5da38d0768
Currently, systemd uses either the legacy hierarchies or the unified hierarchy.
When the legacy hierarchies are used, systemd uses a named legacy hierarchy
mounted on /sys/fs/cgroup/systemd without any kernel controllers for process
management. Due to the shortcomings in the legacy hierarchy, this involves a
lot of workarounds and complexities.
Because the unified hierarchy can be mounted and used in parallel to legacy
hierarchies, there's no reason for systemd to use a legacy hierarchy for
management even if the kernel resource controllers need to be mounted on legacy
hierarchies. It can simply mount the unified hierarchy under
/sys/fs/cgroup/systemd and use it without affecting other legacy hierarchies.
This disables a significant amount of fragile workaround logics and would allow
using features which depend on the unified hierarchy membership such bpf cgroup
v2 membership test. In time, this would also allow deleting the said
complexities.
This patch updates systemd so that it prefers the unified hierarchy for the
systemd cgroup controller hierarchy when legacy hierarchies are used for kernel
resource controllers.
* cg_unified(@controller) is introduced which tests whether the specific
controller in on unified hierarchy and used to choose the unified hierarchy
code path for process and service management when available. Kernel
controller specific operations remain gated by cg_all_unified().
* "systemd.legacy_systemd_cgroup_controller" kernel argument can be used to
force the use of legacy hierarchy for systemd cgroup controller.
* nspawn: By default nspawn uses the same hierarchies as the host. If
UNIFIED_CGROUP_HIERARCHY is set to 1, unified hierarchy is used for all. If
0, legacy for all.
* nspawn: arg_unified_cgroup_hierarchy is made an enum and now encodes one of
three options - legacy, only systemd controller on unified, and unified. The
value is passed into mount setup functions and controls cgroup configuration.
* nspawn: Interpretation of SYSTEMD_CGROUP_CONTROLLER to the actual mount
option is moved to mount_legacy_cgroup_hierarchy() so that it can take an
appropriate action depending on the configuration of the host.
v2: - CGroupUnified enum replaces open coded integer values to indicate the
cgroup operation mode.
- Various style updates.
v3: Fixed a bug in detect_unified_cgroup_hierarchy() introduced during v2.
v4: Restored legacy container on unified host support and fixed another bug in
detect_unified_cgroup_hierarchy().
162 lines
5.9 KiB
C
162 lines
5.9 KiB
C
/***
|
|
This file is part of systemd.
|
|
|
|
Copyright 2015 Lennart Poettering
|
|
|
|
systemd is free software; you can redistribute it and/or modify it
|
|
under the terms of the GNU Lesser General Public License as published by
|
|
the Free Software Foundation; either version 2.1 of the License, or
|
|
(at your option) any later version.
|
|
|
|
systemd is distributed in the hope that it will be useful, but
|
|
WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
Lesser General Public License for more details.
|
|
|
|
You should have received a copy of the GNU Lesser General Public License
|
|
along with systemd; If not, see <http://www.gnu.org/licenses/>.
|
|
***/
|
|
|
|
#include <sys/mount.h>
|
|
|
|
#include "alloc-util.h"
|
|
#include "fd-util.h"
|
|
#include "fileio.h"
|
|
#include "mkdir.h"
|
|
#include "nspawn-cgroup.h"
|
|
#include "string-util.h"
|
|
#include "strv.h"
|
|
#include "util.h"
|
|
|
|
int chown_cgroup(pid_t pid, uid_t uid_shift) {
|
|
_cleanup_free_ char *path = NULL, *fs = NULL;
|
|
_cleanup_close_ int fd = -1;
|
|
const char *fn;
|
|
int r;
|
|
|
|
r = cg_pid_get_path(NULL, pid, &path);
|
|
if (r < 0)
|
|
return log_error_errno(r, "Failed to get container cgroup path: %m");
|
|
|
|
r = cg_get_path(SYSTEMD_CGROUP_CONTROLLER, path, NULL, &fs);
|
|
if (r < 0)
|
|
return log_error_errno(r, "Failed to get file system path for container cgroup: %m");
|
|
|
|
fd = open(fs, O_RDONLY|O_CLOEXEC|O_DIRECTORY);
|
