From: Mike Yuan
Date: Wed, 5 Mar 2025 16:53:44 +0000 (+0100)
Subject: mount-setup: remove cgroup v1 hierarchy mounting
X-Git-Tag: v258-rc1~1071^2~5
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=36dad381a24e73e09a677df6daa48701f2dc7caa;p=thirdparty%2Fsystemd.git

mount-setup: remove cgroup v1 hierarchy mounting
---
diff --git a/src/core/main.c b/src/core/main.c
index ee4b2d6bafb..b294313d870 100644
--- a/src/core/main.c
+++ b/src/core/main.c
@@ -3201,14 +3201,6 @@ int main(int argc, char *argv[]) {
 goto finish;
 }
- if (!skip_setup) {
- r = mount_cgroup_legacy_controllers(loaded_policy);
- if (r < 0) {
- error_message = "Failed to mount cgroup v1 hierarchy";
- goto finish;
- }
- }
- - /* The efivarfs is now mounted, let's lock down the system token. */
 lock_down_efi_variables();
 } else {
diff --git a/src/shared/mount-setup.c b/src/shared/mount-setup.c
index fb08240bc56..611d233167f 100644
--- a/src/shared/mount-setup.c
+++ b/src/shared/mount-setup.c
@@ -251,56 +251,6 @@ int mount_setup_early(void) {
 return mount_points_setup(N_EARLY_MOUNT, /* loaded_policy= */ false);
 }
-static const char *join_with(const char *controller) {
-
- static const char* const pairs[] = {
- "cpu", "cpuacct",
- "net_cls", "net_prio",
- NULL
- };
-
- assert(controller);
-
- /* This will lookup which controller to mount another controller with. Input is a controller name, and output
- * is the other controller name. The function works both ways: you can input one and get the other, and input
- * the other to get the one. */
-
- STRV_FOREACH_PAIR(x, y, pairs) {
- if (streq(controller, *x))
- return *y;
- if (streq(controller, *y))
- return *x;
- }
-
- return NULL;
-}
-
-static int symlink_controller(const char *target, const char *alias) {
- const char *a;
- int r;
-
- assert(target);
- assert(alias);
-
- a = strjoina("/sys/fs/cgroup/", alias);
-
- r = symlink_idempotent(target, a, false);
- if (r < 0)
- return log_error_errno(r, "Failed to create symlink %s: %m", a);
-
-#if HAVE_SMACK_RUN_LABEL
- const char *p;
-
- p = strjoina("/sys/fs/cgroup/", target);
-
- r = mac_smack_copy(a, p);
- if (r < 0 && !ERRNO_IS_NOT_SUPPORTED(r))
- return log_error_errno(r, "Failed to copy smack label from %s to %s: %m", p, a);
-#endif
-
- return 0;
-}
-
 #if HAVE_SELINUX || ENABLE_SMACK
 static int relabel_cb(
 RecurseDirEvent event,
@@ -488,143 +438,3 @@ int mount_setup(bool loaded_policy, bool leave_propagation) {
 return 0;
 }
-
-static const MountPoint cgroupv1_mount_table[] = {
- { "tmpfs", "/sys/fs/cgroup", "tmpfs", "mode=0755" TMPFS_LIMITS_SYS_FS_CGROUP, MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME,
- cg_is_legacy_wanted, MNT_FATAL|MNT_IN_CONTAINER },
- { "cgroup2", "/sys/fs/cgroup/unified", "cgroup2", "nsdelegate", MS_NOSUID|MS_NOEXEC|MS_NODEV,
- cg_is_hybrid_wanted, MNT_IN_CONTAINER|MNT_CHECK_WRITABLE },
- { "cgroup2", "/sys/fs/cgroup/unified", "cgroup2", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
- cg_is_hybrid_wanted, MNT_IN_CONTAINER|MNT_CHECK_WRITABLE },
- { "cgroup", "/sys/fs/cgroup/systemd", "cgroup", "none,name=systemd,xattr", MS_NOSUID|MS_NOEXEC|MS_NODEV,
- cg_is_legacy_wanted, MNT_IN_CONTAINER },
- { "cgroup", "/sys/fs/cgroup/systemd", "cgroup", "none,name=systemd", MS_NOSUID|MS_NOEXEC|MS_NODEV,
- cg_is_legacy_wanted, MNT_FATAL|MNT_IN_CONTAINER },
-};
-
-static void relabel_cgroup_legacy_hierarchy(void) {
-#if HAVE_SELINUX || ENABLE_SMACK
- struct statfs st;
-
- assert(cg_is_legacy_wanted());
-
- /* Temporarily remount the root cgroup filesystem to give it a proper label. Do this
- only when the filesystem has been already populated by a previous instance of systemd
- running from initrd. Otherwise don't remount anything and leave the filesystem read-write
- for the cgroup filesystems to be mounted inside.
