mount-setup: remove cgroup v1 hierarchy mounting
authorMike Yuan <me@yhndnzj.com>
Wed, 5 Mar 2025 16:53:44 +0000 (17:53 +0100)
committerMike Yuan <me@yhndnzj.com>
Sun, 16 Mar 2025 14:30:38 +0000 (15:30 +0100)
src/core/main.c
src/shared/mount-setup.c
src/shared/mount-setup.h

index ee4b2d6bafb3eb9ec31cf7e98abd4d384b31a872..b294313d8706f7c14e51b4f57a77c0d67579e770 100644 (file)
@@ -3201,14 +3201,6 @@ int main(int argc, char *argv[]) {
                         goto finish;
                 }
 
-                if (!skip_setup) {
-                        r = mount_cgroup_legacy_controllers(loaded_policy);
-                        if (r < 0) {
-                                error_message = "Failed to mount cgroup v1 hierarchy";
-                                goto finish;
-                        }
-                }
-
                 /* The efivarfs is now mounted, let's lock down the system token. */
                 lock_down_efi_variables();
         } else {
index fb08240bc56958b3926cd49c3833b3f218160ca5..611d233167fda02fd0dccffee8d69b4df8f356b2 100644 (file)
@@ -251,56 +251,6 @@ int mount_setup_early(void) {
         return mount_points_setup(N_EARLY_MOUNT, /* loaded_policy= */ false);
 }
 
-static const char *join_with(const char *controller) {
-
-        static const char* const pairs[] = {
-                "cpu", "cpuacct",
-                "net_cls", "net_prio",
-                NULL
-        };
-
-        assert(controller);
-
-        /* This will lookup which controller to mount another controller with. Input is a controller name, and output
-         * is the other controller name. The function works both ways: you can input one and get the other, and input
-         * the other to get the one. */
-
-        STRV_FOREACH_PAIR(x, y, pairs) {
-                if (streq(controller, *x))
-                        return *y;
-                if (streq(controller, *y))
-                        return *x;
-        }
-
-        return NULL;
-}
-
-static int symlink_controller(const char *target, const char *alias) {
-        const char *a;
-        int r;
-
-        assert(target);
-        assert(alias);
-
-        a = strjoina("/sys/fs/cgroup/", alias);
-
-        r = symlink_idempotent(target, a, false);
-        if (r < 0)
-                return log_error_errno(r, "Failed to create symlink %s: %m", a);
-
-#if HAVE_SMACK_RUN_LABEL
-        const char *p;
-
-        p = strjoina("/sys/fs/cgroup/", target);
-
-        r = mac_smack_copy(a, p);
-        if (r < 0 && !ERRNO_IS_NOT_SUPPORTED(r))
-                return log_error_errno(r, "Failed to copy smack label from %s to %s: %m", p, a);
-#endif
-
-        return 0;
-}
-
 #if HAVE_SELINUX || ENABLE_SMACK
 static int relabel_cb(
                 RecurseDirEvent event,
@@ -488,143 +438,3 @@ int mount_setup(bool loaded_policy, bool leave_propagation) {
 
