github.com/MerlinKodo/gvisor@v0.0.0-20231110090155-957f62ecf90e/pkg/sentry/kernel/task_cgroup.go (about)

     1  // Copyright 2021 The gVisor Authors.
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package kernel
    16  
    17  import (
    18  	"bytes"
    19  	"fmt"
    20  	"sort"
    21  	"strings"
    22  
    23  	"github.com/MerlinKodo/gvisor/pkg/errors/linuxerr"
    24  	"github.com/MerlinKodo/gvisor/pkg/log"
    25  )
    26  
    27  // EnterInitialCgroups moves t into an initial set of cgroups.
    28  // If initCgroups is not nil, the new task will be placed in the specified cgroups.
    29  // Otherwise, if parent is not nil, the new task will be placed in the parent's cgroups.
    30  // If neither is specified, the new task will be in the root cgroups.
    31  //
    32  // This is analogous to Linux's kernel/cgroup/cgroup.c:cgroup_css_set_fork().
    33  //
    34  // Precondition: t isn't in any cgroups yet, t.cgroups is empty.
    35  func (t *Task) EnterInitialCgroups(parent *Task, initCgroups map[Cgroup]struct{}) {
    36  	var inherit map[Cgroup]struct{}
    37  	if initCgroups != nil {
    38  		inherit = initCgroups
    39  	} else if parent != nil {
    40  		parent.mu.Lock()
    41  		defer parent.mu.Unlock()
    42  		inherit = parent.cgroups
    43  	}
    44  	joinSet := t.k.cgroupRegistry.computeInitialGroups(inherit)
    45  
    46  	t.mu.NestedLock(taskLockChild)
    47  	defer t.mu.NestedUnlock(taskLockChild)
    48  	// Transfer ownership of joinSet refs to the task's cgset.
    49  	t.cgroups = joinSet
    50  	for c := range t.cgroups {
    51  		// Since t isn't in any cgroup yet, we can skip the check against
    52  		// existing cgroups.
    53  		c.Enter(t)
    54  		t.SetMemCgIDFromCgroup(c)
    55  	}
    56  }
    57  
    58  // SetMemCgID sets the given memory cgroup id to the task.
    59  func (t *Task) SetMemCgID(memCgID uint32) {
    60  	t.memCgID.Store(memCgID)
    61  }
    62  
    63  // SetMemCgIDFromCgroup sets the id of the given memory cgroup to the task.
    64  func (t *Task) SetMemCgIDFromCgroup(cg Cgroup) {
    65  	for _, ctl := range cg.Controllers() {
    66  		if ctl.Type() == CgroupControllerMemory {
    67  			t.SetMemCgID(cg.ID())
    68  			return
    69  		}
    70  	}
    71  }
    72  
    73  // ResetMemCgIDFromCgroup sets the memory cgroup id to zero, if the task has
    74  // a memory cgroup.
    75  func (t *Task) ResetMemCgIDFromCgroup(cg Cgroup) {
    76  	for _, ctl := range cg.Controllers() {
    77  		if ctl.Type() == CgroupControllerMemory {
    78  			t.SetMemCgID(0)
    79  			return
    80  		}
    81  	}
    82  }
    83  
    84  // EnterCgroup moves t into c.
    85  func (t *Task) EnterCgroup(c Cgroup) error {
    86  	newControllers := make(map[CgroupControllerType]struct{})
    87  	for _, ctl := range c.Controllers() {
    88  		newControllers[ctl.Type()] = struct{}{}
    89  	}
    90  
    91  	t.mu.Lock()
    92  	defer t.mu.Unlock()
    93  
    94  	for oldCG := range t.cgroups {
    95  		if oldCG.HierarchyID() == c.HierarchyID() {
    96  			log.Warningf("Cannot enter new cgroup %v due to conflicting controllers. Try migrate instead?", c)
    97  			return linuxerr.EBUSY
    98  		}
    99  	}
   100  
   101  	// No migration required.