*/
- if (statfs("/sys/fs/cgroup", &st) < 0)
- return (void) log_error_errno(errno, "Failed to determine mount flags for /sys/fs/cgroup/: %m");
-
- if (st.f_flags & ST_RDONLY)
- (void) mount_nofollow(NULL, "/sys/fs/cgroup", NULL, MS_REMOUNT, NULL);
-
- (void) label_fix("/sys/fs/cgroup", 0);
- (void) relabel_tree("/sys/fs/cgroup");
-
- if (st.f_flags & ST_RDONLY)
- (void) mount_nofollow(NULL, "/sys/fs/cgroup", NULL, MS_REMOUNT|MS_RDONLY, NULL);
-#endif
-}
-
-int mount_cgroup_legacy_controllers(bool loaded_policy) {
- _cleanup_set_free_ Set *controllers = NULL;
- int r;
-
- /* Before we actually start deleting cgroup v1 code, make it harder to boot in cgroupv1 mode first.
- * See also #30852. */
-
- if (detect_container() <= 0) { /* If in container, we have to follow host's cgroup hierarchy. Only
- * do the deprecation checks below if we're not in a container. */
- if (cg_is_legacy_force_enabled())
- log_warning("Legacy support for cgroup v1 enabled via SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1.");
- else if (cg_is_legacy_enabled()) {
- log_full(LOG_CRIT,
- "Legacy cgroup v1 configured. This will stop being supported soon.\n"
- "Will proceed with cgroup v2 after 30 s.\n"
- "Set systemd.unified_cgroup_hierarchy=1 to switch to cgroup v2 "
- "or set SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1 to reenable v1 temporarily.");
- (void) usleep_safe(30 * USEC_PER_SEC);
-
- return 0;
- }
- }
-
- if (!cg_is_legacy_wanted())
- return 0;
-
- FOREACH_ELEMENT(mp, cgroupv1_mount_table) {
- r = mount_one(mp, loaded_policy);
- if (r < 0)
- return r;
- }
-
- if (loaded_policy)
- relabel_cgroup_legacy_hierarchy();
-
- /* Mount all available cgroup controllers that are built into the kernel.
*/
- r = cg_kernel_controllers(&controllers);
- if (r < 0)
- return log_error_errno(r, "Failed to enumerate cgroup controllers: %m");
-
- for (;;) {
- _cleanup_free_ char *options = NULL, *controller = NULL, *where = NULL;
- const char *other_controller;
- MountPoint p = {
- .what = "cgroup",
- .type = "cgroup",
- .flags = MS_NOSUID|MS_NOEXEC|MS_NODEV,
- .mode = MNT_IN_CONTAINER,
- };
-
- controller = set_steal_first(controllers);
- if (!controller)
- break;
-
- /* Check if we shall mount this together with another controller */
- other_controller = join_with(controller);
- if (other_controller) {
- _cleanup_free_ char *c = NULL;
-
- /* Check if the other controller is actually available in the kernel too */
- c = set_remove(controllers, other_controller);
- if (c) {
-
- /* Join the two controllers into one string, and maintain a stable ordering */
- if (strcmp(controller, other_controller) < 0)
- options = strjoin(controller, ",", other_controller);
- else
- options = strjoin(other_controller, ",", controller);
- if (!options)
- return log_oom();
- }
- }
-
- /* The simple case, where there's only one controller to mount together */
- if (!options)
- options = TAKE_PTR(controller);
-
- where = path_join("/sys/fs/cgroup", options);
- if (!where)
- return log_oom();
-
- p.where = where;
- p.options = options;
-
- r = mount_one(&p, true);
- if (r < 0)
- return r;
-
- /* Create symlinks from the individual controller names, in case we have a joined mount */
- if (controller)
- (void) symlink_controller(options, controller);
- if (other_controller)
- (void) symlink_controller(options, other_controller);
- }
-
- /* Now that we mounted everything, let's make the tmpfs the cgroup file systems are mounted into read-only. */
- (void) mount_nofollow("tmpfs", "/sys/fs/cgroup", "tmpfs",
- MS_REMOUNT|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME|MS_RDONLY,
- "mode=0755" TMPFS_LIMITS_SYS_FS_CGROUP);
-
- return 1;
-}
diff --git a/src/shared/mount-setup.h b/src/shared/mount-setup.h
index 62a528b6a59..c07fe86364d 100644
--- a/src/shared/mount-setup.h
+++ b/src/shared/mount-setup.h
@@ -9,6 +9,4 @@ bool mount_point_ignore(const char *path);
 int mount_setup_early(void);
 int mount_setup(bool loaded_policy, bool leave_propagation);
-int mount_cgroup_legacy_controllers(bool loaded_policy);
-
 bool cgroupfs_recursiveprot_supported(void);