// Build constraint: compile this file for Linux targets only. The blank line
// after the constraint keeps it from being read as the package comment.

// +build linux

package fs
import (
"fmt"
"io"
"os"
"path/filepath"
"sync"
"syscall"
"github.com/opencontainers/runc/libcontainer/cgroups"
"github.com/opencontainers/runc/libcontainer/configs"
libcontainerUtils "github.com/opencontainers/runc/libcontainer/utils"
"github.com/pkg/errors"
"golang.org/x/sys/unix"
)
var (
	// subsystemsLegacy lists the cgroup subsystem handlers. Manager.Apply and
	// Manager.Set range over this slice (via getSubsystems), so the order of
	// the entries is the order in which the subsystems are processed.
	subsystemsLegacy = subsystemSet{
		&CpusetGroup{},
		&DevicesGroup{},
		&MemoryGroup{},
		&CpuGroup{},
		&CpuacctGroup{},
		&PidsGroup{},
		&BlkioGroup{},
		&HugetlbGroup{},
		&NetClsGroup{},
		&NetPrioGroup{},
		&PerfEventGroup{},
		&FreezerGroup{},
		&NameGroup{GroupName: "name=systemd", Join: true},
	}
	// HugePageSizes holds the first result of cgroups.GetHugePageSize.
	// NOTE(review): the error result is discarded, so a failed probe cannot
	// be told apart from an empty result here -- confirm that is intended.
	HugePageSizes, _ = cgroups.GetHugePageSize()
)
// errSubsystemDoesNotExist is returned by subsystemSet.Get when no subsystem
// in the set has the requested name.
var errSubsystemDoesNotExist = fmt.Errorf("cgroup: subsystem does not exist")

// subsystemSet is an ordered list of subsystem implementations.
type subsystemSet []subsystem
// Get returns the first subsystem in s whose Name equals name. When no entry
// matches it returns a nil subsystem and errSubsystemDoesNotExist.
func (s subsystemSet) Get(name string) (subsystem, error) {
	for i := range s {
		if candidate := s[i]; candidate.Name() == name {
			return candidate, nil
		}
	}
	return nil, errSubsystemDoesNotExist
}
// subsystem is the interface each cgroup subsystem handler implements; the
// Manager drives the handlers through it.
type subsystem interface {
	// Name returns the name of the subsystem.
	Name() string
	// GetStats returns the stats, as 'stats', corresponding to the cgroup under 'path'.
	GetStats(path string, stats *cgroups.Stats) error
	// Remove removes the cgroup represented by 'cgroupData'.
	Remove(*cgroupData) error
	// Apply creates and joins the cgroup represented by 'cgroupData'.
	Apply(*cgroupData) error
	// Set sets the cgroup represented by cgroup. Manager.Set passes the
	// subsystem's entry from the manager's Paths map as path; that entry is
	// the empty string when no path was recorded for the subsystem.
	Set(path string, cgroup *configs.Cgroup) error
}
// Manager applies a cgroup configuration to a process and keeps track of the
// per-subsystem cgroup paths that were used.
type Manager struct {
	// mu is held by Apply, Destroy, GetPaths and GetStats while they access
	// Paths.
	mu sync.Mutex
	// Cgroups is the cgroup configuration. Apply and Destroy do nothing when
	// it is nil.
	Cgroups *configs.Cgroup
	// Rootless makes the manager ignore permission-related errors. Per the
	// comment in Apply this covers running as euid 0 inside a user namespace
	// as well. When it is set, Set skips any error from the "devices"
	// subsystem, so device restrictions may silently not be in force.
	Rootless bool // ignore permission-related errors
	// Paths maps a subsystem name to the cgroup path recorded for it by
	// Apply.
	Paths map[string]string
}
// cgroupRootLock serializes access to cgroupRoot; getCgroupRoot holds it for
// the whole lookup.
var cgroupRootLock sync.Mutex

// cgroupRoot is the absolute path to the root of the cgroup hierarchies. It
// is the empty string until getCgroupRoot has succeeded once.
var cgroupRoot string
// getCgroupRoot returns the cgroup root. The first successful call locates
// the root with cgroups.FindCgroupMountpointDir and caches it in cgroupRoot;
// later calls return the cached value. A failed lookup caches nothing.
func getCgroupRoot() (string, error) {
	cgroupRootLock.Lock()
	defer cgroupRootLock.Unlock()

	if cgroupRoot == "" {
		mountDir, err := cgroups.FindCgroupMountpointDir()
		if err != nil {
			return "", err
		}
		// Only cache a directory that can actually be stat'ed.
		if _, statErr := os.Stat(mountDir); statErr != nil {
			return "", statErr
		}
		cgroupRoot = mountDir
	}
	return cgroupRoot, nil
}
// cgroupData carries what is needed to locate and join the cgroups of one
// process. It is built by getCgroupData.
type cgroupData struct {
	// root is the cgroup root returned by getCgroupRoot.
	root string
	// innerPath is the cleaned config Path or, when Path is empty, the
	// cleaned Parent joined with the cleaned Name.
	innerPath string
	// config is the cgroup configuration this data was built from.
	config *configs.Cgroup
	// pid is the process id that join writes into the cgroup.
	pid int
}
// isIgnorableError returns whether err is a permission error (in the loose
// sense of the word). This includes EROFS (which for an unprivileged user is
// basically a permission error) and EACCES (for similar reasons) as well as
// the normal EPERM.
//
// The result is always false when rootless is false. Apply uses this
// function to decide which subsystem failures may be skipped, so every errno
// accepted here is one more failure that is passed over without an error.
func isIgnorableError(rootless bool, err error) bool {
	// We do not ignore errors if we are root.
	if !rootless {
		return false
	}
	// TODO: rm errors.Cause once we switch to %w everywhere
	cause := errors.Cause(err)
	// Is it an ordinary EPERM?
	if errors.Is(cause, os.ErrPermission) {
		return true
	}
	// Handle some specific syscall errors.
	var errno syscall.Errno
	if !errors.As(cause, &errno) {
		return false
	}
	switch errno {
	case unix.EROFS, unix.EPERM, unix.EACCES:
		return true
	}
	return false
}
// getSubsystems returns the set of subsystem handlers used by this manager,
// which is always the package-level subsystemsLegacy.
func (m *Manager) getSubsystems() subsystemSet {
	return subsystemsLegacy
}
// Apply places the process pid into the cgroups described by m.Cgroups and
// records the path used for each subsystem in m.Paths. It does nothing and
// returns nil when m.Cgroups is nil. m.mu is held for the rest of the call.
//
// When m.Cgroups.Paths is set, the process joins those paths as given.
// Otherwise a path is computed for every subsystem and the subsystem's Apply
// is called on it.
func (m *Manager) Apply(pid int) (err error) {
	if m.Cgroups == nil {
		return nil
	}
	m.mu.Lock()
	defer m.mu.Unlock()

	var c = m.Cgroups

	d, err := getCgroupData(m.Cgroups, pid)
	if err != nil {
		return err
	}

	// Start from an empty map so that entries from an earlier call do not
	// survive.
	m.Paths = make(map[string]string)
	if c.Paths != nil {
		// Explicit per-subsystem paths were configured: record them verbatim
		// and join them. d.path is called only for its error; the path it
		// computes is discarded.
		// NOTE(review): a subsystem that is not found is skipped here with no
		// exception for "devices", unlike the loop below -- confirm that this
		// difference is intended.
		for name, path := range c.Paths {
			_, err := d.path(name)
			if err != nil {
				if cgroups.IsNotFound(err) {
					continue
				}
				return err
			}
			m.Paths[name] = path
		}
		return cgroups.EnterPid(m.Paths, pid)
	}

	for _, sys := range m.getSubsystems() {
		// TODO: Apply should, ideally, be reentrant or be broken up into a separate
		// create and join phase so that the cgroup hierarchy for a container can be
		// created then join consists of writing the process pids to cgroup.procs
		p, err := d.path(sys.Name())
		if err != nil {
			// The non-presence of the devices subsystem is
			// considered fatal for security reasons.
			if cgroups.IsNotFound(err) && sys.Name() != "devices" {
				continue
			}
			return err
		}
		m.Paths[sys.Name()] = p

		if err := sys.Apply(d); err != nil {
			// In the case of rootless (including euid=0 in userns), where an explicit cgroup path hasn't
			// been set, we don't bail on error in case of permission problems.
			// Cases where limits have been set (and we couldn't create our own
			// cgroup) are handled by Set.
			if isIgnorableError(m.Rootless, err) && m.Cgroups.Path == "" {
				// Drop the entry recorded above: Set then sees an empty path
				// for this subsystem and can report that no cgroup was joined.
				delete(m.Paths, sys.Name())
				continue
			}
			return err
		}
	}
	return nil
}
// Destroy removes the cgroup paths recorded in m.Paths and, on success,
// resets m.Paths to an empty map. It does nothing when m.Cgroups is nil or
// when m.Cgroups.Paths is set; in the latter case the paths were joined as
// given by the configuration, and this manager leaves them in place.
func (m *Manager) Destroy() error {
	switch {
	case m.Cgroups == nil:
		return nil
	case m.Cgroups.Paths != nil:
		return nil
	}

	m.mu.Lock()
	defer m.mu.Unlock()

	err := cgroups.RemovePaths(m.Paths)
	if err == nil {
		m.Paths = make(map[string]string)
	}
	return err
}
// GetPaths returns the subsystem-name-to-path map recorded by Apply. The map
// is read under m.mu, but the value returned is the manager's own map and
// not a copy: callers share it with the manager and should treat it as
// read-only.
func (m *Manager) GetPaths() map[string]string {
	m.mu.Lock()
	defer m.mu.Unlock()
	return m.Paths
}
// GetUnifiedPath always fails for this manager: it returns an empty path and
// an error stating that a unified path exists only in unified mode.
func (m *Manager) GetUnifiedPath() (string, error) {
	return "", errors.New("unified path is only supported when running in unified mode")
}
// GetStats collects statistics from every subsystem that has an entry in
// m.Paths. Entries whose name matches no known subsystem, or whose path does
// not exist, are skipped. The first error from a subsystem's GetStats aborts
// the collection and is returned with a nil result. m.mu is held throughout.
func (m *Manager) GetStats() (*cgroups.Stats, error) {
	m.mu.Lock()
	defer m.mu.Unlock()

	result := cgroups.NewStats()
	known := m.getSubsystems()
	for name, dir := range m.Paths {
		handler, lookupErr := known.Get(name)
		if lookupErr == errSubsystemDoesNotExist {
			continue
		}
		if !cgroups.PathExists(dir) {
			continue
		}
		if statErr := handler.GetStats(dir, result); statErr != nil {
			return nil, statErr
		}
	}
	return result, nil
}
// Set applies the cgroup settings in container.Cgroups through every
// subsystem, using the paths recorded by Apply. It returns nil without doing
// anything when container.Cgroups is nil or when m.Cgroups.Paths is set.
//
// A failure in the "devices" subsystem is skipped when m.Rootless is true;
// any other failure is returned. After the subsystems have run, the cpu
// shares value is checked with CheckCpushares if a "cpu" path is recorded.
func (m *Manager) Set(container *configs.Config) error {
	if container.Cgroups == nil {
		return nil
	}

	// If Paths are set, then we are just joining cgroups paths
	// and there is no need to set any values.
	if m.Cgroups != nil && m.Cgroups.Paths != nil {
		return nil
	}

	paths := m.GetPaths()
	for _, sys := range m.getSubsystems() {
		// A subsystem with no recorded path yields the empty string here and
		// is still passed to sys.Set.
		path := paths[sys.Name()]
		if err := sys.Set(path, container.Cgroups); err != nil {
			// The devices error is dropped without being inspected, so in
			// rootless mode the device settings may not have been applied.
			if m.Rootless && sys.Name() == "devices" {
				continue
			}
			// When m.Rootless is true, errors from the device subsystem are ignored because it is really not expected to work.
			// However, errors from other subsystems are not ignored.
			// see @test "runc create (rootless + limits + no cgrouppath + no permission) fails with informative error"
			if path == "" {
				// We never created a path for this cgroup, so we cannot set
				// limits for it (though we have already tried at this point).
				return fmt.Errorf("cannot set %s limit: container could not join or create cgroup", sys.Name())
			}
			return err
		}
	}

	// NOTE(review): m.Paths is read here without m.mu, while the loop above
	// used the map obtained through GetPaths -- confirm that callers never
	// run Set concurrently with Apply or Destroy.
	if m.Paths["cpu"] != "" {
		if err := CheckCpushares(m.Paths["cpu"], container.Cgroups.Resources.CpuShares); err != nil {
			return err
		}
	}
	return nil
}
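// Freeze toggles the container's freezer cgroup depending on the state
// provided.
//
// The requested state is stored in m.Cgroups.Resources.Freezer and applied
// through the "freezer" subsystem. If applying fails, the previous state is
// restored and the error is returned. Freeze returns an error without
// changing anything when m.Cgroups is nil or when the freezer subsystem
// cannot be looked up.
func (m *Manager) Freeze(state configs.FreezerState) error {
	if m.Cgroups == nil {
		return errors.New("cannot toggle freezer: cgroups not configured for container")
	}

	// Look the handler up before touching the recorded state, so that a
	// failed lookup cannot leave m.Cgroups claiming a state that was never
	// applied.
	freezer, err := m.getSubsystems().Get("freezer")
	if err != nil {
		return err
	}

	paths := m.GetPaths()
	dir := paths["freezer"]

	// NOTE(review): the recorded state is written without holding m.mu;
	// presumably callers serialize Freeze calls -- confirm.
	prevState := m.Cgroups.Resources.Freezer
	m.Cgroups.Resources.Freezer = state
	if err := freezer.Set(dir, m.Cgroups); err != nil {
		// Roll back so the recorded state keeps matching the cgroup.
		m.Cgroups.Resources.Freezer = prevState
		return err
	}
	return nil
}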
// GetPids returns the result of cgroups.GetPids for the path recorded for
// the "devices" subsystem.
// NOTE(review): when m.Paths has no "devices" entry (Apply deletes an entry
// after an ignorable error in rootless mode) the lookup yields the empty
// string -- confirm how cgroups.GetPids treats an empty path.
func (m *Manager) GetPids() ([]int, error) {
	return cgroups.GetPids(m.GetPaths()["devices"])
}
// GetAllPids returns the result of cgroups.GetAllPids for the path recorded
// for the "devices" subsystem.
// NOTE(review): when m.Paths has no "devices" entry the lookup yields the
// empty string -- confirm how cgroups.GetAllPids treats an empty path.
func (m *Manager) GetAllPids() ([]int, error) {
	return cgroups.GetAllPids(m.GetPaths()["devices"])
}
// getCgroupData builds the cgroupData for pid from the configuration c.
//
// The configuration may name the cgroup either by Path or by Name and
// Parent; giving Path together with Name or Parent is an error. Path, Parent
// and Name are each passed through CleanPath before any of them is used to
// build innerPath.
func getCgroupData(c *configs.Cgroup, pid int) (*cgroupData, error) {
	root, err := getCgroupRoot()
	if err != nil {
		return nil, err
	}

	usesNameOrParent := c.Name != "" || c.Parent != ""
	if usesNameOrParent && c.Path != "" {
		return nil, fmt.Errorf("cgroup: either Path or Name and Parent should be used")
	}

	// XXX: Do not remove this code. Path safety is important! -- cyphar
	cleanedPath := libcontainerUtils.CleanPath(c.Path)
	cleanedParent := libcontainerUtils.CleanPath(c.Parent)
	cleanedName := libcontainerUtils.CleanPath(c.Name)

	data := &cgroupData{
		root:      root,
		innerPath: cleanedPath,
		config:    c,
		pid:       pid,
	}
	if data.innerPath == "" {
		// No explicit path: fall back to Parent/Name.
		data.innerPath = filepath.Join(cleanedParent, cleanedName)
	}
	return data, nil
}
// path returns the cgroup directory for subsystem. It fails when no
// mountpoint is found for the subsystem. An absolute innerPath is placed
// under the subsystem's mount directory below raw.root; a relative one is
// appended to the cgroup path of the current process.
func (raw *cgroupData) path(subsystem string) (string, error) {
	mountpoint, err := cgroups.FindCgroupMountpoint(raw.root, subsystem)
	// If we didn't mount the subsystem, there is no point we make the path.
	if err != nil {
		return "", err
	}

	inner := raw.innerPath
	if !filepath.IsAbs(inner) {
		// Use GetOwnCgroupPath instead of GetInitCgroupPath, because the creating
		// process could in container and shared pid namespace with host, and
		// /proc/1/cgroup could point to whole other world of cgroups.
		ownPath, err := cgroups.GetOwnCgroupPath(subsystem)
		if err != nil {
			return "", err
		}
		return filepath.Join(ownPath, inner), nil
	}

	// If the cgroup name/path is absolute do not look relative to the cgroup of the init process.
	// Sometimes subsystems can be mounted together as 'cpu,cpuacct'.
	return filepath.Join(raw.root, filepath.Base(mountpoint), inner), nil
}
// join creates the cgroup directory for subsystem if needed, writes raw.pid
// into it with cgroups.WriteCgroupProc and returns the directory path.
func (raw *cgroupData) join(subsystem string) (string, error) {
	dir, err := raw.path(subsystem)
	if err != nil {
		return "", err
	}
	// MkdirAll returns nil when dir already exists as a directory, so every
	// error is reported, including an "already exists" error caused by a
	// non-directory standing where the cgroup directory should be.
	if err = os.MkdirAll(dir, 0755); err != nil {
		return "", err
	}
	if err = cgroups.WriteCgroupProc(dir, raw.pid); err != nil {
		return "", err
	}
	return dir, nil
}
// removePath removes p and everything below it. A non-nil err is returned
// unchanged and nothing is removed; an empty p is a no-op. The parameter
// pair matches the results of cgroupData.path, presumably so that the two
// calls can be chained.
func removePath(p string, err error) error {
	switch {
	case err != nil:
		return err
	case p == "":
		return nil
	}
	return os.RemoveAll(p)
}
// CheckCpushares compares the requested cpu shares value c with the value
// read from the cpu.shares file in path. A request of 0 is not checked. When
// the two values differ, the request is reported as being above the maximum
// or below the minimum, with the value found in the file as the limit.
// Manager.Set calls this after the subsystems have applied their settings.
func CheckCpushares(path string, c uint64) error {
	if c == 0 {
		return nil
	}

	f, err := os.Open(filepath.Join(path, "cpu.shares"))
	if err != nil {
		return err
	}
	defer f.Close()

	// effective stays 0 when the file yields io.EOF before a number is read.
	var effective uint64
	if _, scanErr := fmt.Fscanf(f, "%d", &effective); scanErr != nil && scanErr != io.EOF {
		return scanErr
	}

	switch {
	case c > effective:
		return fmt.Errorf("The maximum allowed cpu-shares is %d", effective)
	case c < effective:
		return fmt.Errorf("The minimum allowed cpu-shares is %d", effective)
	}
	return nil
}
// GetCgroups returns the manager's cgroup configuration. The pointer is the
// one stored in m.Cgroups, not a copy, and the error is always nil.
func (m *Manager) GetCgroups() (*configs.Cgroup, error) {
	return m.Cgroups, nil
}