1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2013 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
25 #include "process-util.h"
26 #include "path-util.h"
27 // #include "special.h"
28 #include "cgroup-util.h"
31 #define CGROUP_CPU_QUOTA_PERIOD_USEC ((usec_t) 100 * USEC_PER_MSEC)
33 // UNNEEDED by elogind
35 void cgroup_context_init(CGroupContext *c) {
38 /* Initialize everything to the kernel defaults, assuming the
39 * structure is preinitialized to 0 */
41 c->cpu_shares = (unsigned long) -1;
42 c->startup_cpu_shares = (unsigned long) -1;
43 c->memory_limit = (uint64_t) -1;
44 c->blockio_weight = (unsigned long) -1;
45 c->startup_blockio_weight = (unsigned long) -1;
47 c->cpu_quota_per_sec_usec = USEC_INFINITY;
50 void cgroup_context_free_device_allow(CGroupContext *c, CGroupDeviceAllow *a) {
54 LIST_REMOVE(device_allow, c->device_allow, a);
59 void cgroup_context_free_blockio_device_weight(CGroupContext *c, CGroupBlockIODeviceWeight *w) {
63 LIST_REMOVE(device_weights, c->blockio_device_weights, w);
68 void cgroup_context_free_blockio_device_bandwidth(CGroupContext *c, CGroupBlockIODeviceBandwidth *b) {
72 LIST_REMOVE(device_bandwidths, c->blockio_device_bandwidths, b);
77 void cgroup_context_done(CGroupContext *c) {
80 while (c->blockio_device_weights)
81 cgroup_context_free_blockio_device_weight(c, c->blockio_device_weights);
83 while (c->blockio_device_bandwidths)
84 cgroup_context_free_blockio_device_bandwidth(c, c->blockio_device_bandwidths);
86 while (c->device_allow)
87 cgroup_context_free_device_allow(c, c->device_allow);
90 void cgroup_context_dump(CGroupContext *c, FILE* f, const char *prefix) {
91 CGroupBlockIODeviceBandwidth *b;
92 CGroupBlockIODeviceWeight *w;
94 char u[FORMAT_TIMESPAN_MAX];
99 prefix = strempty(prefix);
102 "%sCPUAccounting=%s\n"
103 "%sBlockIOAccounting=%s\n"
104 "%sMemoryAccounting=%s\n"
106 "%sStartupCPUShares=%lu\n"
107 "%sCPUQuotaPerSecSec=%s\n"
108 "%sBlockIOWeight=%lu\n"
109 "%sStartupBlockIOWeight=%lu\n"
110 "%sMemoryLimit=%" PRIu64 "\n"
111 "%sDevicePolicy=%s\n"
113 prefix, yes_no(c->cpu_accounting),
114 prefix, yes_no(c->blockio_accounting),
115 prefix, yes_no(c->memory_accounting),
116 prefix, c->cpu_shares,
117 prefix, c->startup_cpu_shares,
118 prefix, format_timespan(u, sizeof(u), c->cpu_quota_per_sec_usec, 1),
119 prefix, c->blockio_weight,
120 prefix, c->startup_blockio_weight,
121 prefix, c->memory_limit,
122 prefix, cgroup_device_policy_to_string(c->device_policy),
123 prefix, yes_no(c->delegate));
125 LIST_FOREACH(device_allow, a, c->device_allow)
127 "%sDeviceAllow=%s %s%s%s\n",
130 a->r ? "r" : "", a->w ? "w" : "", a->m ? "m" : "");
132 LIST_FOREACH(device_weights, w, c->blockio_device_weights)
134 "%sBlockIODeviceWeight=%s %lu",
139 LIST_FOREACH(device_bandwidths, b, c->blockio_device_bandwidths) {
140 char buf[FORMAT_BYTES_MAX];
145 b->read ? "BlockIOReadBandwidth" : "BlockIOWriteBandwidth",
147 format_bytes(buf, sizeof(buf), b->bandwidth));
151 static int lookup_blkio_device(const char *p, dev_t *dev) {
160 return log_warning_errno(errno, "Couldn't stat device %s: %m", p);
162 if (S_ISBLK(st.st_mode))
164 else if (major(st.st_dev) != 0) {
165 /* If this is not a device node then find the block
166 * device this file is stored on */
169 /* If this is a partition, try to get the originating
171 block_get_whole_disk(*dev, dev);
173 log_warning("%s is not a block device and file system block device cannot be determined or is not local.", p);
180 static int whitelist_device(const char *path, const char *node, const char *acc) {
181 char buf[2+DECIMAL_STR_MAX(dev_t)*2+2+4];
188 if (stat(node, &st) < 0) {
189 log_warning("Couldn't stat device %s", node);
193 if (!S_ISCHR(st.st_mode) && !S_ISBLK(st.st_mode)) {
194 log_warning("%s is not a device.", node);
200 S_ISCHR(st.st_mode) ? 'c' : 'b',
201 major(st.st_rdev), minor(st.st_rdev),
