc0/0xc0
[ 453.648299] [<ffffffff8116da84>] pagefault_out_of_memory+0x14/0x90
[ 453.654621] [<ffffffff8162f4cc>] mm_fault_error+0x68/0x12b
[ 453.660233] [<ffffffff81642012>] __do_page_fault+0x3e2/0x450
[ 453.666017] [<ffffffff816420a3>] do_page_fault+0x23/0x80
[ 453.671467] [<ffffffff8163e308>] page_fault+0x28/0x30
[ 453.676656] Task in /user.slice/user-0.slice/user@0.service killed as a result of limit of /user.slice/user-0.slice/user@0.service
[ 453.688477] memory: usage 0kB, limit 0kB, failcnt 7
[ 453.693391] memory+swap: usage 0kB, limit 9007199254740991kB, failcnt 0
[ 453.700039] kmem: usage 0kB, limit 9007199254740991kB, failcnt 0
[ 453.706076] Memory cgroup stats for /user.slice/user-0.slice/user@0.service: cache:0KB rss:0KB rss_huge:0KB mapped_file:0KB swap:0KB inactive_anon:0KB active_anon:0KB inactive_file:0KB active_file:0KB unevictable:0KB
[ 453.725702] [ pid ] uid tgid total_vm rss nr_ptes swapents oom_score_adj name
[ 453.733614] [ 2837] 0 2837 11950 899 23 0 0 (systemd)
[ 453.741919] Memory cgroup out of memory: Kill process 2837 ((systemd)) score 1 or sacrifice child
[ 453.750831] Killed process 2837 ((systemd)) total-vm:47800kB, anon-rss:3188kB, file-rss:408kB
Fix this issue by special-casing the UINT64_MAX case again.
2016-07-08 04:29:35 +02:00
|
|
|
val = c->memory_max;
|
2016-10-15 03:07:16 +02:00
|
|
|
log_cgroup_compat(u, "Applying MemoryMax %" PRIi64 " as MemoryLimit", val);
|
|
|
|
|
} else
|
|
|
|
|
val = c->memory_limit;
|
2016-06-02 19:02:53 +02:00
|
|
|
|
cgroup: fix memory cgroup limit regression on kernel 3.10 (#3673)
Commit da4d897e ("core: add cgroup memory controller support on the unified
hierarchy (#3315)") changed the code in src/core/cgroup.c to always write
the real numeric value from the cgroup parameters to the
"memory.limit_in_bytes" attribute file.
For parameters set to CGROUP_LIMIT_MAX, this results in the string
"18446744073709551615" being written into that file, which is UINT64_MAX.
Before that commit, CGROUP_LIMIT_MAX was special-cased to the string "-1".
This causes a regression on CentOS 7, which is based on kernel 3.10, as the
value is interpreted as *signed* 64 bit, and clamped to 0:
[root@n54 ~]# echo 18446744073709551615 >/sys/fs/cgroup/memory/user.slice/memory.limit_in_bytes
[root@n54 ~]# cat /sys/fs/cgroup/memory/user.slice/memory.limit_in_bytes
0
[root@n54 ~]# echo -1 >/sys/fs/cgroup/memory/user.slice/memory.limit_in_bytes
[root@n54 ~]# cat /sys/fs/cgroup/memory/user.slice/memory.limit_in_bytes
9223372036854775807
Hence, all units that are subject to the limits enforced by the memory
controller will crash immediately, even though they have no actual limit
set. This happens to for the user.slice, for instance:
[ 453.577153] Hardware name: SeaMicro SM15000-64-CC-AA-1Ox1/AMD Server CRB, BIOS Estoc.3.72.19.0018 08/19/2014
[ 453.587024] ffff880810c56780 00000000aae9501f ffff880813d7fcd0 ffffffff816360fc
[ 453.594544] ffff880813d7fd60 ffffffff8163109c ffff88080ffc5000 ffff880813d7fd28
[ 453.602120] ffffffff00000202 fffeefff00000000 0000000000000001 ffff880810c56c03
[ 453.609680] Call Trace:
[ 453.612156] [<ffffffff816360fc>] dump_stack+0x19/0x1b
[ 453.617324] [<ffffffff8163109c>] dump_header+0x8e/0x214
[ 453.622671] [<ffffffff8116d20e>] oom_kill_process+0x24e/0x3b0
[ 453.628559] [<ffffffff81088dae>] ? has_capability_noaudit+0x1e/0x30
[ 453.634969] [<ffffffff811d4155>] mem_cgroup_oom_synchronize+0x575/0x5a0
[ 453.641721] [<ffffffff811d3520>] ? mem_cgroup_charge_common+0xc0/0xc0
[ 453.648299] [<ffffffff8116da84>] pagefault_out_of_memory+0x14/0x90
[ 453.654621] [<ffffffff8162f4cc>] mm_fault_error+0x68/0x12b
[ 453.660233] [<ffffffff81642012>] __do_page_fault+0x3e2/0x450
[ 453.666017] [<ffffffff816420a3>] do_page_fault+0x23/0x80
[ 453.671467] [<ffffffff8163e308>] page_fault+0x28/0x30
[ 453.676656] Task in /user.slice/user-0.slice/user@0.service killed as a result of limit of /user.slice/user-0.slice/user@0.service
[ 453.688477] memory: usage 0kB, limit 0kB, failcnt 7
[ 453.693391] memory+swap: usage 0kB, limit 9007199254740991kB, failcnt 0
[ 453.700039] kmem: usage 0kB, limit 9007199254740991kB, failcnt 0
[ 453.706076] Memory cgroup stats for /user.slice/user-0.slice/user@0.service: cache:0KB rss:0KB rss_huge:0KB mapped_file:0KB swap:0KB inactive_anon:0KB active_anon:0KB inactive_file:0KB active_file:0KB unevictable:0KB
[ 453.725702] [ pid ] uid tgid total_vm rss nr_ptes swapents oom_score_adj name
[ 453.733614] [ 2837] 0 2837 11950 899 23 0 0 (systemd)
[ 453.741919] Memory cgroup out of memory: Kill process 2837 ((systemd)) score 1 or sacrifice child
[ 453.750831] Killed process 2837 ((systemd)) total-vm:47800kB, anon-rss:3188kB, file-rss:408kB
Fix this issue by special-casing the UINT64_MAX case again.
2016-07-08 04:29:35 +02:00
|
|
|
if (val == CGROUP_LIMIT_MAX)
|
|
|
|
|
strncpy(buf, "-1\n", sizeof(buf));
|
|
|
|
|
else
|
|
|
|
|
xsprintf(buf, "%" PRIu64 "\n", val);
|
|
|
|
|
|
2016-05-27 18:10:18 +02:00
|
|
|
r = cg_set_attribute("memory", path, "memory.limit_in_bytes", buf);
|
|
|
|
|
if (r < 0)
|
2016-06-02 19:02:49 +02:00
|
|
|
log_unit_full(u, IN_SET(r, -ENOENT, -EROFS, -EACCES) ? LOG_DEBUG : LOG_WARNING, r,
|
|
|
|
|
"Failed to set memory.limit_in_bytes: %m");
|
2016-05-27 18:10:18 +02:00
|
|
|
}
|
2013-06-27 04:14:27 +02:00
|
|
|
}
|
2010-03-31 16:29:55 +02:00
|
|
|
|
2017-09-05 19:27:53 +02:00
|
|
|
if ((apply_mask & CGROUP_MASK_DEVICES) && !is_root) {
|
2013-06-27 04:14:27 +02:00
|
|
|
CGroupDeviceAllow *a;
|
2010-03-31 16:29:55 +02:00
|
|
|
|
2014-12-30 01:56:42 +01:00
|
|
|
/* Changing the devices list of a populated cgroup
|
|
|
|
|
* might result in EINVAL, hence ignore EINVAL
|
|
|
|
|
* here. */
|
|
|
|
|
|
2013-06-27 04:14:27 +02:00
|
|
|
if (c->device_allow || c->device_policy != CGROUP_AUTO)
|
|
|
|
|
r = cg_set_attribute("devices", path, "devices.deny", "a");
|
|
|
|
|
else
|
|
|
|
|
r = cg_set_attribute("devices", path, "devices.allow", "a");
|
2014-08-15 18:14:37 +02:00
|
|
|
if (r < 0)
|
2016-06-02 19:02:49 +02:00
|
|
|
log_unit_full(u, IN_SET(r, -ENOENT, -EROFS, -EINVAL, -EACCES) ? LOG_DEBUG : LOG_WARNING, r,
|
|
|
|
|
"Failed to reset devices.list: %m");
|
2010-07-10 17:34:42 +02:00
|
|
|
|
2013-06-27 04:14:27 +02:00
|
|
|
if (c->device_policy == CGROUP_CLOSED ||
|
|
|
|
|
(c->device_policy == CGROUP_AUTO && c->device_allow)) {
|
|
|
|
|
static const char auto_devices[] =
|
2014-03-19 22:00:43 +01:00
|
|
|
"/dev/null\0" "rwm\0"
|
|
|
|
|
"/dev/zero\0" "rwm\0"
|
|
|
|
|
"/dev/full\0" "rwm\0"
|
|
|
|
|
"/dev/random\0" "rwm\0"
|
|
|
|
|
"/dev/urandom\0" "rwm\0"
|
|
|
|
|
"/dev/tty\0" "rwm\0"
|
2018-01-18 13:07:31 +01:00
|
|
|
"/dev/ptmx\0" "rwm\0"
|
2016-07-22 12:00:49 +02:00
|
|
|
/* Allow /run/systemd/inaccessible/{chr,blk} devices for mapping InaccessiblePaths */
|
2016-11-29 20:16:55 +01:00
|
|
|
"-/run/systemd/inaccessible/chr\0" "rwm\0"
|
|
|
|
|
"-/run/systemd/inaccessible/blk\0" "rwm\0";
|
2013-06-27 04:14:27 +02:00
|
|
|
|
|
|
|
|
const char *x, *y;
|
|
|
|
|
|
|
|
|
|
NULSTR_FOREACH_PAIR(x, y, auto_devices)
|
|
|
|
|
whitelist_device(path, x, y);
|
2014-03-19 22:00:43 +01:00
|
|
|
|
2018-01-18 13:07:31 +01:00
|
|
|
/* PTS (/dev/pts) devices may not be duplicated, but accessed */
|
2014-03-19 22:00:43 +01:00
|
|
|
whitelist_major(path, "pts", 'c', "rw");
|
2013-06-27 04:14:27 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
LIST_FOREACH(device_allow, a, c->device_allow) {
|
2016-10-22 22:11:41 +02:00
|
|
|
char acc[4], *val;
|
2013-06-27 04:14:27 +02:00
|
|
|
unsigned k = 0;
|
|
|
|
|
|
|
|
|
|
if (a->r)
|
|
|
|
|
acc[k++] = 'r';
|
|
|
|
|
if (a->w)
|
|
|
|
|
acc[k++] = 'w';
|
|
|
|
|
if (a->m)
|
|
|
|
|
acc[k++] = 'm';
|
2010-07-10 17:34:42 +02:00
|
|
|
|
2013-06-27 04:14:27 +02:00
|
|
|
if (k == 0)
|
|
|
|
|
continue;
|
2010-07-10 17:34:42 +02:00
|
|
|
|
2013-06-27 04:14:27 +02:00
|
|
|
acc[k++] = 0;
|
2014-02-22 02:47:29 +01:00
|
|
|
|
2017-08-09 19:03:39 +02:00
|
|
|
if (path_startswith(a->path, "/dev/"))
|
2014-02-22 02:47:29 +01:00
|
|
|
whitelist_device(path, a->path, acc);
|
2016-10-22 22:11:41 +02:00
|
|
|
else if ((val = startswith(a->path, "block-")))
|
|
|
|
|
whitelist_major(path, val, 'b', acc);
|
|
|
|
|
else if ((val = startswith(a->path, "char-")))
|
|
|
|
|
whitelist_major(path, val, 'c', acc);
|
2014-02-22 02:47:29 +01:00
|
|
|
else
|
2016-06-02 19:02:49 +02:00
|
|
|
log_unit_debug(u, "Ignoring device %s while writing cgroup attribute.", a->path);
|
2013-06-27 04:14:27 +02:00
|
|
|
}
|
|
|
|
|
}
|
2015-09-10 12:32:16 +02:00
|
|
|
|
2018-01-17 18:50:27 +01:00
|
|
|
if (apply_mask & CGROUP_MASK_PIDS) {
|
|
|
|
|
|
|
|
|
|
if (is_root) {
|
|
|
|
|
/* So, the "pids" controller does not expose anything on the root cgroup, in order not to
|
|
|
|
|
* replicate knobs exposed elsewhere needlessly. We abstract this away here however, and when
|
|
|
|
|
* the knobs of the root cgroup are modified propagate this to the relevant sysctls. There's a
|
|
|
|
|
* non-obvious asymmetry however: unlike the cgroup properties we don't really want to take
|
|
|
|
|
* exclusive ownership of the sysctls, but we still want to honour things if the user sets
|
|
|
|
|
* limits. Hence we employ sort of a one-way strategy: when the user sets a bounded limit
|
|
|
|
|
* through us it counts. When the user afterwards unsets it again (i.e. sets it to unbounded)
|
|
|
|
|
* it also counts. But if the user never set a limit through us (i.e. we are the default of
|
|
|
|
|
* "unbounded") we leave things unmodified. For this we manage a global boolean that we turn on
|
|
|
|
|
* the first time we set a limit. Note that this boolean is flushed out on manager reload,
|
|
|
|
|
* which is desirable so that there's an offical way to release control of the sysctl from
|
|
|
|
|
* systemd: set the limit to unbounded and reload. */
|
|
|
|
|
|
|
|
|
|
if (c->tasks_max != CGROUP_LIMIT_MAX) {
|
|
|
|
|
u->manager->sysctl_pid_max_changed = true;
|
|
|
|
|
r = procfs_tasks_set_limit(c->tasks_max);
|
|
|
|
|
} else if (u->manager->sysctl_pid_max_changed)
|
|
|
|
|
r = procfs_tasks_set_limit(TASKS_MAX);
|
|
|
|
|
else
|
|
|
|
|
r = 0;
|
2015-09-10 12:32:16 +02:00
|
|
|
|
2018-01-17 18:50:27 +01:00
|
|
|
if (r < 0)
|
|
|
|
|
log_unit_full(u, IN_SET(r, -ENOENT, -EROFS, -EACCES) ? LOG_DEBUG : LOG_WARNING, r,
|
|
|
|
|
"Failed to write to tasks limit sysctls: %m");
|
2015-09-10 12:32:16 +02:00
|
|
|
|
2018-01-17 18:50:27 +01:00
|
|
|
} else {
|
|
|
|
|
if (c->tasks_max != CGROUP_LIMIT_MAX) {
|
|
|
|
|
char buf[DECIMAL_STR_MAX(uint64_t) + 2];
|
2015-09-10 12:32:16 +02:00
|
|
|
|
2018-01-17 18:50:27 +01:00
|
|
|
sprintf(buf, "%" PRIu64 "\n", c->tasks_max);
|
|
|
|
|
r = cg_set_attribute("pids", path, "pids.max", buf);
|
|
|
|
|
} else
|
|
|
|
|
r = cg_set_attribute("pids", path, "pids.max", "max");
|
|
|
|
|
if (r < 0)
|
|
|
|
|
log_unit_full(u, IN_SET(r, -ENOENT, -EROFS, -EACCES) ? LOG_DEBUG : LOG_WARNING, r,
|
|
|
|
|
"Failed to set pids.max: %m");
|
|
|
|
|
}
|
2015-09-10 12:32:16 +02:00
|
|
|
}
|
2017-09-05 19:27:53 +02:00
|
|
|
|
|
|
|
|
if (apply_bpf)
|
2017-11-24 19:37:01 +01:00
|
|
|
cgroup_apply_firewall(u);
|
2010-07-10 17:34:42 +02:00
|
|
|
}
|
|
|
|
|
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
CGroupMask cgroup_context_get_mask(CGroupContext *c) {
|
|
|
|
|
CGroupMask mask = 0;
|
2010-03-31 16:29:55 +02:00
|
|
|
|
2013-06-27 04:14:27 +02:00
|
|
|
/* Figure out which controllers we need */
|
2010-03-31 16:29:55 +02:00
|
|
|
|
2014-04-25 13:27:25 +02:00
|
|
|
if (c->cpu_accounting ||
|
2016-08-07 15:45:39 +02:00
|
|
|
cgroup_context_has_cpu_weight(c) ||
|
|
|
|
|
cgroup_context_has_cpu_shares(c) ||
|
2014-07-29 12:23:31 +02:00
|
|
|
c->cpu_quota_per_sec_usec != USEC_INFINITY)
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
mask |= CGROUP_MASK_CPUACCT | CGROUP_MASK_CPU;
|
2012-04-13 23:24:47 +02:00
|
|
|
|
2016-05-19 02:35:12 +02:00
|
|
|
if (cgroup_context_has_io_config(c) || cgroup_context_has_blockio_config(c))
|
|
|
|
|
mask |= CGROUP_MASK_IO | CGROUP_MASK_BLKIO;
|
2012-04-13 23:24:47 +02:00
|
|
|
|
2013-06-27 04:14:27 +02:00
|
|
|
if (c->memory_accounting ||
|
2016-05-27 18:10:18 +02:00
|
|
|
c->memory_limit != CGROUP_LIMIT_MAX ||
|
|
|
|
|
cgroup_context_has_unified_memory_config(c))
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
mask |= CGROUP_MASK_MEMORY;
|
2010-03-31 16:29:55 +02:00
|
|
|
|
2014-11-05 17:57:23 +01:00
|
|
|
if (c->device_allow ||
|
|
|
|
|
c->device_policy != CGROUP_AUTO)
|
2015-09-08 18:15:50 +02:00
|
|
|
mask |= CGROUP_MASK_DEVICES;
|
2013-06-27 04:14:27 +02:00
|
|
|
|
2015-09-10 12:32:16 +02:00
|
|
|
if (c->tasks_accounting ||
|
2018-01-17 15:39:16 +01:00
|
|
|
c->tasks_max != CGROUP_LIMIT_MAX)
|
2015-09-10 12:32:16 +02:00
|
|
|
mask |= CGROUP_MASK_PIDS;
|
|
|
|
|
|
2013-06-27 04:14:27 +02:00
|
|
|
return mask;
|
2010-03-31 16:29:55 +02:00
|
|
|
}
|
|
|
|
|
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
CGroupMask unit_get_own_mask(Unit *u) {
|
2013-06-27 04:14:27 +02:00
|
|
|
CGroupContext *c;
|
2010-03-31 16:29:55 +02:00
|
|
|
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
/* Returns the mask of controllers the unit needs for itself */
|
|
|
|
|
|
2013-06-27 04:14:27 +02:00
|
|
|
c = unit_get_cgroup_context(u);
|
|
|
|
|
if (!c)
|
|
|
|
|
return 0;
|
2010-03-31 16:29:55 +02:00
|
|
|
|
2017-11-17 19:25:18 +01:00
|
|
|
return cgroup_context_get_mask(c) | unit_get_delegate_mask(u);
|
2017-11-09 15:29:34 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
CGroupMask unit_get_delegate_mask(Unit *u) {
|
|
|
|
|
CGroupContext *c;
|
|
|
|
|
|
|
|
|
|
/* If delegation is turned on, then turn on selected controllers, unless we are on the legacy hierarchy and the
|
|
|
|
|
* process we fork into is known to drop privileges, and hence shouldn't get access to the controllers.
