cgroups/cgfsng: improve cgroup creation and removal

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups/cgfsng: improve cgroup creation and removal
c8f43137 · Christian Brauner · 92adc689 · c8f43137 · c8f43137 · c8f43137
Unverified Commit c8f43137 authored Dec 11, 2019 by Christian Brauner
6 changed files
--- a/src/lxc/cgroups/cgfsng.c
+++ b/src/lxc/cgroups/cgfsng.c
--- a/src/lxc/cgroups/cgroup.c
+++ b/src/lxc/cgroups/cgroup.c
@@ -67,9 +67,6 @@ void cgroup_exit(struct cgroup_ops *ops)
 	if (ops->cgroup2_devices)
 		bpf_program_free(ops->cgroup2_devices);
-	if (ops->unified_fd >= 0)
-		close(ops->unified_fd);
 	for (it = ops->hierarchies; it && *it; it++) {
 		char **p;
@@ -85,6 +82,10 @@ void cgroup_exit(struct cgroup_ops *ops)
 		free((*it)->container_base_path);
 		free((*it)->container_full_path);
 		free((*it)->monitor_full_path);
+		if ((*it)->cgfd_mon >= 0)
+			close((*it)->cgfd_con);
+		if ((*it)->cgfd_mon >= 0)
+			close((*it)->cgfd_mon);
 		free(*it);
 	}
 	free(ops->hierarchies);

--- a/src/lxc/cgroups/cgroup.h
+++ b/src/lxc/cgroups/cgroup.h
@@ -14,6 +14,7 @@
 #define DEFAULT_MONITOR_CGROUP_PREFIX "lxc.monitor."
 #define CGROUP_CREATE_RETRY "-NNNN"
 #define CGROUP_CREATE_RETRY_LEN (STRLITERALLEN(CGROUP_CREATE_RETRY))
+#define CGROUP_PIVOT "lxc.pivot"
 struct lxc_handler;
 struct lxc_conf;
@@ -78,6 +79,11 @@ struct hierarchy {
 	/* cgroup2 only */
 	unsigned int bpf_device_controller:1;
+	/* monitor cgroup fd */
+	int cgfd_con;
+	/* container cgroup fd */
+	int cgfd_mon;
 };
 struct cgroup_ops {
@@ -101,8 +107,6 @@ struct cgroup_ops {
 	struct hierarchy **hierarchies;
 	/* Pointer to the unified hierarchy. Do not free! */
 	struct hierarchy *unified;
-	/* File descriptor to the container's cgroup. */
-	int unified_fd;
 	/*
 	 * @cgroup2_devices
@@ -179,4 +183,9 @@ extern int cgroup_attach(const char *name, const char *lxcpath, int64_t pid);
 #define __do_cgroup_exit __attribute__((__cleanup__(__auto_cgroup_exit__)))
+static inline bool pure_unified_layout(const struct cgroup_ops *ops)
+{
+	return ops->cgroup_layout == CGROUP_LAYOUT_UNIFIED;
+}
 #endif
--- a/src/lxc/commands.c
+++ b/src/lxc/commands.c
@@ -1190,7 +1190,7 @@ static int lxc_cmd_freeze_callback(int fd, struct lxc_cmd_req *req,
 	};
 	struct cgroup_ops *ops = handler->cgroup_ops;
-	if (ops->cgroup_layout == CGROUP_LAYOUT_UNIFIED)
+	if (pure_unified_layout(ops))
 		rsp.ret = ops->freeze(ops, timeout);
 	return lxc_cmd_rsp_send(fd, &rsp);
@@ -1223,7 +1223,7 @@ static int lxc_cmd_unfreeze_callback(int fd, struct lxc_cmd_req *req,
 	};
 	struct cgroup_ops *ops = handler->cgroup_ops;
-	if (ops->cgroup_layout == CGROUP_LAYOUT_UNIFIED)
+	if (pure_unified_layout(ops))
 		rsp.ret = ops->unfreeze(ops, timeout);
 	return lxc_cmd_rsp_send(fd, &rsp);
@@ -1259,11 +1259,11 @@ static int lxc_cmd_get_cgroup2_fd_callback(int fd, struct lxc_cmd_req *req,
 	struct cgroup_ops *ops = handler->cgroup_ops;
 	int ret;
-	if (ops->cgroup_layout != CGROUP_LAYOUT_UNIFIED)
+	if (!pure_unified_layout(ops) || !ops->unified)
 		return lxc_cmd_rsp_send(fd, &rsp);
 	rsp.ret = 0;
-	ret = lxc_abstract_unix_send_fds(fd, &ops->unified_fd, 1, &rsp,
+	ret = lxc_abstract_unix_send_fds(fd, &ops->unified->cgfd_con, 1, &rsp,
 					 sizeof(rsp));
 	if (ret < 0)
 		return log_error(1, "Failed to send cgroup2 fd");

--- a/src/lxc/file_utils.c
+++ b/src/lxc/file_utils.c
@@ -21,7 +21,7 @@
 int lxc_open_dirfd(const char *dir)
 {
-	return open(dir, O_DIRECTORY | O_RDONLY | O_CLOEXEC);
+	return open(dir, O_DIRECTORY | O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
 }
 int lxc_readat(int dirfd, const char *filename, void *buf, size_t count)

--- a/src/lxc/memory_utils.h
+++ b/src/lxc/memory_utils.h
@@ -55,4 +55,6 @@ static inline void *memdup(const void *data, size_t len)
 	return copy ? memcpy(copy, data, len) : NULL;
 }
+#define zalloc(__size__) (calloc(1, __size__))
 #endif /* __LXC_MEMORY_UTILS_H */