204 r = cg_set_attribute("devices", path, "devices.allow", buf);
206 log_full_errno(IN_SET(r, -ENOENT, -EROFS, -EINVAL) ? LOG_DEBUG : LOG_WARNING, r,
207 "Failed to set devices.allow on %s: %m", path);
212 static int whitelist_major(const char *path, const char *name, char type, const char *acc) {
213 _cleanup_fclose_ FILE *f = NULL;
220 assert(type == 'b' || type == 'c');
222 f = fopen("/proc/devices", "re");
224 return log_warning_errno(errno, "Cannot open /proc/devices to resolve %s (%c): %m", name, type);
226 FOREACH_LINE(line, f, goto fail) {
227 char buf[2+DECIMAL_STR_MAX(unsigned)+3+4], *p, *w;
232 if (type == 'c' && streq(line, "Character devices:")) {
237 if (type == 'b' && streq(line, "Block devices:")) {
252 w = strpbrk(p, WHITESPACE);
257 r = safe_atou(p, &maj);
264 w += strspn(w, WHITESPACE);
266 if (fnmatch(name, w, 0) != 0)
275 r = cg_set_attribute("devices", path, "devices.allow", buf);
277 log_full_errno(IN_SET(r, -ENOENT, -EROFS, -EINVAL) ? LOG_DEBUG : LOG_WARNING, r,
278 "Failed to set devices.allow on %s: %m", path);
284 log_warning_errno(errno, "Failed to read /proc/devices: %m");
288 void cgroup_context_apply(CGroupContext *c, CGroupMask mask, const char *path, ManagerState state) {
298 /* Some cgroup attributes are not supported on the root cgroup,
299 * hence silently ignore */
300 is_root = isempty(path) || path_equal(path, "/");
302 /* Make sure we don't try to display messages with an empty path. */
305 /* We generally ignore errors caused by read-only mounted
306 * cgroup trees (assuming we are running in a container then),
307 * and missing cgroups, i.e. EROFS and ENOENT. */
309 if ((mask & CGROUP_MASK_CPU) && !is_root) {
310 char buf[MAX(DECIMAL_STR_MAX(unsigned long), DECIMAL_STR_MAX(usec_t)) + 1];
312 sprintf(buf, "%lu\n",
313 IN_SET(state, MANAGER_STARTING, MANAGER_INITIALIZING) && c->startup_cpu_shares != (unsigned long) -1 ? c->startup_cpu_shares :
314 c->cpu_shares != (unsigned long) -1 ? c->cpu_shares : 1024);
315 r = cg_set_attribute("cpu", path, "cpu.shares", buf);
317 log_full_errno(IN_SET(r, -ENOENT, -EROFS) ? LOG_DEBUG : LOG_WARNING, r,
318 "Failed to set cpu.shares on %s: %m", path);
320 sprintf(buf, USEC_FMT "\n", CGROUP_CPU_QUOTA_PERIOD_USEC);
321 r = cg_set_attribute("cpu", path, "cpu.cfs_period_us", buf);
323 log_full_errno(IN_SET(r, -ENOENT, -EROFS) ? LOG_DEBUG : LOG_WARNING, r,
324 "Failed to set cpu.cfs_period_us on %s: %m", path);
326 if (c->cpu_quota_per_sec_usec != USEC_INFINITY) {
327 sprintf(buf, USEC_FMT "\n", c->cpu_quota_per_sec_usec * CGROUP_CPU_QUOTA_PERIOD_USEC / USEC_PER_SEC);
328 r = cg_set_attribute("cpu", path, "cpu.cfs_quota_us", buf);
330 r = cg_set_attribute("cpu", path, "cpu.cfs_quota_us", "-1");
332 log_full_errno(IN_SET(r, -ENOENT, -EROFS) ? LOG_DEBUG : LOG_WARNING, r,
333 "Failed to set cpu.cfs_quota_us on %s: %m", path);
336 if (mask & CGROUP_MASK_BLKIO) {
337 char buf[MAX3(DECIMAL_STR_MAX(unsigned long)+1,
338 DECIMAL_STR_MAX(dev_t)*2+2+DECIMAL_STR_MAX(unsigned long)*1,
339 DECIMAL_STR_MAX(dev_t)*2+2+DECIMAL_STR_MAX(uint64_t)+1)];
340 CGroupBlockIODeviceWeight *w;
341 CGroupBlockIODeviceBandwidth *b;
344 sprintf(buf, "%lu\n", IN_SET(state, MANAGER_STARTING, MANAGER_INITIALIZING) && c->startup_blockio_weight != (unsigned long) -1 ? c->startup_blockio_weight :
345 c->blockio_weight != (unsigned long) -1 ? c->blockio_weight : 1000);
346 r = cg_set_attribute("blkio", path, "blkio.weight", buf);
348 log_full_errno(IN_SET(r, -ENOENT, -EROFS) ? LOG_DEBUG : LOG_WARNING, r,
349 "Failed to set blkio.weight on %s: %m", path);
351 /* FIXME: no way to reset this list */
352 LIST_FOREACH(device_weights, w, c->blockio_device_weights) {
355 r = lookup_blkio_device(w->path, &dev);
359 sprintf(buf, "%u:%u %lu", major(dev), minor(dev), w->weight);
360 r = cg_set_attribute("blkio", path, "blkio.weight_device", buf);
362 log_full_errno(IN_SET(r, -ENOENT, -EROFS) ? LOG_DEBUG : LOG_WARNING, r,