         return 0;
 }
-
-static const MountPoint cgroupv1_mount_table[] = {
-        { "tmpfs",       "/sys/fs/cgroup",            "tmpfs",      "mode=0755" TMPFS_LIMITS_SYS_FS_CGROUP,     MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME,
-          cg_is_legacy_wanted, MNT_FATAL|MNT_IN_CONTAINER },
-        { "cgroup2",     "/sys/fs/cgroup/unified",    "cgroup2",    "nsdelegate",                               MS_NOSUID|MS_NOEXEC|MS_NODEV,
-          cg_is_hybrid_wanted, MNT_IN_CONTAINER|MNT_CHECK_WRITABLE },
-        { "cgroup2",     "/sys/fs/cgroup/unified",    "cgroup2",    NULL,                                       MS_NOSUID|MS_NOEXEC|MS_NODEV,
-          cg_is_hybrid_wanted, MNT_IN_CONTAINER|MNT_CHECK_WRITABLE },
-        { "cgroup",      "/sys/fs/cgroup/systemd",    "cgroup",     "none,name=systemd,xattr",                  MS_NOSUID|MS_NOEXEC|MS_NODEV,
-          cg_is_legacy_wanted, MNT_IN_CONTAINER     },
-        { "cgroup",      "/sys/fs/cgroup/systemd",    "cgroup",     "none,name=systemd",                        MS_NOSUID|MS_NOEXEC|MS_NODEV,
-          cg_is_legacy_wanted, MNT_FATAL|MNT_IN_CONTAINER },
-};
-
-static void relabel_cgroup_legacy_hierarchy(void) {
-#if HAVE_SELINUX || ENABLE_SMACK
-        struct statfs st;
-
-        assert(cg_is_legacy_wanted());
-
-        /* Temporarily remount the root cgroup filesystem to give it a proper label. Do this
-           only when the filesystem has been already populated by a previous instance of systemd
-           running from initrd. Otherwise don't remount anything and leave the filesystem read-write
-           for the cgroup filesystems to be mounted inside. */
-        if (statfs("/sys/fs/cgroup", &st) < 0)
-                return (void) log_error_errno(errno, "Failed to determine mount flags for /sys/fs/cgroup/: %m");
-
-        if (st.f_flags & ST_RDONLY)
-                (void) mount_nofollow(NULL, "/sys/fs/cgroup", NULL, MS_REMOUNT, NULL);
-
-        (void) label_fix("/sys/fs/cgroup", 0);
-        (void) relabel_tree("/sys/fs/cgroup");
-
-        if (st.f_flags & ST_RDONLY)
-                (void) mount_nofollow(NULL, "/sys/fs/cgroup", NULL, MS_REMOUNT|MS_RDONLY, NULL);
-#endif
-}
-
-int mount_cgroup_legacy_controllers(bool loaded_policy) {
-        _cleanup_set_free_ Set *controllers = NULL;
-        int r;
-
-        /* Before we actually start deleting cgroup v1 code, make it harder to boot in cgroupv1 mode first.
-         * See also #30852. */
-
-        if (detect_container() <= 0) { /* If in container, we have to follow host's cgroup hierarchy. Only
-                                        * do the deprecation checks below if we're not in a container. */
-                if (cg_is_legacy_force_enabled())
-                        log_warning("Legacy support for cgroup v1 enabled via SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1.");
-                else if (cg_is_legacy_enabled()) {
-                        log_full(LOG_CRIT,
-                                 "Legacy cgroup v1 configured. This will stop being supported soon.\n"
-                                 "Will proceed with cgroup v2 after 30 s.\n"
-                                 "Set systemd.unified_cgroup_hierarchy=1 to switch to cgroup v2 "
-                                 "or set SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1 to reenable v1 temporarily.");
-                        (void) usleep_safe(30 * USEC_PER_SEC);
-
-                        return 0;
-                }
-        }
-
-        if (!cg_is_legacy_wanted())
-                return 0;
-
-        FOREACH_ELEMENT(mp, cgroupv1_mount_table) {
-                r = mount_one(mp, loaded_policy);
-                if (r < 0)
-                        return r;
-        }
-
-        if (loaded_policy)
-                relabel_cgroup_legacy_hierarchy();
-
-        /* Mount all available cgroup controllers that are built into the kernel. */
-        r = cg_kernel_controllers(&controllers);
-        if (r < 0)
-                return log_error_errno(r, "Failed to enumerate cgroup controllers: %m");
-
-        for (;;) {
-                _cleanup_free_ char *options = NULL, *controller = NULL, *where = NULL;
-                const char *other_controller;
-                MountPoint p = {
-                        .what = "cgroup",
-                        .type = "cgroup",
-                        .flags = MS_NOSUID|MS_NOEXEC|MS_NODEV,
-                        .mode = MNT_IN_CONTAINER,
-                };
-
-                controller = set_steal_first(controllers);
-                if (!controller)
-                        break;
-
-                /* Check if we shall mount this together with another controller */
-                other_controller = join_with(controller);
-                if (other_controller) {
-                        _cleanup_free_ char *c = NULL;
-
-                        /* Check if the other controller is actually available in the kernel too */
-                        c = set_remove(controllers, other_controller);
-                        if (c) {
-
-                                /* Join the two controllers into one string, and maintain a stable ordering */
-                                if (strcmp(controller, other_controller) < 0)
-                                        options = strjoin(controller, ",", other_controller);
-                                else
-                                        options = strjoin(other_controller, ",", controller);
-                                if (!options)
-                                        return log_oom();
-                        }
-                }
-
-                /* The simple case, where there's only one controller to mount together */
-                if (!options)
-                        options = TAKE_PTR(controller);
-
-                where = path_join("/sys/fs/cgroup", options);
-                if (!where)
-                        return log_oom();
-
-                p.where = where;
-                p.options = options;
-
-                r = mount_one(&p, true);
-                if (r < 0)
-                        return r;
-
-                /* Create symlinks from the individual controller names, in case we have a joined mount */
-                if (controller)
-                        (void) symlink_controller(options, controller);
-                if (other_controller)
-                        (void) symlink_controller(options, other_controller);
-        }
-
-        /* Now that we mounted everything, let's make the tmpfs the cgroup file systems are mounted into read-only. */
-        (void) mount_nofollow("tmpfs", "/sys/fs/cgroup", "tmpfs",
-                              MS_REMOUNT|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME|MS_RDONLY,
-                              "mode=0755" TMPFS_LIMITS_SYS_FS_CGROUP);
-
-        return 1;
-}
index 62a528b6a593cfe2869fd3f1aa4541780dca5f2c..c07fe86364d510861ab8f761e22a187c490067d1 100644 (file)
@@ -9,6 +9,4 @@ bool mount_point_ignore(const char *path);
 int mount_setup_early(void);
 int mount_setup(bool loaded_policy, bool leave_propagation);
 
-int mount_cgroup_legacy_controllers(bool loaded_policy);
-
 bool cgroupfs_recursiveprot_supported(void);