/*
* Copyright (C) 2010-2014 Red Hat, Inc.
* Copyright IBM Corp. 2008
*
* lxc_cgroup.c: LXC cgroup helpers
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library. If not, see
* <http://www.gnu.org/licenses/>.
*/
#include <config.h>
#include "lxc_cgroup.h"
#include "lxc_container.h"
#include "domain_cgroup.h"
#include "virfile.h"
#include "virerror.h"
#include "virlog.h"
#include "virstring.h"
#include "virsystemd.h"
#include "virutil.h"
#define VIR_FROM_THIS VIR_FROM_LXC
VIR_LOG_INIT("lxc.lxc_cgroup");
/* Apply the domain's <cputune> settings to the container cgroup.
 *
 * CPU shares are written only when the config explicitly specified them;
 * period and quota are always handed to virCgroupSetupCpuPeriodQuota.
 *
 * Returns 0 on success, -1 on failure (the cgroup helpers report the error).
 */
static int virLXCCgroupSetupCpuTune(virDomainDef *def,
                                    virCgroup *cgroup)
{
    /* Guard clause: a shares write is only attempted when requested. */
    if (def->cputune.sharesSpecified &&
        virCgroupSetCpuShares(cgroup, def->cputune.shares) < 0)
        return -1;

    return virCgroupSetupCpuPeriodQuota(cgroup,
                                        def->cputune.period,
                                        def->cputune.quota);
}
/* Pin the container's CPUs and memory nodes via the cpuset controller.
 *
 * cpuset.cpus is written from def->cpumask unless placement is automatic.
 * cpuset.mems is written from the formatted numatune nodeset, but only
 * when the numatune mode can be read and is not STRICT.
 *
 * NOTE(review): skipping cpuset.mems in STRICT mode is what the code does;
 * confirm against the controller-side memory policy code that strict
 * placement is enforced elsewhere.
 *
 * Returns 0 on success (including the early "nothing to do" exits),
 * -1 on failure.
 */
static int virLXCCgroupSetupCpusetTune(virDomainDef *def,
                                       virCgroup *cgroup,
                                       virBitmap *nodemask)
{
    g_autofree char *memNodes = NULL;
    virDomainNumatuneMemMode memMode;
    bool pinCpus = (def->placement_mode != VIR_DOMAIN_CPU_PLACEMENT_MODE_AUTO &&
                    def->cpumask != NULL);

    if (pinCpus && virCgroupSetupCpusetCpus(cgroup, def->cpumask) < 0)
        return -1;

    /* An unreadable mode is treated as "no memory pinning", not an error. */
    if (virDomainNumatuneGetMode(def->numa, -1, &memMode) < 0)
        return 0;
    if (memMode == VIR_DOMAIN_NUMATUNE_MEM_STRICT)
        return 0;

    if (virDomainNumatuneMaybeFormatNodeset(def->numa, nodemask,
                                            &memNodes, -1) < 0)
        return -1;

    /* A NULL nodeset means nothing was formatted; leave cpuset.mems alone. */
    if (!memNodes)
        return 0;

    return virCgroupSetCpusetMems(cgroup, memNodes) < 0 ? -1 : 0;
}
/* Apply the domain's <blkiotune> to the container cgroup.
 *
 * Thin wrapper over the shared domain cgroup helper; the result of that
 * helper is returned unchanged (0 on success, negative on failure).
 */
static int virLXCCgroupSetupBlkioTune(virDomainDef *def,
                                      virCgroup *cgroup)
{
    int rc = virDomainCgroupSetupBlkio(cgroup, def->blkio);

    return rc;
}
/* Apply memory limits to the container cgroup.
 *
 * The initial memory size of the domain is written first; only then are
 * the <memtune> limits applied through the shared domain cgroup helper.
 *
 * Returns 0 on success, -1 if the memory write fails, otherwise whatever
 * virDomainCgroupSetupMemtune returns.
 */
static int virLXCCgroupSetupMemTune(virDomainDef *def,
                                    virCgroup *cgroup)
{
    unsigned long long initialMem = virDomainDefGetMemoryInitial(def);

    if (virCgroupSetMemory(cgroup, initialMem) < 0)
        return -1;

    return virDomainCgroupSetupMemtune(cgroup, def->mem);
}
/* Fill meminfo->swapusage from the cgroup's memory+swap usage counter.
 *
 * Returns the result of virCgroupGetMemSwapUsage unchanged
 * (0 on success, negative on failure).
 */
static int virLXCCgroupGetMemSwapUsage(virCgroup *cgroup,
                                       struct virLXCMeminfo *meminfo)
{
    int rc = virCgroupGetMemSwapUsage(cgroup, &meminfo->swapusage);

    return rc;
}
/* Fill meminfo->swaptotal from the cgroup's memory+swap hard limit.
 *
 * The hard limit stands in for the "SwapTotal" a container is shown.
 * Returns the result of virCgroupGetMemSwapHardLimit unchanged
 * (0 on success, negative on failure).
 */
static int virLXCCgroupGetMemSwapTotal(virCgroup *cgroup,
                                       struct virLXCMeminfo *meminfo)
{
    int rc = virCgroupGetMemSwapHardLimit(cgroup, &meminfo->swaptotal);

    return rc;
}
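/* Fill meminfo->memusage from the cgroup's memory usage counter.
 *
 * The counter is read into an unsigned long and widened to the
 * unsigned long long field of the struct.  It is stored only when the
 * read succeeded: previously the store happened unconditionally, which
 * copied an uninitialised local into meminfo on failure.
 *
 * Returns the result of virCgroupGetMemoryUsage unchanged
 * (0 on success, negative on failure).
 */
static int virLXCCgroupGetMemUsage(virCgroup *cgroup,
                                   struct virLXCMeminfo *meminfo)
{
    unsigned long memUsage = 0;
    int ret = virCgroupGetMemoryUsage(cgroup, &memUsage);

    if (ret < 0)
        return ret;

    meminfo->memusage = (unsigned long long)memUsage;
    return ret;
}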
/* Fill meminfo->memtotal from the cgroup's memory hard limit.
 *
 * The hard limit stands in for the "MemTotal" a container is shown.
 * Returns the result of virCgroupGetMemoryHardLimit unchanged
 * (0 on success, negative on failure).
 */
static int virLXCCgroupGetMemTotal(virCgroup *cgroup,
                                   struct virLXCMeminfo *meminfo)
{
    int rc = virCgroupGetMemoryHardLimit(cgroup, &meminfo->memtotal);

    return rc;
}
/* Fill the page-cache / LRU-list counters of meminfo from memory.stat.
 *
 * Populates cached, inactive_anon, active_anon, inactive_file,
 * active_file and unevictable in one call.  Returns the result of
 * virCgroupGetMemoryStat unchanged (0 on success, negative on failure).
 */
static int virLXCCgroupGetMemStat(virCgroup *cgroup,
                                  struct virLXCMeminfo *meminfo)
{
    struct virLXCMeminfo *m = meminfo;
    int rc;

    rc = virCgroupGetMemoryStat(cgroup,
                                &m->cached,
                                &m->inactive_anon,
                                &m->active_anon,
                                &m->inactive_file,
                                &m->active_file,
                                &m->unevictable);
    return rc;
}
/* Collect the memory statistics of the calling process' own cgroup.
 *
 * Opens the cgroup the current process lives in and runs the collectors
 * in a fixed order: memory.stat counters, memory hard limit, memory
 * usage, swap hard limit, swap usage.  The first collector that fails
 * aborts the sequence; fields already filled are left as they are.
 *
 * Returns 0 on success, -1 on failure.
 */
int virLXCCgroupGetMeminfo(struct virLXCMeminfo *meminfo)
{
    g_autoptr(virCgroup) cgroup = NULL;
    /* Order matters only in that it matches the previous hand-written
     * sequence of calls; the table is read-only. */
    int (*const collectors[])(virCgroup *, struct virLXCMeminfo *) = {
        virLXCCgroupGetMemStat,
        virLXCCgroupGetMemTotal,
        virLXCCgroupGetMemUsage,
        virLXCCgroupGetMemSwapTotal,
        virLXCCgroupGetMemSwapUsage,
    };
    size_t i;

    if (virCgroupNewSelf(&cgroup) < 0)
        return -1;

    for (i = 0; i < sizeof(collectors) / sizeof(collectors[0]); i++) {
        if (collectors[i](cgroup, meminfo) < 0)
            return -1;
    }

    return 0;
}
typedef struct _virLXCCgroupDevicePolicy virLXCCgroupDevicePolicy;
/* One entry of the static device allow-list used by
 * virLXCCgroupSetupDeviceACL: a device class plus major/minor numbers,
 * handed straight to virCgroupAllowDevice. */
struct _virLXCCgroupDevicePolicy {
    char type;   /* device class ('c' for the character devices listed);
                  * a 0 type terminates a policy table */
    int major;   /* device major number */
    int minor;   /* device minor number */
};
/* virUSBDeviceFileIterate callback: allow one USB device file in the
 * container cgroup.
 *
 * @dev is unused; @path is the device node to allow with read/write/mknod;
 * @opaque carries the virCgroup to modify.
 *
 * Returns 0 on success, -1 on failure.
 */
int
virLXCSetupHostUSBDeviceCgroup(virUSBDevice *dev G_GNUC_UNUSED,
                               const char *path,
                               void *opaque)
{
    virCgroup *cgroup = opaque;
    int rc;

    VIR_DEBUG("Process path '%s' for USB device", path);
    rc = virCgroupAllowDevicePath(cgroup, path,
                                  VIR_CGROUP_DEVICE_RWM, false);

    return rc < 0 ? -1 : 0;
}
/* virUSBDeviceFileIterate callback: revoke one USB device file from the
 * container cgroup (mirror of virLXCSetupHostUSBDeviceCgroup).
 *
 * @dev is unused; @path is the device node to deny read/write/mknod on;
 * @opaque carries the virCgroup to modify.
 *
 * Returns 0 on success, -1 on failure.
 */
int
virLXCTeardownHostUSBDeviceCgroup(virUSBDevice *dev G_GNUC_UNUSED,
                                  const char *path,
                                  void *opaque)
{
    virCgroup *cgroup = opaque;
    int rc;

    VIR_DEBUG("Process path '%s' for USB device", path);
    rc = virCgroupDenyDevicePath(cgroup, path,
                                 VIR_CGROUP_DEVICE_RWM, false);

    return rc < 0 ? -1 : 0;
}
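/* Grant the fixed set of character devices every container gets
 * (null, zero, full, random, urandom, tty, ptmx, fuse) with
 * read/write/mknod access.
 *
 * Returns 0 on success, -1 on failure.
 */
static int virLXCCgroupAllowDefaultDevices(virCgroup *cgroup)
{
    /* Read-only policy table; the all-zero entry terminates it. */
    static const virLXCCgroupDevicePolicy devices[] = {
        {'c', LXC_DEV_MAJ_MEMORY, LXC_DEV_MIN_NULL},
        {'c', LXC_DEV_MAJ_MEMORY, LXC_DEV_MIN_ZERO},
        {'c', LXC_DEV_MAJ_MEMORY, LXC_DEV_MIN_FULL},
        {'c', LXC_DEV_MAJ_MEMORY, LXC_DEV_MIN_RANDOM},
        {'c', LXC_DEV_MAJ_MEMORY, LXC_DEV_MIN_URANDOM},
        {'c', LXC_DEV_MAJ_TTY, LXC_DEV_MIN_TTY},
        {'c', LXC_DEV_MAJ_TTY, LXC_DEV_MIN_PTMX},
        {'c', LXC_DEV_MAJ_FUSE, LXC_DEV_MIN_FUSE},
        {0, 0, 0}
    };
    size_t i;

    for (i = 0; devices[i].type != 0; i++) {
        const virLXCCgroupDevicePolicy *dev = &devices[i];

        if (virCgroupAllowDevice(cgroup,
                                 dev->type,
                                 dev->major,
                                 dev->minor,
                                 VIR_CGROUP_DEVICE_RWM) < 0)
            return -1;
    }

    return 0;
}


/* Allow the block device behind every local block-backed <disk>.
 *
 * Read-only disks get read access, others read/write; both get mknod.
 * Empty sources and non-local / non-block sources are skipped.
 *
 * Returns 0 on success, -1 on failure.
 */
static int virLXCCgroupAllowDiskDevices(virDomainDef *def,
                                        virCgroup *cgroup)
{
    size_t i;

    VIR_DEBUG("Allowing any disk block devs");
    for (i = 0; i < def->ndisks; i++) {
        int perms;

        if (virStorageSourceIsEmpty(def->disks[i]->src) ||
            !virStorageSourceIsBlockLocal(def->disks[i]->src))
            continue;

        perms = (def->disks[i]->src->readonly ?
                 VIR_CGROUP_DEVICE_READ :
                 VIR_CGROUP_DEVICE_RW) |
                VIR_CGROUP_DEVICE_MKNOD;
        if (virCgroupAllowDevicePath(cgroup,
                                     virDomainDiskGetSource(def->disks[i]),
                                     perms, false) < 0)
            return -1;
    }

    return 0;
}


/* Allow the block device behind every <filesystem type='block'>.
 *
 * Read-only filesystems get read access, others read/write.  Unlike
 * disks and hostdevs, no mknod permission is granted here.
 *
 * Returns 0 on success, -1 on failure.
 */
static int virLXCCgroupAllowFSDevices(virDomainDef *def,
                                      virCgroup *cgroup)
{
    size_t i;

    VIR_DEBUG("Allowing any filesystem block devs");
    for (i = 0; i < def->nfss; i++) {
        int perms;

        if (def->fss[i]->type != VIR_DOMAIN_FS_TYPE_BLOCK)
            continue;

        perms = def->fss[i]->readonly ? VIR_CGROUP_DEVICE_READ :
                                        VIR_CGROUP_DEVICE_RW;
        if (virCgroupAllowDevicePath(cgroup,
                                     def->fss[i]->src->path,
                                     perms, false) < 0)
            return -1;
    }

    return 0;
}


/* Allow the host device files of one USB passthrough hostdev by iterating
 * them through virLXCSetupHostUSBDeviceCgroup.
 *
 * The virUSBDevice is released on every path.
 * Returns 0 on success, -1 on failure.
 */
static int virLXCCgroupAllowUSBHostdev(virDomainHostdevDef *hostdev,
                                       virCgroup *cgroup)
{
    virDomainHostdevSubsysUSB *usbsrc = &hostdev->source.subsys.u.usb;
    virUSBDevice *usb = virUSBDeviceNew(usbsrc->bus, usbsrc->device, NULL);
    int rc;

    if (!usb)
        return -1;

    rc = virUSBDeviceFileIterate(usb, virLXCSetupHostUSBDeviceCgroup, cgroup);
    virUSBDeviceFree(usb);

    return rc < 0 ? -1 : 0;
}


/* Allow the host devices behind every <hostdev>.
 *
 * Subsystem hostdevs are handled only for USB (missing ones are skipped);
 * capability hostdevs of type storage or misc get read/write/mknod on the
 * configured block or character device path.  Other modes and capability
 * types are ignored.
 *
 * Returns 0 on success, -1 on failure.
 */
static int virLXCCgroupAllowHostdevDevices(virDomainDef *def,
                                           virCgroup *cgroup)
{
    size_t i;

    VIR_DEBUG("Allowing any hostdev block devs");
    for (i = 0; i < def->nhostdevs; i++) {
        virDomainHostdevDef *hostdev = def->hostdevs[i];

        switch (hostdev->mode) {
        case VIR_DOMAIN_HOSTDEV_MODE_SUBSYS:
            if (hostdev->source.subsys.type != VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_USB)
                continue;
            if (hostdev->missing)
                continue;
            if (virLXCCgroupAllowUSBHostdev(hostdev, cgroup) < 0)
                return -1;
            break;

        case VIR_DOMAIN_HOSTDEV_MODE_CAPABILITIES:
            switch (hostdev->source.caps.type) {
            case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_STORAGE:
                if (virCgroupAllowDevicePath(cgroup,
                                             hostdev->source.caps.u.storage.block,
                                             VIR_CGROUP_DEVICE_RW |
                                             VIR_CGROUP_DEVICE_MKNOD, false) < 0)
                    return -1;
                break;
            case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_MISC:
                if (virCgroupAllowDevicePath(cgroup,
                                             hostdev->source.caps.u.misc.chardev,
                                             VIR_CGROUP_DEVICE_RW |
                                             VIR_CGROUP_DEVICE_MKNOD, false) < 0)
                    return -1;
                break;
            default:
                break;
            }
            break;

        default:
            break;
        }
    }

    return 0;
}


/* Grant read-only access to the host clock device nodes backing the
 * configured <timer>s (rtc -> /dev/rtc0, hpet -> /dev/hpet).
 *
 * Timers with present="no" and device nodes absent on the host are
 * skipped; other timer names have no device node and are ignored.
 *
 * Returns 0 on success, -1 on failure.
 */
static int virLXCCgroupAllowTimerDevices(virDomainDef *def,
                                         virCgroup *cgroup)
{
    size_t i;

    VIR_DEBUG("Allowing timers char devices");

    /* Sync'ed with Host clock */
    for (i = 0; i < def->clock.ntimers; i++) {
        virDomainTimerDef *timer = def->clock.timers[i];
        const char *dev = NULL;

        /* Check if "present" is set to "no" otherwise enable it. */
        if (timer->present == VIR_TRISTATE_BOOL_NO)
            continue;

        /* Every enum value is listed and there is no default — presumably
         * so a new timer name is caught by the compiler's switch warning. */
        switch ((virDomainTimerNameType)timer->name) {
        case VIR_DOMAIN_TIMER_NAME_PLATFORM:
        case VIR_DOMAIN_TIMER_NAME_TSC:
        case VIR_DOMAIN_TIMER_NAME_KVMCLOCK:
        case VIR_DOMAIN_TIMER_NAME_HYPERVCLOCK:
        case VIR_DOMAIN_TIMER_NAME_PIT:
        case VIR_DOMAIN_TIMER_NAME_ARMVTIMER:
        case VIR_DOMAIN_TIMER_NAME_LAST:
            break;
        case VIR_DOMAIN_TIMER_NAME_RTC:
            dev = "/dev/rtc0";
            break;
        case VIR_DOMAIN_TIMER_NAME_HPET:
            dev = "/dev/hpet";
            break;
        }

        if (!dev)
            continue;

        if (!virFileExists(dev)) {
            VIR_DEBUG("Ignoring non-existent device %s", dev);
            continue;
        }

        if (virCgroupAllowDevicePath(cgroup, dev,
                                     VIR_CGROUP_DEVICE_READ,
                                     false) < 0)
            return -1;
    }

    return 0;
}


/* Build the device cgroup allow-list for a container.
 *
 * Starts from deny-all, then (in this order) optionally re-allows mknod
 * for every device when the config keeps CAP_MKNOD, adds the default
 * character devices, the disk, filesystem and hostdev backing devices,
 * every pty minor under LXC_DEV_MAJ_PTY, and finally the clock device
 * nodes.  Each phase lives in its own static helper above; the first
 * failing phase aborts the setup.
 *
 * Returns 0 on success, -1 on failure.
 */
static int virLXCCgroupSetupDeviceACL(virDomainDef *def,
                                      virCgroup *cgroup)
{
    int capMknod = def->caps_features[VIR_DOMAIN_PROCES_CAPS_FEATURE_MKNOD];

    /* Default-deny: anything not re-allowed below stays blocked. */
    if (virCgroupDenyAllDevices(cgroup) < 0)
        return -1;

    /* white list mknod if CAP_MKNOD has to be kept */
    if (capMknod == VIR_TRISTATE_SWITCH_ON) {
        if (virCgroupAllowAllDevices(cgroup,
                                     VIR_CGROUP_DEVICE_MKNOD) < 0)
            return -1;
    }

    if (virLXCCgroupAllowDefaultDevices(cgroup) < 0 ||
        virLXCCgroupAllowDiskDevices(def, cgroup) < 0 ||
        virLXCCgroupAllowFSDevices(def, cgroup) < 0 ||
        virLXCCgroupAllowHostdevDevices(def, cgroup) < 0)
        return -1;

    /* Minor -1 covers every pty under this major. */
    if (virCgroupAllowDevice(cgroup, 'c', LXC_DEV_MAJ_PTY, -1,
                             VIR_CGROUP_DEVICE_RWM) < 0)
        return -1;

    if (virLXCCgroupAllowTimerDevices(def, cgroup) < 0)
        return -1;

    VIR_DEBUG("Device ACL setup complete");

    return 0;
}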
/* Create the machine cgroup for a container and hand it to the caller.
 *
 * The machine name is derived from the domain; the resource partition
 * must be an absolute path or the call is rejected with
 * VIR_ERR_CONFIG_UNSUPPORTED.  When the domain maps uids, the systemd
 * controller of the new cgroup is chowned to the first uid/gid mapping
 * targets so the user namespace can manage it.
 *
 * NOTE(review): def->resource and def->idmap.gidmap are dereferenced
 * without a NULL check; the driver/parser is presumably guaranteeing
 * both whenever uidmap is set — verify against the callers.
 *
 * Returns the new virCgroup (owned by the caller) or NULL on failure.
 */
virCgroup *virLXCCgroupCreate(virDomainDef *def,
                              pid_t initpid,
                              size_t nnicindexes,
                              int *nicindexes)
{
    g_autofree char *machineName = NULL;
    virCgroup *cgroup = NULL;
    const char *partition = NULL;

    if (!(machineName = virLXCDomainGetMachineName(def, 0)))
        return NULL;

    partition = def->resource->partition;
    if (!g_path_is_absolute(partition)) {
        virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
                       _("Resource partition '%s' must start with '/'"),
                       partition);
        return NULL;
    }

    if (virCgroupNewMachine(machineName,
                            "lxc",
                            def->uuid,
                            NULL,
                            initpid,
                            true,
                            nnicindexes, nicindexes,
                            partition,
                            -1,
                            0,
                            &cgroup) < 0)
        return NULL;

    /* setup control group permissions for user namespace */
    if (def->idmap.uidmap &&
        virCgroupSetOwner(cgroup,
                          def->idmap.uidmap[0].target,
                          def->idmap.gidmap[0].target,
                          (1 << VIR_CGROUP_CONTROLLER_SYSTEMD)) < 0) {
        /* Ownership is the only step after creation; drop the cgroup
         * rather than return a half-configured one. */
        virCgroupFree(cgroup);
        return NULL;
    }

    return cgroup;
}
/* Apply all resource tuning and the device ACL to a container cgroup.
 *
 * Runs, in order: cputune, cpuset (CPUs and memory nodes, using
 * @nodemask), blkiotune, memtune, device ACL.  Short-circuit evaluation
 * stops at the first helper that fails, so later phases are not applied.
 *
 * Returns 0 on success, -1 on failure.
 */
int virLXCCgroupSetup(virDomainDef *def,
                      virCgroup *cgroup,
                      virBitmap *nodemask)
{
    if (virLXCCgroupSetupCpuTune(def, cgroup) < 0 ||
        virLXCCgroupSetupCpusetTune(def, cgroup, nodemask) < 0 ||
        virLXCCgroupSetupBlkioTune(def, cgroup) < 0 ||
        virLXCCgroupSetupMemTune(def, cgroup) < 0 ||
        virLXCCgroupSetupDeviceACL(def, cgroup) < 0)
        return -1;

    return 0;
}