mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-10-30 09:53:10 +00:00
util: new virCommandSetMax(MemLock|Processes|Files)
This patch adds two sets of functions: 1) lower level virProcessSet*() functions that will immediately set the RLIMIT_MEMLOCK. RLIMIT_NPROC, or RLIMIT_NOFILE of either the current process (using setrlimit()) or any other process (using prlimit()). "current process" is indicated by passing a 0 for pid. 2) functions for virCommand* that will setup a virCommand object to set those limits at a later time just after it has forked a new process, but before it execs the new program. configure.ac has prlimit and setrlimit added to the list of functions to check for, and the low level functions log an "unsupported" error) on platforms that don't support those functions.
This commit is contained in:
parent
f3662737b1
commit
776d49f492
@ -194,7 +194,7 @@ dnl Availability of various common functions (non-fatal if missing),
|
|||||||
dnl and various less common threadsafe functions
|
dnl and various less common threadsafe functions
|
||||||
AC_CHECK_FUNCS_ONCE([cfmakeraw geteuid getgid getgrnam_r getmntent_r \
|
AC_CHECK_FUNCS_ONCE([cfmakeraw geteuid getgid getgrnam_r getmntent_r \
|
||||||
getpwuid_r getuid initgroups kill mmap newlocale posix_fallocate \
|
getpwuid_r getuid initgroups kill mmap newlocale posix_fallocate \
|
||||||
posix_memalign regexec sched_getaffinity setns symlink])
|
posix_memalign prlimit regexec sched_getaffinity setns setrlimit symlink])
|
||||||
|
|
||||||
dnl Availability of pthread functions (if missing, win32 threading is
|
dnl Availability of pthread functions (if missing, win32 threading is
|
||||||
dnl assumed). Because of $LIB_PTHREAD, we cannot use AC_CHECK_FUNCS_ONCE.
|
dnl assumed). Because of $LIB_PTHREAD, we cannot use AC_CHECK_FUNCS_ONCE.
|
||||||
|
@ -1185,6 +1185,9 @@ virCommandSetErrorFD;
|
|||||||
virCommandSetGID;
|
virCommandSetGID;
|
||||||
virCommandSetInputBuffer;
|
virCommandSetInputBuffer;
|
||||||
virCommandSetInputFD;
|
virCommandSetInputFD;
|
||||||
|
virCommandSetMaxFiles;
|
||||||
|
virCommandSetMaxMemLock;
|
||||||
|
virCommandSetMaxProcesses;
|
||||||
virCommandSetOutputBuffer;
|
virCommandSetOutputBuffer;
|
||||||
virCommandSetOutputFD;
|
virCommandSetOutputFD;
|
||||||
virCommandSetPidFile;
|
virCommandSetPidFile;
|
||||||
@ -1668,6 +1671,9 @@ virProcessGetNamespaces;
|
|||||||
virProcessKill;
|
virProcessKill;
|
||||||
virProcessKillPainfully;
|
virProcessKillPainfully;
|
||||||
virProcessSetAffinity;
|
virProcessSetAffinity;
|
||||||
|
virProcessSetMaxFiles;
|
||||||
|
virProcessSetMaxMemLock;
|
||||||
|
virProcessSetMaxProcesses;
|
||||||
virProcessSetNamespaces;
|
virProcessSetNamespaces;
|
||||||
virProcessTranslateStatus;
|
virProcessTranslateStatus;
|
||||||
virProcessWait;
|
virProcessWait;
|
||||||
|
@ -107,6 +107,10 @@ struct _virCommand {
|
|||||||
char *pidfile;
|
char *pidfile;
|
||||||
