nspawn-cgroup.c revision 34829a324b1ffc6cb8405223329a9c55cd8de0ee
7584d236eac91f9b7128b1eb08bddf18be2bce9fZbigniew Jędrzejewski-Szmek/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
7584d236eac91f9b7128b1eb08bddf18be2bce9fZbigniew Jędrzejewski-Szmek This file is part of systemd.
7584d236eac91f9b7128b1eb08bddf18be2bce9fZbigniew Jędrzejewski-Szmek Copyright 2015 Lennart Poettering
7584d236eac91f9b7128b1eb08bddf18be2bce9fZbigniew Jędrzejewski-Szmek systemd is free software; you can redistribute it and/or modify it
7584d236eac91f9b7128b1eb08bddf18be2bce9fZbigniew Jędrzejewski-Szmek under the terms of the GNU Lesser General Public License as published by
7584d236eac91f9b7128b1eb08bddf18be2bce9fZbigniew Jędrzejewski-Szmek the Free Software Foundation; either version 2.1 of the License, or
7584d236eac91f9b7128b1eb08bddf18be2bce9fZbigniew Jędrzejewski-Szmek (at your option) any later version.
7584d236eac91f9b7128b1eb08bddf18be2bce9fZbigniew Jędrzejewski-Szmek systemd is distributed in the hope that it will be useful, but
7584d236eac91f9b7128b1eb08bddf18be2bce9fZbigniew Jędrzejewski-Szmek WITHOUT ANY WARRANTY; without even the implied warranty of
7584d236eac91f9b7128b1eb08bddf18be2bce9fZbigniew Jędrzejewski-Szmek MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
7584d236eac91f9b7128b1eb08bddf18be2bce9fZbigniew Jędrzejewski-Szmek Lesser General Public License for more details.
7584d236eac91f9b7128b1eb08bddf18be2bce9fZbigniew Jędrzejewski-Szmek You should have received a copy of the GNU Lesser General Public License
7584d236eac91f9b7128b1eb08bddf18be2bce9fZbigniew Jędrzejewski-Szmek along with systemd; If not, see <http://www.gnu.org/licenses/>.
/* chown_cgroup() hands the cgroup of process `pid` over to `uid_shift`: it
 * looks up the cgroup path of `pid`, maps it to a file system path, opens that
 * directory and calls fchownat() on a fixed list of cgroup attribute files,
 * passing `uid_shift` as both the new owner and the new group.
 *
 * Returns the value of log_error_errno() when the path lookup or the open()
 * fails. A failed fchownat() is only logged; its message says it is ignored.
 *
 * NOTE(review): this is a per-line blame listing and it has dropped lines. The
 * declarations of r, fd and fn, the conditions guarding each error return, the
 * head of the iteration over the file names and the final return are not
 * visible here - confirm against the full file. */
cab6235f748e365198a7939f23c87ab3b8f59b2eLennart Poetteringint chown_cgroup(pid_t pid, uid_t uid_shift) {
/* Both strings carry systemd's _cleanup_free_ attribute, so they are released
 * when the function returns. */
19f6d710772305610b928bc2678b9d77fe11e770Lennart Poettering _cleanup_free_ char *path = NULL, *fs = NULL;
/* Look up the cgroup path of pid; the controller argument is NULL. */
7584d236eac91f9b7128b1eb08bddf18be2bce9fZbigniew Jędrzejewski-Szmek r = cg_pid_get_path(NULL, pid, &path);
/* NOTE(review): the condition guarding this return is not visible in this
 * listing (presumably r < 0). */
cab6235f748e365198a7939f23c87ab3b8f59b2eLennart Poettering return log_error_errno(r, "Failed to get container cgroup path: %m");
/* Translate the cgroup path into a file system path for
 * SYSTEMD_CGROUP_CONTROLLER. */
7584d236eac91f9b7128b1eb08bddf18be2bce9fZbigniew Jędrzejewski-Szmek r = cg_get_path(SYSTEMD_CGROUP_CONTROLLER, path, NULL, &fs);
7410616cd9dbbec97cf98d75324da5cda2b2f7a2Lennart Poettering return log_error_errno(r, "Failed to get file system path for container cgroup: %m");
/* Open the cgroup directory once; the fchownat() calls below resolve each name
 * relative to this descriptor instead of walking the path string again.
