Merge pull request #69 from Furisto/cg-escape

Fix issues with cgroup v1 and v2
youki-dev · Jun 7, 2021 · 2cc1433 · 2cc1433
2 parents 87221b9 + edeac86
commit 2cc1433
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 10 deletions.
diff --git a/src/cgroups/v2/manager.rs b/src/cgroups/v2/manager.rs
@@ -47,11 +47,13 @@ impl Manager {
     fn create_unified_cgroup(&self, cgroup_path: &Path, pid: Pid) -> Result<PathBuf> {
         let full_path = self.root_path.join_absolute_path(cgroup_path)?;
         let controllers: Vec<String> = self
-            .get_available_controllers(common::DEFAULT_CGROUP_ROOT)?
+            .get_available_controllers(&self.root_path)?
             .into_iter()
             .map(|c| format!("{}{}", "+", c.to_string()))
             .collect();
 
+        Self::write_controllers(&self.root_path, &controllers)?;
+
         let mut current_path = self.root_path.clone();
         let mut components = cgroup_path.components().skip(1).peekable();
         while let Some(component) = components.next() {
@@ -64,12 +66,7 @@ impl Manager {
             // last component cannot have subtree_control enabled due to internal process constraint
             // if this were set, writing to the cgroups.procs file will fail with Erno 16 (device or resource busy)
             if components.peek().is_some() {
-                for controller in &controllers {
-                    common::write_cgroup_file_str(
-                        &current_path.join(CGROUP_SUBTREE_CONTROL),
-                        controller,
-                    )?;
-                }
+                Self::write_controllers(&current_path, &controllers)?;
             }
         }
 
@@ -104,6 +101,14 @@ impl Manager {
 
         Ok(controllers)
     }
+
+    fn write_controllers(path: &Path, controllers: &Vec<String>) -> Result<()> {
+        for controller in controllers {
+            common::write_cgroup_file_str(path.join(CGROUP_SUBTREE_CONTROL), controller)?;
+        }
+
+        Ok(())
+    }
 }
 
 impl CgroupManager for Manager {

diff --git a/src/create.rs b/src/create.rs
@@ -51,6 +51,8 @@ impl Create {
         let bundle_canonicalized = fs::canonicalize(&self.bundle)
             .unwrap_or_else(|_| panic!("failed to canonicalied {:?}", &self.bundle));
         let container_dir = root_path.join(&self.container_id);
+        log::debug!("container directory will be {:?}", container_dir);
+
         if !container_dir.exists() {
             fs::create_dir(&container_dir).unwrap();
         } else {

diff --git a/src/process/fork.rs b/src/process/fork.rs
@@ -11,6 +11,7 @@ use init::InitProcess;
 use nix::sched;
 use nix::sys::wait::{waitpid, WaitStatus};
 use nix::unistd;
+use nix::unistd::Pid;
 
 use crate::cgroups::common::CgroupManager;
 use crate::container::ContainerStatus;
@@ -62,11 +63,11 @@ pub fn fork_first<P: AsRef<Path>>(
             unistd::ForkResult::Parent { child } => {
                 ccond.wait()?;
 
-                // apply the control group to the child process
-                cmanager.apply(&linux.resources.as_ref().unwrap(), child)?;
-
                 // wait for child to fork init process and report back its pid
                 let init_pid = parent.wait_for_child_ready()?;
+                log::debug!("init pid is {:?}", init_pid);
+                cmanager.apply(&linux.resources.as_ref().unwrap(), Pid::from_raw(init_pid))?;
+
                 // update status and pid of the container process
                 container
                     .update_status(ContainerStatus::Created)?