cgroupfs: rework cgroup2 mounting

We now explicitly refuse to mount cgroups on pure unified layouts when the container is not running in a separate cgroup namespace. This is not a regression since we simply always failed before anyway. I will likely fix this very soon though. But there are bigger fish to fry currently. Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroupfs: rework cgroup2 mounting
a3e5ec26 · Christian Brauner · 3a86fb37 · a3e5ec26
Unverified Commit a3e5ec26 authored Feb 15, 2021 by Christian Brauner
Hide whitespace changes
Inline Side-by-side

Showing with 57 additions and 10 deletions

cgfsng.c src/lxc/cgroups/cgfsng.c +57 -10

No files found.
--- a/src/lxc/cgroups/cgfsng.c
+++ b/src/lxc/cgroups/cgfsng.c
@@ -1949,19 +1949,66 @@ __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops,
 		 * If cgroup namespaces are supported but the container will
 		 * not have CAP_SYS_ADMIN after it has started we need to mount
 		 * the cgroups manually.
+		 *
+		 * Note that here we know that wants_force_mount is true.
+		 * Otherwise we would've returned early above.
 		 */
-		if (in_cgroup_ns && wants_force_mount)
+		if (in_cgroup_ns) {
+			/*
+			 *  1. cgroup:rw:force    -> Mount the cgroup2 filesystem.
+			 *  2. cgroup:ro:force    -> Mount the cgroup2 filesystem read-only.
+			 *  3. cgroup:mixed:force -> See comment above how this
+			 *                           does not apply so
+			 *                           cgroup:mixed is equal to
+			 *                           cgroup:rw when cgroup
+			 *                           namespaces are supported.
+
+			 *  4. cgroup:rw    -> No-op; init system responsible for mounting.
+			 *  5. cgroup:ro    -> No-op; init system responsible for mounting.
+			 *  6. cgroup:mixed -> No-op; init system responsible for mounting.
+                         *
+			 *  7. cgroup-full:rw    -> Not supported.
+			 *  8. cgroup-full:ro    -> Not supported.
+			 *  9. cgroup-full:mixed -> Not supported.
+
+			 * 10. cgroup-full:rw:force    -> Not supported.
+			 * 11. cgroup-full:ro:force    -> Not supported.
+			 * 12. cgroup-full:mixed:force -> Not supported.
+			 */
 			ret = cgroupfs_mount(cg_flags, ops->unified, rootfs, dfd_mnt_cgroupfs, "");
-		else
-			ret = cgroupfs_bind_mount(cg_flags, ops->unified, rootfs, dfd_mnt_cgroupfs, "");
-		if (ret < 0)
-			return syserrno(false, "Failed to%s mount cgroup filesystem%s",
-					wants_force_mount ? " force mount" : "",
-					in_cgroup_ns ? " in cgroup namespace" : "");
+			if (ret < 0)
+				return syserrno(false, "Failed to force mount cgroup filesystem in cgroup namespace");
+
+			return log_trace(true, "Force mounted cgroup filesystem in new cgroup namespace");
+		} else {
+			/*
+			 * Either no cgroup namespace supported (highly
+			 * unlikely unless we're dealing with a Frankenkernel.
+			 * Or the user requested to keep the cgroup namespace
+			 * of the host or another container.
+			 */
+			if (wants_force_mount) {
+				/*
+				 * 1. cgroup:rw:force    -> Bind-mount the cgroup2 filesystem writable.
+				 * 2. cgroup:ro:force    -> Bind-mount the cgroup2 filesystem read-only.
+				 * 3. cgroup:mixed:force -> bind-mount the cgroup2 filesystem and
+				 *                          and make the parent directory of the
+				 *                          container's cgroup read-only but the
+				 *                          container's cgroup writable.
+                                 *
+				 * 10. cgroup-full:rw:force    ->
+				 * 11. cgroup-full:ro:force    ->
+				 * 12. cgroup-full:mixed:force ->
+				 */
+				errno = EOPNOTSUPP;
+				SYSWARN("Force-mounting the unified cgroup hierarchy without cgroup namespace support is currently not supported");
+			} else {
+				errno = EOPNOTSUPP;
+				SYSWARN("Mounting the unified cgroup hierarchy without cgroup namespace support is currently not supported");
+			}
+		}

-		return log_trace(true, "%s cgroup filesystem%s",
-				 wants_force_mount ? "Force mounted" : "Mounted",
-				 in_cgroup_ns ? " in cgroup namespace" : "");
+		return syserrno(false, "Failed to mount cgroups");
 	}

 	/*