bool reap;
|
bool reap;
|
||||||
|
|
||||||
|
unsigned long long maxMemLock;
|
||||||
|
unsigned int maxProcesses;
|
||||||
|
unsigned int maxFiles;
|
||||||
|
|
||||||
uid_t uid;
|
uid_t uid;
|
||||||
gid_t gid;
|
gid_t gid;
|
||||||
unsigned long long capabilities;
|
unsigned long long capabilities;
|
||||||
@ -598,6 +602,13 @@ virExec(virCommandPtr cmd)
|
|||||||
goto fork_error;
|
goto fork_error;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (virProcessSetMaxMemLock(0, cmd->maxMemLock) < 0)
|
||||||
|
goto fork_error;
|
||||||
|
if (virProcessSetMaxProcesses(0, cmd->maxProcesses) < 0)
|
||||||
|
goto fork_error;
|
||||||
|
if (virProcessSetMaxFiles(0, cmd->maxFiles) < 0)
|
||||||
|
goto fork_error;
|
||||||
|
|
||||||
if (cmd->hook) {
|
if (cmd->hook) {
|
||||||
VIR_DEBUG("Run hook %p %p", cmd->hook, cmd->opaque);
|
VIR_DEBUG("Run hook %p %p", cmd->hook, cmd->opaque);
|
||||||
ret = cmd->hook(cmd->opaque);
|
ret = cmd->hook(cmd->opaque);
|
||||||
@ -958,6 +969,33 @@ virCommandSetUID(virCommandPtr cmd, uid_t uid)
|
|||||||
cmd->uid = uid;
|
cmd->uid = uid;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
void
|
||||||
|
virCommandSetMaxMemLock(virCommandPtr cmd, unsigned long long bytes)
|
||||||
|
{
|
||||||
|
if (!cmd || cmd->has_error)
|
||||||
|
return;
|
||||||
|
|
||||||
|
cmd->maxMemLock = bytes;
|
||||||
|
}
|
||||||
|
|
||||||
|
void
|
||||||
|
virCommandSetMaxProcesses(virCommandPtr cmd, unsigned int procs)
|
||||||
|
{
|
||||||
|
if (!cmd || cmd->has_error)
|
||||||
|
return;
|
||||||
|
|
||||||
|
cmd->maxProcesses = procs;
|
||||||
|
}
|
||||||
|
|
||||||
|
void
|
||||||
|
virCommandSetMaxFiles(virCommandPtr cmd, unsigned int files)
|
||||||
|
{
|
||||||
|
if (!cmd || cmd->has_error)
|
||||||
|
return;
|
||||||
|
|
||||||
|
cmd->maxFiles = files;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* virCommandClearCaps:
|
* virCommandClearCaps:
|
||||||
* @cmd: the command to modify
|
* @cmd: the command to modify
|
||||||
|
@ -65,6 +65,10 @@ void virCommandSetGID(virCommandPtr cmd, gid_t gid);
|
|||||||
|
|
||||||
void virCommandSetUID(virCommandPtr cmd, uid_t uid);
|
void virCommandSetUID(virCommandPtr cmd, uid_t uid);
|
||||||
|
|
||||||
|
void virCommandSetMaxMemLock(virCommandPtr cmd, unsigned long long bytes);
|
||||||
|
void virCommandSetMaxProcesses(virCommandPtr cmd, unsigned int procs);
|
||||||
|
void virCommandSetMaxFiles(virCommandPtr cmd, unsigned int files);
|
||||||
|
|
||||||
void virCommandClearCaps(virCommandPtr cmd);
|
void virCommandClearCaps(virCommandPtr cmd);
|
||||||
|
|
||||||
void virCommandAllowCap(virCommandPtr cmd,
|
void virCommandAllowCap(virCommandPtr cmd,
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
/*
|
/*
|
||||||
* virprocess.c: interaction with processes
|
* virprocess.c: interaction with processes
|
||||||
*
|
*
|
||||||
* Copyright (C) 2010-2012 Red Hat, Inc.
|
* Copyright (C) 2010-2013 Red Hat, Inc.