 * O_DIRECTORY makes open() fail if fs is not a directory. */
7584d236eac91f9b7128b1eb08bddf18be2bce9fZbigniew Jędrzejewski-Szmek fd = open(fs, O_RDONLY|O_CLOEXEC|O_DIRECTORY);
cab6235f748e365198a7939f23c87ab3b8f59b2eLennart Poettering return log_error_errno(errno, "Failed to open %s: %m", fs);
/* Tail of the list of file names that get chowned. The start of the list and
 * the loop construct that binds fn are not visible in this listing. */
7584d236eac91f9b7128b1eb08bddf18be2bce9fZbigniew Jędrzejewski-Szmek "notify_on_release",
19f6d710772305610b928bc2678b9d77fe11e770Lennart Poettering "cgroup.subtree_control",
19f6d710772305610b928bc2678b9d77fe11e770Lennart Poettering "cgroup.populated")
/* Owner and group are both set to uid_shift, which gives that uid write access
 * to these control files - presumably the container's root user when user
 * namespacing is in use; confirm against the caller. Every name in the list
 * widens what that uid may write, so the list should stay minimal. The flags
 * argument is 0, i.e. AT_SYMLINK_NOFOLLOW is not set. */
19f6d710772305610b928bc2678b9d77fe11e770Lennart Poettering if (fchownat(fd, fn, uid_shift, uid_shift, 0) < 0)
/* Best effort: ENOENT is logged at debug level, any other errno at warning
 * level. */
19f6d710772305610b928bc2678b9d77fe11e770Lennart Poettering log_full_errno(errno == ENOENT ? LOG_DEBUG : LOG_WARNING, errno,
19f6d710772305610b928bc2678b9d77fe11e770Lennart Poettering "Failed to chown() cgroup file %s, ignoring: %m", fn);
/* sync_cgroup() writes `pid` into the cgroup.procs file found under the
 * process's own cgroup path inside a cgroup hierarchy that is mounted on a
 * temporary directory for this purpose. Per the comment in the body, this
 * copies the path between the name=systemd hierarchy and the unified hierarchy
 * when host and container use different cgroup setups.
 *
 * NOTE(review): this is a per-line blame listing and it has dropped lines. The
 * declarations of r, unified and fn, the detection of the host's hierarchy,
 * the creation of the temporary directory, the branch that picks one of the
 * two mount() calls, and the cleanup and return are not visible here - confirm
 * against the full file. */
7584d236eac91f9b7128b1eb08bddf18be2bce9fZbigniew Jędrzejewski-Szmekint sync_cgroup(pid_t pid, bool unified_requested) {
7584d236eac91f9b7128b1eb08bddf18be2bce9fZbigniew Jędrzejewski-Szmek _cleanup_free_ char *cgroup = NULL;
/* tree is a template for a temporary directory under /tmp; the XXXXXX suffix
 * is presumably filled in by mkdtemp(), but that call is not visible here.
 * pid_string is sized with DECIMAL_STR_MAX(pid) + 1, and the sprintf() further
 * down relies on that bound. */
19f6d710772305610b928bc2678b9d77fe11e770Lennart Poettering char tree[] = "/tmp/unifiedXXXXXX", pid_string[DECIMAL_STR_MAX(pid) + 1];
/* The code that sets unified and the condition guarding this return are not
 * visible. NOTE(review): "hierachy" in the message is a typo for "hierarchy";
 * it is a runtime string and is left unchanged here. */
3f0b2f0f452e94444e4fb7b62030ea05738bb1b6Zbigniew Jędrzejewski-Szmek return log_error_errno(unified, "Failed to determine whether the unified hierachy is used: %m");
79413b673b45adc98dfeaec882bbdda2343cb2f9Lennart Poettering /* When the host uses the legacy cgroup setup, but the
19f6d710772305610b928bc2678b9d77fe11e770Lennart Poettering * container shall use the unified hierarchy, let's make sure
3f0b2f0f452e94444e4fb7b62030ea05738bb1b6Zbigniew Jędrzejewski-Szmek * we copy the path from the name=systemd hierarchy into the
3f0b2f0f452e94444e4fb7b62030ea05738bb1b6Zbigniew Jędrzejewski-Szmek * unified hierarchy. Similar for the reverse situation. */
/* Cgroup path of pid in the SYSTEMD_CGROUP_CONTROLLER hierarchy; it is later
 * appended to the temporary mount point. */
79413b673b45adc98dfeaec882bbdda2343cb2f9Lennart Poettering r = cg_pid_get_path(SYSTEMD_CGROUP_CONTROLLER, pid, &cgroup);
79413b673b45adc98dfeaec882bbdda2343cb2f9Lennart Poettering return log_error_errno(r, "Failed to get control group of " PID_FMT ": %m", pid);
79413b673b45adc98dfeaec882bbdda2343cb2f9Lennart Poettering /* In order to access the unified hierarchy we need to mount it */
/* Error path for creating the temporary mount point; the call that creates it
 * is not visible in this listing. */
3f0b2f0f452e94444e4fb7b62030ea05738bb1b6Zbigniew Jędrzejewski-Szmek return log_error_errno(errno, "Failed to generate temporary mount point for unified hierarchy: %m");
/* Two alternative cgroup mounts onto tree, both with nosuid, noexec and nodev.
