Merge pull request #357 from giuseppe/systemd_cgroup_v1

cgroup: support mounting name=systemd on cgroup v2

Author: rhatdan

crun.1.md

@@ -306,6 +306,14 @@ will skip the `setgroups` syscall that is used to either set the
 additional groups specified in the OCI configuration, or to reset the
 list of additional groups if none is specified.
 
+## `run.oci.systemd.force_cgroup_v1=/PATH`
+
+If the annotation `run.oci.systemd.force_cgroup_v1=/PATH` is present, then crun
+will override the specified mount point `/PATH` with a cgroup v1 mount
+made of a single hierarchy `none,name=systemd`.
+It is useful to run on a cgroup v2 system containers using older
+versions of systemd that lack support for cgroup v2.
+
 ## `run.oci.timens_offset=ID SEC NSEC`
 
 Specify the offset to be written to /proc/self/timens_offsets when creating

src/libcrun/cgroup.c

@@ -444,7 +444,7 @@ chown_cgroups (const char *path, uid_t uid, gid_t gid, libcrun_error_t *err)
 
   dir = opendir (cgroup_path);
   if (UNLIKELY (dir == NULL))
-    return crun_make_error (err, errno, "cannot opendir %s", cgroup_path);
+    return crun_make_error (err, errno, "cannot opendir `%s`", cgroup_path);
 
   dfd = dirfd (dir);
 
@@ -458,7 +458,7 @@ chown_cgroups (const char *path, uid_t uid, gid_t gid, libcrun_error_t *err)
 
       ret = fchownat (dfd, name, uid, gid, AT_SYMLINK_NOFOLLOW);
       if (UNLIKELY (ret < 0))
-        return crun_make_error (err, errno, "cannot chown %s/%s", cgroup_path, name);
+        return crun_make_error (err, errno, "cannot chown `%s/%s`", cgroup_path, name);
     }
 
   return 0;
@@ -1839,25 +1839,25 @@ write_blkio_resources (int dirfd, bool cgroup2, runtime_spec_schema_config_linux
 }
 
 static int
-write_network_resources (int dirfd, runtime_spec_schema_config_linux_resources_network *net, libcrun_error_t *err)
+write_network_resources (int dirfd_netclass, int dirfd_netprio, runtime_spec_schema_config_linux_resources_network *net, libcrun_error_t *err)
 {
   char fmt_buf[128];
   size_t len;
   int ret;
   if (net->class_id)
     {
       len = sprintf (fmt_buf, "%d", net->class_id);
-      ret = write_file_at (dirfd, "net_cls.classid", fmt_buf, len, err);
+      ret = write_file_at (dirfd_netclass, "net_cls.classid", fmt_buf, len, err);
       if (UNLIKELY (ret < 0))
         return ret;
     }
   if (net->priorities_len)
     {
       size_t i;
       cleanup_close int fd = -1;
-      fd = openat (dirfd, "net_prio.ifpriomap", O_WRONLY);
+      fd = openat (dirfd_netprio, "net_prio.ifpriomap", O_WRONLY);
       if (UNLIKELY (fd < 0))
-        return crun_make_error (err, errno, "open net_prio.ifpriomap");
+        return crun_make_error (err, errno, "open `net_prio.ifpriomap`");
 
       for (i = 0; i < net->priorities_len; i++)
         {
@@ -2364,16 +2364,24 @@ update_cgroup_v1_resources (runtime_spec_schema_config_linux_resources *resource
 
   if (resources->network)
     {
-      cleanup_free char *path_to_network = NULL;
-      cleanup_close int dirfd_network = -1;
+      cleanup_free char *path_to_netclass = NULL;
+      cleanup_close int dirfd_netclass = -1;
+      cleanup_free char *path_to_netprio = NULL;
+      cleanup_close int dirfd_netprio = -1;
       runtime_spec_schema_config_linux_resources_network *network = resources->network;
 
-      xasprintf (&path_to_network, "/sys/fs/cgroup/net_cls,net_prio%s/", path);
-      dirfd_network = open (path_to_network, O_DIRECTORY | O_RDONLY);
-      if (UNLIKELY (dirfd_network < 0))
-        return crun_make_error (err, errno, "open %s", path_to_network);
+      xasprintf (&path_to_netclass, "/sys/fs/cgroup/net_cls%s/", path);
+      xasprintf (&path_to_netprio, "/sys/fs/cgroup/net_prio%s/", path);
 
-      ret = write_network_resources (dirfd_network, network, err);
+      dirfd_netclass = open (path_to_netclass, O_DIRECTORY | O_RDONLY);
+      if (UNLIKELY (dirfd_netclass < 0))
+        return crun_make_error (err, errno, "open `%s`", path_to_netclass);
+
+      dirfd_netprio = open (path_to_netprio, O_DIRECTORY | O_RDONLY);
+      if (UNLIKELY (dirfd_netprio < 0))
+        return crun_make_error (err, errno, "open `%s`", path_to_netprio);
+
+      ret = write_network_resources (dirfd_netclass, dirfd_netprio, network, err);
       if (UNLIKELY (ret < 0))
         return ret;
     }

src/libcrun/linux.c

@@ -599,6 +599,45 @@ has_mount_for (libcrun_container_t *container, const char *destination)
   return false;
 }
 
