
mount-setup: remove cgroup v1 hierarchy mounting

This commit is contained in:
Mike Yuan 2025-03-05 17:53:44 +01:00
parent 5329be530f
commit 3fcb4e51a3
No known key found for this signature in database
GPG Key ID: 417471C0A40F58B3
3 changed files with 0 additions and 200 deletions


@ -3201,14 +3201,6 @@ int main(int argc, char *argv[]) {
goto finish;
}
if (!skip_setup) {
r = mount_cgroup_legacy_controllers(loaded_policy);
if (r < 0) {
error_message = "Failed to mount cgroup v1 hierarchy";
goto finish;
}
}
/* The efivarfs is now mounted, let's lock down the system token. */
lock_down_efi_variables();
} else {


@ -251,56 +251,6 @@ int mount_setup_early(void) {
return mount_points_setup(N_EARLY_MOUNT, /* loaded_policy= */ false);
}
static const char *join_with(const char *controller) {
static const char* const pairs[] = {
"cpu", "cpuacct",
"net_cls", "net_prio",
NULL
};
assert(controller);
/* This will lookup which controller to mount another controller with. Input is a controller name, and output
* is the other controller name. The function works both ways: you can input one and get the other, and input
* the other to get the one. */
STRV_FOREACH_PAIR(x, y, pairs) {
if (streq(controller, *x))
return *y;
if (streq(controller, *y))
return *x;
}
return NULL;
}
static int symlink_controller(const char *target, const char *alias) {
const char *a;
int r;
assert(target);
assert(alias);
a = strjoina("/sys/fs/cgroup/", alias);
r = symlink_idempotent(target, a, false);
if (r < 0)
return log_error_errno(r, "Failed to create symlink %s: %m", a);
#if HAVE_SMACK_RUN_LABEL
const char *p;
p = strjoina("/sys/fs/cgroup/", target);
r = mac_smack_copy(a, p);
if (r < 0 && !ERRNO_IS_NOT_SUPPORTED(r))
return log_error_errno(r, "Failed to copy smack label from %s to %s: %m", p, a);
#endif
return 0;
}
#if HAVE_SELINUX || ENABLE_SMACK
static int relabel_cb(
RecurseDirEvent event,
@ -488,143 +438,3 @@ int mount_setup(bool loaded_policy, bool leave_propagation) {
return 0;
}
static const MountPoint cgroupv1_mount_table[] = {
{ "tmpfs", "/sys/fs/cgroup", "tmpfs", "mode=0755" TMPFS_LIMITS_SYS_FS_CGROUP, MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME,
cg_is_legacy_wanted, MNT_FATAL|MNT_IN_CONTAINER },
{ "cgroup2", "/sys/fs/cgroup/unified", "cgroup2", "nsdelegate", MS_NOSUID|MS_NOEXEC|MS_NODEV,
cg_is_hybrid_wanted, MNT_IN_CONTAINER|MNT_CHECK_WRITABLE },
{ "cgroup2", "/sys/fs/cgroup/unified", "cgroup2", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
cg_is_hybrid_wanted, MNT_IN_CONTAINER|MNT_CHECK_WRITABLE },
{ "cgroup", "/sys/fs/cgroup/systemd", "cgroup", "none,name=systemd,xattr", MS_NOSUID|MS_NOEXEC|MS_NODEV,
cg_is_legacy_wanted, MNT_IN_CONTAINER },
{ "cgroup", "/sys/fs/cgroup/systemd", "cgroup", "none,name=systemd", MS_NOSUID|MS_NOEXEC|MS_NODEV,
cg_is_legacy_wanted, MNT_FATAL|MNT_IN_CONTAINER },
};
static void relabel_cgroup_legacy_hierarchy(void) {
#if HAVE_SELINUX || ENABLE_SMACK
struct statfs st;
assert(cg_is_legacy_wanted());
/* Temporarily remount the root cgroup filesystem to give it a proper label. Do this
only when the filesystem has been already populated by a previous instance of systemd
running from initrd. Otherwise don't remount anything and leave the filesystem read-write
for the cgroup filesystems to be mounted inside. */
if (statfs("/sys/fs/cgroup", &st) < 0)
return (void) log_error_errno(errno, "Failed to determine mount flags for /sys/fs/cgroup/: %m");
if (st.f_flags & ST_RDONLY)
(void) mount_nofollow(NULL, "/sys/fs/cgroup", NULL, MS_REMOUNT, NULL);