   102  	t.enterCgroupLocked(c)
   103  
   104  	return nil
   105  }
   106  
   107  // +checklocks:t.mu
   108  func (t *Task) enterCgroupLocked(c Cgroup) {
   109  	c.IncRef()
   110  	t.cgroups[c] = struct{}{}
   111  	c.Enter(t)
   112  	t.SetMemCgIDFromCgroup(c)
   113  }
   114  
   115  // +checklocks:t.mu
   116  func (t *Task) enterCgroupIfNotYetLocked(c Cgroup) {
   117  	if _, ok := t.cgroups[c]; ok {
   118  		return
   119  	}
   120  	t.enterCgroupLocked(c)
   121  }
   122  
   123  // LeaveCgroups removes t out from all its cgroups.
   124  func (t *Task) LeaveCgroups() {
   125  	t.tg.pidns.owner.mu.Lock() // Prevent migration.
   126  	t.mu.Lock()
   127  	cgs := t.cgroups
   128  	t.cgroups = nil
   129  	for c := range cgs {
   130  		c.Leave(t)
   131  	}
   132  	t.SetMemCgID(0)
   133  	t.mu.Unlock()
   134  	t.tg.pidns.owner.mu.Unlock()
   135  
   136  	for c := range cgs {
   137  		c.decRef()
   138  	}
   139  }
   140  
   141  // +checklocks:t.mu
   142  func (t *Task) findCgroupWithMatchingHierarchyLocked(other Cgroup) (Cgroup, bool) {
   143  	for c := range t.cgroups {
   144  		if c.HierarchyID() != other.HierarchyID() {
   145  			continue
   146  		}
   147  		return c, true
   148  	}
   149  	return Cgroup{}, false
   150  }
   151  
   152  // CgroupPrepareMigrate starts a cgroup migration for this task to dst. The
   153  // migration must be completed through the returned context.
   154  func (t *Task) CgroupPrepareMigrate(dst Cgroup) (*CgroupMigrationContext, error) {
   155  	t.mu.Lock()
   156  	defer t.mu.Unlock()
   157  	src, found := t.findCgroupWithMatchingHierarchyLocked(dst)
   158  	if !found {
   159  		log.Warningf("Cannot migrate to cgroup %v since task %v not currently in target hierarchy %v", dst, t, dst.HierarchyID())
   160  		return nil, linuxerr.EINVAL
   161  	}
   162  	if err := dst.PrepareMigrate(t, &src); err != nil {
   163  		return nil, err
   164  	}
   165  	return &CgroupMigrationContext{
   166  		src: src,
   167  		dst: dst,
   168  		t:   t,
   169  	}, nil
   170  }
   171  
   172  // MigrateCgroup migrates all tasks in tg to the dst cgroup. Either all tasks
   173  // are migrated, or none are. Atomicity of migrations wrt cgroup membership
   174  // (i.e. a task can't switch cgroups mid-migration due to another migration) is
   175  // guaranteed because migrations are serialized by TaskSet.mu.
   176  func (tg *ThreadGroup) MigrateCgroup(dst Cgroup) error {
   177  	tg.pidns.owner.mu.RLock()
   178  	defer tg.pidns.owner.mu.RUnlock()
   179  
   180  	var ctxs []*CgroupMigrationContext
   181  
   182  	// Prepare migrations. On partial failure, abort.
   183  	for t := tg.tasks.Front(); t != nil; t = t.Next() {
   184  		ctx, err := t.CgroupPrepareMigrate(dst)
   185  		if err != nil {
   186  			// Rollback.
   187  			for _, ctx := range ctxs {
   188  				ctx.Abort()
   189  			}
   190  			return err
   191  		}
   192  		ctxs = append(ctxs, ctx)
   193  	}
   194  
   195  	// All migrations are now guaranteed to succeed.
   196  
   197  	for _, ctx := range ctxs {
   198  		ctx.Commit()
   199  	}
   200  
   201  	return nil
   202  }
   203  
   204  // MigrateCgroup migrates this task to the dst cgroup.