363 "Failed to set blkio.weight_device on %s: %m", path);
367 /* FIXME: no way to reset this list */
368 LIST_FOREACH(device_bandwidths, b, c->blockio_device_bandwidths) {
372 r = lookup_blkio_device(b->path, &dev);
376 a = b->read ? "blkio.throttle.read_bps_device" : "blkio.throttle.write_bps_device";
378 sprintf(buf, "%u:%u %" PRIu64 "\n", major(dev), minor(dev), b->bandwidth);
379 r = cg_set_attribute("blkio", path, a, buf);
381 log_full_errno(IN_SET(r, -ENOENT, -EROFS) ? LOG_DEBUG : LOG_WARNING, r,
382 "Failed to set %s on %s: %m", a, path);
386 if ((mask & CGROUP_MASK_MEMORY) && !is_root) {
387 if (c->memory_limit != (uint64_t) -1) {
388 char buf[DECIMAL_STR_MAX(uint64_t) + 1];
390 sprintf(buf, "%" PRIu64 "\n", c->memory_limit);
392 if (cg_unified() <= 0)
393 r = cg_set_attribute("memory", path, "memory.limit_in_bytes", buf);
395 r = cg_set_attribute("memory", path, "memory.max", buf);
398 if (cg_unified() <= 0)
399 r = cg_set_attribute("memory", path, "memory.limit_in_bytes", "-1");
401 r = cg_set_attribute("memory", path, "memory.max", "max");
405 log_full_errno(IN_SET(r, -ENOENT, -EROFS) ? LOG_DEBUG : LOG_WARNING, r,
406 "Failed to set memory.limit_in_bytes/memory.max on %s: %m", path);
409 if ((mask & CGROUP_MASK_DEVICE) && !is_root) {
410 CGroupDeviceAllow *a;
412 /* Changing the devices list of a populated cgroup
413 * might result in EINVAL, hence ignore EINVAL
416 if (c->device_allow || c->device_policy != CGROUP_AUTO)
417 r = cg_set_attribute("devices", path, "devices.deny", "a");
419 r = cg_set_attribute("devices", path, "devices.allow", "a");
421 log_full_errno(IN_SET(r, -ENOENT, -EROFS, -EINVAL) ? LOG_DEBUG : LOG_WARNING, r,
422 "Failed to reset devices.list on %s: %m", path);
424 if (c->device_policy == CGROUP_CLOSED ||
425 (c->device_policy == CGROUP_AUTO && c->device_allow)) {
426 static const char auto_devices[] =
427 "/dev/null\0" "rwm\0"
428 "/dev/zero\0" "rwm\0"
429 "/dev/full\0" "rwm\0"
430 "/dev/random\0" "rwm\0"
431 "/dev/urandom\0" "rwm\0"
433 "/dev/pts/ptmx\0" "rw\0"; /* /dev/pts/ptmx may not be duplicated, but accessed */
437 NULSTR_FOREACH_PAIR(x, y, auto_devices)
438 whitelist_device(path, x, y);
440 whitelist_major(path, "pts", 'c', "rw");
441 whitelist_major(path, "kdbus", 'c', "rw");
442 whitelist_major(path, "kdbus/*", 'c', "rw");
445 LIST_FOREACH(device_allow, a, c->device_allow) {
461 if (startswith(a->path, "/dev/"))
462 whitelist_device(path, a->path, acc);
463 else if (startswith(a->path, "block-"))
464 whitelist_major(path, a->path + 6, 'b', acc);
465 else if (startswith(a->path, "char-"))
466 whitelist_major(path, a->path + 5, 'c', acc);
468 log_debug("Ignoring device %s while writing cgroup attribute.", a->path);
473 CGroupMask cgroup_context_get_mask(CGroupContext *c) {
476 /* Figure out which controllers we need */
478 if (c->cpu_accounting ||
479 c->cpu_shares != (unsigned long) -1 ||
480 c->startup_cpu_shares != (unsigned long) -1 ||
481 c->cpu_quota_per_sec_usec != USEC_INFINITY)
482 mask |= CGROUP_MASK_CPUACCT | CGROUP_MASK_CPU;
484 if (c->blockio_accounting ||
485 c->blockio_weight != (unsigned long) -1 ||
486 c->startup_blockio_weight != (unsigned long) -1 ||
487 c->blockio_device_weights ||
488 c->blockio_device_bandwidths)
489 mask |= CGROUP_MASK_BLKIO;
491 if (c->memory_accounting ||
492 c->memory_limit != (uint64_t) -1)
493 mask |= CGROUP_MASK_MEMORY;
495 if (c->device_allow ||
496 c->device_policy != CGROUP_AUTO)
497 mask |= CGROUP_MASK_DEVICE;
502 CGroupMask unit_get_own_mask(Unit *u) {
505 /* Returns the mask of controllers the unit needs for itself */
507 c = unit_get_cgroup_context(u);
511 /* If delegation is turned on, then turn on all cgroups,
512 * unless we are on the legacy hierarchy and the process we
513 * fork into it is known to drop privileges, and hence
514 * shouldn't get access to the controllers.
