libcontainer/cgroups/rootless/rootless.go - external/github.com/docker/runc - Git at Google

 // +build linux

 package rootless

 import (
 	"fmt"

 	"github.com/opencontainers/runc/libcontainer/cgroups"
 	"github.com/opencontainers/runc/libcontainer/cgroups/fs"
 	"github.com/opencontainers/runc/libcontainer/configs"
 	"github.com/opencontainers/runc/libcontainer/configs/validate"
 )

 // TODO: This is copied from libcontainer/cgroups/fs, which duplicates this code
 //       needlessly. We should probably export this list.

 var subsystems = []subsystem{
 	&fs.CpusetGroup{},
 	&fs.DevicesGroup{},
 	&fs.MemoryGroup{},
 	&fs.CpuGroup{},
 	&fs.CpuacctGroup{},
 	&fs.PidsGroup{},
 	&fs.BlkioGroup{},
 	&fs.HugetlbGroup{},
 	&fs.NetClsGroup{},
 	&fs.NetPrioGroup{},
 	&fs.PerfEventGroup{},
 	&fs.FreezerGroup{},
 	&fs.NameGroup{GroupName: "name=systemd"},
 }

 type subsystem interface {
 	// Name returns the name of the subsystem.
 	Name() string

 	// Returns the stats, as 'stats', corresponding to the cgroup under 'path'.
 	GetStats(path string, stats *cgroups.Stats) error
 }

 // The noop cgroup manager is used for rootless containers, because we currently
 // cannot manage cgroups if we are in a rootless setup. This manager is chosen
 // by factory if we are in rootless mode. We error out if any cgroup options are
 // set in the config -- this may change in the future with upcoming kernel features
 // like the cgroup namespace.

 type Manager struct {
 	Cgroups *configs.Cgroup
 	Paths   map[string]string
 }

 func (m *Manager) Apply(pid int) error {
 	// If there are no cgroup settings, there's nothing to do.
 	if m.Cgroups == nil {
 		return nil
 	}

 	// We can't set paths.
 	// TODO(cyphar): Implement the case where the runner of a rootless container
 	//               owns their own cgroup, which would allow us to set up a
 	//               cgroup for each path.
 	if m.Cgroups.Paths != nil {
 		return fmt.Errorf("cannot change cgroup path in rootless container")
 	}

 	// We load the paths into the manager.
 	paths := make(map[string]string)
 	for _, sys := range subsystems {
 		name := sys.Name()

 		path, err := cgroups.GetOwnCgroupPath(name)
 		if err != nil {
 			// Ignore paths we couldn't resolve.
 			continue
 		}

 		paths[name] = path
 	}

 	m.Paths = paths
 	return nil
 }

 func (m *Manager) GetPaths() map[string]string {
 	return m.Paths
 }

 func (m *Manager) Set(container *configs.Config) error {
 	// We have to re-do the validation here, since someone might decide to
 	// update a rootless container.
 	return validate.New().Validate(container)
 }

 func (m *Manager) GetPids() ([]int, error) {
 	dir, err := cgroups.GetOwnCgroupPath("devices")
 	if err != nil {
 		return nil, err
 	}
 	return cgroups.GetPids(dir)
 }

 func (m *Manager) GetAllPids() ([]int, error) {
 	dir, err := cgroups.GetOwnCgroupPath("devices")
 	if err != nil {
 		return nil, err
 	}
 	return cgroups.GetAllPids(dir)
 }

 func (m *Manager) GetStats() (*cgroups.Stats, error) {
 	// TODO(cyphar): We can make this work if we figure out a way to allow usage
 	//               of cgroups with a rootless container. While this doesn't
 	//               actually require write access to a cgroup directory, the
 	//               statistics are not useful if they can be affected by
 	//               non-container processes.
 	return nil, fmt.Errorf("cannot get cgroup stats in rootless container")
 }

 func (m *Manager) Freeze(state configs.FreezerState) error {
 	// TODO(cyphar): We can make this work if we figure out a way to allow usage
 	//               of cgroups with a rootless container.
 	return fmt.Errorf("cannot use freezer cgroup in rootless container")
 }

 func (m *Manager) Destroy() error {
 	// We don't have to do anything here because we didn't do any setup.
 	return nil
 }
	// +build linux

	package rootless

	import (
	"fmt"

