runc exec: use CLONE_INTO_CGROUP when available

This is based on work done in [1].

Since the functionality requires a recent kernel and might not work,
implement a fallback.

[1]: https://go-review.googlesource.com/c/go/+/417695
Signed-off-by: Kir Kolyshkin <[email protected]>

Author: kolyshkin

libcontainer/process_linux.go

@@ -13,6 +13,7 @@ import (
 	"runtime"
 	"strconv"
 	"sync"
+	"syscall"
 	"time"
 
 	"github.com/opencontainers/runtime-spec/specs-go"
@@ -229,9 +230,38 @@ func (p *setnsProcess) addIntoCgroup() error {
 func (p *setnsProcess) start() (retErr error) {
 	defer p.comm.closeParent()
 
+	useCgroupFD := false
+	if cg, ok := p.cgroupPaths[""]; ok && len(p.cgroupPaths) == 1 {
+		// Try using clone3(CLONE_INTO_CGROUP).
+		fd, err := os.OpenFile(cg, unix.O_PATH|unix.O_DIRECTORY|unix.O_CLOEXEC, 0)
+		if err != nil {
+			if !p.rootlessCgroups {
+				return fmt.Errorf("can't open cgroup: %w", err)
+			}
+		} else {
+			defer fd.Close()
+
+			useCgroupFD = true
+			if p.cmd.SysProcAttr == nil {
+				p.cmd.SysProcAttr = &syscall.SysProcAttr{}
+			}
+			p.cmd.SysProcAttr.UseCgroupFD = true
+			p.cmd.SysProcAttr.CgroupFD = int(fd.Fd())
+		}
+	}
+
 	// Get the "before" value of oom kill count.
 	oom, _ := p.manager.OOMKillCount()
+
 	err := p.startWithCPUAffinity()
+	if useCgroupFD && (errors.Is(err, errors.ErrUnsupported) || errors.Is(err, unix.EBUSY)) {
+		logrus.Debugf("exec(CLONE_INTO_CGROUP) failed with %v, retrying", err)
+		// Older kernel? Try again without CLONE_INTO_CGROUP.
+		useCgroupFD = false
+		p.cmd.SysProcAttr.UseCgroupFD = false
+		err = p.startWithCPUAffinity()
+	}
+
 	// Close the child-side of the pipes (controlled by child).
 	p.comm.closeChild()
 	if err != nil {
@@ -259,8 +289,10 @@ func (p *setnsProcess) start() (retErr error) {
 	if err := p.execSetns(); err != nil {
 		return fmt.Errorf("error executing setns process: %w", err)
 	}
-	if err := p.addIntoCgroup(); err != nil {
-		return err
+	if !useCgroupFD {
+		if err := p.addIntoCgroup(); err != nil {
+			return err
+		}
 	}
 	// Set final CPU affinity right after the process is moved into container's cgroup.
 	if err := p.setFinalCPUAffinity(); err != nil {

tests/integration/exec.bats

@@ -282,7 +282,7 @@ function check_exec_debug() {
 	# Check we can't join non-existing subcgroup.
 	runc exec --cgroup nonexistent test_busybox cat /proc/self/cgroup
 	[ "$status" -ne 0 ]
-	[[ "$output" == *" adding pid "*"/nonexistent/cgroup.procs: no such file "* ]]
+	[[ "$output" == *" can't open cgroup:"*"/nonexistent: no such file "* ]]
 
 	# Check we can join top-level cgroup (implicit).
 	runc exec test_busybox grep '^0::/$' /proc/self/cgroup