516 * Note that on the unified hierarchy it is safe to delegate
517 * controllers to unprivileged services. */
522 e = unit_get_exec_context(u);
524 exec_context_maintains_privileges(e) ||
526 return _CGROUP_MASK_ALL;
529 return cgroup_context_get_mask(c);
532 CGroupMask unit_get_members_mask(Unit *u) {
535 /* Returns the mask of controllers all of the unit's children
538 if (u->cgroup_members_mask_valid)
539 return u->cgroup_members_mask;
541 u->cgroup_members_mask = 0;
543 if (u->type == UNIT_SLICE) {
547 SET_FOREACH(member, u->dependencies[UNIT_BEFORE], i) {
552 if (UNIT_DEREF(member->slice) != u)
555 u->cgroup_members_mask |=
556 unit_get_own_mask(member) |
557 unit_get_members_mask(member);
561 u->cgroup_members_mask_valid = true;
562 return u->cgroup_members_mask;
565 CGroupMask unit_get_siblings_mask(Unit *u) {
568 /* Returns the mask of controllers all of the unit's siblings
569 * require, i.e. the members mask of the unit's parent slice
570 * if there is one. */
572 if (UNIT_ISSET(u->slice))
573 return unit_get_members_mask(UNIT_DEREF(u->slice));
575 return unit_get_own_mask(u) | unit_get_members_mask(u);
578 CGroupMask unit_get_subtree_mask(Unit *u) {
580 /* Returns the mask of this subtree, meaning of the group
581 * itself and its children. */
583 return unit_get_own_mask(u) | unit_get_members_mask(u);
586 CGroupMask unit_get_target_mask(Unit *u) {
589 /* This returns the cgroup mask of all controllers to enable
590 * for a specific cgroup, i.e. everything it needs itself,
591 * plus all that its children need, plus all that its siblings
592 * need. This is primarily useful on the legacy cgroup
593 * hierarchy, where we need to duplicate each cgroup in each
594 * hierarchy that shall be enabled for it. */
596 mask = unit_get_own_mask(u) | unit_get_members_mask(u) | unit_get_siblings_mask(u);
597 mask &= u->manager->cgroup_supported;
602 CGroupMask unit_get_enable_mask(Unit *u) {
605 /* This returns the cgroup mask of all controllers to enable
606 * for the children of a specific cgroup. This is primarily
607 * useful for the unified cgroup hierarchy, where each cgroup
608 * controls which controllers are enabled for its children. */
610 mask = unit_get_members_mask(u);
611 mask &= u->manager->cgroup_supported;
616 /* Recurse from a unit up through its containing slices, propagating
617 * mask bits upward. A unit is also member of itself. */
618 void unit_update_cgroup_members_masks(Unit *u) {
624 /* Calculate subtree mask */
625 m = unit_get_subtree_mask(u);
627 /* See if anything changed from the previous invocation. If
628 * not, we're done. */
629 if (u->cgroup_subtree_mask_valid && m == u->cgroup_subtree_mask)
633 u->cgroup_subtree_mask_valid &&
634 ((m & ~u->cgroup_subtree_mask) != 0) &&
635 ((~m & u->cgroup_subtree_mask) == 0);
637 u->cgroup_subtree_mask = m;
638 u->cgroup_subtree_mask_valid = true;
640 if (UNIT_ISSET(u->slice)) {
641 Unit *s = UNIT_DEREF(u->slice);
644 /* There's more set now than before. We
645 * propagate the new mask to the parent's mask
646 * (not caring if it actually was valid or
649 s->cgroup_members_mask |= m;
652 /* There's less set now than before (or we
653 * don't know), we need to recalculate
654 * everything, so let's invalidate the
655 * parent's members mask */
657 s->cgroup_members_mask_valid = false;
659 /* And now make sure that this change also hits our
661 unit_update_cgroup_members_masks(s);
665 static const char *migrate_callback(CGroupMask mask, void *userdata) {
672 if (u->cgroup_path &&
673 u->cgroup_realized &&
674 (u->cgroup_realized_mask & mask) == mask)
675 return u->cgroup_path;
677 u = UNIT_DEREF(u->slice);
683 char *unit_default_cgroup_path(Unit *u) {
684 _cleanup_free_ char *escaped = NULL, *slice = NULL;
689 if (unit_has_name(u, SPECIAL_ROOT_SLICE))
690 return strdup(u->manager->cgroup_root);
692 if (UNIT_ISSET(u->slice) && !unit_has_name(UNIT_DEREF(u->slice), SPECIAL_ROOT_SLICE)) {
693 r = cg_slice_to_path(UNIT_DEREF(u->slice)->id, &slice);
698 escaped = cg_escape(u->id);
703 return strjoin(u->manager->cgroup_root, "/", slice, "/", escaped, NULL);
705 return strjoin(u->manager->cgroup_root, "/", escaped, NULL);
708 int unit_set_cgroup_path(Unit *u, const char *path) {
709 _cleanup_free_ char *p = NULL;
721 if (streq_ptr(u->cgroup_path, p))
725 r = hashmap_put(u->manager->cgroup_unit, p, u);
730 unit_release_cgroup(u);
738 int unit_watch_cgroup(Unit *u) {
739 _cleanup_free_ char *populated = NULL;
747 if (u->cgroup_inotify_wd >= 0)
750 /* Only applies to the unified hierarchy */
753 return log_unit_error_errno(u, r, "Failed detect wether the unified hierarchy is used: %m");
757 /* Don't watch the root slice, it's pointless. */
758 if (unit_has_name(u, SPECIAL_ROOT_SLICE))
761 r = hashmap_ensure_allocated(&u->manager->cgroup_inotify_wd_unit, &trivial_hash_ops);
765 r = cg_get_path(SYSTEMD_CGROUP_CONTROLLER, u->cgroup_path, "cgroup.populated", &populated);