 * The first names the name=systemd hierarchy, the second passes
 * __DEVEL__sane_behavior, presumably to request the unified hierarchy. The
 * condition that selects between them is not visible here. */
7584d236eac91f9b7128b1eb08bddf18be2bce9fZbigniew Jędrzejewski-Szmek r = mount("cgroup", tree, "cgroup", MS_NOSUID|MS_NOEXEC|MS_NODEV, "none,name=systemd,xattr");
7584d236eac91f9b7128b1eb08bddf18be2bce9fZbigniew Jędrzejewski-Szmek r = mount("cgroup", tree, "cgroup", MS_NOSUID|MS_NOEXEC|MS_NODEV, "__DEVEL__sane_behavior");
/* The error is stored in r instead of being returned at once, presumably so
 * that a cleanup path can run. That path is not visible: confirm that every
 * exit after a successful mount() unmounts tree and removes the directory. */
7584d236eac91f9b7128b1eb08bddf18be2bce9fZbigniew Jędrzejewski-Szmek r = log_error_errno(errno, "Failed to mount unified hierarchy: %m");
/* fn is tree, then the cgroup path, then "/cgroup.procs". NOTE(review):
 * strjoina() in systemd builds the string on the stack, and nothing visible
 * here bounds the length of cgroup - confirm. */
7584d236eac91f9b7128b1eb08bddf18be2bce9fZbigniew Jędrzejewski-Szmek fn = strjoina(tree, cgroup, "/cgroup.procs");
/* Unbounded sprintf(): it stays in bounds only while pid_string is sized from
 * DECIMAL_STR_MAX(pid). A bounded formatter, e.g. snprintf() with
 * sizeof(pid_string), would make that dependency explicit. */
6aaa8c2f783cd1b3ac27c5ce40625d032e7e3d71Zbigniew Jędrzejewski-Szmek sprintf(pid_string, PID_FMT, pid);
/* Writing the pid to cgroup.procs is what moves the process, going by the
 * error message below. */
7584d236eac91f9b7128b1eb08bddf18be2bce9fZbigniew Jędrzejewski-Szmek r = write_string_file(fn, pid_string, 0);
/* The visible call discards log_error_errno()'s return value; whether r is
 * still returned to the caller afterwards cannot be seen in this listing. */
7584d236eac91f9b7128b1eb08bddf18be2bce9fZbigniew Jędrzejewski-Szmek log_error_errno(r, "Failed to move process: %m");
7584d236eac91f9b7128b1eb08bddf18be2bce9fZbigniew Jędrzejewski-Szmekint create_subcgroup(pid_t pid, bool unified_requested) {
7584d236eac91f9b7128b1eb08bddf18be2bce9fZbigniew Jędrzejewski-Szmek _cleanup_free_ char *cgroup = NULL;
7584d236eac91f9b7128b1eb08bddf18be2bce9fZbigniew Jędrzejewski-Szmek /* In the unified hierarchy inner nodes may only contain
7584d236eac91f9b7128b1eb08bddf18be2bce9fZbigniew Jędrzejewski-Szmek * subgroups, but not processes. Hence, if we are running in the
19f6d710772305610b928bc2678b9d77fe11e770Lennart Poettering * unified hierarchy and the container does the same, and we
7584d236eac91f9b7128b1eb08bddf18be2bce9fZbigniew Jędrzejewski-Szmek * did not create a scope unit for the container move us and
19f6d710772305610b928bc2678b9d77fe11e770Lennart Poettering * the container into two separate subcgroups. */
if (!unified_requested)
if (unified < 0)
if (unified == 0)