jailer: added --node option

The mandatory --node command line option allows the user to specify
which numa node should the microVM be assigned to. This is done by
writing the specified value to the cpuset.mems special file within
the cpuset controller.

Signed-off-by: Alexandru Agache <[email protected]>

Author: alexandruag

jailer/src/cgroup.rs

@@ -2,7 +2,7 @@ use std::collections::HashMap;
 use std::ffi::OsStr;
 use std::fs::{self, File};
 use std::io::{BufRead, BufReader, Write};
-use std::path::PathBuf;
+use std::path::{Path, PathBuf};
 use std::process;
 
 use regex::Regex;
@@ -17,8 +17,25 @@ pub struct Cgroup {
     tasks_files: Vec<PathBuf>,
 }
 
+// This is called writeln_special because we have to use this rather convoluted way of writing
+// to avoid getting all sorts of weird errors. I would be nice to know why that happens.
+fn writeln_special<T, V>(file_path: T, value: V) -> Result<()>
+where
+    T: AsRef<Path>,
+    V: ::std::fmt::Display,
+{
+    // Open does not work here, or so it seemed at one point :-s
+    let mut f = File::create(file_path.as_ref())
+        .map_err(|e| Error::FileCreate(PathBuf::from(file_path.as_ref()), e))?;
+
+    // For some reason, using writeln!(f, "{}", pid) doesn't work :(
+    let mut bytes = format!("{}\n", value).into_bytes();
+    f.write_all(bytes.as_mut())
+        .map_err(|e| Error::Write(PathBuf::from(file_path.as_ref()), e))
+}
+
 impl Cgroup {
-    pub fn new(id: &str, exec_file_name: &OsStr) -> Result<Self> {
+    pub fn new(id: &str, numa_node: u32, exec_file_name: &OsStr) -> Result<Self> {
         let f =
             File::open(PROC_MOUNTS).map_err(|e| Error::FileOpen(PathBuf::from(PROC_MOUNTS), e))?;
 
@@ -65,14 +82,21 @@ impl Cgroup {
         // We now both create the cgroup subfolders, and fill the tasks_files vector.
         let mut tasks_files = Vec::with_capacity(keys_len);
 
-        for (_controller, mut path_buf) in found_controllers.drain() {
+        for (controller, mut path_buf) in found_controllers.drain() {
             path_buf.push(exec_file_name);
             path_buf.push(id);
 
             // Create the folders first. The cpuset.cpus and cpuset.mems files really do appear to
             // be inherited AND populated automatically :-s
             fs::create_dir_all(&path_buf).map_err(|e| Error::CreateDir(path_buf.clone(), e))?;
 
+            if controller == "cpuset" {
+                // Enforce NUMA node restriction.
+                path_buf.push("cpuset.mems");
+                writeln_special(&path_buf, numa_node)?;
+                path_buf.pop();
+            }
+
             // And now add "tasks" to get the path of the corresponding tasks file.
             path_buf.push("tasks");
 
@@ -87,15 +111,9 @@ impl Cgroup {
     // This writes the pid of the current process to each tasks file. These are special files that,
     // when written to, will assign the process associated with the pid to the respective cgroup.
     pub fn attach_pid(&self) -> Result<()> {
+        let pid = process::id();
         for tasks_file in &self.tasks_files {
-            // Open does not work here, or so it seemed at one point :-s
-            let mut f =
-                File::create(tasks_file).map_err(|e| Error::FileCreate(tasks_file.clone(), e))?;
-
-            // For some reason, using write!("{}\n", pid) doesn't work :( I wonder why ...
-            let mut bytes = format!("{}\n", process::id()).into_bytes();
-            f.write_all(bytes.as_mut())
-                .map_err(|e| Error::Write(tasks_file.clone(), e))?;
+            writeln_special(tasks_file, pid)?;
         }
         Ok(())
     }

jailer/src/env.rs

@@ -20,7 +20,7 @@ pub struct Env {
 impl Env {
     pub fn new(args: JailerArgs) -> Result<Self> {
         let exec_file_name = args.exec_file_name()?;
-        let cgroup = Cgroup::new(args.id, exec_file_name)?;
+        let cgroup = Cgroup::new(args.id, args.numa_node, exec_file_name)?;
 
         let mut chroot_dir = PathBuf::from(&args.chroot_base_dir);
 

jailer/src/lib.rs

@@ -40,6 +40,7 @@ pub enum Error {
     NotAFile(PathBuf),
     NotAFolder(PathBuf),
     NotAlphanumeric(String),
+    NumaNode(String),
     OpenDevKvm(sys_util::Error),
     OpenDevNetTun(sys_util::Error),
     ReadLine(PathBuf, io::Error),
@@ -57,6 +58,7 @@ pub type Result<T> = result::Result<T, Error>;
 
 pub struct JailerArgs<'a> {
     id: &'a str,
+    numa_node: u32,
     exec_file_path: PathBuf,
     chroot_base_dir: PathBuf,
     uid: u32,
@@ -66,6 +68,7 @@ pub struct JailerArgs<'a> {
 impl<'a> JailerArgs<'a> {
     pub fn new(
         id: &'a str,
+        node: &str,
         exec_file: &str,
         chroot_base: &str,
         uid: &str,
@@ -78,6 +81,9 @@ impl<'a> JailerArgs<'a> {
             }
         }
 
+        let numa_node = node.parse::<u32>()
+            .map_err(|_| Error::NumaNode(String::from(node)))?;
+
         let exec_file_path =
             canonicalize(exec_file).map_err(|e| Error::Canonicalize(PathBuf::from(exec_file), e))?;
 
@@ -105,6 +111,7 @@ impl<'a> JailerArgs<'a> {
 
         Ok(JailerArgs {
             id,
+            numa_node,
             exec_file_path,
             chroot_base_dir,
             uid,

src/bin/jailer.rs

@@ -20,10 +20,17 @@ fn main() -> jailer::Result<()> {
     // Initially, the uid and gid params had default values, but it turns out that it's quite
     // easy to shoot yourself in the foot by not setting proper permissions when preparing the
     // contents of the jail, so I think their values should be provided explicitly.
-    let cmd_arguments = App::new("firejailer")
+    let cmd_arguments = App::new("jailer")
         .version(crate_version!())
         .author(crate_authors!())
         .about("Jail a microVM.")
+        .arg(
+            Arg::with_name("numa_node")
+                .long("node")
+                .help("NUMA node to assign this microVM to.")
+                .required(true)
+                .takes_value(true),
+        )
         .arg(
             Arg::with_name("id")
                 .long("id")
@@ -65,6 +72,7 @@ fn main() -> jailer::Result<()> {
     // All arguments are either mandatory, or have default values, so the unwraps should not fail.
     let args = JailerArgs::new(
         cmd_arguments.value_of("id").unwrap(),
+        cmd_arguments.value_of("numa_node").unwrap(),
         cmd_arguments.value_of("exec_file").unwrap(),
         cmd_arguments.value_of("chroot_base").unwrap(),
         cmd_arguments.value_of("uid").unwrap(),