769 u->cgroup_inotify_wd = inotify_add_watch(u->manager->cgroup_inotify_fd, populated, IN_MODIFY);
770 if (u->cgroup_inotify_wd < 0) {
772 if (errno == ENOENT) /* If the directory is already
773 * gone we don't need to track
774 * it, so this is not an error */
777 return log_unit_error_errno(u, errno, "Failed to add inotify watch descriptor for control group %s: %m", u->cgroup_path);
780 r = hashmap_put(u->manager->cgroup_inotify_wd_unit, INT_TO_PTR(u->cgroup_inotify_wd), u);
782 return log_unit_error_errno(u, r, "Failed to add inotify watch descriptor to hash map: %m");
787 static int unit_create_cgroup(
789 CGroupMask target_mask,
790 CGroupMask enable_mask) {
797 c = unit_get_cgroup_context(u);
801 if (!u->cgroup_path) {
802 _cleanup_free_ char *path = NULL;
804 path = unit_default_cgroup_path(u);
808 r = unit_set_cgroup_path(u, path);
810 return log_unit_error_errno(u, r, "Control group %s exists already.", path);
812 return log_unit_error_errno(u, r, "Failed to set unit's control group path to %s: %m", path);
815 /* First, create our own group */
816 r = cg_create_everywhere(u->manager->cgroup_supported, target_mask, u->cgroup_path);
818 return log_unit_error_errno(u, r, "Failed to create cgroup %s: %m", u->cgroup_path);
820 /* Start watching it */
821 (void) unit_watch_cgroup(u);
823 /* Enable all controllers we need */
824 r = cg_enable_everywhere(u->manager->cgroup_supported, enable_mask, u->cgroup_path);
826 log_unit_warning_errno(u, r, "Failed to enable controllers on cgroup %s, ignoring: %m", u->cgroup_path);
828 /* Keep track that this is now realized */
829 u->cgroup_realized = true;
830 u->cgroup_realized_mask = target_mask;
832 if (u->type != UNIT_SLICE && !c->delegate) {
834 /* Then, possibly move things over, but not if
835 * subgroups may contain processes, which is the case
836 * for slice and delegation units. */
837 r = cg_migrate_everywhere(u->manager->cgroup_supported, u->cgroup_path, u->cgroup_path, migrate_callback, u);
839 log_unit_warning_errno(u, r, "Failed to migrate cgroup from to %s, ignoring: %m", u->cgroup_path);
845 int unit_attach_pids_to_cgroup(Unit *u) {
849 r = unit_realize_cgroup(u);
853 r = cg_attach_many_everywhere(u->manager->cgroup_supported, u->cgroup_path, u->pids, migrate_callback, u);
860 static bool unit_has_mask_realized(Unit *u, CGroupMask target_mask) {
863 return u->cgroup_realized && u->cgroup_realized_mask == target_mask;
866 /* Check if necessary controllers and attributes for a unit are in place.
869 * If not, create paths, move processes over, and set attributes.
871 * Returns 0 on success and < 0 on failure. */
872 static int unit_realize_cgroup_now(Unit *u, ManagerState state) {
873 CGroupMask target_mask, enable_mask;
878 if (u->in_cgroup_queue) {
879 LIST_REMOVE(cgroup_queue, u->manager->cgroup_queue, u);
880 u->in_cgroup_queue = false;
883 target_mask = unit_get_target_mask(u);
884 if (unit_has_mask_realized(u, target_mask))
887 /* First, realize parents */
888 if (UNIT_ISSET(u->slice)) {
889 r = unit_realize_cgroup_now(UNIT_DEREF(u->slice), state);
894 /* And then do the real work */
895 enable_mask = unit_get_enable_mask(u);
896 r = unit_create_cgroup(u, target_mask, enable_mask);
900 /* Finally, apply the necessary attributes. */
901 cgroup_context_apply(unit_get_cgroup_context(u), target_mask, u->cgroup_path, state);
906 static void unit_add_to_cgroup_queue(Unit *u) {
908 if (u->in_cgroup_queue)
911 LIST_PREPEND(cgroup_queue, u->manager->cgroup_queue, u);
912 u->in_cgroup_queue = true;
915 unsigned manager_dispatch_cgroup_queue(Manager *m) {
921 state = manager_state(m);
923 while ((i = m->cgroup_queue)) {
924 assert(i->in_cgroup_queue);
926 r = unit_realize_cgroup_now(i, state);
928 log_warning_errno(r, "Failed to realize cgroups for queued unit %s, ignoring: %m", i->id);
936 static void unit_queue_siblings(Unit *u) {
939 /* This adds the siblings of the specified unit and the
940 * siblings of all parent units to the cgroup queue. (But
941 * neither the specified unit itself nor the parents.) */
943 while ((slice = UNIT_DEREF(u->slice))) {
947 SET_FOREACH(m, slice->dependencies[UNIT_BEFORE], i) {
951 /* Skip units that have a dependency on the slice
952 * but aren't actually in it. */
953 if (UNIT_DEREF(m->slice) != slice)
956 /* No point in doing cgroup application for units
957 * without active processes. */
958 if (UNIT_IS_INACTIVE_OR_FAILED(unit_active_state(m)))
961 /* If the unit doesn't need any new controllers
962 * and has current ones realized, it doesn't need
964 if (unit_has_mask_realized(m, unit_get_target_mask(m)))
967 unit_add_to_cgroup_queue(m);
974 int unit_realize_cgroup(Unit *u) {
977 if (!UNIT_HAS_CGROUP_CONTEXT(u))
980 /* So, here's the deal: when realizing the cgroups for this
981 * unit, we need to first create all parents, but there's more
982 * actually: for the weight-based controllers we also need to
983 * make sure that all our siblings (i.e. units that are in the