|
if (fd < 0)
|
|
return log_error_errno(errno, "Failed to open %s: %m", fs);
|
|
|
|
FOREACH_STRING(fn,
|
|
".",
|
|
"tasks",
|
|
"notify_on_release",
|
|
"cgroup.procs",
|
|
"cgroup.events",
|
|
"cgroup.clone_children",
|
|
"cgroup.controllers",
|
|
"cgroup.subtree_control")
|
|
if (fchownat(fd, fn, uid_shift, uid_shift, 0) < 0)
|
|
log_full_errno(errno == ENOENT ? LOG_DEBUG : LOG_WARNING, errno,
|
|
"Failed to chown() cgroup file %s, ignoring: %m", fn);
|
|
|
|
return 0;
|
|
}
|
|
|
|
int sync_cgroup(pid_t pid, CGroupUnified unified_requested) {
|
|
_cleanup_free_ char *cgroup = NULL;
|
|
char tree[] = "/tmp/unifiedXXXXXX", pid_string[DECIMAL_STR_MAX(pid) + 1];
|
|
bool undo_mount = false;
|
|
const char *fn;
|
|
int unified, r;
|
|
|
|
unified = cg_unified(SYSTEMD_CGROUP_CONTROLLER);
|
|
if (unified < 0)
|
|
return log_error_errno(unified, "Failed to determine whether the unified hierarchy is used: %m");
|
|
|
|
if ((unified > 0) == (unified_requested >= CGROUP_UNIFIED_SYSTEMD))
|
|
return 0;
|
|
|
|
/* When the host uses the legacy cgroup setup, but the
|
|
* container shall use the unified hierarchy, let's make sure
|
|
* we copy the path from the name=systemd hierarchy into the
|
|
* unified hierarchy. Similar for the reverse situation. */
|
|
|
|
r = cg_pid_get_path(SYSTEMD_CGROUP_CONTROLLER, pid, &cgroup);
|
|
if (r < 0)
|
|
return log_error_errno(r, "Failed to get control group of " PID_FMT ": %m", pid);
|
|
|
|
/* In order to access the unified hierarchy we need to mount it */
|
|
if (!mkdtemp(tree))
|
|
return log_error_errno(errno, "Failed to generate temporary mount point for unified hierarchy: %m");
|
|
|
|
if (unified)
|
|
r = mount("cgroup", tree, "cgroup", MS_NOSUID|MS_NOEXEC|MS_NODEV, "none,name=systemd,xattr");
|
|
else
|
|
r = mount("cgroup", tree, "cgroup2", MS_NOSUID|MS_NOEXEC|MS_NODEV, NULL);
|
|
if (r < 0) {
|
|
r = log_error_errno(errno, "Failed to mount unified hierarchy: %m");
|
|
goto finish;
|
|
}
|
|
|
|
undo_mount = true;
|
|
|
|
fn = strjoina(tree, cgroup, "/cgroup.procs");
|
|
(void) mkdir_parents(fn, 0755);
|
|
|
|
sprintf(pid_string, PID_FMT, pid);
|
|
r = write_string_file(fn, pid_string, 0);
|
|
if (r < 0)
|
|
log_error_errno(r, "Failed to move process: %m");
|
|
|
|
finish:
|
|
if (undo_mount)
|
|
(void) umount(tree);
|
|
|
|
(void) rmdir(tree);
|
|
return r;
|
|
}
|
|
|
|
int create_subcgroup(pid_t pid, CGroupUnified unified_requested) {
|
|
_cleanup_free_ char *cgroup = NULL;
|
|
const char *child;
|
|
int unified, r;
|
|
CGroupMask supported;
|
|
|
|
/* In the unified hierarchy inner nodes may only contain
|
|
* subgroups, but not processes. Hence, if we running in the
|
|
* unified hierarchy and the container does the same, and we
|
|
* did not create a scope unit for the container move us and
|
|
* the container into two separate subcgroups. */
|
|
|
|
if (unified_requested == CGROUP_UNIFIED_NONE)
|
|
return 0;
|
|
|
|
unified = cg_unified(SYSTEMD_CGROUP_CONTROLLER);
|
|
if (unified < 0)
|
|
return log_error_errno(unified, "Failed to determine whether the unified hierarchy is used: %m");
|
|
if (unified == 0)
|
|
return 0;
|
|
|
|
r = cg_mask_supported(&supported);
|
|
if (r < 0)
|
|
return log_error_errno(r, "Failed to determine supported controllers: %m");
|
|
|
|
r = cg_pid_get_path(SYSTEMD_CGROUP_CONTROLLER, 0, &cgroup);
|
|
if (r < 0)
|
|
return log_error_errno(r, "Failed to get our control group: %m");
|
|
|
|
child = strjoina(cgroup, "/payload");
|
|
r = cg_create_and_attach(SYSTEMD_CGROUP_CONTROLLER, child, pid);
|
|
if (r < 0)
|
|
return log_error_errno(r, "Failed to create %s subcgroup: %m", child);
|
|
|
|
child = strjoina(cgroup, "/supervisor");
|
|
r = cg_create_and_attach(SYSTEMD_CGROUP_CONTROLLER, child, 0);
|
|
if (r < 0)
|
|
return log_error_errno(r, "Failed to create %s subcgroup: %m", child);
|
|
|
|
/* Try to enable as many controllers as possible for the new payload. */
|
|
(void) cg_enable_everywhere(supported, supported, cgroup);
|
|
return 0;
|
|
}
|