+static int
+do_mount_cgroup_systemd_v1 (libcrun_container_t *container,
+                            const char *source,
+                            int targetfd,
+                            const char *target,
+                            unsigned long mountflags,
+                            libcrun_error_t *err)
+{
+  int ret;
+  cleanup_close int fd = -1;
+  const char *subsystem = "systemd";
+  cleanup_free char *subsystem_path = NULL;
+  cleanup_close int tmpfsdirfd = -1;
+
+  mountflags = mountflags & ~MS_BIND;
+
+  ret = do_mount (container, source, targetfd, target, "tmpfs", mountflags, "size=1024k", 1, err);
+  if (UNLIKELY (ret < 0))
+    return ret;
+
+  /* Get a reference to the newly created cgroup directory.  */
+  tmpfsdirfd = open_mount_target (container, target, err);
+  if (UNLIKELY (tmpfsdirfd < 0))
+    return tmpfsdirfd;
+  targetfd = tmpfsdirfd;
+
+  ret = mkdirat (targetfd, subsystem, 0755);
+  if (UNLIKELY (ret < 0))
+    return crun_make_error (err, errno, "mkdir `%s`", subsystem);
+
+  fd = openat (targetfd, subsystem, O_CLOEXEC | O_DIRECTORY | O_NOFOLLOW);
+  if (UNLIKELY (ret < 0))
+    return crun_make_error (err, errno, "open `%s`", subsystem_path);
+
+  xasprintf (&subsystem_path, "%s/%s", target, subsystem);
+
+  return do_mount (container, "cgroup", fd, subsystem_path, "cgroup", mountflags, "none,name=systemd,xattr", true, err);
+}
+
 static int
 do_mount_cgroup_v1 (libcrun_container_t *container,
                     const char *source,
@@ -623,7 +662,7 @@ do_mount_cgroup_v1 (libcrun_container_t *container,
   if (UNLIKELY (subsystems == NULL))
     return -1;
 
-  ret = do_mount (container, source, targetfd, target, "tmpfs", mountflags, "size=1024k", 1, err);
+  ret = do_mount (container, source, targetfd, target, "tmpfs", mountflags & ~MS_RDONLY, "size=1024k", true, err);
   if (UNLIKELY (ret < 0))
     return ret;
 
@@ -658,7 +697,12 @@ do_mount_cgroup_v1 (libcrun_container_t *container,
 
       it = strstr (subsystem, "name=");
       if (it)
-        subsystem += 5;
+        subsystem = it + 5;
+
+      if (strcmp (subsystem, "net_prio,net_cls") == 0)
+        subsystem = "net_cls,net_prio";
+      if (strcmp (subsystem, "cpuacct,cpu") == 0)
+        subsystem = "cpu,cpuacct";
 
       xasprintf (&source_subsystem, "/sys/fs/cgroup/%s", subsystem);
 
@@ -1144,6 +1188,8 @@ do_mounts (libcrun_container_t *container, int rootfsfd, const char *rootfs, lib
   int ret;
   runtime_spec_schema_config_schema *def = container->container_def;
   size_t rootfs_len = get_private_data (container)->rootfs_len;
+  const char *systemd_cgroup_v1 = find_annotation (container, "run.oci.systemd.force_cgroup_v1");
+
   for (i = 0; i < def->mounts_len; i++)
     {
       cleanup_free char *data = NULL;
@@ -1157,7 +1203,6 @@ do_mounts (libcrun_container_t *container, int rootfsfd, const char *rootfs, lib
       cleanup_close int targetfd = -1;
 
       target = def->mounts[i]->destination;
-
       while (*target == '/')
         target++;
 
@@ -1275,7 +1320,14 @@ do_mounts (libcrun_container_t *container, int rootfsfd, const char *rootfs, lib
       if (UNLIKELY (targetfd < 0))
         return targetfd;
 
-      if (strcmp (type, "cgroup") == 0)
+      if (systemd_cgroup_v1 && strcmp (def->mounts[i]->destination, systemd_cgroup_v1) == 0)
+        {
+          /* Override the cgroup mount with a single named cgroup name=systemd.  */
+          ret = do_mount_cgroup_systemd_v1 (container, source, targetfd, target, flags, err);
+          if (UNLIKELY (ret < 0))
+            return ret;
+        }
+      else if (strcmp (type, "cgroup") == 0)
         {
           ret = do_mount_cgroup (container, source, targetfd, target, flags, err);
           if (UNLIKELY (ret < 0))