|
2015-09-04 09:23:07 +02:00
|
|
|
*
|
2017-11-09 15:29:34 +01:00
|
|
|
* Note that on the unified hierarchy it is safe to delegate controllers to unprivileged services. */
|
2014-11-05 17:57:23 +01:00
|
|
|
|
2018-02-06 11:57:35 +01:00
|
|
|
if (!unit_cgroup_delegate(u))
|
2017-11-09 15:29:34 +01:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
if (cg_all_unified() <= 0) {
|
2014-11-05 17:57:23 +01:00
|
|
|
ExecContext *e;
|
|
|
|
|
|
|
|
|
|
e = unit_get_exec_context(u);
|
2017-11-09 15:29:34 +01:00
|
|
|
if (e && !exec_context_maintains_privileges(e))
|
|
|
|
|
return 0;
|
2014-11-05 17:57:23 +01:00
|
|
|
}
|
|
|
|
|
|
2018-02-06 11:57:35 +01:00
|
|
|
assert_se(c = unit_get_cgroup_context(u));
|
2017-11-09 15:29:34 +01:00
|
|
|
return c->delegate_controllers;
|
2010-03-31 16:29:55 +02:00
|
|
|
}
|
|
|
|
|
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
CGroupMask unit_get_members_mask(Unit *u) {
|
2013-06-27 04:14:27 +02:00
|
|
|
assert(u);
|
2014-02-14 19:11:07 +01:00
|
|
|
|
2017-11-09 15:29:34 +01:00
|
|
|
/* Returns the mask of controllers all of the unit's children require, merged */
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
|
2014-02-14 19:11:07 +01:00
|
|
|
if (u->cgroup_members_mask_valid)
|
|
|
|
|
return u->cgroup_members_mask;
|
|
|
|
|
|
2017-11-17 19:25:18 +01:00
|
|
|
u->cgroup_members_mask = 0;
|
2014-02-14 19:11:07 +01:00
|
|
|
|
|
|
|
|
if (u->type == UNIT_SLICE) {
|
core: track why unit dependencies came to be
This replaces the dependencies Set* objects by Hashmap* objects, where
the key is the depending Unit, and the value is a bitmask encoding why
the specific dependency was created.
The bitmask contains a number of different, defined bits, that indicate
why dependencies exist, for example whether they are created due to
explicitly configured deps in files, by udev rules or implicitly.
Note that memory usage is not increased by this change, even though we
store more information, as we manage to encode the bit mask inside the
value pointer each Hashmap entry contains.
Why this all? When we know how a dependency came to be, we can update
dependencies correctly when a configuration source changes but others
are left unaltered. Specifically:
1. We can fix UDEV_WANTS dependency generation: so far we kept adding
dependencies configured that way, but if a device lost such a
dependency we couldn't them again as there was no scheme for removing
of dependencies in place.
2. We can implement "pin-pointed" reload of unit files. If we know what
dependencies were created as result of configuration in a unit file,
then we know what to flush out when we want to reload it.
3. It's useful for debugging: "systemd-analyze dump" now shows
this information, helping substantially with understanding how
systemd's dependency tree came to be the way it came to be.
2017-10-25 20:46:01 +02:00
|
|
|
void *v;
|
2014-02-14 19:11:07 +01:00
|
|
|
Unit *member;
|
|
|
|
|
Iterator i;
|
|
|
|
|
|
core: track why unit dependencies came to be
This replaces the dependencies Set* objects by Hashmap* objects, where
the key is the depending Unit, and the value is a bitmask encoding why
the specific dependency was created.
The bitmask contains a number of different, defined bits, that indicate
why dependencies exist, for example whether they are created due to
explicitly configured deps in files, by udev rules or implicitly.
Note that memory usage is not increased by this change, even though we
store more information, as we manage to encode the bit mask inside the
value pointer each Hashmap entry contains.
Why this all? When we know how a dependency came to be, we can update
dependencies correctly when a configuration source changes but others
are left unaltered. Specifically:
1. We can fix UDEV_WANTS dependency generation: so far we kept adding
dependencies configured that way, but if a device lost such a
dependency we couldn't them again as there was no scheme for removing
of dependencies in place.
2. We can implement "pin-pointed" reload of unit files. If we know what
dependencies were created as result of configuration in a unit file,
then we know what to flush out when we want to reload it.
3. It's useful for debugging: "systemd-analyze dump" now shows
this information, helping substantially with understanding how
systemd's dependency tree came to be the way it came to be.
2017-10-25 20:46:01 +02:00
|
|
|
HASHMAP_FOREACH_KEY(v, member, u->dependencies[UNIT_BEFORE], i) {
|
2014-02-14 19:11:07 +01:00
|
|
|
|
|
|
|
|
if (member == u)
|
|
|
|
|
continue;
|
|
|
|
|
|
2014-02-19 18:20:04 +01:00
|
|
|
if (UNIT_DEREF(member->slice) != u)
|
2014-02-14 19:11:07 +01:00
|
|
|
continue;
|
|
|
|
|
|
2017-11-08 19:16:03 +01:00
|
|
|
u->cgroup_members_mask |= unit_get_subtree_mask(member); /* note that this calls ourselves again, for the children */
|
2014-02-14 19:11:07 +01:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
u->cgroup_members_mask_valid = true;
|
2013-11-11 10:03:31 +01:00
|
|
|
return u->cgroup_members_mask;
|
2013-01-12 04:24:12 +01:00
|
|
|
}
|
|
|
|
|
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
CGroupMask unit_get_siblings_mask(Unit *u) {
|
2013-06-27 04:14:27 +02:00
|
|
|
assert(u);
|
2013-01-12 04:24:12 +01:00
|
|
|
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
/* Returns the mask of controllers all of the unit's siblings
|
|
|
|
|
* require, i.e. the members mask of the unit's parent slice
|
|
|
|
|
* if there is one. */
|
|
|
|
|
|
2014-02-14 19:11:07 +01:00
|
|
|
if (UNIT_ISSET(u->slice))
|
2014-05-22 00:50:03 +02:00
|
|
|
return unit_get_members_mask(UNIT_DEREF(u->slice));
|
2013-06-27 04:14:27 +02:00
|
|
|
|
2017-11-17 19:25:18 +01:00
|
|
|
return unit_get_subtree_mask(u); /* we are the top-level slice */
|
2013-01-12 04:24:12 +01:00
|
|
|
}
|
|
|
|
|
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
CGroupMask unit_get_subtree_mask(Unit *u) {
|
|
|
|
|
|
|
|
|
|
/* Returns the mask of this subtree, meaning of the group
|
|
|
|
|
* itself and its children. */
|
|
|
|
|
|
|
|
|
|
return unit_get_own_mask(u) | unit_get_members_mask(u);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
CGroupMask unit_get_target_mask(Unit *u) {
|
|
|
|
|
CGroupMask mask;
|
|
|
|
|
|
|
|
|
|
/* This returns the cgroup mask of all controllers to enable
|
|
|
|
|
* for a specific cgroup, i.e. everything it needs itself,
|
|
|
|
|
* plus all that its children need, plus all that its siblings
|
|
|
|
|
* need. This is primarily useful on the legacy cgroup
|
|
|
|
|
* hierarchy, where we need to duplicate each cgroup in each
|
|
|
|
|
* hierarchy that shall be enabled for it. */
|
2013-11-11 10:03:31 +01:00
|
|
|
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
mask = unit_get_own_mask(u) | unit_get_members_mask(u) | unit_get_siblings_mask(u);
|
|
|
|
|
mask &= u->manager->cgroup_supported;
|
|
|
|
|
|
|
|
|
|
return mask;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
CGroupMask unit_get_enable_mask(Unit *u) {
|
|
|
|
|
CGroupMask mask;
|
|
|
|
|
|
|
|
|
|
/* This returns the cgroup mask of all controllers to enable
|
|
|
|
|
* for the children of a specific cgroup. This is primarily
|
|
|
|
|
* useful for the unified cgroup hierarchy, where each cgroup
|
|
|
|
|
* controls which controllers are enabled for its children. */
|
|
|
|
|
|
|
|
|
|
mask = unit_get_members_mask(u);
|
2013-11-11 10:03:31 +01:00
|
|
|
mask &= u->manager->cgroup_supported;
|
|
|
|
|
|
|
|
|
|
return mask;
|
|
|
|
|
}
|
|
|
|
|
|
2017-09-05 19:27:53 +02:00
|
|
|
bool unit_get_needs_bpf(Unit *u) {
|
|
|
|
|
CGroupContext *c;
|
|
|
|
|
Unit *p;
|
|
|
|
|
assert(u);
|
|
|
|
|
|
|
|
|
|
c = unit_get_cgroup_context(u);
|
|
|
|
|
if (!c)
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
if (c->ip_accounting ||
|
|
|
|
|
c->ip_address_allow ||
|
|
|
|
|
c->ip_address_deny)
|
|
|
|
|
return true;
|
|
|
|
|
|
|
|
|
|
/* If any parent slice has an IP access list defined, it applies too */
|
|
|
|
|
for (p = UNIT_DEREF(u->slice); p; p = UNIT_DEREF(p->slice)) {
|
|
|
|
|
c = unit_get_cgroup_context(p);
|
|
|
|
|
if (!c)
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
if (c->ip_address_allow ||
|
|
|
|
|
c->ip_address_deny)
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
2013-11-11 10:03:31 +01:00
|
|
|
/* Recurse from a unit up through its containing slices, propagating
|
|
|
|
|
* mask bits upward. A unit is also member of itself. */
|
2014-02-14 19:11:07 +01:00
|
|
|
void unit_update_cgroup_members_masks(Unit *u) {
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
CGroupMask m;
|
2014-02-14 19:11:07 +01:00
|
|
|
bool more;
|
|
|
|
|
|
|
|
|
|
assert(u);
|
|
|
|
|
|
|
|
|
|
/* Calculate subtree mask */
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
m = unit_get_subtree_mask(u);
|
2014-02-14 19:11:07 +01:00
|
|
|
|
|
|
|
|
/* See if anything changed from the previous invocation. If
|
|
|
|
|
* not, we're done. */
|
|
|
|
|
if (u->cgroup_subtree_mask_valid && m == u->cgroup_subtree_mask)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
more =
|
|
|
|
|
u->cgroup_subtree_mask_valid &&
|
|
|
|
|
((m & ~u->cgroup_subtree_mask) != 0) &&
|
|
|
|
|
((~m & u->cgroup_subtree_mask) == 0);
|
|
|
|
|
|
|
|
|
|
u->cgroup_subtree_mask = m;
|
|
|
|
|
u->cgroup_subtree_mask_valid = true;
|
|
|
|
|
|
2013-11-11 10:03:31 +01:00
|
|
|
if (UNIT_ISSET(u->slice)) {
|
|
|
|
|
Unit *s = UNIT_DEREF(u->slice);
|
2014-02-14 19:11:07 +01:00
|
|
|
|
|
|
|
|
if (more)
|
|
|
|
|
/* There's more set now than before. We
|
|
|
|
|
* propagate the new mask to the parent's mask
|
|
|
|
|
* (not caring if it actually was valid or
|
|
|
|
|
* not). */
|
|
|
|
|
|
|
|
|
|
s->cgroup_members_mask |= m;
|
|
|
|
|
|
|
|
|
|
else
|
|
|
|
|
/* There's less set now than before (or we
|
|
|
|
|
* don't know), we need to recalculate
|
|
|
|
|
* everything, so let's invalidate the
|
|
|
|
|
* parent's members mask */
|
|
|
|
|
|
|
|
|
|
s->cgroup_members_mask_valid = false;
|
|
|
|
|
|
|
|
|
|
/* And now make sure that this change also hits our
|
|
|
|
|
* grandparents */
|
|
|
|
|
unit_update_cgroup_members_masks(s);
|
2013-11-11 10:03:31 +01:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2018-02-07 22:52:52 +01:00
|
|
|
const char *unit_get_realized_cgroup_path(Unit *u, CGroupMask mask) {
|
2014-02-17 02:06:32 +01:00
|
|
|
|
2018-02-07 22:52:52 +01:00
|
|
|
/* Returns the realized cgroup path of the specified unit where all specified controllers are available. */
|
2014-02-17 02:06:32 +01:00
|
|
|
|
|
|
|
|
while (u) {
|
2018-02-07 22:52:52 +01:00
|
|
|
|
2014-02-17 02:06:32 +01:00
|
|
|
if (u->cgroup_path &&
|
|
|
|
|
u->cgroup_realized &&
|
|
|
|
|
(u->cgroup_realized_mask & mask) == mask)
|
|
|
|
|
return u->cgroup_path;
|
|
|
|
|
|
|
|
|
|
u = UNIT_DEREF(u->slice);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
2018-02-07 22:52:52 +01:00
|
|
|
static const char *migrate_callback(CGroupMask mask, void *userdata) {
|
|
|
|
|
return unit_get_realized_cgroup_path(userdata, mask);
|
|
|
|
|
}
|
|
|
|
|
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
char *unit_default_cgroup_path(Unit *u) {
|
|
|
|
|
_cleanup_free_ char *escaped = NULL, *slice = NULL;
|
|
|
|
|
int r;
|
|
|
|
|
|
|
|
|
|
assert(u);
|
|
|
|
|
|
|
|
|
|
if (unit_has_name(u, SPECIAL_ROOT_SLICE))
|
|
|
|
|
return strdup(u->manager->cgroup_root);
|
|
|
|
|
|
|
|
|
|
if (UNIT_ISSET(u->slice) && !unit_has_name(UNIT_DEREF(u->slice), SPECIAL_ROOT_SLICE)) {
|
|
|
|
|
r = cg_slice_to_path(UNIT_DEREF(u->slice)->id, &slice);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
escaped = cg_escape(u->id);
|
|
|
|
|
if (!escaped)
|
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
|
|
if (slice)
|
2016-10-23 17:43:27 +02:00
|
|
|
return strjoin(u->manager->cgroup_root, "/", slice, "/",
|
|
|
|
|
escaped);
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
else
|
2016-10-23 17:43:27 +02:00
|
|
|
return strjoin(u->manager->cgroup_root, "/", escaped);
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int unit_set_cgroup_path(Unit *u, const char *path) {
|
|
|
|
|
_cleanup_free_ char *p = NULL;
|
|
|
|
|
int r;
|
|
|
|
|
|
|
|
|
|
assert(u);
|
|
|
|
|
|
|
|
|
|
if (path) {
|
|
|
|
|
p = strdup(path);
|
|
|
|
|
if (!p)
|
|
|
|
|
return -ENOMEM;
|
|
|
|
|
} else
|
|
|
|
|
p = NULL;
|
|
|
|
|
|
|
|
|
|
if (streq_ptr(u->cgroup_path, p))
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
if (p) {
|
|
|
|
|
r = hashmap_put(u->manager->cgroup_unit, p, u);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return r;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
unit_release_cgroup(u);
|
|
|
|
|
|
2018-03-22 16:53:26 +01:00
|
|
|
u->cgroup_path = TAKE_PTR(p);
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int unit_watch_cgroup(Unit *u) {
|
2016-03-25 16:38:50 +01:00
|
|
|
_cleanup_free_ char *events = NULL;
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
int r;
|
|
|
|
|
|
|
|
|
|
assert(u);
|
|
|
|
|
|
|
|
|
|
if (!u->cgroup_path)
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
if (u->cgroup_inotify_wd >= 0)
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
/* Only applies to the unified hierarchy */
|
2017-02-24 18:00:04 +01:00