|
||||||
*
|
*
|
||||||
* This library is free software; you can redistribute it and/or
|
* This library is free software; you can redistribute it and/or
|
||||||
* modify it under the terms of the GNU Lesser General Public
|
* modify it under the terms of the GNU Lesser General Public
|
||||||
@ -27,6 +27,10 @@
|
|||||||
#include <signal.h>
|
#include <signal.h>
|
||||||
#include <errno.h>
|
#include <errno.h>
|
||||||
#include <sys/wait.h>
|
#include <sys/wait.h>
|
||||||
|
#if HAVE_SETRLIMIT
|
||||||
|
# include <sys/time.h>
|
||||||
|
# include <sys/resource.h>
|
||||||
|
#endif
|
||||||
#include <sched.h>
|
#include <sched.h>
|
||||||
|
|
||||||
#include "virprocess.h"
|
#include "virprocess.h"
|
||||||
@ -605,3 +609,149 @@ int virProcessSetNamespaces(size_t nfdlist ATTRIBUTE_UNUSED,
|
|||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
#endif /* ! HAVE_SETNS */
|
#endif /* ! HAVE_SETNS */
|
||||||
|
|
||||||
|
#if HAVE_PRLIMIT
|
||||||
|
static int
|
||||||
|
virProcessPrLimit(pid_t pid, int resource, struct rlimit *rlim)
|
||||||
|
{
|
||||||
|
return prlimit(pid, resource, rlim, NULL);
|
||||||
|
}
|
||||||
|
#else /* ! HAVE_PRLIMIT */
|
||||||
|
static int
|
||||||
|
virProcessPrLimit(pid_t pid ATTRIBUTE_UNUSED,
|
||||||
|
int resource ATTRIBUTE_UNUSED,
|
||||||
|
struct rlimit *rlim ATTRIBUTE_UNUSED)
|
||||||
|
{
|
||||||
|
errno = ENOSYS;
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
#endif /* ! HAVE_PRLIMIT */
|
||||||
|
|
||||||
|
#if HAVE_SETRLIMIT && defined(RLIMIT_MEMLOCK)
|
||||||
|
int
|
||||||
|
virProcessSetMaxMemLock(pid_t pid, unsigned long long bytes)
|
||||||
|
{
|
||||||
|
struct rlimit rlim;
|
||||||
|
|
||||||
|
if (bytes == 0)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
rlim.rlim_cur = rlim.rlim_max = bytes;
|
||||||
|
if (pid == 0) {
|
||||||
|
if (setrlimit(RLIMIT_MEMLOCK, &rlim) < 0) {
|
||||||
|
virReportSystemError(errno,
|
||||||
|
_("cannot limit locked memory to %llu"),
|
||||||
|
bytes);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
if (virProcessPrLimit(pid, RLIMIT_MEMLOCK, &rlim) < 0) {
|
||||||
|
virReportSystemError(errno,
|
||||||
|
_("cannot limit locked memory "
|
||||||
|
"of process %lld to %llu"),
|
||||||
|
(long long int)pid, bytes);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
#else /* ! (HAVE_SETRLIMIT && defined(RLIMIT_MEMLOCK)) */
|
||||||
|
int
|
||||||
|
virProcessSetMaxMemLock(pid_t pid ATTRIBUTE_UNUSED, unsigned long long bytes)
|
||||||
|
{
|
||||||
|
if (bytes == 0)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
virReportSystemError(ENOSYS, "%s", _("Not supported on this platform"));
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
#endif /* ! (HAVE_SETRLIMIT && defined(RLIMIT_MEMLOCK)) */
|
||||||
|
|
||||||
|
|
||||||
|
#if HAVE_SETRLIMIT && defined(RLIMIT_NPROC)
|
||||||
|
int
|
||||||
|
virProcessSetMaxProcesses(pid_t pid, unsigned int procs)
|
||||||
|
{
|
||||||
|
struct rlimit rlim;
|
||||||
|
|
||||||
|
if (procs == 0)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
rlim.rlim_cur = rlim.rlim_max = procs;
|
||||||
|
if (pid == 0) {
|
||||||
|
if (setrlimit(RLIMIT_NPROC, &rlim) < 0) {
|
||||||
|
virReportSystemError(errno,
|
||||||
|
_("cannot limit number of subprocesses to %u"),
|
||||||
|
procs);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
if (virProcessPrLimit(pid, RLIMIT_NPROC, &rlim) < 0) {
|
||||||
|
virReportSystemError(errno,
|
||||||
|
_("cannot limit number of subprocesses "
|
||||||
|
"of process %lld to %u"),
|
||||||
|
(long long int)pid, procs);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
#else /* ! (HAVE_SETRLIMIT && defined(RLIMIT_NPROC)) */
|
||||||
|
int
|
||||||
|
virProcessSetMaxProcesses(pid_t pid ATTRIBUTE_UNUSED, unsigned int procs)
|
||||||
|
{
|
||||||
|
if (procs == 0)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
virReportSystemError(ENOSYS, "%s", _("Not supported on this platform"));
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
#endif /* ! (HAVE_SETRLIMIT && defined(RLIMIT_NPROC)) */
|
||||||
|
|
||||||
|
#if HAVE_SETRLIMIT && defined(RLIMIT_NOFILE)
|
||||||
|
int
|
||||||
|
virProcessSetMaxFiles(pid_t pid, unsigned int files)
|
||||||
|
{
|
||||||
|
struct rlimit rlim;
|
||||||
|
|
||||||
|
if (files == 0)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
/* Max number of opened files is one greater than actual limit. See
|
||||||
|
* man setrlimit.
