vtpm: Put vTPMs into container's cgroup

Put vTPMs into a container's cgroup to limit their CPU usage.

Signed-off-by: Stefan Berger <[email protected]>

Author: stefanberger

libcontainer/container_linux.go

@@ -24,6 +24,7 @@ import (
 	"github.com/opencontainers/runc/libcontainer/intelrdt"
 	"github.com/opencontainers/runc/libcontainer/system"
 	"github.com/opencontainers/runc/libcontainer/utils"
+	"github.com/opencontainers/runc/libcontainer/vtpm/vtpm-helper"
 	"github.com/opencontainers/runtime-spec/specs-go"
 
 	"github.com/checkpoint-restore/go-criu/v4"
@@ -391,6 +392,11 @@ func (c *linuxContainer) start(process *Process) error {
 				return err
 			}
 		}
+		if len(c.config.VTPMs) > 0 {
+			if err := vtpmhelper.ApplyCGroupVTPMs(c.config.VTPMs, c.cgroupManager); err != nil {
+				return err
+			}
+		}
 	}
 	return nil
 }

libcontainer/vtpm/vtpm-helper/vtpm_helper.go

@@ -10,6 +10,7 @@ import (
 	"strings"
 	"syscall"
 
+	"github.com/opencontainers/runc/libcontainer/cgroups"
 	"github.com/opencontainers/runc/libcontainer/configs"
 	"github.com/opencontainers/runc/libcontainer/vtpm"
 
@@ -153,3 +154,13 @@ func DestroyVTPMs(vtpms []*vtpm.VTPM) {
 		vtpm.Stop(vtpm.CreatedStatepath)
 	}
 }
+
+// ApplyCGroupVTPMs puts all VTPMs into the given Cgroup manager's cgroup
+func ApplyCGroupVTPMs(vtpms []*vtpm.VTPM, cgroupManager cgroups.Manager) error {
+	for _, vtpm := range vtpms {
+		if err := cgroupManager.Apply(vtpm.Pid); err != nil {
+			return fmt.Errorf("cGroupManager failed to apply vtpm with pid %d: %v", vtpm.Pid, err)
+		}
+	}
+	return nil
+}