|
|
|
r = cg_unified_controller(SYSTEMD_CGROUP_CONTROLLER);
|
2017-02-24 17:52:58 +01:00
|
|
|
if (r < 0)
|
|
|
|
|
return log_error_errno(r, "Failed to determine whether the name=systemd hierarchy is unified: %m");
|
|
|
|
|
if (r == 0)
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
/* Don't watch the root slice, it's pointless. */
|
|
|
|
|
if (unit_has_name(u, SPECIAL_ROOT_SLICE))
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
r = hashmap_ensure_allocated(&u->manager->cgroup_inotify_wd_unit, &trivial_hash_ops);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return log_oom();
|
|
|
|
|
|
2016-03-25 16:38:50 +01:00
|
|
|
r = cg_get_path(SYSTEMD_CGROUP_CONTROLLER, u->cgroup_path, "cgroup.events", &events);
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
if (r < 0)
|
|
|
|
|
return log_oom();
|
|
|
|
|
|
2016-03-25 16:38:50 +01:00
|
|
|
u->cgroup_inotify_wd = inotify_add_watch(u->manager->cgroup_inotify_fd, events, IN_MODIFY);
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
if (u->cgroup_inotify_wd < 0) {
|
|
|
|
|
|
|
|
|
|
if (errno == ENOENT) /* If the directory is already
|
|
|
|
|
* gone we don't need to track
|
|
|
|
|
* it, so this is not an error */
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
return log_unit_error_errno(u, errno, "Failed to add inotify watch descriptor for control group %s: %m", u->cgroup_path);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
r = hashmap_put(u->manager->cgroup_inotify_wd_unit, INT_TO_PTR(u->cgroup_inotify_wd), u);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return log_unit_error_errno(u, r, "Failed to add inotify watch descriptor to hash map: %m");
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2017-11-24 22:02:22 +01:00
|
|
|
int unit_pick_cgroup_path(Unit *u) {
|
|
|
|
|
_cleanup_free_ char *path = NULL;
|
|
|
|
|
int r;
|
|
|
|
|
|
|
|
|
|
assert(u);
|
|
|
|
|
|
|
|
|
|
if (u->cgroup_path)
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
if (!UNIT_HAS_CGROUP_CONTEXT(u))
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
|
|
path = unit_default_cgroup_path(u);
|
|
|
|
|
if (!path)
|
|
|
|
|
return log_oom();
|
|
|
|
|
|
|
|
|
|
r = unit_set_cgroup_path(u, path);
|
|
|
|
|
if (r == -EEXIST)
|
|
|
|
|
return log_unit_error_errno(u, r, "Control group %s exists already.", path);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return log_unit_error_errno(u, r, "Failed to set unit's control group path to %s: %m", path);
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
static int unit_create_cgroup(
|
|
|
|
|
Unit *u,
|
|
|
|
|
CGroupMask target_mask,
|
2017-09-05 19:27:53 +02:00
|
|
|
CGroupMask enable_mask,
|
|
|
|
|
bool needs_bpf) {
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
|
2014-12-10 20:38:24 +01:00
|
|
|
CGroupContext *c;
|
2014-02-14 19:11:07 +01:00
|
|
|
int r;
|
2011-06-30 00:11:25 +02:00
|
|
|
|
2013-06-27 04:14:27 +02:00
|
|
|
assert(u);
|
2011-06-30 00:11:25 +02:00
|
|
|
|
2014-12-10 20:38:24 +01:00
|
|
|
c = unit_get_cgroup_context(u);
|
|
|
|
|
if (!c)
|
|
|
|
|
return 0;
|
|
|
|
|
|
2017-11-24 22:02:22 +01:00
|
|
|
/* Figure out our cgroup path */
|
|
|
|
|
r = unit_pick_cgroup_path(u);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return r;
|
2013-08-28 15:33:35 +02:00
|
|
|
|
2014-02-17 02:06:32 +01:00
|
|
|
/* First, create our own group */
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
r = cg_create_everywhere(u->manager->cgroup_supported, target_mask, u->cgroup_path);
|
2014-11-28 18:23:20 +01:00
|
|
|
if (r < 0)
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
return log_unit_error_errno(u, r, "Failed to create cgroup %s: %m", u->cgroup_path);
|
|
|
|
|
|
|
|
|
|
/* Start watching it */
|
|
|
|
|
(void) unit_watch_cgroup(u);
|
|
|
|
|
|
|
|
|
|
/* Enable all controllers we need */
|
|
|
|
|
r = cg_enable_everywhere(u->manager->cgroup_supported, enable_mask, u->cgroup_path);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
log_unit_warning_errno(u, r, "Failed to enable controllers on cgroup %s, ignoring: %m", u->cgroup_path);
|
2014-02-17 02:06:32 +01:00
|
|
|
|
|
|
|
|
/* Keep track that this is now realized */
|
2013-06-27 04:14:27 +02:00
|
|
|
u->cgroup_realized = true;
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
u->cgroup_realized_mask = target_mask;
|
2016-04-30 22:12:54 +02:00
|
|
|
u->cgroup_enabled_mask = enable_mask;
|
2017-09-05 19:27:53 +02:00
|
|
|
u->cgroup_bpf_state = needs_bpf ? UNIT_CGROUP_BPF_ON : UNIT_CGROUP_BPF_OFF;
|
2013-06-27 04:14:27 +02:00
|
|
|
|
2018-02-06 11:57:35 +01:00
|
|
|
if (u->type != UNIT_SLICE && !unit_cgroup_delegate(u)) {
|
2014-12-10 20:38:24 +01:00
|
|
|
|
|
|
|
|
/* Then, possibly move things over, but not if
|
|
|
|
|
* subgroups may contain processes, which is the case
|
|
|
|
|
* for slice and delegation units. */
|
|
|
|
|
r = cg_migrate_everywhere(u->manager->cgroup_supported, u->cgroup_path, u->cgroup_path, migrate_callback, u);
|
|
|
|
|
if (r < 0)
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
log_unit_warning_errno(u, r, "Failed to migrate cgroup from to %s, ignoring: %m", u->cgroup_path);
|
2014-12-10 20:38:24 +01:00
|
|
|
}
|
2014-02-17 02:06:32 +01:00
|
|
|
|
2011-06-30 00:11:25 +02:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2018-02-07 22:52:52 +01:00
|
|
|
static int unit_attach_pid_to_cgroup_via_bus(Unit *u, pid_t pid, const char *suffix_path) {
|
|
|
|
|
_cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
|
|
|
|
|
char *pp;
|
2014-12-10 22:06:44 +01:00
|
|
|
int r;
|
2018-02-07 22:52:52 +01:00
|
|
|
|
2014-12-10 22:06:44 +01:00
|
|
|
assert(u);
|
|
|
|
|
|
2018-02-07 22:52:52 +01:00
|
|
|
if (MANAGER_IS_SYSTEM(u->manager))
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
|
|
if (!u->manager->system_bus)
|
|
|
|
|
return -EIO;
|
|
|
|
|
|
|
|
|
|
if (!u->cgroup_path)
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
|
|
/* Determine this unit's cgroup path relative to our cgroup root */
|
|
|
|
|
pp = path_startswith(u->cgroup_path, u->manager->cgroup_root);
|
|
|
|
|
if (!pp)
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
|
|
pp = strjoina("/", pp, suffix_path);
|
|
|
|
|
path_kill_slashes(pp);
|
|
|
|
|
|
|
|
|
|
r = sd_bus_call_method(u->manager->system_bus,
|
|
|
|
|
"org.freedesktop.systemd1",
|
|
|
|
|
"/org/freedesktop/systemd1",
|
|
|
|
|
"org.freedesktop.systemd1.Manager",
|
|
|
|
|
"AttachProcessesToUnit",
|
|
|
|
|
&error, NULL,
|
|
|
|
|
"ssau",
|
|
|
|
|
NULL /* empty unit name means client's unit, i.e. us */, pp, 1, (uint32_t) pid);
|
2014-12-10 22:06:44 +01:00
|
|
|
if (r < 0)
|
2018-02-07 22:52:52 +01:00
|
|
|
return log_unit_debug_errno(u, r, "Failed to attach unit process " PID_FMT " via the bus: %s", pid, bus_error_message(&error, r));
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int unit_attach_pids_to_cgroup(Unit *u, Set *pids, const char *suffix_path) {
|
|
|
|
|
CGroupMask delegated_mask;
|
|
|
|
|
const char *p;
|
|
|
|
|
Iterator i;
|
|
|
|
|
void *pidp;
|
|
|
|
|
int r, q;
|
|
|
|
|
|
|
|
|
|
assert(u);
|
|
|
|
|
|
|
|
|
|
if (!UNIT_HAS_CGROUP_CONTEXT(u))
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
|
|
if (set_isempty(pids))
|
|
|
|
|
return 0;
|
2014-12-10 22:06:44 +01:00
|
|
|
|
2018-02-07 22:52:52 +01:00
|
|
|
r = unit_realize_cgroup(u);
|
2014-12-10 22:06:44 +01:00
|
|
|
if (r < 0)
|
|
|
|
|
return r;
|
|
|
|
|
|
2018-02-07 22:52:52 +01:00
|
|
|
if (isempty(suffix_path))
|
|
|
|
|
p = u->cgroup_path;
|
|
|
|
|
else
|
|
|
|
|
p = strjoina(u->cgroup_path, "/", suffix_path);
|
|
|
|
|
|
|
|
|
|
delegated_mask = unit_get_delegate_mask(u);
|
|
|
|
|
|
|
|
|
|
r = 0;
|
|
|
|
|
SET_FOREACH(pidp, pids, i) {
|
|
|
|
|
pid_t pid = PTR_TO_PID(pidp);
|
|
|
|
|
CGroupController c;
|
|
|
|
|
|
|
|
|
|
/* First, attach the PID to the main cgroup hierarchy */
|
|
|
|
|
q = cg_attach(SYSTEMD_CGROUP_CONTROLLER, p, pid);
|
|
|
|
|
if (q < 0) {
|
|
|
|
|
log_unit_debug_errno(u, q, "Couldn't move process " PID_FMT " to requested cgroup '%s': %m", pid, p);
|
|
|
|
|
|
|
|
|
|
if (MANAGER_IS_USER(u->manager) && IN_SET(q, -EPERM, -EACCES)) {
|
|
|
|
|
int z;
|
|
|
|
|
|
|
|
|
|
/* If we are in a user instance, and we can't move the process ourselves due to
|
|
|
|
|
* permission problems, let's ask the system instance about it instead. Since it's more
|
|
|
|
|
* privileged it might be able to move the process across the leaves of a subtree who's
|
|
|
|
|
* top node is not owned by us. */
|
|
|
|
|
|
|
|
|
|
z = unit_attach_pid_to_cgroup_via_bus(u, pid, suffix_path);
|
|
|
|
|
if (z < 0)
|
|
|
|
|
log_unit_debug_errno(u, z, "Couldn't move process " PID_FMT " to requested cgroup '%s' via the system bus either: %m", pid, p);
|
|
|
|
|
else
|
|
|
|
|
continue; /* When the bus thing worked via the bus we are fully done for this PID. */
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (r >= 0)
|
|
|
|
|
r = q; /* Remember first error */
|
|
|
|
|
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
q = cg_all_unified();
|
|
|
|
|
if (q < 0)
|
|
|
|
|
return q;
|
|
|
|
|
if (q > 0)
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
/* In the legacy hierarchy, attach the process to the request cgroup if possible, and if not to the
|
|
|
|
|
* innermost realized one */
|
|
|
|
|
|
|
|
|
|
for (c = 0; c < _CGROUP_CONTROLLER_MAX; c++) {
|
|
|
|
|
CGroupMask bit = CGROUP_CONTROLLER_TO_MASK(c);
|
|
|
|
|
const char *realized;
|
|
|
|
|
|
|
|
|
|
if (!(u->manager->cgroup_supported & bit))
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
/* If this controller is delegated and realized, honour the caller's request for the cgroup suffix. */
|
|
|
|
|
if (delegated_mask & u->cgroup_realized_mask & bit) {
|
|
|
|
|
q = cg_attach(cgroup_controller_to_string(c), p, pid);
|
|
|
|
|
if (q >= 0)
|
|
|
|
|
continue; /* Success! */
|
|
|
|
|
|
|
|
|
|
log_unit_debug_errno(u, q, "Failed to attach PID " PID_FMT " to requested cgroup %s in controller %s, falling back to unit's cgroup: %m",
|
|
|
|
|
pid, p, cgroup_controller_to_string(c));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* So this controller is either not delegate or realized, or something else weird happened. In
|
|
|
|
|
* that case let's attach the PID at least to the closest cgroup up the tree that is
|
|
|
|
|
* realized. */
|
|
|
|
|
realized = unit_get_realized_cgroup_path(u, bit);
|
|
|
|
|
if (!realized)
|
|
|
|
|
continue; /* Not even realized in the root slice? Then let's not bother */
|
|
|
|
|
|
|
|
|
|
q = cg_attach(cgroup_controller_to_string(c), realized, pid);
|
|
|
|
|
if (q < 0)
|
|
|
|
|
log_unit_debug_errno(u, q, "Failed to attach PID " PID_FMT " to realized cgroup %s in controller %s, ignoring: %m",
|
|
|
|
|
pid, realized, cgroup_controller_to_string(c));
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return r;
|
2014-12-10 22:06:44 +01:00
|
|
|
}
|
|
|
|
|
|
2016-08-30 23:18:46 +02:00
|
|
|
static void cgroup_xattr_apply(Unit *u) {
|
|
|
|
|
char ids[SD_ID128_STRING_MAX];
|
|
|
|
|
int r;
|
|
|
|
|
|
|
|
|
|
assert(u);
|
|
|
|
|
|
|
|
|
|
if (!MANAGER_IS_SYSTEM(u->manager))
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
if (sd_id128_is_null(u->invocation_id))
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
r = cg_set_xattr(SYSTEMD_CGROUP_CONTROLLER, u->cgroup_path,
|
|
|
|
|
"trusted.invocation_id",
|
|
|
|
|
sd_id128_to_string(u->invocation_id, ids), 32,
|
|
|
|
|
0);
|
|
|
|
|
if (r < 0)
|
2017-11-23 11:07:20 +01:00
|
|
|
log_unit_debug_errno(u, r, "Failed to set invocation ID on control group %s, ignoring: %m", u->cgroup_path);
|
2016-08-30 23:18:46 +02:00
|
|
|
}
|
|
|
|
|
|
2017-09-05 19:27:53 +02:00
|
|
|
static bool unit_has_mask_realized(
|
|
|
|
|
Unit *u,
|
|
|
|
|
CGroupMask target_mask,
|
|
|
|
|
CGroupMask enable_mask,
|
|
|
|
|
bool needs_bpf) {
|
|
|
|
|
|
2014-02-14 19:11:07 +01:00
|
|
|
assert(u);
|
|
|
|
|
|
2017-09-05 19:27:53 +02:00
|
|
|
return u->cgroup_realized &&
|
|
|
|
|
u->cgroup_realized_mask == target_mask &&
|
|
|
|
|
u->cgroup_enabled_mask == enable_mask &&
|
|
|
|
|
((needs_bpf && u->cgroup_bpf_state == UNIT_CGROUP_BPF_ON) ||
|
|
|
|
|
(!needs_bpf && u->cgroup_bpf_state == UNIT_CGROUP_BPF_OFF));
|
2013-11-11 10:03:31 +01:00
|
|
|
}
|
|
|
|
|
|
2017-11-24 19:48:38 +01:00
|
|
|
static void unit_add_to_cgroup_realize_queue(Unit *u) {
|
|
|
|
|
assert(u);
|
|
|
|
|
|
|
|
|
|
if (u->in_cgroup_realize_queue)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
LIST_PREPEND(cgroup_realize_queue, u->manager->cgroup_realize_queue, u);
|
|
|
|
|
u->in_cgroup_realize_queue = true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void unit_remove_from_cgroup_realize_queue(Unit *u) {
|
|
|
|
|
assert(u);
|
|
|
|
|
|
|
|
|
|
if (!u->in_cgroup_realize_queue)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
LIST_REMOVE(cgroup_realize_queue, u->manager->cgroup_realize_queue, u);
|
|
|
|
|
u->in_cgroup_realize_queue = false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2013-11-11 10:03:31 +01:00
|
|
|
/* Check if necessary controllers and attributes for a unit are in place.
|
|
|
|
|
*
|
|
|
|
|
* If so, do nothing.
|
|
|
|
|
* If not, create paths, move processes over, and set attributes.