|
||||||
|
*
|
||||||
|
* NB: That indicates to me that we would want the following code
|
||||||
|
* to say "files - 1", but the original of this code in
|
||||||
|
* qemu_process.c also had files + 1, so this preserves current
|
||||||
|
* behavior.
|
||||||
|
*/
|
||||||
|
rlim.rlim_cur = rlim.rlim_max = files + 1;
|
||||||
|
if (pid == 0) {
|
||||||
|
if (setrlimit(RLIMIT_NOFILE, &rlim) < 0) {
|
||||||
|
virReportSystemError(errno,
|
||||||
|
_("cannot limit number of open files to %u"),
|
||||||
|
files);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
if (virProcessPrLimit(pid, RLIMIT_NOFILE, &rlim) < 0) {
|
||||||
|
virReportSystemError(errno,
|
||||||
|
_("cannot limit number of open files "
|
||||||
|
"of process %lld to %u"),
|
||||||
|
(long long int)pid, files);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
#else /* ! (HAVE_SETRLIMIT && defined(RLIMIT_NOFILE)) */
|
||||||
|
int
|
||||||
|
virProcessSetMaxFiles(pid_t pid ATTRIBUTE_UNUSED, unsigned int files)
|
||||||
|
{
|
||||||
|
if (files == 0)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
virReportSystemError(ENOSYS, "%s", _("Not supported on this platform"));
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
#endif /* ! (HAVE_SETRLIMIT && defined(RLIMIT_NOFILE)) */
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
/*
|
/*
|
||||||
* virprocess.h: interaction with processes
|
* virprocess.h: interaction with processes
|
||||||
*
|
*
|
||||||
* Copyright (C) 2010-2012 Red Hat, Inc.
|
* Copyright (C) 2010-2013 Red Hat, Inc.
|
||||||
*
|
*
|
||||||
* This library is free software; you can redistribute it and/or
|
* This library is free software; you can redistribute it and/or
|
||||||
* modify it under the terms of the GNU Lesser General Public
|
* modify it under the terms of the GNU Lesser General Public
|
||||||
@ -54,4 +54,7 @@ int virProcessGetNamespaces(pid_t pid,
|
|||||||
int virProcessSetNamespaces(size_t nfdlist,
|
int virProcessSetNamespaces(size_t nfdlist,
|
||||||
int *fdlist);
|
int *fdlist);
|
||||||
|
|
||||||
|
int virProcessSetMaxMemLock(pid_t pid, unsigned long long bytes);
|
||||||
|
int virProcessSetMaxProcesses(pid_t pid, unsigned int procs);
|
||||||
|
int virProcessSetMaxFiles(pid_t pid, unsigned int files);
|
||||||
#endif /* __VIR_PROCESS_H__ */
|
#endif /* __VIR_PROCESS_H__ */
|
||||||
|
Loading…
Reference in New Issue
Block a user