(void) label_fix("/sys/fs/cgroup", 0);
(void) relabel_tree("/sys/fs/cgroup");
if (st.f_flags & ST_RDONLY)
(void) mount_nofollow(NULL, "/sys/fs/cgroup", NULL, MS_REMOUNT|MS_RDONLY, NULL);
#endif
}
int mount_cgroup_legacy_controllers(bool loaded_policy) {
_cleanup_set_free_ Set *controllers = NULL;
int r;
/* Before we actually start deleting cgroup v1 code, make it harder to boot in cgroupv1 mode first.
* See also #30852. */
if (detect_container() <= 0) { /* If in container, we have to follow host's cgroup hierarchy. Only
* do the deprecation checks below if we're not in a container. */
if (cg_is_legacy_force_enabled())
log_warning("Legacy support for cgroup v1 enabled via SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1.");
else if (cg_is_legacy_enabled()) {
log_full(LOG_CRIT,
"Legacy cgroup v1 configured. This will stop being supported soon.\n"
"Will proceed with cgroup v2 after 30 s.\n"
"Set systemd.unified_cgroup_hierarchy=1 to switch to cgroup v2 "
"or set SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1 to reenable v1 temporarily.");
(void) usleep_safe(30 * USEC_PER_SEC);
return 0;
}
}
if (!cg_is_legacy_wanted())
return 0;
FOREACH_ELEMENT(mp, cgroupv1_mount_table) {
r = mount_one(mp, loaded_policy);
if (r < 0)
return r;
}
if (loaded_policy)
relabel_cgroup_legacy_hierarchy();
/* Mount all available cgroup controllers that are built into the kernel. */
r = cg_kernel_controllers(&controllers);
if (r < 0)
return log_error_errno(r, "Failed to enumerate cgroup controllers: %m");
for (;;) {
_cleanup_free_ char *options = NULL, *controller = NULL, *where = NULL;
const char *other_controller;
MountPoint p = {
.what = "cgroup",
.type = "cgroup",
.flags = MS_NOSUID|MS_NOEXEC|MS_NODEV,
.mode = MNT_IN_CONTAINER,
};
controller = set_steal_first(controllers);
if (!controller)
break;
/* Check if we shall mount this together with another controller */
other_controller = join_with(controller);
if (other_controller) {
_cleanup_free_ char *c = NULL;
/* Check if the other controller is actually available in the kernel too */
c = set_remove(controllers, other_controller);
if (c) {
/* Join the two controllers into one string, and maintain a stable ordering */
if (strcmp(controller, other_controller) < 0)
options = strjoin(controller, ",", other_controller);
else
options = strjoin(other_controller, ",", controller);
if (!options)
return log_oom();
}
}
/* The simple case, where there's only one controller to mount together */
if (!options)
options = TAKE_PTR(controller);
where = path_join("/sys/fs/cgroup", options);
if (!where)
return log_oom();
p.where = where;
p.options = options;
r = mount_one(&p, true);
if (r < 0)
return r;
/* Create symlinks from the individual controller names, in case we have a joined mount */
if (controller)
(void) symlink_controller(options, controller);
if (other_controller)
(void) symlink_controller(options, other_controller);
}
/* Now that we mounted everything, let's make the tmpfs the cgroup file systems are mounted into read-only. */
(void) mount_nofollow("tmpfs", "/sys/fs/cgroup", "tmpfs",
MS_REMOUNT|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME|MS_RDONLY,
"mode=0755" TMPFS_LIMITS_SYS_FS_CGROUP);
return 1;
}


@ -9,6 +9,4 @@ bool mount_point_ignore(const char *path);
int mount_setup_early(void);
int mount_setup(bool loaded_policy, bool leave_propagation);
int mount_cgroup_legacy_controllers(bool loaded_policy);
bool cgroupfs_recursiveprot_supported(void);