|
|
|
|
|
*
|
|
|
|
|
* Returns 0 on success and < 0 on failure. */
|
2014-05-22 00:06:16 +02:00
|
|
|
static int unit_realize_cgroup_now(Unit *u, ManagerState state) {
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
CGroupMask target_mask, enable_mask;
|
2017-09-05 19:27:53 +02:00
|
|
|
bool needs_bpf, apply_bpf;
|
2013-11-11 10:03:31 +01:00
|
|
|
int r;
|
2011-06-30 00:11:25 +02:00
|
|
|
|
2013-06-27 04:14:27 +02:00
|
|
|
assert(u);
|
2011-06-30 00:11:25 +02:00
|
|
|
|
2017-11-24 19:48:38 +01:00
|
|
|
unit_remove_from_cgroup_realize_queue(u);
|
2011-06-30 00:11:25 +02:00
|
|
|
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
target_mask = unit_get_target_mask(u);
|
2016-04-30 22:12:54 +02:00
|
|
|
enable_mask = unit_get_enable_mask(u);
|
2017-09-05 19:27:53 +02:00
|
|
|
needs_bpf = unit_get_needs_bpf(u);
|
2016-04-30 22:12:54 +02:00
|
|
|
|
2017-09-05 19:27:53 +02:00
|
|
|
if (unit_has_mask_realized(u, target_mask, enable_mask, needs_bpf))
|
2013-06-30 23:55:36 +02:00
|
|
|
return 0;
|
2011-06-30 00:11:25 +02:00
|
|
|
|
2017-09-05 19:27:53 +02:00
|
|
|
/* Make sure we apply the BPF filters either when one is configured, or if none is configured but previously
|
|
|
|
|
* the state was anything but off. This way, if a unit with a BPF filter applied is reconfigured to lose it
|
|
|
|
|
* this will trickle down properly to cgroupfs. */
|
|
|
|
|
apply_bpf = needs_bpf || u->cgroup_bpf_state != UNIT_CGROUP_BPF_OFF;
|
|
|
|
|
|
2013-06-27 04:14:27 +02:00
|
|
|
/* First, realize parents */
|
2013-11-11 10:03:31 +01:00
|
|
|
if (UNIT_ISSET(u->slice)) {
|
2014-05-22 00:06:16 +02:00
|
|
|
r = unit_realize_cgroup_now(UNIT_DEREF(u->slice), state);
|
2013-11-11 10:03:31 +01:00
|
|
|
if (r < 0)
|
|
|
|
|
return r;
|
|
|
|
|
}
|
2013-06-27 04:14:27 +02:00
|
|
|
|
|
|
|
|
/* And then do the real work */
|
2017-09-05 19:27:53 +02:00
|
|
|
r = unit_create_cgroup(u, target_mask, enable_mask, needs_bpf);
|
2013-11-11 10:03:31 +01:00
|
|
|
if (r < 0)
|
|
|
|
|
return r;
|
|
|
|
|
|
|
|
|
|
/* Finally, apply the necessary attributes. */
|
2017-09-05 19:27:53 +02:00
|
|
|
cgroup_context_apply(u, target_mask, apply_bpf, state);
|
2016-08-30 23:18:46 +02:00
|
|
|
cgroup_xattr_apply(u);
|
2013-11-11 10:03:31 +01:00
|
|
|
|
|
|
|
|
return 0;
|
2011-06-30 00:11:25 +02:00
|
|
|
}
|
|
|
|
|
|
2017-09-26 22:15:02 +02:00
|
|
|
unsigned manager_dispatch_cgroup_realize_queue(Manager *m) {
|
2014-05-22 00:06:16 +02:00
|
|
|
ManagerState state;
|
2013-06-27 04:14:27 +02:00
|
|
|
unsigned n = 0;
|
2014-05-22 00:06:16 +02:00
|
|
|
Unit *i;
|
2013-11-11 10:03:31 +01:00
|
|
|
int r;
|
2012-04-13 23:24:47 +02:00
|
|
|
|
2017-09-26 22:15:02 +02:00
|
|
|
assert(m);
|
|
|
|
|
|
2014-05-22 00:06:16 +02:00
|
|
|
state = manager_state(m);
|
|
|
|
|
|
2017-09-26 22:15:02 +02:00
|
|
|
while ((i = m->cgroup_realize_queue)) {
|
|
|
|
|
assert(i->in_cgroup_realize_queue);
|
2012-04-13 23:24:47 +02:00
|
|
|
|
2017-11-24 19:48:38 +01:00
|
|
|
if (UNIT_IS_INACTIVE_OR_FAILED(unit_active_state(i))) {
|
|
|
|
|
/* Maybe things changed, and the unit is not actually active anymore? */
|
|
|
|
|
unit_remove_from_cgroup_realize_queue(i);
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
2014-05-22 00:06:16 +02:00
|
|
|
r = unit_realize_cgroup_now(i, state);
|
2013-11-11 10:03:31 +01:00
|
|
|
if (r < 0)
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
log_warning_errno(r, "Failed to realize cgroups for queued unit %s, ignoring: %m", i->id);
|
2013-06-30 23:55:36 +02:00
|
|
|
|
2013-06-27 04:14:27 +02:00
|
|
|
n++;
|
|
|
|
|
}
|
2012-04-13 23:24:47 +02:00
|
|
|
|
2013-06-27 04:14:27 +02:00
|
|
|
return n;
|
2010-03-31 16:29:55 +02:00
|
|
|
}
|
|
|
|
|
|
2017-09-26 22:15:02 +02:00
|
|
|
static void unit_add_siblings_to_cgroup_realize_queue(Unit *u) {
|
2013-06-27 04:14:27 +02:00
|
|
|
Unit *slice;
|
2010-08-31 23:24:47 +02:00
|
|
|
|
2013-06-27 04:14:27 +02:00
|
|
|
/* This adds the siblings of the specified unit and the
|
|
|
|
|
* siblings of all parent units to the cgroup queue. (But
|
|
|
|
|
* neither the specified unit itself nor the parents.) */
|
|
|
|
|
|
|
|
|
|
while ((slice = UNIT_DEREF(u->slice))) {
|
|
|
|
|
Iterator i;
|
|
|
|
|
Unit *m;
|
core: track why unit dependencies came to be
This replaces the dependencies Set* objects by Hashmap* objects, where
the key is the depending Unit, and the value is a bitmask encoding why
the specific dependency was created.
The bitmask contains a number of different, defined bits, that indicate
why dependencies exist, for example whether they are created due to
explicitly configured deps in files, by udev rules or implicitly.
Note that memory usage is not increased by this change, even though we
store more information, as we manage to encode the bit mask inside the
value pointer each Hashmap entry contains.
Why this all? When we know how a dependency came to be, we can update
dependencies correctly when a configuration source changes but others
are left unaltered. Specifically:
1. We can fix UDEV_WANTS dependency generation: so far we kept adding
dependencies configured that way, but if a device lost such a
dependency we couldn't them again as there was no scheme for removing
of dependencies in place.
2. We can implement "pin-pointed" reload of unit files. If we know what
dependencies were created as result of configuration in a unit file,
then we know what to flush out when we want to reload it.
3. It's useful for debugging: "systemd-analyze dump" now shows
this information, helping substantially with understanding how
systemd's dependency tree came to be the way it came to be.
2017-10-25 20:46:01 +02:00
|
|
|
void *v;
|
2012-01-11 01:51:32 +01:00
|
|
|
|
core: track why unit dependencies came to be
This replaces the dependencies Set* objects by Hashmap* objects, where
the key is the depending Unit, and the value is a bitmask encoding why
the specific dependency was created.
The bitmask contains a number of different, defined bits, that indicate
why dependencies exist, for example whether they are created due to
explicitly configured deps in files, by udev rules or implicitly.
Note that memory usage is not increased by this change, even though we
store more information, as we manage to encode the bit mask inside the
value pointer each Hashmap entry contains.
Why this all? When we know how a dependency came to be, we can update
dependencies correctly when a configuration source changes but others
are left unaltered. Specifically:
1. We can fix UDEV_WANTS dependency generation: so far we kept adding
dependencies configured that way, but if a device lost such a
dependency we couldn't them again as there was no scheme for removing
of dependencies in place.
2. We can implement "pin-pointed" reload of unit files. If we know what
dependencies were created as result of configuration in a unit file,
then we know what to flush out when we want to reload it.
3. It's useful for debugging: "systemd-analyze dump" now shows
this information, helping substantially with understanding how
systemd's dependency tree came to be the way it came to be.
2017-10-25 20:46:01 +02:00
|
|
|
HASHMAP_FOREACH_KEY(v, m, u->dependencies[UNIT_BEFORE], i) {
|
2013-06-27 04:14:27 +02:00
|
|
|
if (m == u)
|
|
|
|
|
continue;
|
2010-03-31 16:29:55 +02:00
|
|
|
|
2013-11-11 10:03:31 +01:00
|
|
|
/* Skip units that have a dependency on the slice
|
|
|
|
|
* but aren't actually in it. */
|
2013-06-27 04:14:27 +02:00
|
|
|
if (UNIT_DEREF(m->slice) != slice)
|
2010-04-08 00:52:14 +02:00
|
|
|
continue;
|
2010-03-31 16:29:55 +02:00
|
|
|
|
2013-11-11 10:03:31 +01:00
|
|
|
/* No point in doing cgroup application for units
|
|
|
|
|
* without active processes. */
|
|
|
|
|
if (UNIT_IS_INACTIVE_OR_FAILED(unit_active_state(m)))
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
/* If the unit doesn't need any new controllers
|
|
|
|
|
* and has current ones realized, it doesn't need
|
|
|
|
|
* any changes. */
|
2017-09-05 19:27:53 +02:00
|
|
|
if (unit_has_mask_realized(m,
|
|
|
|
|
unit_get_target_mask(m),
|
|
|
|
|
unit_get_enable_mask(m),
|
|
|
|
|
unit_get_needs_bpf(m)))
|
2013-11-11 10:03:31 +01:00
|
|
|
continue;
|
|
|
|
|
|
2017-09-26 22:15:02 +02:00
|
|
|
unit_add_to_cgroup_realize_queue(m);
|
2010-04-08 00:52:14 +02:00
|
|
|
}
|
|
|
|
|
|
2013-06-27 04:14:27 +02:00
|
|
|
u = slice;
|
2010-03-31 16:29:55 +02:00
|
|
|
}
|
2013-06-27 04:14:27 +02:00
|
|
|
}
|
|
|
|
|
|
2013-06-30 23:55:36 +02:00
|
|
|
int unit_realize_cgroup(Unit *u) {
|
2013-06-27 04:14:27 +02:00
|
|
|
assert(u);
|
|
|
|
|
|
2015-08-28 17:14:59 +02:00
|
|
|
if (!UNIT_HAS_CGROUP_CONTEXT(u))
|
2013-06-30 23:55:36 +02:00
|
|
|
return 0;
|
2010-03-31 16:29:55 +02:00
|
|
|
|
2013-06-27 04:14:27 +02:00
|
|
|
/* So, here's the deal: when realizing the cgroups for this
|
|
|
|
|
* unit, we need to first create all parents, but there's more
|
|
|
|
|
* actually: for the weight-based controllers we also need to
|
|
|
|
|
* make sure that all our siblings (i.e. units that are in the
|
2014-02-17 03:37:13 +01:00
|
|
|
* same slice as we are) have cgroups, too. Otherwise, things
|
2013-06-27 04:14:27 +02:00
|
|
|
* would become very uneven as each of their processes would
|
|
|
|
|
* get as much resources as all our group together. This call
|
|
|
|
|
* will synchronously create the parent cgroups, but will
|
|
|
|
|
* defer work on the siblings to the next event loop
|
|
|
|
|
* iteration. */
|
2010-08-31 23:24:47 +02:00
|
|
|
|
2013-06-27 04:14:27 +02:00
|
|
|
/* Add all sibling slices to the cgroup queue. */
|
2017-09-26 22:15:02 +02:00
|
|
|
unit_add_siblings_to_cgroup_realize_queue(u);
|
2013-06-27 04:14:27 +02:00
|
|
|
|
2013-11-11 10:03:31 +01:00
|
|
|
/* And realize this one now (and apply the values) */
|
2014-05-22 00:06:16 +02:00
|
|
|
return unit_realize_cgroup_now(u, manager_state(u->manager));
|
2010-03-31 16:29:55 +02:00
|
|
|
}
|
|
|
|
|
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
void unit_release_cgroup(Unit *u) {
|
|
|
|
|
assert(u);
|
|
|
|
|
|
|
|
|
|
/* Forgets all cgroup details for this cgroup */
|
|
|
|
|
|
|
|
|
|
if (u->cgroup_path) {
|
|
|
|
|
(void) hashmap_remove(u->manager->cgroup_unit, u->cgroup_path);
|
|
|
|
|
u->cgroup_path = mfree(u->cgroup_path);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (u->cgroup_inotify_wd >= 0) {
|
|
|
|
|
if (inotify_rm_watch(u->manager->cgroup_inotify_fd, u->cgroup_inotify_wd) < 0)
|
|
|
|
|
log_unit_debug_errno(u, errno, "Failed to remove cgroup inotify watch %i for %s, ignoring", u->cgroup_inotify_wd, u->id);
|
|
|
|
|
|
|
|
|
|
(void) hashmap_remove(u->manager->cgroup_inotify_wd_unit, INT_TO_PTR(u->cgroup_inotify_wd));
|
|
|
|
|
u->cgroup_inotify_wd = -1;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void unit_prune_cgroup(Unit *u) {
|
2010-03-31 16:29:55 +02:00
|
|
|
int r;
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
bool is_root_slice;
|
2010-03-31 16:29:55 +02:00
|
|
|
|
2013-06-27 04:14:27 +02:00
|
|
|
assert(u);
|
2010-03-31 16:29:55 +02:00
|
|
|
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
/* Removes the cgroup, if empty and possible, and stops watching it. */
|
|
|
|
|
|
2013-06-27 04:14:27 +02:00
|
|
|
if (!u->cgroup_path)
|
|
|
|
|
return;
|
2010-03-31 16:29:55 +02:00
|
|
|
|
2016-08-18 20:58:10 +02:00
|
|
|
(void) unit_get_cpu_usage(u, NULL); /* Cache the last CPU usage value before we destroy the cgroup */
|
|
|
|
|
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
is_root_slice = unit_has_name(u, SPECIAL_ROOT_SLICE);
|
|
|
|
|
|
|
|
|
|
r = cg_trim_everywhere(u->manager->cgroup_supported, u->cgroup_path, !is_root_slice);
|
2014-11-29 16:27:14 +01:00
|
|
|
if (r < 0) {
|
2016-06-02 19:02:49 +02:00
|
|
|
log_unit_debug_errno(u, r, "Failed to destroy cgroup %s, ignoring: %m", u->cgroup_path);
|
2014-11-29 16:27:14 +01:00
|
|
|
return;
|
|
|
|
|
}
|
2010-03-31 16:29:55 +02:00
|
|
|
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
if (is_root_slice)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
unit_release_cgroup(u);
|
2013-06-30 23:55:36 +02:00
|
|
|
|
2013-06-27 04:14:27 +02:00
|
|
|
u->cgroup_realized = false;
|
2014-02-14 19:11:07 +01:00
|
|
|
u->cgroup_realized_mask = 0;
|
2016-04-30 22:12:54 +02:00
|
|
|
u->cgroup_enabled_mask = 0;
|
2010-03-31 16:29:55 +02:00
|
|
|
}
|
|
|
|
|
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
int unit_search_main_pid(Unit *u, pid_t *ret) {
|
2013-06-27 04:14:27 +02:00
|
|
|
_cleanup_fclose_ FILE *f = NULL;
|
|
|
|
|
pid_t pid = 0, npid, mypid;
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
int r;
|
2013-06-27 04:14:27 +02:00
|
|
|
|
|
|
|
|
assert(u);
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
assert(ret);
|
2013-06-27 04:14:27 +02:00
|
|
|
|
|
|
|
|
if (!u->cgroup_path)
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
return -ENXIO;
|
2013-06-27 04:14:27 +02:00
|
|
|
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
r = cg_enumerate_processes(SYSTEMD_CGROUP_CONTROLLER, u->cgroup_path, &f);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return r;
|
2013-06-27 04:14:27 +02:00
|
|
|
|
2017-07-20 16:19:18 +02:00
|
|
|
mypid = getpid_cached();
|
2013-06-27 04:14:27 +02:00
|
|
|
while (cg_read_pid(f, &npid) > 0) {
|
|
|
|
|
pid_t ppid;
|
|
|
|
|
|
|
|
|
|
if (npid == pid)
|
|
|
|
|
continue;
|
2010-03-31 16:29:55 +02:00
|
|
|
|
2013-06-27 04:14:27 +02:00
|
|
|
/* Ignore processes that aren't our kids */
|
2015-10-27 14:01:48 +01:00
|
|
|
if (get_process_ppid(npid, &ppid) >= 0 && ppid != mypid)
|
2013-06-27 04:14:27 +02:00
|
|
|
continue;
|
2010-03-31 16:29:55 +02:00
|
|
|
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
if (pid != 0)
|
2013-06-27 04:14:27 +02:00
|
|
|
/* Dang, there's more than one daemonized PID
|
|
|
|
|
in this group, so we don't know what process
|
|
|
|
|
is the main process. */
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
|
|
|
|
|
return -ENODATA;
|
2010-03-31 16:29:55 +02:00
|
|
|
|
2013-06-27 04:14:27 +02:00
|
|
|
pid = npid;
|
2010-03-31 16:29:55 +02:00
|
|
|
}
|
|
|
|
|
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
*ret = pid;
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int unit_watch_pids_in_path(Unit *u, const char *path) {
|
2015-09-02 20:46:22 +02:00
|
|
|
_cleanup_closedir_ DIR *d = NULL;
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
_cleanup_fclose_ FILE *f = NULL;
|
|
|
|
|
int ret = 0, r;
|
|
|
|
|
|
|
|
|
|
assert(u);
|
|
|
|
|
assert(path);
|
|
|
|
|
|
|
|
|
|
r = cg_enumerate_processes(SYSTEMD_CGROUP_CONTROLLER, path, &f);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
ret = r;
|
|
|
|
|
else {
|
|
|
|
|
pid_t pid;
|
|
|
|
|
|
|
|
|
|
while ((r = cg_read_pid(f, &pid)) > 0) {
|
|
|
|
|
r = unit_watch_pid(u, pid);
|
|
|
|
|
if (r < 0 && ret >= 0)
|
|
|
|
|
ret = r;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (r < 0 && ret >= 0)
|
|
|
|
|
ret = r;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
r = cg_enumerate_subgroups(SYSTEMD_CGROUP_CONTROLLER, path, &d);
|
|
|
|
|
if (r < 0) {
|
|
|
|
|
if (ret >= 0)
|
|
|
|
|
ret = r;
|
|