   205  func (t *Task) MigrateCgroup(dst Cgroup) error {
   206  	t.tg.pidns.owner.mu.RLock()
   207  	defer t.tg.pidns.owner.mu.RUnlock()
   208  
   209  	ctx, err := t.CgroupPrepareMigrate(dst)
   210  	if err != nil {
   211  		return err
   212  	}
   213  	ctx.Commit()
   214  	return nil
   215  }
   216  
   217  // TaskCgroupEntry represents a line in /proc/<pid>/cgroup, and is used to
   218  // format a cgroup for display.
   219  type TaskCgroupEntry struct {
   220  	HierarchyID uint32 `json:"hierarchy_id"`
   221  	Controllers string `json:"controllers,omitempty"`
   222  	Path        string `json:"path,omitempty"`
   223  }
   224  
   225  // GetCgroupEntries generates the contents of /proc/<pid>/cgroup as
   226  // a TaskCgroupEntry array.
   227  func (t *Task) GetCgroupEntries() []TaskCgroupEntry {
   228  	t.mu.Lock()
   229  	defer t.mu.Unlock()
   230  
   231  	cgEntries := make([]TaskCgroupEntry, 0, len(t.cgroups))
   232  	for c := range t.cgroups {
   233  		ctls := c.Controllers()
   234  		ctlNames := make([]string, 0, len(ctls))
   235  
   236  		// We're guaranteed to have a valid name, a non-empty controller list,
   237  		// or both.
   238  
   239  		// Explicit hierachy name, if any.
   240  		if name := c.Name(); name != "" {
   241  			ctlNames = append(ctlNames, fmt.Sprintf("name=%s", name))
   242  		}
   243  
   244  		// Controllers attached to this hierarchy, if any.
   245  		for _, ctl := range ctls {
   246  			ctlNames = append(ctlNames, string(ctl.Type()))
   247  		}
   248  
   249  		cgEntries = append(cgEntries, TaskCgroupEntry{
   250  			HierarchyID: c.HierarchyID(),
   251  			Controllers: strings.Join(ctlNames, ","),
   252  			Path:        c.Path(),
   253  		})
   254  	}
   255  
   256  	sort.Slice(cgEntries, func(i, j int) bool { return cgEntries[i].HierarchyID > cgEntries[j].HierarchyID })
   257  	return cgEntries
   258  }
   259  
   260  // GenerateProcTaskCgroup writes the contents of /proc/<pid>/cgroup for t to buf.
   261  func (t *Task) GenerateProcTaskCgroup(buf *bytes.Buffer) {
   262  	cgEntries := t.GetCgroupEntries()
   263  	for _, cgE := range cgEntries {
   264  		fmt.Fprintf(buf, "%d:%s:%s\n", cgE.HierarchyID, cgE.Controllers, cgE.Path)
   265  	}
   266  }
   267  
   268  // +checklocks:t.mu
   269  func (t *Task) chargeLocked(target *Task, ctl CgroupControllerType, res CgroupResourceType, value int64) (bool, Cgroup, error) {
   270  	// Due to the uniqueness of controllers on hierarchies, at most one cgroup
   271  	// in t.cgroups will match.
   272  	for c := range t.cgroups {
   273  		err := c.Charge(target, c.Dentry, ctl, res, value)
   274  		if err == nil {
   275  			c.IncRef()
   276  		}
   277  		return err == nil, c, err
   278  	}
   279  	return false, Cgroup{}, nil
   280  }
   281  
   282  // ChargeFor charges t's cgroup on behalf of some other task. Returns
   283  // the cgroup that's charged if any. Returned cgroup has an extra ref
   284  // that's transferred to the caller.
   285  func (t *Task) ChargeFor(other *Task, ctl CgroupControllerType, res CgroupResourceType, value int64) (bool, Cgroup, error) {
   286  	t.mu.Lock()
   287  	defer t.mu.Unlock()
   288  	return t.chargeLocked(other, ctl, res, value)
   289  }