984 * same slice as we are) have cgroups, too. Otherwise, things
985 * would become very uneven as each of their processes would
986 * get as much resources as all our group together. This call
987 * will synchronously create the parent cgroups, but will
988 * defer work on the siblings to the next event loop
991 /* Add all sibling slices to the cgroup queue. */
992 unit_queue_siblings(u);
994 /* And realize this one now (and apply the values) */
995 return unit_realize_cgroup_now(u, manager_state(u->manager));
998 void unit_release_cgroup(Unit *u) {
1001 /* Forgets all cgroup details for this cgroup */
1003 if (u->cgroup_path) {
1004 (void) hashmap_remove(u->manager->cgroup_unit, u->cgroup_path);
1005 u->cgroup_path = mfree(u->cgroup_path);
1008 if (u->cgroup_inotify_wd >= 0) {
1009 if (inotify_rm_watch(u->manager->cgroup_inotify_fd, u->cgroup_inotify_wd) < 0)
1010 log_unit_debug_errno(u, errno, "Failed to remove cgroup inotify watch %i for %s, ignoring", u->cgroup_inotify_wd, u->id);
1012 (void) hashmap_remove(u->manager->cgroup_inotify_wd_unit, INT_TO_PTR(u->cgroup_inotify_wd));
1013 u->cgroup_inotify_wd = -1;
1017 void unit_prune_cgroup(Unit *u) {
1023 /* Removes the cgroup, if empty and possible, and stops watching it. */
1025 if (!u->cgroup_path)
1028 is_root_slice = unit_has_name(u, SPECIAL_ROOT_SLICE);
1030 r = cg_trim_everywhere(u->manager->cgroup_supported, u->cgroup_path, !is_root_slice);
1032 log_debug_errno(r, "Failed to destroy cgroup %s, ignoring: %m", u->cgroup_path);
1039 unit_release_cgroup(u);
1041 u->cgroup_realized = false;
1042 u->cgroup_realized_mask = 0;
1045 int unit_search_main_pid(Unit *u, pid_t *ret) {
1046 _cleanup_fclose_ FILE *f = NULL;
1047 pid_t pid = 0, npid, mypid;
1053 if (!u->cgroup_path)
1056 r = cg_enumerate_processes(SYSTEMD_CGROUP_CONTROLLER, u->cgroup_path, &f);
1061 while (cg_read_pid(f, &npid) > 0) {
1067 /* Ignore processes that aren't our kids */
1068 if (get_parent_of_pid(npid, &ppid) >= 0 && ppid != mypid)
1072 /* Dang, there's more than one daemonized PID
1073 in this group, so we don't know what process
1074 is the main process. */
1085 static int unit_watch_pids_in_path(Unit *u, const char *path) {
1086 _cleanup_closedir_ DIR *d = NULL;
1087 _cleanup_fclose_ FILE *f = NULL;
1093 r = cg_enumerate_processes(SYSTEMD_CGROUP_CONTROLLER, path, &f);
1099 while ((r = cg_read_pid(f, &pid)) > 0) {
1100 r = unit_watch_pid(u, pid);
1101 if (r < 0 && ret >= 0)
1105 if (r < 0 && ret >= 0)
1109 r = cg_enumerate_subgroups(SYSTEMD_CGROUP_CONTROLLER, path, &d);
1116 while ((r = cg_read_subgroup(d, &fn)) > 0) {
1117 _cleanup_free_ char *p = NULL;
1119 p = strjoin(path, "/", fn, NULL);
1125 r = unit_watch_pids_in_path(u, p);
1126 if (r < 0 && ret >= 0)
1130 if (r < 0 && ret >= 0)
1137 int unit_watch_all_pids(Unit *u) {
1140 /* Adds all PIDs from our cgroup to the set of PIDs we
1141 * watch. This is a fallback logic for cases where we do not
1142 * get reliable cgroup empty notifications: we try to use
1143 * SIGCHLD as replacement. */
1145 if (!u->cgroup_path)
1148 if (cg_unified() > 0) /* On unified we can use proper notifications */
1151 return unit_watch_pids_in_path(u, u->cgroup_path);
1154 int unit_notify_cgroup_empty(Unit *u) {
1159 if (!u->cgroup_path)
1162 r = cg_is_empty_recursive(SYSTEMD_CGROUP_CONTROLLER, u->cgroup_path);
1166 unit_add_to_gc_queue(u);
1168 if (UNIT_VTABLE(u)->notify_cgroup_empty)
1169 UNIT_VTABLE(u)->notify_cgroup_empty(u);
1174 static int on_cgroup_inotify_event(sd_event_source *s, int fd, uint32_t revents, void *userdata) {
1175 Manager *m = userdata;
1182 union inotify_event_buffer buffer;
1183 struct inotify_event *e;
1186 l = read(fd, &buffer, sizeof(buffer));
1188 if (errno == EINTR || errno == EAGAIN)
1191 return log_error_errno(errno, "Failed to read control group inotify events: %m");
1194 FOREACH_INOTIFY_EVENT(e, buffer, l) {
1198 /* Queue overflow has no watch descriptor */
1201 if (e->mask & IN_IGNORED)
1202 /* The watch was just removed */
1205 u = hashmap_get(m->cgroup_inotify_wd_unit, INT_TO_PTR(e->wd));
1206 if (!u) /* Not that inotify might deliver
1207 * events for a watch even after it
1208 * was removed, because it was queued
1209 * before the removal. Let's ignore
1210 * this here safely. */
1213 (void) unit_notify_cgroup_empty(u);
1219 int manager_setup_cgroup(Manager *m) {
1220 _cleanup_free_ char *path = NULL;
1227 /* 1. Determine hierarchy */
1228 m->cgroup_root = mfree(m->cgroup_root);
1229 r = cg_pid_get_path(SYSTEMD_CGROUP_CONTROLLER, 0, &m->cgroup_root);
1231 return log_error_errno(r, "Cannot determine cgroup we are running in: %m");
1233 /// elogind does not support systemd scopes and slices
1235 /* Chop off the init scope, if we are already located in it */
1236 e = endswith(m->cgroup_root, "/" SPECIAL_INIT_SCOPE);
1238 /* LEGACY: Also chop off the system slice if we are in
1239 * it. This is to support live upgrades from older systemd