	"github.com/opencontainers/runc/libcontainer/cgroups"
	"github.com/opencontainers/runc/libcontainer/cgroups/fs"
	"github.com/opencontainers/runc/libcontainer/configs"
	"github.com/opencontainers/runc/libcontainer/configs/validate"
	)

	// TODO: This is copied from libcontainer/cgroups/fs, which duplicates this code
	// needlessly. We should probably export this list.

	var subsystems = []subsystem{
	&fs.CpusetGroup{},
	&fs.DevicesGroup{},
	&fs.MemoryGroup{},
	&fs.CpuGroup{},
	&fs.CpuacctGroup{},
	&fs.PidsGroup{},
	&fs.BlkioGroup{},
	&fs.HugetlbGroup{},
	&fs.NetClsGroup{},
	&fs.NetPrioGroup{},
	&fs.PerfEventGroup{},
	&fs.FreezerGroup{},
	&fs.NameGroup{GroupName: "name=systemd"},
	}

	type subsystem interface {
	// Name returns the name of the subsystem.
	Name() string

	// Returns the stats, as 'stats', corresponding to the cgroup under 'path'.
	GetStats(path string, stats *cgroups.Stats) error
	}

	// The noop cgroup manager is used for rootless containers, because we currently
	// cannot manage cgroups if we are in a rootless setup. This manager is chosen
	// by factory if we are in rootless mode. We error out if any cgroup options are
	// set in the config -- this may change in the future with upcoming kernel features
	// like the cgroup namespace.

	type Manager struct {
	Cgroups *configs.Cgroup
	Paths map[string]string
	}

	func (m *Manager) Apply(pid int) error {
	// If there are no cgroup settings, there's nothing to do.
	if m.Cgroups == nil {
	return nil
	}

	// We can't set paths.
	// TODO(cyphar): Implement the case where the runner of a rootless container
	// owns their own cgroup, which would allow us to set up a
	// cgroup for each path.
	if m.Cgroups.Paths != nil {
	return fmt.Errorf("cannot change cgroup path in rootless container")
	}

	// We load the paths into the manager.
	paths := make(map[string]string)
	for _, sys := range subsystems {
	name := sys.Name()

	path, err := cgroups.GetOwnCgroupPath(name)
	if err != nil {
	// Ignore paths we couldn't resolve.
	continue
	}

	paths[name] = path
	}

	m.Paths = paths
	return nil
	}

	func (m *Manager) GetPaths() map[string]string {
	return m.Paths
	}

	func (m Manager) Set(container configs.Config) error {
	// We have to re-do the validation here, since someone might decide to
	// update a rootless container.
	return validate.New().Validate(container)
	}

	func (m *Manager) GetPids() ([]int, error) {
	dir, err := cgroups.GetOwnCgroupPath("devices")
	if err != nil {
	return nil, err
	}
	return cgroups.GetPids(dir)
	}

	func (m *Manager) GetAllPids() ([]int, error) {
	dir, err := cgroups.GetOwnCgroupPath("devices")
	if err != nil {
	return nil, err
	}
	return cgroups.GetAllPids(dir)
	}

	func (m Manager) GetStats() (cgroups.Stats, error) {
	// TODO(cyphar): We can make this work if we figure out a way to allow usage
	// of cgroups with a rootless container. While this doesn't
	// actually require write access to a cgroup directory, the
	// statistics are not useful if they can be affected by
	// non-container processes.
	return nil, fmt.Errorf("cannot get cgroup stats in rootless container")
	}

	func (m *Manager) Freeze(state configs.FreezerState) error {
	// TODO(cyphar): We can make this work if we figure out a way to allow usage
	// of cgroups with a rootless container.
	return fmt.Errorf("cannot use freezer cgroup in rootless container")
	}

	func (m *Manager) Destroy() error {
	// We don't have to do anything here because we didn't do any setup.
	return nil
	}