|
|
|
} else {
|
|
|
|
|
char *fn;
|
|
|
|
|
|
|
|
|
|
while ((r = cg_read_subgroup(d, &fn)) > 0) {
|
|
|
|
|
_cleanup_free_ char *p = NULL;
|
|
|
|
|
|
2016-10-23 17:43:27 +02:00
|
|
|
p = strjoin(path, "/", fn);
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
free(fn);
|
|
|
|
|
|
|
|
|
|
if (!p)
|
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
|
|
r = unit_watch_pids_in_path(u, p);
|
|
|
|
|
if (r < 0 && ret >= 0)
|
|
|
|
|
ret = r;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (r < 0 && ret >= 0)
|
|
|
|
|
ret = r;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
2018-01-12 13:06:48 +01:00
|
|
|
int unit_synthesize_cgroup_empty_event(Unit *u) {
|
|
|
|
|
int r;
|
|
|
|
|
|
|
|
|
|
assert(u);
|
|
|
|
|
|
|
|
|
|
/* Enqueue a synthetic cgroup empty event if this unit doesn't watch any PIDs anymore. This is compatibility
|
|
|
|
|
* support for non-unified systems where notifications aren't reliable, and hence need to take whatever we can
|
|
|
|
|
* get as notification source as soon as we stopped having any useful PIDs to watch for. */
|
|
|
|
|
|
|
|
|
|
if (!u->cgroup_path)
|
|
|
|
|
return -ENOENT;
|
|
|
|
|
|
|
|
|
|
r = cg_unified_controller(SYSTEMD_CGROUP_CONTROLLER);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return r;
|
|
|
|
|
if (r > 0) /* On unified we have reliable notifications, and don't need this */
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
if (!set_isempty(u->pids))
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
unit_add_to_cgroup_empty_queue(u);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
int unit_watch_all_pids(Unit *u) {
|
2017-02-24 17:52:58 +01:00
|
|
|
int r;
|
|
|
|
|
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
assert(u);
|
|
|
|
|
|
|
|
|
|
/* Adds all PIDs from our cgroup to the set of PIDs we
|
|
|
|
|
* watch. This is a fallback logic for cases where we do not
|
|
|
|
|
* get reliable cgroup empty notifications: we try to use
|
|
|
|
|
* SIGCHLD as replacement. */
|
|
|
|
|
|
|
|
|
|
if (!u->cgroup_path)
|
|
|
|
|
return -ENOENT;
|
|
|
|
|
|
2017-02-24 18:00:04 +01:00
|
|
|
r = cg_unified_controller(SYSTEMD_CGROUP_CONTROLLER);
|
2017-02-24 17:52:58 +01:00
|
|
|
if (r < 0)
|
|
|
|
|
return r;
|
|
|
|
|
if (r > 0) /* On unified we can use proper notifications */
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
return unit_watch_pids_in_path(u, u->cgroup_path);
|
|
|
|
|
}
|
|
|
|
|
|
2017-09-26 22:43:08 +02:00
|
|
|
static int on_cgroup_empty_event(sd_event_source *s, void *userdata) {
|
|
|
|
|
Manager *m = userdata;
|
|
|
|
|
Unit *u;
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
int r;
|
|
|
|
|
|
2017-09-26 22:43:08 +02:00
|
|
|
assert(s);
|
|
|
|
|
assert(m);
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
|
2017-09-26 22:43:08 +02:00
|
|
|
u = m->cgroup_empty_queue;
|
|
|
|
|
if (!u)
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
return 0;
|
|
|
|
|
|
2017-09-26 22:43:08 +02:00
|
|
|
assert(u->in_cgroup_empty_queue);
|
|
|
|
|
u->in_cgroup_empty_queue = false;
|
|
|
|
|
LIST_REMOVE(cgroup_empty_queue, m->cgroup_empty_queue, u);
|
|
|
|
|
|
|
|
|
|
if (m->cgroup_empty_queue) {
|
|
|
|
|
/* More stuff queued, let's make sure we remain enabled */
|
|
|
|
|
r = sd_event_source_set_enabled(s, SD_EVENT_ONESHOT);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
log_debug_errno(r, "Failed to reenable cgroup empty event source: %m");
|
|
|
|
|
}
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
|
|
|
|
|
unit_add_to_gc_queue(u);
|
|
|
|
|
|
|
|
|
|
if (UNIT_VTABLE(u)->notify_cgroup_empty)
|
|
|
|
|
UNIT_VTABLE(u)->notify_cgroup_empty(u);
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2017-09-26 22:43:08 +02:00
|
|
|
void unit_add_to_cgroup_empty_queue(Unit *u) {
|
|
|
|
|
int r;
|
|
|
|
|
|
|
|
|
|
assert(u);
|
|
|
|
|
|
|
|
|
|
/* Note that there are four different ways how cgroup empty events reach us:
|
|
|
|
|
*
|
|
|
|
|
* 1. On the unified hierarchy we get an inotify event on the cgroup
|
|
|
|
|
*
|
|
|
|
|
* 2. On the legacy hierarchy, when running in system mode, we get a datagram on the cgroup agent socket
|
|
|
|
|
*
|
|
|
|
|
* 3. On the legacy hierarchy, when running in user mode, we get a D-Bus signal on the system bus
|
|
|
|
|
*
|
|
|
|
|
* 4. On the legacy hierarchy, in service units we start watching all processes of the cgroup for SIGCHLD as
|
|
|
|
|
* soon as we get one SIGCHLD, to deal with unreliable cgroup notifications.
|
|
|
|
|
*
|
|
|
|
|
* Regardless which way we got the notification, we'll verify it here, and then add it to a separate
|
|
|
|
|
* queue. This queue will be dispatched at a lower priority than the SIGCHLD handler, so that we always use
|
|
|
|
|
* SIGCHLD if we can get it first, and only use the cgroup empty notifications if there's no SIGCHLD pending
|
|
|
|
|
* (which might happen if the cgroup doesn't contain processes that are our own child, which is typically the
|
|
|
|
|
* case for scope units). */
|
|
|
|
|
|
|
|
|
|
if (u->in_cgroup_empty_queue)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
/* Let's verify that the cgroup is really empty */
|
|
|
|
|
if (!u->cgroup_path)
|
|
|
|
|
return;
|
|
|
|
|
r = cg_is_empty_recursive(SYSTEMD_CGROUP_CONTROLLER, u->cgroup_path);
|
|
|
|
|
if (r < 0) {
|
|
|
|
|
log_unit_debug_errno(u, r, "Failed to determine whether cgroup %s is empty: %m", u->cgroup_path);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
if (r == 0)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
LIST_PREPEND(cgroup_empty_queue, u->manager->cgroup_empty_queue, u);
|
|
|
|
|
u->in_cgroup_empty_queue = true;
|
|
|
|
|
|
|
|
|
|
/* Trigger the defer event */
|
|
|
|
|
r = sd_event_source_set_enabled(u->manager->cgroup_empty_event_source, SD_EVENT_ONESHOT);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
log_debug_errno(r, "Failed to enable cgroup empty event source: %m");
|
|
|
|
|
}
|
|
|
|
|
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
static int on_cgroup_inotify_event(sd_event_source *s, int fd, uint32_t revents, void *userdata) {
|
|
|
|
|
Manager *m = userdata;
|
|
|
|
|
|
|
|
|
|
assert(s);
|
|
|
|
|
assert(fd >= 0);
|
|
|
|
|
assert(m);
|
|
|
|
|
|
|
|
|
|
for (;;) {
|
|
|
|
|
union inotify_event_buffer buffer;
|
|
|
|
|
struct inotify_event *e;
|
|
|
|
|
ssize_t l;
|
|
|
|
|
|
|
|
|
|
l = read(fd, &buffer, sizeof(buffer));
|
|
|
|
|
if (l < 0) {
|
2017-09-26 22:49:09 +02:00
|
|
|
if (IN_SET(errno, EINTR, EAGAIN))
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
return log_error_errno(errno, "Failed to read control group inotify events: %m");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
FOREACH_INOTIFY_EVENT(e, buffer, l) {
|
|
|
|
|
Unit *u;
|
|
|
|
|
|
|
|
|
|
if (e->wd < 0)
|
|
|
|
|
/* Queue overflow has no watch descriptor */
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
if (e->mask & IN_IGNORED)
|
|
|
|
|
/* The watch was just removed */
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
u = hashmap_get(m->cgroup_inotify_wd_unit, INT_TO_PTR(e->wd));
|
|
|
|
|
if (!u) /* Not that inotify might deliver
|
|
|
|
|
* events for a watch even after it
|
|
|
|
|
* was removed, because it was queued
|
|
|
|
|
* before the removal. Let's ignore
|
|
|
|
|
* this here safely. */
|
|
|
|
|
continue;
|
|
|
|
|
|
2017-09-26 22:43:08 +02:00
|
|
|
unit_add_to_cgroup_empty_queue(u);
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
}
|
|
|
|
|
}
|
2010-03-31 16:29:55 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int manager_setup_cgroup(Manager *m) {
|
2013-06-20 03:45:08 +02:00
|
|
|
_cleanup_free_ char *path = NULL;
|
2017-09-05 11:40:47 +02:00
|
|
|
const char *scope_path;
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
CGroupController c;
|
2017-02-24 17:52:58 +01:00
|
|
|
int r, all_unified;
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
char *e;
|
2010-03-31 16:29:55 +02:00
|
|
|
|
|
|
|
|
assert(m);
|
|
|
|
|
|
2010-07-12 18:16:44 +02:00
|
|
|
/* 1. Determine hierarchy */
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
m->cgroup_root = mfree(m->cgroup_root);
|
2013-06-20 03:45:08 +02:00
|
|
|
r = cg_pid_get_path(SYSTEMD_CGROUP_CONTROLLER, 0, &m->cgroup_root);
|
2014-11-28 18:23:20 +01:00
|
|
|
if (r < 0)
|
|
|
|
|
return log_error_errno(r, "Cannot determine cgroup we are running in: %m");
|
2010-03-31 16:29:55 +02:00
|
|
|
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
/* Chop off the init scope, if we are already located in it */
|
|
|
|
|
e = endswith(m->cgroup_root, "/" SPECIAL_INIT_SCOPE);
|
2014-01-07 14:41:24 +01:00
|
|
|
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
/* LEGACY: Also chop off the system slice if we are in
|
|
|
|
|
* it. This is to support live upgrades from older systemd
|
|
|
|
|
* versions where PID 1 was moved there. Also see
|
|
|
|
|
* cg_get_root_path(). */
|
2016-02-24 21:24:23 +01:00
|
|
|
if (!e && MANAGER_IS_SYSTEM(m)) {
|
2013-06-20 03:45:08 +02:00
|
|
|
e = endswith(m->cgroup_root, "/" SPECIAL_SYSTEM_SLICE);
|
2013-11-05 22:14:52 +01:00
|
|
|
if (!e)
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
e = endswith(m->cgroup_root, "/system"); /* even more legacy */
|
2010-11-15 23:55:53 +01:00
|
|
|
}
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
if (e)
|
|
|
|
|
*e = 0;
|
2010-04-21 03:18:05 +02:00
|
|
|
|
2017-11-09 11:12:47 +01:00
|
|
|
/* And make sure to store away the root value without trailing slash, even for the root dir, so that we can
|
|
|
|
|
* easily prepend it everywhere. */
|
|
|
|
|
delete_trailing_chars(m->cgroup_root, "/");
|
2010-03-31 16:29:55 +02:00
|
|
|
|
2010-07-12 18:16:44 +02:00
|
|
|
/* 2. Show data */
|
2013-06-20 03:45:08 +02:00
|
|
|
r = cg_get_path(SYSTEMD_CGROUP_CONTROLLER, m->cgroup_root, NULL, &path);
|
2014-11-28 18:23:20 +01:00
|
|
|
if (r < 0)
|
|
|
|
|
return log_error_errno(r, "Cannot find cgroup mount point: %m");
|
2010-03-31 16:29:55 +02:00
|
|
|
|
2016-11-21 20:45:53 +01:00
|
|
|
r = cg_unified_flush();
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return log_error_errno(r, "Couldn't determine if we are running in the unified hierarchy: %m");
|
2016-08-16 00:13:36 +02:00
|
|
|
|
2017-02-24 17:52:58 +01:00
|
|
|
all_unified = cg_all_unified();
|
2017-11-15 10:19:45 +01:00
|
|
|
if (all_unified < 0)
|
|
|
|
|
return log_error_errno(all_unified, "Couldn't determine whether we are in all unified mode: %m");
|
|
|
|
|
if (all_unified > 0)
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
log_debug("Unified cgroup hierarchy is located at %s.", path);
|
2017-02-24 17:52:58 +01:00
|
|
|
else {
|
2017-02-24 18:00:04 +01:00
|
|
|
r = cg_unified_controller(SYSTEMD_CGROUP_CONTROLLER);
|
2017-02-24 17:52:58 +01:00
|
|
|
if (r < 0)
|
|
|
|
|
return log_error_errno(r, "Failed to determine whether systemd's own controller is in unified mode: %m");
|
|
|
|
|
if (r > 0)
|
|
|
|
|
log_debug("Unified cgroup hierarchy is located at %s. Controllers are on legacy hierarchies.", path);
|
|
|
|
|
else
|
|
|
|
|
log_debug("Using cgroup controller " SYSTEMD_CGROUP_CONTROLLER_LEGACY ". File system hierarchy is at %s.", path);
|
|
|
|
|
}
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
|
2017-09-26 22:43:08 +02:00
|
|
|
/* 3. Allocate cgroup empty defer event source */
|
|
|
|
|
m->cgroup_empty_event_source = sd_event_source_unref(m->cgroup_empty_event_source);
|
|
|
|
|
r = sd_event_add_defer(m->event, &m->cgroup_empty_event_source, on_cgroup_empty_event, m);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return log_error_errno(r, "Failed to create cgroup empty event source: %m");
|
|
|
|
|
|
|
|
|
|
r = sd_event_source_set_priority(m->cgroup_empty_event_source, SD_EVENT_PRIORITY_NORMAL-5);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return log_error_errno(r, "Failed to set priority of cgroup empty event source: %m");
|
|
|
|
|
|
|
|
|
|
r = sd_event_source_set_enabled(m->cgroup_empty_event_source, SD_EVENT_OFF);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return log_error_errno(r, "Failed to disable cgroup empty event source: %m");
|
|
|
|
|
|
|
|
|
|
(void) sd_event_source_set_description(m->cgroup_empty_event_source, "cgroup-empty");
|
|
|
|
|
|
|
|
|
|
/* 4. Install notifier inotify object, or agent */
|
2017-09-05 11:40:47 +02:00
|
|
|
if (cg_unified_controller(SYSTEMD_CGROUP_CONTROLLER) > 0) {
|
2010-07-11 00:50:49 +02:00
|
|
|
|
2017-09-26 22:43:08 +02:00
|
|
|
/* In the unified hierarchy we can get cgroup empty notifications via inotify. */
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
|
2017-09-05 11:40:47 +02:00
|
|
|
m->cgroup_inotify_event_source = sd_event_source_unref(m->cgroup_inotify_event_source);
|
|
|
|
|
safe_close(m->cgroup_inotify_fd);
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
|
2017-09-05 11:40:47 +02:00
|
|
|
m->cgroup_inotify_fd = inotify_init1(IN_NONBLOCK|IN_CLOEXEC);
|
|
|
|
|
if (m->cgroup_inotify_fd < 0)
|
|
|
|
|
return log_error_errno(errno, "Failed to create control group inotify object: %m");
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
|
2017-09-05 11:40:47 +02:00
|
|
|
r = sd_event_add_io(m->event, &m->cgroup_inotify_event_source, m->cgroup_inotify_fd, EPOLLIN, on_cgroup_inotify_event, m);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return log_error_errno(r, "Failed to watch control group inotify object: %m");
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
|
2017-09-05 11:40:47 +02:00
|
|
|
/* Process cgroup empty notifications early, but after service notifications and SIGCHLD. Also
|
|
|
|
|
* see handling of cgroup agent notifications, for the classic cgroup hierarchy support. */
|
2017-09-26 22:43:08 +02:00
|
|
|
r = sd_event_source_set_priority(m->cgroup_inotify_event_source, SD_EVENT_PRIORITY_NORMAL-4);
|
2017-09-05 11:40:47 +02:00
|
|
|
if (r < 0)
|
|
|
|
|
return log_error_errno(r, "Failed to set priority of inotify event source: %m");
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
|
2017-09-05 11:40:47 +02:00
|
|
|
(void) sd_event_source_set_description(m->cgroup_inotify_event_source, "cgroup-inotify");
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
|
2017-09-05 11:40:47 +02:00
|
|
|
} else if (MANAGER_IS_SYSTEM(m) && m->test_run_flags == 0) {
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
|
2017-09-05 11:40:47 +02:00
|
|
|
/* On the legacy hierarchy we only get notifications via cgroup agents. (Which isn't really reliable,
|
|
|
|
|
* since it does not generate events when control groups with children run empty. */
|
2010-03-31 16:29:55 +02:00
|
|
|
|
2017-09-05 11:40:47 +02:00
|
|
|
r = cg_install_release_agent(SYSTEMD_CGROUP_CONTROLLER, SYSTEMD_CGROUP_AGENT_PATH);
|
2014-11-28 18:23:20 +01:00
|
|
|
if (r < 0)
|
2017-09-05 11:40:47 +02:00
|
|
|
log_warning_errno(r, "Failed to install release agent, ignoring: %m");
|
|
|
|
|
else if (r > 0)
|
|
|
|
|
log_debug("Installed release agent.");
|
|
|
|
|
else if (r == 0)
|
|
|
|
|
log_debug("Release agent already installed.");
|
|
|
|
|
}
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
|
2017-09-26 22:43:08 +02:00