1240 * versions where PID 1 was moved there. Also see
1241 * cg_get_root_path(). */
1243 e = endswith(m->cgroup_root, "/" SPECIAL_SYSTEM_SLICE);
1245 e = endswith(m->cgroup_root, "/system"); /* even more legacy */
1251 /* And make sure to store away the root value without trailing
1252 * slash, even for the root dir, so that we can easily prepend
1254 while ((e = endswith(m->cgroup_root, "/")))
1256 log_debug_elogind("Cgroup Controller \"%s\" -> root \"%s\"",
1257 SYSTEMD_CGROUP_CONTROLLER, m->cgroup_root);
1260 r = cg_get_path(SYSTEMD_CGROUP_CONTROLLER, m->cgroup_root, NULL, &path);
1262 return log_error_errno(r, "Cannot find cgroup mount point: %m");
1264 unified = cg_unified();
1266 return log_error_errno(r, "Couldn't determine if we are running in the unified hierarchy: %m");
1268 log_debug("Unified cgroup hierarchy is located at %s.", path);
1270 log_debug("Using cgroup controller " SYSTEMD_CGROUP_CONTROLLER ". File system hierarchy is at %s.", path);
1273 const char *scope_path;
1275 /* 3. Install agent */
1278 /* In the unified hierarchy we can can get
1279 * cgroup empty notifications via inotify. */
1280 /// elogind does not support the unified hierarchy, yet.
1282 m->cgroup_inotify_event_source = sd_event_source_unref(m->cgroup_inotify_event_source);
1283 safe_close(m->cgroup_inotify_fd);
1285 m->cgroup_inotify_fd = inotify_init1(IN_NONBLOCK|IN_CLOEXEC);
1286 if (m->cgroup_inotify_fd < 0)
1287 return log_error_errno(errno, "Failed to create control group inotify object: %m");
1289 r = sd_event_add_io(m->event, &m->cgroup_inotify_event_source, m->cgroup_inotify_fd, EPOLLIN, on_cgroup_inotify_event, m);
1291 return log_error_errno(r, "Failed to watch control group inotify object: %m");
1293 r = sd_event_source_set_priority(m->cgroup_inotify_event_source, SD_EVENT_PRIORITY_IDLE - 5);
1295 return log_error_errno(r, "Failed to set priority of inotify event source: %m");
1297 (void) sd_event_source_set_description(m->cgroup_inotify_event_source, "cgroup-inotify");
1300 return log_error_errno(EOPNOTSUPP, "Unified cgroup hierarchy not supported: %m");
1302 } else if (m->running_as == MANAGER_SYSTEM) {
1303 /* On the legacy hierarchy we only get
1304 * notifications via cgroup agents. (Which
1305 * isn't really reliable, since it does not
1306 * generate events when control groups with
1307 * children run empty. */
1309 r = cg_install_release_agent(SYSTEMD_CGROUP_CONTROLLER, ELOGIND_CGROUP_AGENT_PATH);
1311 log_warning_errno(r, "Failed to install release agent, ignoring: %m");
1313 log_debug("Installed release agent.");
1315 log_debug("Release agent already installed.");
1318 /// elogind is not meant to run in systemd init scope
1320 /* 4. Make sure we are in the special "init.scope" unit in the root slice. */
1321 scope_path = strjoina(m->cgroup_root, "/" SPECIAL_INIT_SCOPE);
1322 r = cg_create_and_attach(SYSTEMD_CGROUP_CONTROLLER, scope_path, 0);
1324 if (streq(SYSTEMD_CGROUP_CONTROLLER, "name=elogind"))
1325 // we are our own cgroup controller
1326 scope_path = strjoina("");
1327 else if (streq(m->cgroup_root, "/elogind"))
1328 // root already is our cgroup
1329 scope_path = strjoina(m->cgroup_root);
1331 // we have to create our own group
1332 scope_path = strjoina(m->cgroup_root, "/elogind");
1333 r = cg_create_and_attach(SYSTEMD_CGROUP_CONTROLLER, scope_path, 0);
1336 return log_error_errno(r, "Failed to create %s control group: %m", scope_path);
1337 log_debug_elogind("Created control group \"%s\"", scope_path);
1339 /* also, move all other userspace processes remaining
1340 * in the root cgroup into that scope. */
1341 if (!streq(m->cgroup_root, scope_path)) {
1342 r = cg_migrate(SYSTEMD_CGROUP_CONTROLLER, m->cgroup_root, SYSTEMD_CGROUP_CONTROLLER, scope_path, false);
1344 log_warning_errno(r, "Couldn't move remaining userspace processes, ignoring: %m");
1347 /* 5. And pin it, so that it cannot be unmounted */
1348 safe_close(m->pin_cgroupfs_fd);
1349 m->pin_cgroupfs_fd = open(path, O_RDONLY|O_CLOEXEC|O_DIRECTORY|O_NOCTTY|O_NONBLOCK);
1350 if (m->pin_cgroupfs_fd < 0)
1351 return log_error_errno(errno, "Failed to open pin file: %m");
1353 /* 6. Always enable hierarchical support if it exists... */
1355 (void) cg_set_attribute("memory", "/", "memory.use_hierarchy", "1");
1358 /* 7. Figure out which controllers are supported */
1359 r = cg_mask_supported(&m->cgroup_supported);
1361 return log_error_errno(r, "Failed to determine supported controllers: %m");
1363 for (c = 0; c < _CGROUP_CONTROLLER_MAX; c++)
1364 log_debug("Controller '%s' supported: %s", cgroup_controller_to_string(c), yes_no(m->cgroup_supported & c));
1369 void manager_shutdown_cgroup(Manager *m, bool delete) {
1372 /* We can't really delete the group, since we are in it. But
1374 if (delete && m->cgroup_root)
1375 (void) cg_trim(SYSTEMD_CGROUP_CONTROLLER, m->cgroup_root, false);
1377 /// elogind does not support the unified hierarchy, yet.