|
|
|
/* 5. Make sure we are in the special "init.scope" unit in the root slice. */
|
2017-09-05 11:40:47 +02:00
|
|
|
scope_path = strjoina(m->cgroup_root, "/" SPECIAL_INIT_SCOPE);
|
|
|
|
|
r = cg_create_and_attach(SYSTEMD_CGROUP_CONTROLLER, scope_path, 0);
|
2018-03-09 23:30:32 +01:00
|
|
|
if (r >= 0) {
|
|
|
|
|
/* Also, move all other userspace processes remaining in the root cgroup into that scope. */
|
|
|
|
|
r = cg_migrate(SYSTEMD_CGROUP_CONTROLLER, m->cgroup_root, SYSTEMD_CGROUP_CONTROLLER, scope_path, 0);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
log_warning_errno(r, "Couldn't move remaining userspace processes, ignoring: %m");
|
2010-07-11 00:50:49 +02:00
|
|
|
|
2018-03-09 23:30:32 +01:00
|
|
|
/* 6. And pin it, so that it cannot be unmounted */
|
|
|
|
|
safe_close(m->pin_cgroupfs_fd);
|
|
|
|
|
m->pin_cgroupfs_fd = open(path, O_RDONLY|O_CLOEXEC|O_DIRECTORY|O_NOCTTY|O_NONBLOCK);
|
|
|
|
|
if (m->pin_cgroupfs_fd < 0)
|
|
|
|
|
return log_error_errno(errno, "Failed to open pin file: %m");
|
2014-01-07 14:41:24 +01:00
|
|
|
|
2018-03-09 23:30:32 +01:00
|
|
|
} else if (r < 0 && !m->test_run_flags)
|
|
|
|
|
return log_error_errno(r, "Failed to create %s control group: %m", scope_path);
|
2017-09-05 11:40:47 +02:00
|
|
|
|
2017-09-26 22:43:08 +02:00
|
|
|
/* 7. Always enable hierarchical support if it exists... */
|
2017-09-05 11:40:47 +02:00
|
|
|
if (!all_unified && m->test_run_flags == 0)
|
|
|
|
|
(void) cg_set_attribute("memory", "/", "memory.use_hierarchy", "1");
|
2010-07-11 00:50:49 +02:00
|
|
|
|
2017-09-26 22:43:08 +02:00
|
|
|
/* 8. Figure out which controllers are supported, and log about it */
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
r = cg_mask_supported(&m->cgroup_supported);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return log_error_errno(r, "Failed to determine supported controllers: %m");
|
|
|
|
|
for (c = 0; c < _CGROUP_CONTROLLER_MAX; c++)
|
2016-06-20 20:40:46 +02:00
|
|
|
log_debug("Controller '%s' supported: %s", cgroup_controller_to_string(c), yes_no(m->cgroup_supported & CGROUP_CONTROLLER_TO_MASK(c)));
|
2012-04-14 02:34:10 +02:00
|
|
|
|
2013-04-15 21:52:56 +02:00
|
|
|
return 0;
|
2010-03-31 16:29:55 +02:00
|
|
|
}
|
|
|
|
|
|
2010-07-11 00:50:49 +02:00
|
|
|
void manager_shutdown_cgroup(Manager *m, bool delete) {
|
2010-03-31 16:29:55 +02:00
|
|
|
assert(m);
|
|
|
|
|
|
2013-06-20 03:45:08 +02:00
|
|
|
/* We can't really delete the group, since we are in it. But
|
|
|
|
|
* let's trim it. */
|
|
|
|
|
if (delete && m->cgroup_root)
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
(void) cg_trim(SYSTEMD_CGROUP_CONTROLLER, m->cgroup_root, false);
|
|
|
|
|
|
2017-09-26 22:43:08 +02:00
|
|
|
m->cgroup_empty_event_source = sd_event_source_unref(m->cgroup_empty_event_source);
|
|
|
|
|
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
m->cgroup_inotify_wd_unit = hashmap_free(m->cgroup_inotify_wd_unit);
|
|
|
|
|
|
|
|
|
|
m->cgroup_inotify_event_source = sd_event_source_unref(m->cgroup_inotify_event_source);
|
|
|
|
|
m->cgroup_inotify_fd = safe_close(m->cgroup_inotify_fd);
|
2010-03-31 16:29:55 +02:00
|
|
|
|
2014-03-18 19:22:43 +01:00
|
|
|
m->pin_cgroupfs_fd = safe_close(m->pin_cgroupfs_fd);
|
2010-07-11 00:50:49 +02:00
|
|
|
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
m->cgroup_root = mfree(m->cgroup_root);
|
2010-03-31 16:29:55 +02:00
|
|
|
}
|
|
|
|
|
|
2013-06-27 04:14:27 +02:00
|
|
|
Unit* manager_get_unit_by_cgroup(Manager *m, const char *cgroup) {
|
2012-02-03 05:25:31 +01:00
|
|
|
char *p;
|
2013-06-27 04:14:27 +02:00
|
|
|
Unit *u;
|
2012-02-03 05:25:31 +01:00
|
|
|
|
|
|
|
|
assert(m);
|
|
|
|
|
assert(cgroup);
|
|
|
|
|
|
2013-06-27 04:14:27 +02:00
|
|
|
u = hashmap_get(m->cgroup_unit, cgroup);
|
|
|
|
|
if (u)
|
|
|
|
|
return u;
|
2012-02-03 05:25:31 +01:00
|
|
|
|
2013-03-22 06:01:04 +01:00
|
|
|
p = strdupa(cgroup);
|
2012-02-03 05:25:31 +01:00
|
|
|
for (;;) {
|
|
|
|
|
char *e;
|
|
|
|
|
|
|
|
|
|
e = strrchr(p, '/');
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
if (!e || e == p)
|
|
|
|
|
return hashmap_get(m->cgroup_unit, SPECIAL_ROOT_SLICE);
|
2012-02-03 05:25:31 +01:00
|
|
|
|
|
|
|
|
*e = 0;
|
|
|
|
|
|
2013-06-27 04:14:27 +02:00
|
|
|
u = hashmap_get(m->cgroup_unit, p);
|
|
|
|
|
if (u)
|
|
|
|
|
return u;
|
2012-02-03 05:25:31 +01:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2015-09-03 14:57:44 +02:00
|
|
|
Unit *manager_get_unit_by_pid_cgroup(Manager *m, pid_t pid) {
|
2013-06-27 04:14:27 +02:00
|
|
|
_cleanup_free_ char *cgroup = NULL;
|
2010-03-31 16:29:55 +02:00
|
|
|
|
2010-06-16 05:10:31 +02:00
|
|
|
assert(m);
|
|
|
|
|
|
core: rework how we track which PIDs to watch for a unit
Previously, we'd maintain two hashmaps keyed by PIDs, pointing to Unit
interested in SIGCHLD events for them. This scheme allowed a specific
PID to be watched by exactly 0, 1 or 2 units.
With this rework this is replaced by a single hashmap which is primarily
keyed by the PID and points to a Unit interested in it. However, it
optionally also keyed by the negated PID, in which case it points to a
NULL terminated array of additional Unit objects also interested. This
scheme means arbitrary numbers of Units may now watch the same PID.
Runtime and memory behaviour should not be impact by this change, as for
the common case (i.e. each PID only watched by a single unit) behaviour
stays the same, but for the uncommon case (a PID watched by more than
one unit) we only pay with a single additional memory allocation for the
array.
Why this all? Primarily, because allowing exactly two units to watch a
specific PID is not sufficient for some niche cases, as processes can
belong to more than one unit these days:
1. sd_notify() with MAINPID= can be used to attach a process from a
different cgroup to multiple units.
2. Similar, the PIDFile= setting in unit files can be used for similar
setups,
3. By creating a scope unit a main process of a service may join a
different unit, too.
4. On cgroupsv1 we frequently end up watching all processes remaining in
a scope, and if a process opens lots of scopes one after the other it
might thus end up being watch by many of them.
This patch hence removes the 2-unit-per-PID limit. It also makes a
couple of other changes, some of them quite relevant:
- manager_get_unit_by_pid() (and the bus call wrapping it) when there's
ambiguity will prefer returning the Unit the process belongs to based on
cgroup membership, and only check the watch-pids hashmap if that
fails. This change in logic is probably more in line with what people
expect and makes things more stable as each process can belong to
exactly one cgroup only.
- Every SIGCHLD event is now dispatched to all units interested in its
PID. Previously, there was some magic conditionalization: the SIGCHLD
would only be dispatched to the unit if it was only interested in a
single PID only, or the PID belonged to the control or main PID or we
didn't dispatch a signle SIGCHLD to the unit in the current event loop
iteration yet. These rules were quite arbitrary and also redundant as
the the per-unit handlers would filter the PIDs anyway a second time.
With this change we'll hence relax the rules: all we do now is
dispatch every SIGCHLD event exactly once to each unit interested in
it, and it's up to the unit to then use or ignore this. We use a
generation counter in the unit to ensure that we only invoke the unit
handler once for each event, protecting us from confusion if a unit is
both associated with a specific PID through cgroup membership and
through the "watch_pids" logic. It also protects us from being
confused if the "watch_pids" hashmap is altered while we are
dispatching to it (which is a very likely case).
- sd_notify() message dispatching has been reworked to be very similar
to SIGCHLD handling now. A generation counter is used for dispatching
as well.
This also adds a new test that validates that "watch_pid" registration
and unregstration works correctly.
2018-01-12 13:41:05 +01:00
|
|
|
if (!pid_is_valid(pid))
|
2015-09-03 14:57:44 +02:00
|
|
|
return NULL;
|
|
|
|
|
|
core: rework how we track which PIDs to watch for a unit
Previously, we'd maintain two hashmaps keyed by PIDs, pointing to Unit
interested in SIGCHLD events for them. This scheme allowed a specific
PID to be watched by exactly 0, 1 or 2 units.
With this rework this is replaced by a single hashmap which is primarily
keyed by the PID and points to a Unit interested in it. However, it
optionally also keyed by the negated PID, in which case it points to a
NULL terminated array of additional Unit objects also interested. This
scheme means arbitrary numbers of Units may now watch the same PID.
Runtime and memory behaviour should not be impact by this change, as for
the common case (i.e. each PID only watched by a single unit) behaviour
stays the same, but for the uncommon case (a PID watched by more than
one unit) we only pay with a single additional memory allocation for the
array.
Why this all? Primarily, because allowing exactly two units to watch a
specific PID is not sufficient for some niche cases, as processes can
belong to more than one unit these days:
1. sd_notify() with MAINPID= can be used to attach a process from a
different cgroup to multiple units.
2. Similar, the PIDFile= setting in unit files can be used for similar
setups,
3. By creating a scope unit a main process of a service may join a
different unit, too.
4. On cgroupsv1 we frequently end up watching all processes remaining in
a scope, and if a process opens lots of scopes one after the other it
might thus end up being watch by many of them.
This patch hence removes the 2-unit-per-PID limit. It also makes a
couple of other changes, some of them quite relevant:
- manager_get_unit_by_pid() (and the bus call wrapping it) when there's
ambiguity will prefer returning the Unit the process belongs to based on
cgroup membership, and only check the watch-pids hashmap if that
fails. This change in logic is probably more in line with what people
expect and makes things more stable as each process can belong to
exactly one cgroup only.
- Every SIGCHLD event is now dispatched to all units interested in its
PID. Previously, there was some magic conditionalization: the SIGCHLD
would only be dispatched to the unit if it was only interested in a
single PID only, or the PID belonged to the control or main PID or we
didn't dispatch a signle SIGCHLD to the unit in the current event loop
iteration yet. These rules were quite arbitrary and also redundant as
the the per-unit handlers would filter the PIDs anyway a second time.
With this change we'll hence relax the rules: all we do now is
dispatch every SIGCHLD event exactly once to each unit interested in
it, and it's up to the unit to then use or ignore this. We use a
generation counter in the unit to ensure that we only invoke the unit
handler once for each event, protecting us from confusion if a unit is
both associated with a specific PID through cgroup membership and
through the "watch_pids" logic. It also protects us from being
confused if the "watch_pids" hashmap is altered while we are
dispatching to it (which is a very likely case).
- sd_notify() message dispatching has been reworked to be very similar
to SIGCHLD handling now. A generation counter is used for dispatching
as well.
This also adds a new test that validates that "watch_pid" registration
and unregstration works correctly.
2018-01-12 13:41:05 +01:00
|
|
|
if (cg_pid_get_path(SYSTEMD_CGROUP_CONTROLLER, pid, &cgroup) < 0)
|
2015-09-03 14:57:44 +02:00
|
|
|
return NULL;
|
|
|
|
|
|
|
|
|
|
return manager_get_unit_by_cgroup(m, cgroup);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
Unit *manager_get_unit_by_pid(Manager *m, pid_t pid) {
|
core: rework how we track which PIDs to watch for a unit
Previously, we'd maintain two hashmaps keyed by PIDs, pointing to Unit
interested in SIGCHLD events for them. This scheme allowed a specific
PID to be watched by exactly 0, 1 or 2 units.
With this rework this is replaced by a single hashmap which is primarily
keyed by the PID and points to a Unit interested in it. However, it
optionally also keyed by the negated PID, in which case it points to a
NULL terminated array of additional Unit objects also interested. This
scheme means arbitrary numbers of Units may now watch the same PID.
Runtime and memory behaviour should not be impact by this change, as for
the common case (i.e. each PID only watched by a single unit) behaviour
stays the same, but for the uncommon case (a PID watched by more than
one unit) we only pay with a single additional memory allocation for the
array.
Why this all? Primarily, because allowing exactly two units to watch a
specific PID is not sufficient for some niche cases, as processes can
belong to more than one unit these days:
1. sd_notify() with MAINPID= can be used to attach a process from a
different cgroup to multiple units.
2. Similar, the PIDFile= setting in unit files can be used for similar
setups,
3. By creating a scope unit a main process of a service may join a
different unit, too.
4. On cgroupsv1 we frequently end up watching all processes remaining in
a scope, and if a process opens lots of scopes one after the other it
might thus end up being watch by many of them.
This patch hence removes the 2-unit-per-PID limit. It also makes a
couple of other changes, some of them quite relevant:
- manager_get_unit_by_pid() (and the bus call wrapping it) when there's
ambiguity will prefer returning the Unit the process belongs to based on
cgroup membership, and only check the watch-pids hashmap if that
fails. This change in logic is probably more in line with what people
expect and makes things more stable as each process can belong to
exactly one cgroup only.
- Every SIGCHLD event is now dispatched to all units interested in its
PID. Previously, there was some magic conditionalization: the SIGCHLD
would only be dispatched to the unit if it was only interested in a
single PID only, or the PID belonged to the control or main PID or we
didn't dispatch a signle SIGCHLD to the unit in the current event loop
iteration yet. These rules were quite arbitrary and also redundant as
the the per-unit handlers would filter the PIDs anyway a second time.
With this change we'll hence relax the rules: all we do now is
dispatch every SIGCHLD event exactly once to each unit interested in
it, and it's up to the unit to then use or ignore this. We use a
generation counter in the unit to ensure that we only invoke the unit
handler once for each event, protecting us from confusion if a unit is
both associated with a specific PID through cgroup membership and
through the "watch_pids" logic. It also protects us from being
confused if the "watch_pids" hashmap is altered while we are
dispatching to it (which is a very likely case).
- sd_notify() message dispatching has been reworked to be very similar
to SIGCHLD handling now. A generation counter is used for dispatching
as well.
This also adds a new test that validates that "watch_pid" registration
and unregstration works correctly.
2018-01-12 13:41:05 +01:00
|
|
|
Unit *u, **array;
|
2015-09-03 14:57:44 +02:00
|
|
|
|
|
|
|
|
assert(m);
|
|
|
|
|
|
core: rework how we track which PIDs to watch for a unit
Previously, we'd maintain two hashmaps keyed by PIDs, pointing to Unit
interested in SIGCHLD events for them. This scheme allowed a specific
PID to be watched by exactly 0, 1 or 2 units.
With this rework this is replaced by a single hashmap which is primarily
keyed by the PID and points to a Unit interested in it. However, it
optionally also keyed by the negated PID, in which case it points to a
NULL terminated array of additional Unit objects also interested. This
scheme means arbitrary numbers of Units may now watch the same PID.
Runtime and memory behaviour should not be impact by this change, as for
the common case (i.e. each PID only watched by a single unit) behaviour
stays the same, but for the uncommon case (a PID watched by more than
one unit) we only pay with a single additional memory allocation for the
array.
Why this all? Primarily, because allowing exactly two units to watch a
specific PID is not sufficient for some niche cases, as processes can
belong to more than one unit these days:
1. sd_notify() with MAINPID= can be used to attach a process from a
different cgroup to multiple units.
2. Similar, the PIDFile= setting in unit files can be used for similar
setups,
3. By creating a scope unit a main process of a service may join a
different unit, too.
4. On cgroupsv1 we frequently end up watching all processes remaining in
a scope, and if a process opens lots of scopes one after the other it
might thus end up being watch by many of them.
This patch hence removes the 2-unit-per-PID limit. It also makes a
couple of other changes, some of them quite relevant:
- manager_get_unit_by_pid() (and the bus call wrapping it) when there's
ambiguity will prefer returning the Unit the process belongs to based on
cgroup membership, and only check the watch-pids hashmap if that
fails. This change in logic is probably more in line with what people
expect and makes things more stable as each process can belong to
exactly one cgroup only.
- Every SIGCHLD event is now dispatched to all units interested in its
PID. Previously, there was some magic conditionalization: the SIGCHLD
would only be dispatched to the unit if it was only interested in a
single PID only, or the PID belonged to the control or main PID or we
didn't dispatch a signle SIGCHLD to the unit in the current event loop
iteration yet. These rules were quite arbitrary and also redundant as
the the per-unit handlers would filter the PIDs anyway a second time.
With this change we'll hence relax the rules: all we do now is
dispatch every SIGCHLD event exactly once to each unit interested in
it, and it's up to the unit to then use or ignore this. We use a
generation counter in the unit to ensure that we only invoke the unit
handler once for each event, protecting us from confusion if a unit is
both associated with a specific PID through cgroup membership and
through the "watch_pids" logic. It also protects us from being
confused if the "watch_pids" hashmap is altered while we are
dispatching to it (which is a very likely case).
- sd_notify() message dispatching has been reworked to be very similar
to SIGCHLD handling now. A generation counter is used for dispatching
as well.
This also adds a new test that validates that "watch_pid" registration
and unregstration works correctly.
2018-01-12 13:41:05 +01:00
|
|
|
/* Note that a process might be owned by multiple units, we return only one here, which is good enough for most
|
|
|
|
|
* cases, though not strictly correct. We prefer the one reported by cgroup membership, as that's the most
|
|
|
|
|
* relevant one as children of the process will be assigned to that one, too, before all else. */
|
|
|
|
|
|
|
|
|
|
if (!pid_is_valid(pid))
|
2010-06-16 05:10:31 +02:00
|
|
|
return NULL;
|
|
|
|
|
|
2018-01-11 23:38:46 +01:00
|
|
|
if (pid == getpid_cached())
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
return hashmap_get(m->units, SPECIAL_INIT_SCOPE);
|
|
|
|
|
|
core: rework how we track which PIDs to watch for a unit
Previously, we'd maintain two hashmaps keyed by PIDs, pointing to Unit
interested in SIGCHLD events for them. This scheme allowed a specific
PID to be watched by exactly 0, 1 or 2 units.
With this rework this is replaced by a single hashmap which is primarily
keyed by the PID and points to a Unit interested in it. However, it
optionally also keyed by the negated PID, in which case it points to a
NULL terminated array of additional Unit objects also interested. This
scheme means arbitrary numbers of Units may now watch the same PID.
Runtime and memory behaviour should not be impact by this change, as for
the common case (i.e. each PID only watched by a single unit) behaviour
stays the same, but for the uncommon case (a PID watched by more than
one unit) we only pay with a single additional memory allocation for the
array.
Why this all? Primarily, because allowing exactly two units to watch a
specific PID is not sufficient for some niche cases, as processes can
belong to more than one unit these days:
1. sd_notify() with MAINPID= can be used to attach a process from a
different cgroup to multiple units.
2. Similar, the PIDFile= setting in unit files can be used for similar
setups,
3. By creating a scope unit a main process of a service may join a
different unit, too.
4. On cgroupsv1 we frequently end up watching all processes remaining in
a scope, and if a process opens lots of scopes one after the other it
might thus end up being watch by many of them.
This patch hence removes the 2-unit-per-PID limit. It also makes a
couple of other changes, some of them quite relevant:
- manager_get_unit_by_pid() (and the bus call wrapping it) when there's
ambiguity will prefer returning the Unit the process belongs to based on
cgroup membership, and only check the watch-pids hashmap if that
fails. This change in logic is probably more in line with what people
expect and makes things more stable as each process can belong to
exactly one cgroup only.
- Every SIGCHLD event is now dispatched to all units interested in its
PID. Previously, there was some magic conditionalization: the SIGCHLD
would only be dispatched to the unit if it was only interested in a
single PID only, or the PID belonged to the control or main PID or we
didn't dispatch a signle SIGCHLD to the unit in the current event loop
iteration yet. These rules were quite arbitrary and also redundant as
the the per-unit handlers would filter the PIDs anyway a second time.
With this change we'll hence relax the rules: all we do now is
dispatch every SIGCHLD event exactly once to each unit interested in
it, and it's up to the unit to then use or ignore this. We use a
generation counter in the unit to ensure that we only invoke the unit
handler once for each event, protecting us from confusion if a unit is
both associated with a specific PID through cgroup membership and
through the "watch_pids" logic. It also protects us from being
confused if the "watch_pids" hashmap is altered while we are
dispatching to it (which is a very likely case).
- sd_notify() message dispatching has been reworked to be very similar
to SIGCHLD handling now. A generation counter is used for dispatching
as well.
This also adds a new test that validates that "watch_pid" registration
and unregstration works correctly.
2018-01-12 13:41:05 +01:00
|
|
|
u = manager_get_unit_by_pid_cgroup(m, pid);
|
2015-09-01 18:47:46 +02:00
|
|
|
if (u)
|
|
|
|
|
return u;
|
|
|
|
|
|
core: rework how we track which PIDs to watch for a unit
Previously, we'd maintain two hashmaps keyed by PIDs, pointing to Unit
interested in SIGCHLD events for them. This scheme allowed a specific
PID to be watched by exactly 0, 1 or 2 units.
With this rework this is replaced by a single hashmap which is primarily
keyed by the PID and points to a Unit interested in it. However, it
optionally also keyed by the negated PID, in which case it points to a
NULL terminated array of additional Unit objects also interested. This
scheme means arbitrary numbers of Units may now watch the same PID.
Runtime and memory behaviour should not be impact by this change, as for
the common case (i.e. each PID only watched by a single unit) behaviour
stays the same, but for the uncommon case (a PID watched by more than
one unit) we only pay with a single additional memory allocation for the
array.
Why this all? Primarily, because allowing exactly two units to watch a
specific PID is not sufficient for some niche cases, as processes can
belong to more than one unit these days:
1. sd_notify() with MAINPID= can be used to attach a process from a
different cgroup to multiple units.
2. Similar, the PIDFile= setting in unit files can be used for similar
setups,
3. By creating a scope unit a main process of a service may join a
different unit, too.
4. On cgroupsv1 we frequently end up watching all processes remaining in
a scope, and if a process opens lots of scopes one after the other it
might thus end up being watch by many of them.
This patch hence removes the 2-unit-per-PID limit. It also makes a
couple of other changes, some of them quite relevant:
- manager_get_unit_by_pid() (and the bus call wrapping it) when there's
ambiguity will prefer returning the Unit the process belongs to based on
cgroup membership, and only check the watch-pids hashmap if that
fails. This change in logic is probably more in line with what people
expect and makes things more stable as each process can belong to
exactly one cgroup only.
- Every SIGCHLD event is now dispatched to all units interested in its
PID. Previously, there was some magic conditionalization: the SIGCHLD
would only be dispatched to the unit if it was only interested in a
single PID only, or the PID belonged to the control or main PID or we
didn't dispatch a signle SIGCHLD to the unit in the current event loop
iteration yet. These rules were quite arbitrary and also redundant as
the the per-unit handlers would filter the PIDs anyway a second time.
With this change we'll hence relax the rules: all we do now is
dispatch every SIGCHLD event exactly once to each unit interested in
it, and it's up to the unit to then use or ignore this. We use a
generation counter in the unit to ensure that we only invoke the unit
handler once for each event, protecting us from confusion if a unit is
both associated with a specific PID through cgroup membership and
through the "watch_pids" logic. It also protects us from being
confused if the "watch_pids" hashmap is altered while we are
dispatching to it (which is a very likely case).
- sd_notify() message dispatching has been reworked to be very similar
to SIGCHLD handling now. A generation counter is used for dispatching
as well.
This also adds a new test that validates that "watch_pid" registration
and unregstration works correctly.
2018-01-12 13:41:05 +01:00
|
|
|
u = hashmap_get(m->watch_pids, PID_TO_PTR(pid));
|
2015-09-01 18:47:46 +02:00
|
|
|
if (u)
|
|
|
|
|
return u;
|
|
|
|
|
|
core: rework how we track which PIDs to watch for a unit
Previously, we'd maintain two hashmaps keyed by PIDs, pointing to Unit
interested in SIGCHLD events for them. This scheme allowed a specific
PID to be watched by exactly 0, 1 or 2 units.
With this rework this is replaced by a single hashmap which is primarily
keyed by the PID and points to a Unit interested in it. However, it
optionally also keyed by the negated PID, in which case it points to a
NULL terminated array of additional Unit objects also interested. This
scheme means arbitrary numbers of Units may now watch the same PID.
Runtime and memory behaviour should not be impact by this change, as for
the common case (i.e. each PID only watched by a single unit) behaviour
stays the same, but for the uncommon case (a PID watched by more than
one unit) we only pay with a single additional memory allocation for the
array.
Why this all? Primarily, because allowing exactly two units to watch a
specific PID is not sufficient for some niche cases, as processes can
belong to more than one unit these days:
1. sd_notify() with MAINPID= can be used to attach a process from a
different cgroup to multiple units.
2. Similar, the PIDFile= setting in unit files can be used for similar
setups,
3. By creating a scope unit a main process of a service may join a
different unit, too.
4. On cgroupsv1 we frequently end up watching all processes remaining in
a scope, and if a process opens lots of scopes one after the other it
might thus end up being watch by many of them.
This patch hence removes the 2-unit-per-PID limit. It also makes a
couple of other changes, some of them quite relevant:
- manager_get_unit_by_pid() (and the bus call wrapping it) when there's
ambiguity will prefer returning the Unit the process belongs to based on
cgroup membership, and only check the watch-pids hashmap if that
fails. This change in logic is probably more in line with what people
expect and makes things more stable as each process can belong to
exactly one cgroup only.
- Every SIGCHLD event is now dispatched to all units interested in its
PID. Previously, there was some magic conditionalization: the SIGCHLD
would only be dispatched to the unit if it was only interested in a
single PID only, or the PID belonged to the control or main PID or we
didn't dispatch a signle SIGCHLD to the unit in the current event loop
iteration yet. These rules were quite arbitrary and also redundant as
the the per-unit handlers would filter the PIDs anyway a second time.
With this change we'll hence relax the rules: all we do now is
dispatch every SIGCHLD event exactly once to each unit interested in
it, and it's up to the unit to then use or ignore this. We use a
generation counter in the unit to ensure that we only invoke the unit
handler once for each event, protecting us from confusion if a unit is
both associated with a specific PID through cgroup membership and
through the "watch_pids" logic. It also protects us from being
confused if the "watch_pids" hashmap is altered while we are
dispatching to it (which is a very likely case).
- sd_notify() message dispatching has been reworked to be very similar
to SIGCHLD handling now. A generation counter is used for dispatching
as well.
This also adds a new test that validates that "watch_pid" registration
and unregstration works correctly.