1379 m->cgroup_inotify_wd_unit = hashmap_free(m->cgroup_inotify_wd_unit);
1381 m->cgroup_inotify_event_source = sd_event_source_unref(m->cgroup_inotify_event_source);
1382 m->cgroup_inotify_fd = safe_close(m->cgroup_inotify_fd);
1385 m->pin_cgroupfs_fd = safe_close(m->pin_cgroupfs_fd);
1387 m->cgroup_root = mfree(m->cgroup_root);
1390 /// UNNEEDED by elogind
1392 Unit* manager_get_unit_by_cgroup(Manager *m, const char *cgroup) {
1399 u = hashmap_get(m->cgroup_unit, cgroup);
1403 p = strdupa(cgroup);
1407 e = strrchr(p, '/');
1409 return hashmap_get(m->cgroup_unit, SPECIAL_ROOT_SLICE);
1413 u = hashmap_get(m->cgroup_unit, p);
1419 Unit *manager_get_unit_by_pid_cgroup(Manager *m, pid_t pid) {
1420 _cleanup_free_ char *cgroup = NULL;
1428 r = cg_pid_get_path(SYSTEMD_CGROUP_CONTROLLER, pid, &cgroup);
1432 return manager_get_unit_by_cgroup(m, cgroup);
1435 Unit *manager_get_unit_by_pid(Manager *m, pid_t pid) {
1444 return hashmap_get(m->units, SPECIAL_INIT_SCOPE);
1446 u = hashmap_get(m->watch_pids1, PID_TO_PTR(pid));
1450 u = hashmap_get(m->watch_pids2, PID_TO_PTR(pid));
1454 return manager_get_unit_by_pid_cgroup(m, pid);
1457 int manager_notify_cgroup_empty(Manager *m, const char *cgroup) {
1463 u = manager_get_unit_by_cgroup(m, cgroup);
1467 return unit_notify_cgroup_empty(u);
1470 int unit_get_memory_current(Unit *u, uint64_t *ret) {
1471 _cleanup_free_ char *v = NULL;
1477 if (!u->cgroup_path)
1480 if ((u->cgroup_realized_mask & CGROUP_MASK_MEMORY) == 0)
1483 if (cg_unified() <= 0)
1484 r = cg_get_attribute("memory", u->cgroup_path, "memory.usage_in_bytes", &v);
1486 r = cg_get_attribute("memory", u->cgroup_path, "memory.current", &v);
1492 return safe_atou64(v, ret);
1495 static int unit_get_cpu_usage_raw(Unit *u, nsec_t *ret) {
1496 _cleanup_free_ char *v = NULL;
1503 if (!u->cgroup_path)
1506 if ((u->cgroup_realized_mask & CGROUP_MASK_CPUACCT) == 0)
1509 r = cg_get_attribute("cpuacct", u->cgroup_path, "cpuacct.usage", &v);
1515 r = safe_atou64(v, &ns);
1523 int unit_get_cpu_usage(Unit *u, nsec_t *ret) {
1527 r = unit_get_cpu_usage_raw(u, &ns);
1531 if (ns > u->cpuacct_usage_base)
1532 ns -= u->cpuacct_usage_base;
1540 int unit_reset_cpu_usage(Unit *u) {
1546 r = unit_get_cpu_usage_raw(u, &ns);
1548 u->cpuacct_usage_base = 0;
1552 u->cpuacct_usage_base = ns;
1556 bool unit_cgroup_delegate(Unit *u) {
1561 c = unit_get_cgroup_context(u);
1568 static const char* const cgroup_device_policy_table[_CGROUP_DEVICE_POLICY_MAX] = {
1569 [CGROUP_AUTO] = "auto",
1570 [CGROUP_CLOSED] = "closed",
1571 [CGROUP_STRICT] = "strict",
1574 DEFINE_STRING_TABLE_LOOKUP(cgroup_device_policy, CGroupDevicePolicy);
~ianmdlvl / elogind.git / blob