2018-01-12 13:41:05 +01:00
|
|
|
array = hashmap_get(m->watch_pids, PID_TO_PTR(-pid));
|
|
|
|
|
if (array)
|
|
|
|
|
return array[0];
|
|
|
|
|
|
|
|
|
|
return NULL;
|
2010-04-18 03:04:54 +02:00
|
|
|
}
|
2010-10-27 03:16:49 +02:00
|
|
|
|
2013-06-27 04:14:27 +02:00
|
|
|
int manager_notify_cgroup_empty(Manager *m, const char *cgroup) {
|
|
|
|
|
Unit *u;
|
2010-10-27 03:16:49 +02:00
|
|
|
|
2013-06-27 04:14:27 +02:00
|
|
|
assert(m);
|
|
|
|
|
assert(cgroup);
|
2010-10-27 03:16:49 +02:00
|
|
|
|
2017-09-26 22:43:08 +02:00
|
|
|
/* Called on the legacy hierarchy whenever we get an explicit cgroup notification from the cgroup agent process
|
|
|
|
|
* or from the --system instance */
|
|
|
|
|
|
2016-05-04 20:43:23 +02:00
|
|
|
log_debug("Got cgroup empty notification for: %s", cgroup);
|
|
|
|
|
|
2013-06-27 04:14:27 +02:00
|
|
|
u = manager_get_unit_by_cgroup(m, cgroup);
|
2015-03-01 16:24:19 +01:00
|
|
|
if (!u)
|
|
|
|
|
return 0;
|
2013-06-30 23:56:11 +02:00
|
|
|
|
2017-09-26 22:43:08 +02:00
|
|
|
unit_add_to_cgroup_empty_queue(u);
|
|
|
|
|
return 1;
|
2015-03-01 16:24:19 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int unit_get_memory_current(Unit *u, uint64_t *ret) {
|
|
|
|
|
_cleanup_free_ char *v = NULL;
|
|
|
|
|
int r;
|
|
|
|
|
|
|
|
|
|
assert(u);
|
|
|
|
|
assert(ret);
|
|
|
|
|
|
2017-09-27 17:54:06 +02:00
|
|
|
if (!UNIT_CGROUP_BOOL(u, memory_accounting))
|
2017-09-07 16:31:01 +02:00
|
|
|
return -ENODATA;
|
|
|
|
|
|
2015-03-01 16:24:19 +01:00
|
|
|
if (!u->cgroup_path)
|
|
|
|
|
return -ENODATA;
|
|
|
|
|
|
2018-02-09 19:05:59 +01:00
|
|
|
/* The root cgroup doesn't expose this information, let's get it from /proc instead */
|
|
|
|
|
if (unit_has_root_cgroup(u))
|
|
|
|
|
return procfs_memory_get_current(ret);
|
|
|
|
|
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
if ((u->cgroup_realized_mask & CGROUP_MASK_MEMORY) == 0)
|
2015-03-01 16:24:19 +01:00
|
|
|
return -ENODATA;
|
|
|
|
|
|
2017-02-24 17:52:58 +01:00
|
|
|
r = cg_all_unified();
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return r;
|
|
|
|
|
if (r > 0)
|
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
|
|
|
r = cg_get_attribute("memory", u->cgroup_path, "memory.current", &v);
|
2017-02-24 17:52:58 +01:00
|
|
|
else
|
|
|
|
|
r = cg_get_attribute("memory", u->cgroup_path, "memory.usage_in_bytes", &v);
|
2015-03-01 16:24:19 +01:00
|
|
|
if (r == -ENOENT)
|
|
|
|
|
return -ENODATA;
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return r;
|
|
|
|
|
|
|
|
|
|
return safe_atou64(v, ret);
|
|
|
|
|
}
|
|
|
|
|
|
2015-09-10 12:32:16 +02:00
|
|
|
int unit_get_tasks_current(Unit *u, uint64_t *ret) {
|
|
|
|
|
_cleanup_free_ char *v = NULL;
|
|
|
|
|
int r;
|
|
|
|
|
|
|
|
|
|
assert(u);
|
|
|
|
|
assert(ret);
|
|
|
|
|
|
2017-09-27 17:54:06 +02:00
|
|
|
if (!UNIT_CGROUP_BOOL(u, tasks_accounting))
|
2017-09-07 16:31:01 +02:00
|
|
|
return -ENODATA;
|
|
|
|
|
|
2015-09-10 12:32:16 +02:00
|
|
|
if (!u->cgroup_path)
|
|
|
|
|
return -ENODATA;
|
|
|
|
|
|
2018-01-17 15:39:39 +01:00
|
|
|
/* The root cgroup doesn't expose this information, let's get it from /proc instead */
|
|
|
|
|
if (unit_has_root_cgroup(u))
|
|
|
|
|
return procfs_tasks_get_current(ret);
|
|
|
|
|
|
2018-02-09 19:05:59 +01:00
|
|
|
if ((u->cgroup_realized_mask & CGROUP_MASK_PIDS) == 0)
|
|
|
|
|
return -ENODATA;
|
|
|
|
|
|
2015-09-10 12:32:16 +02:00
|
|
|
r = cg_get_attribute("pids", u->cgroup_path, "pids.current", &v);
|
|
|
|
|
if (r == -ENOENT)
|
|
|
|
|
return -ENODATA;
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return r;
|
|
|
|
|
|
|
|
|
|
return safe_atou64(v, ret);
|
|
|
|
|
}
|
|
|
|
|
|
2015-03-01 16:24:19 +01:00
|
|
|
static int unit_get_cpu_usage_raw(Unit *u, nsec_t *ret) {
|
|
|
|
|
_cleanup_free_ char *v = NULL;
|
|
|
|
|
uint64_t ns;
|
|
|
|
|
int r;
|
|
|
|
|
|
|
|
|
|
assert(u);
|
|
|
|
|
assert(ret);
|
|
|
|
|
|
|
|
|
|
if (!u->cgroup_path)
|
|
|
|
|
return -ENODATA;
|
|
|
|
|
|
2018-02-09 19:05:59 +01:00
|
|
|
/* The root cgroup doesn't expose this information, let's get it from /proc instead */
|
|
|
|
|
if (unit_has_root_cgroup(u))
|
|
|
|
|
return procfs_cpu_get_usage(ret);
|
|
|
|
|
|
2017-02-24 17:52:58 +01:00
|
|
|
r = cg_all_unified();
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return r;
|
|
|
|
|
if (r > 0) {
|
2016-08-07 15:45:39 +02:00
|
|
|
_cleanup_free_ char *val = NULL;
|
|
|
|
|
uint64_t us;
|
2015-03-01 16:24:19 +01:00
|
|
|
|
2016-08-07 15:45:39 +02:00
|
|
|
if ((u->cgroup_realized_mask & CGROUP_MASK_CPU) == 0)
|
|
|
|
|
return -ENODATA;
|
2015-03-01 16:24:19 +01:00
|
|
|
|
2018-02-09 18:35:52 +01:00
|
|
|
r = cg_get_keyed_attribute("cpu", u->cgroup_path, "cpu.stat", STRV_MAKE("usage_usec"), &val);
|
2016-08-07 15:45:39 +02:00
|
|
|
if (r < 0)
|
|
|
|
|
return r;
|
2018-02-09 18:35:52 +01:00
|
|
|
if (IN_SET(r, -ENOENT, -ENXIO))
|
|
|
|
|
return -ENODATA;
|
2016-08-07 15:45:39 +02:00
|
|
|
|
|
|
|
|
r = safe_atou64(val, &us);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return r;
|
|
|
|
|
|
|
|
|
|
ns = us * NSEC_PER_USEC;
|
|
|
|
|
} else {
|
|
|
|
|
if ((u->cgroup_realized_mask & CGROUP_MASK_CPUACCT) == 0)
|
|
|
|
|
return -ENODATA;
|
|
|
|
|
|
|
|
|
|
r = cg_get_attribute("cpuacct", u->cgroup_path, "cpuacct.usage", &v);
|
|
|
|
|
if (r == -ENOENT)
|
|
|
|
|
return -ENODATA;
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return r;
|
|
|
|
|
|
|
|
|
|
r = safe_atou64(v, &ns);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return r;
|
|
|
|
|
}
|
2015-03-01 16:24:19 +01:00
|
|
|
|
|
|
|
|
*ret = ns;
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int unit_get_cpu_usage(Unit *u, nsec_t *ret) {
|
|
|
|
|
nsec_t ns;
|
|
|
|
|
int r;
|
|
|
|
|
|
2016-08-18 20:58:10 +02:00
|
|
|
assert(u);
|
|
|
|
|
|
|
|
|
|
/* Retrieve the current CPU usage counter. This will subtract the CPU counter taken when the unit was
|
|
|
|
|
* started. If the cgroup has been removed already, returns the last cached value. To cache the value, simply
|
|
|
|
|
* call this function with a NULL return value. */
|
|
|
|
|
|
2017-09-27 17:54:06 +02:00
|
|
|
if (!UNIT_CGROUP_BOOL(u, cpu_accounting))
|
2017-09-07 16:31:01 +02:00
|
|
|
return -ENODATA;
|
|
|
|
|
|
2015-03-01 16:24:19 +01:00
|
|
|
r = unit_get_cpu_usage_raw(u, &ns);
|
2016-08-18 20:58:10 +02:00
|
|
|
if (r == -ENODATA && u->cpu_usage_last != NSEC_INFINITY) {
|
|
|
|
|
/* If we can't get the CPU usage anymore (because the cgroup was already removed, for example), use our
|
|
|
|
|
* cached value. */
|
|
|
|
|
|
|
|
|
|
if (ret)
|
|
|
|
|
*ret = u->cpu_usage_last;
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
2015-03-01 16:24:19 +01:00
|
|
|
if (r < 0)
|
|
|
|
|
return r;
|
|
|
|
|
|
2016-08-07 15:45:39 +02:00
|
|
|
if (ns > u->cpu_usage_base)
|
|
|
|
|
ns -= u->cpu_usage_base;
|
2015-03-01 16:24:19 +01:00
|
|
|
else
|
|
|
|
|
ns = 0;
|
|
|
|
|
|
2016-08-18 20:58:10 +02:00
|
|
|
u->cpu_usage_last = ns;
|
|
|
|
|
if (ret)
|
|
|
|
|
*ret = ns;
|
|
|
|
|
|
2015-03-01 16:24:19 +01:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2017-09-05 19:27:53 +02:00
|
|
|
int unit_get_ip_accounting(
|
|
|
|
|
Unit *u,
|
|
|
|
|
CGroupIPAccountingMetric metric,
|
|
|
|
|
uint64_t *ret) {
|
|
|
|
|
|
2017-09-07 14:07:13 +02:00
|
|
|
uint64_t value;
|
2017-09-05 19:27:53 +02:00
|
|
|
int fd, r;
|
|
|
|
|
|
|
|
|
|
assert(u);
|
|
|
|
|
assert(metric >= 0);
|
|
|
|
|
assert(metric < _CGROUP_IP_ACCOUNTING_METRIC_MAX);
|
|
|
|
|
assert(ret);
|
|
|
|
|
|
2017-09-27 17:54:06 +02:00
|
|
|
if (!UNIT_CGROUP_BOOL(u, ip_accounting))
|
2017-09-07 16:31:01 +02:00
|
|
|
return -ENODATA;
|
|
|
|
|
|
2017-09-05 19:27:53 +02:00
|
|
|
fd = IN_SET(metric, CGROUP_IP_INGRESS_BYTES, CGROUP_IP_INGRESS_PACKETS) ?
|
|
|
|
|
u->ip_accounting_ingress_map_fd :
|
|
|
|
|
u->ip_accounting_egress_map_fd;
|
|
|
|
|
if (fd < 0)
|
|
|
|
|
return -ENODATA;
|
|
|
|
|
|
|
|
|
|
if (IN_SET(metric, CGROUP_IP_INGRESS_BYTES, CGROUP_IP_EGRESS_BYTES))
|
2017-09-07 14:07:13 +02:00
|
|
|
r = bpf_firewall_read_accounting(fd, &value, NULL);
|
2017-09-05 19:27:53 +02:00
|
|
|
else
|
2017-09-07 14:07:13 +02:00
|
|
|
r = bpf_firewall_read_accounting(fd, NULL, &value);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
return r;
|
|
|
|
|
|
|
|
|
|
/* Add in additional metrics from a previous runtime. Note that when reexecing/reloading the daemon we compile
|
|
|
|
|
* all BPF programs and maps anew, but serialize the old counters. When deserializing we store them in the
|
|
|
|
|
* ip_accounting_extra[] field, and add them in here transparently. */
|
|
|
|
|
|
|
|
|
|
*ret = value + u->ip_accounting_extra[metric];
|
2017-09-05 19:27:53 +02:00
|
|
|
|
|
|
|
|
return r;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int unit_reset_cpu_accounting(Unit *u) {
|
2015-03-01 16:24:19 +01:00
|
|
|
nsec_t ns;
|
|
|
|
|
int r;
|
|
|
|
|
|
|
|
|
|
assert(u);
|
|
|
|
|
|
2016-08-18 20:58:10 +02:00
|
|
|
u->cpu_usage_last = NSEC_INFINITY;
|
|
|
|
|
|
2015-03-01 16:24:19 +01:00
|
|
|
r = unit_get_cpu_usage_raw(u, &ns);
|
|
|
|
|
if (r < 0) {
|
2016-08-07 15:45:39 +02:00
|
|
|
u->cpu_usage_base = 0;
|
2015-03-01 16:24:19 +01:00
|
|
|
return r;
|
2013-06-30 23:56:11 +02:00
|
|
|
}
|
2011-02-13 18:52:02 +01:00
|
|
|
|
2016-08-07 15:45:39 +02:00
|
|
|
u->cpu_usage_base = ns;
|
2013-06-27 04:14:27 +02:00
|
|
|
return 0;
|
2010-10-27 03:16:49 +02:00
|
|
|
}
|
|
|
|
|
|
2017-09-05 19:27:53 +02:00
|
|
|
int unit_reset_ip_accounting(Unit *u) {
|
|
|
|
|
int r = 0, q = 0;
|
|
|
|
|
|
|
|
|
|
assert(u);
|
|
|
|
|
|
|
|
|
|
if (u->ip_accounting_ingress_map_fd >= 0)
|
|
|
|
|
r = bpf_firewall_reset_accounting(u->ip_accounting_ingress_map_fd);
|
|
|
|
|
|
|
|
|
|
if (u->ip_accounting_egress_map_fd >= 0)
|
|
|
|
|
q = bpf_firewall_reset_accounting(u->ip_accounting_egress_map_fd);
|
|
|
|
|
|
2017-09-07 14:07:13 +02:00
|
|
|
zero(u->ip_accounting_extra);
|
|
|
|
|
|
2017-09-05 19:27:53 +02:00
|
|
|
return r < 0 ? r : q;
|
|
|
|
|
}
|
|
|
|
|
|
2015-09-11 18:21:53 +02:00
|
|
|
void unit_invalidate_cgroup(Unit *u, CGroupMask m) {
|
|
|
|
|
assert(u);
|
|
|
|
|
|
|
|
|
|
if (!UNIT_HAS_CGROUP_CONTEXT(u))
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
if (m == 0)
|
|
|
|
|
return;
|
|
|
|
|
|
2016-05-19 02:35:12 +02:00
|
|
|
/* always invalidate compat pairs together */
|
|
|
|
|
if (m & (CGROUP_MASK_IO | CGROUP_MASK_BLKIO))
|
|
|
|
|
m |= CGROUP_MASK_IO | CGROUP_MASK_BLKIO;
|
|
|
|
|
|
2017-09-05 11:17:01 +02:00
|
|
|
if (m & (CGROUP_MASK_CPU | CGROUP_MASK_CPUACCT))
|
|
|
|
|
m |= CGROUP_MASK_CPU | CGROUP_MASK_CPUACCT;
|
|
|
|
|
|
2017-11-24 19:51:36 +01:00
|
|
|
if ((u->cgroup_realized_mask & m) == 0) /* NOP? */
|
2015-09-11 18:21:53 +02:00
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
u->cgroup_realized_mask &= ~m;
|
2017-09-26 22:15:02 +02:00
|
|
|
unit_add_to_cgroup_realize_queue(u);
|
2015-09-11 18:21:53 +02:00
|
|
|
}
|
|
|
|
|
|
2017-09-05 19:27:53 +02:00
|
|
|
void unit_invalidate_cgroup_bpf(Unit *u) {
|
|
|
|
|
assert(u);
|
|
|
|
|
|
|
|
|
|
if (!UNIT_HAS_CGROUP_CONTEXT(u))
|
|
|
|
|
return;
|
|
|
|
|
|
2017-11-24 19:51:36 +01:00
|
|
|
if (u->cgroup_bpf_state == UNIT_CGROUP_BPF_INVALIDATED) /* NOP? */
|
2017-09-05 19:27:53 +02:00
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
u->cgroup_bpf_state = UNIT_CGROUP_BPF_INVALIDATED;
|
2017-09-26 22:15:02 +02:00
|
|
|
unit_add_to_cgroup_realize_queue(u);
|
2017-09-05 19:27:53 +02:00
|
|
|
|
|
|
|
|
/* If we are a slice unit, we also need to put compile a new BPF program for all our children, as the IP access
|
|
|
|
|
* list of our children includes our own. */
|
|
|
|
|
if (u->type == UNIT_SLICE) {
|
|
|
|
|
Unit *member;
|
|
|
|
|
Iterator i;
|
core: track why unit dependencies came to be
This replaces the dependencies Set* objects by Hashmap* objects, where
the key is the depending Unit, and the value is a bitmask encoding why
the specific dependency was created.
The bitmask contains a number of different, defined bits, that indicate
why dependencies exist, for example whether they are created due to
explicitly configured deps in files, by udev rules or implicitly.
Note that memory usage is not increased by this change, even though we
store more information, as we manage to encode the bit mask inside the
value pointer each Hashmap entry contains.
Why this all? When we know how a dependency came to be, we can update
dependencies correctly when a configuration source changes but others
are left unaltered. Specifically:
1. We can fix UDEV_WANTS dependency generation: so far we kept adding
dependencies configured that way, but if a device lost such a
dependency we couldn't them again as there was no scheme for removing
of dependencies in place.
2. We can implement "pin-pointed" reload of unit files. If we know what
dependencies were created as result of configuration in a unit file,
then we know what to flush out when we want to reload it.
3. It's useful for debugging: "systemd-analyze dump" now shows
this information, helping substantially with understanding how
systemd's dependency tree came to be the way it came to be.
2017-10-25 20:46:01 +02:00
|
|
|
void *v;
|
2017-09-05 19:27:53 +02:00
|
|
|
|
core: track why unit dependencies came to be
This replaces the dependencies Set* objects by Hashmap* objects, where
the key is the depending Unit, and the value is a bitmask encoding why
the specific dependency was created.
The bitmask contains a number of different, defined bits, that indicate
why dependencies exist, for example whether they are created due to
explicitly configured deps in files, by udev rules or implicitly.
Note that memory usage is not increased by this change, even though we
store more information, as we manage to encode the bit mask inside the
value pointer each Hashmap entry contains.
Why this all? When we know how a dependency came to be, we can update
dependencies correctly when a configuration source changes but others
are left unaltered. Specifically:
1. We can fix UDEV_WANTS dependency generation: so far we kept adding
dependencies configured that way, but if a device lost such a
dependency we couldn't them again as there was no scheme for removing
of dependencies in place.
2. We can implement "pin-pointed" reload of unit files. If we know what
dependencies were created as result of configuration in a unit file,
then we know what to flush out when we want to reload it.
3. It's useful for debugging: "systemd-analyze dump" now shows
this information, helping substantially with understanding how
systemd's dependency tree came to be the way it came to be.
2017-10-25 20:46:01 +02:00
|
|
|
HASHMAP_FOREACH_KEY(v, member, u->dependencies[UNIT_BEFORE], i) {
|
2017-09-05 19:27:53 +02:00
|
|
|
if (member == u)
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
if (UNIT_DEREF(member->slice) != u)
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
unit_invalidate_cgroup_bpf(member);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2018-02-06 11:57:35 +01:00
|
|
|
bool unit_cgroup_delegate(Unit *u) {
|
|
|
|
|
CGroupContext *c;
|
|
|
|
|
|
|
|
|
|
assert(u);
|
|
|
|
|
|
|
|
|
|
if (!UNIT_VTABLE(u)->can_delegate)
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
c = unit_get_cgroup_context(u);
|
|
|
|
|
if (!c)
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
return c->delegate;
|
|
|
|
|
}
|
|
|
|
|
|
2015-09-11 18:21:53 +02:00
|
|
|
void manager_invalidate_startup_units(Manager *m) {
|
|
|
|
|
Iterator i;
|
|
|
|
|
Unit *u;
|
|
|
|
|
|
|
|
|
|
assert(m);
|
|
|
|
|
|
|
|
|
|
SET_FOREACH(u, m->startup_units, i)
|
2016-05-05 22:42:55 +02:00
|
|
|
unit_invalidate_cgroup(u, CGROUP_MASK_CPU|CGROUP_MASK_IO|CGROUP_MASK_BLKIO);
|
2015-09-11 18:21:53 +02:00
|
|
|
}
|
|
|
|
|
|
2013-06-27 04:14:27 +02:00
|
|
|
static const char* const cgroup_device_policy_table[_CGROUP_DEVICE_POLICY_MAX] = {
|
|
|
|
|
[CGROUP_AUTO] = "auto",
|
|
|
|
|
[CGROUP_CLOSED] = "closed",
|
|
|
|
|
[CGROUP_STRICT] = "strict",
|
|
|
|
|
};
|
2010-10-27 03:16:49 +02:00
|
|
|
|
2013-06-27 04:14:27 +02:00
|
|
|
DEFINE_STRING_TABLE_LOOKUP(cgroup_device_policy, CGroupDevicePolicy);
|