Merge pull request #3842 from kolyshkin/rm-warning

mrunalp · web-flow · commit bf6a78c14066 · 2023-04-25T09:22:02.000-07:00
libct/cg/sd: use systemd version when generating device properties
diff --git a/libcontainer/cgroups/devices/systemd.go b/libcontainer/cgroups/devices/systemd.go
@@ -17,7 +17,7 @@ import (
 
 // systemdProperties takes the configured device rules and generates a
 // corresponding set of systemd properties to configure the devices correctly.
-func systemdProperties(r *configs.Resources) ([]systemdDbus.Property, error) {
+func systemdProperties(r *configs.Resources, sdVer int) ([]systemdDbus.Property, error) {
 	if r.SkipDevices {
 		return nil, nil
 	}
@@ -78,9 +78,10 @@ func systemdProperties(r *configs.Resources) ([]systemdDbus.Property, error) {
 		// trickery to convert things:
 		//
 		//  * Concrete rules with non-wildcard major/minor numbers have to use
-		//    /dev/{block,char} paths. This is slightly odd because it means
-		//    that we cannot add whitelist rules for devices that don't exist,
-		//    but there's not too much we can do about that.
+		//    /dev/{block,char}/MAJOR:minor paths. Before v240, systemd uses
+		//    stat(2) on such paths to look up device properties, meaning we
+		//    cannot add whitelist rules for devices that don't exist. Since v240,
+		//    device properties are parsed from the path string.
 		//
 		//    However, path globbing is not support for path-based rules so we
 		//    need to handle wildcards in some other manner.
@@ -128,21 +129,14 @@ func systemdProperties(r *configs.Resources) ([]systemdDbus.Property, error) {
 			case devices.CharDevice:
 				entry.Path = fmt.Sprintf("/dev/char/%d:%d", rule.Major, rule.Minor)
 			}
-			// systemd will issue a warning if the path we give here doesn't exist.
-			// Since all of this logic is best-effort anyway (we manually set these
-			// rules separately to systemd) we can safely skip entries that don't
-			// have a corresponding path.
-			if _, err := os.Stat(entry.Path); err != nil {
-				// Also check /sys/dev so that we don't depend on /dev/{block,char}
-				// being populated. (/dev/{block,char} is populated by udev, which
-				// isn't strictly required for systemd). Ironically, this happens most
-				// easily when starting containerd within a runc created container
-				// itself.
-
-				// We don't bother with securejoin here because we create entry.Path
-				// right above here, so we know it's safe.
-				if _, err := os.Stat("/sys" + entry.Path); err != nil {
-					logrus.Warnf("skipping device %s for systemd: %s", entry.Path, err)
+			if sdVer < 240 {
+				// Old systemd versions use stat(2) on path to find out device major:minor
+				// numbers and type. If the path doesn't exist, it will not add the rule,
+				// emitting a warning instead.
+				// Since all of this logic is best-effort anyway (we manually set these
+				// rules separately to systemd) we can safely skip entries that don't
+				// have a corresponding path.
+				if _, err := os.Stat(entry.Path); err != nil {
 					continue
 				}
 			}
diff --git a/libcontainer/cgroups/systemd/common.go b/libcontainer/cgroups/systemd/common.go
@@ -33,7 +33,7 @@ var (
 	isRunningSystemdOnce sync.Once
 	isRunningSystemd     bool
 
-	GenerateDeviceProps func(*configs.Resources) ([]systemdDbus.Property, error)
+	GenerateDeviceProps func(r *configs.Resources, sdVer int) ([]systemdDbus.Property, error)
 )
 
 // NOTE: This function comes from package github.com/coreos/go-systemd/util
@@ -342,13 +342,13 @@ func addCpuset(cm *dbusConnManager, props *[]systemdDbus.Property, cpus, mems st
 
 // generateDeviceProperties takes the configured device rules and generates a
 // corresponding set of systemd properties to configure the devices correctly.
-func generateDeviceProperties(r *configs.Resources) ([]systemdDbus.Property, error) {
+func generateDeviceProperties(r *configs.Resources, cm *dbusConnManager) ([]systemdDbus.Property, error) {
 	if GenerateDeviceProps == nil {
 		if len(r.Devices) > 0 {
 			return nil, cgroups.ErrDevicesUnsupported
 		}
 		return nil, nil
 	}
 
-	return GenerateDeviceProps(r)
+	return GenerateDeviceProps(r, systemdVersion(cm))
 }
diff --git a/libcontainer/cgroups/systemd/v1.go b/libcontainer/cgroups/systemd/v1.go
@@ -75,7 +75,7 @@ var legacySubsystems = []subsystem{
 func genV1ResourcesProperties(r *configs.Resources, cm *dbusConnManager) ([]systemdDbus.Property, error) {
 	var properties []systemdDbus.Property
 
-	deviceProperties, err := generateDeviceProperties(r)
+	deviceProperties, err := generateDeviceProperties(r, cm)
 	if err != nil {
 		return nil, err
 	}
diff --git a/libcontainer/cgroups/systemd/v2.go b/libcontainer/cgroups/systemd/v2.go
@@ -214,7 +214,7 @@ func genV2ResourcesProperties(dirPath string, r *configs.Resources, cm *dbusConn
 	//       aren't the end of the world, but it is a bit concerning. However
 	//       it's unclear if systemd removes all eBPF programs attached when
 	//       doing SetUnitProperties...
-	deviceProperties, err := generateDeviceProperties(r)
+	deviceProperties, err := generateDeviceProperties(r, cm)
 	if err != nil {
 		return nil, err
 	}

Original file line number	Diff line number	Diff line change
`@@ -33,7 +33,7 @@ var (`
`33`	`33`	`isRunningSystemdOnce sync.Once`
`34`	`34`	`isRunningSystemd bool`
`35`	`35`
`36`		`- GenerateDeviceProps func(*configs.Resources) ([]systemdDbus.Property, error)`
	`36`	`+ GenerateDeviceProps func(r *configs.Resources, sdVer int) ([]systemdDbus.Property, error)`
`37`	`37`	`)`
`38`	`38`
`39`	`39`	`// NOTE: This function comes from package github.com/coreos/go-systemd/util`
`@@ -342,13 +342,13 @@ func addCpuset(cm dbusConnManager, props []systemdDbus.Property, cpus, mems st`
`342`	`342`
`343`	`343`	`// generateDeviceProperties takes the configured device rules and generates a`
`344`	`344`	`// corresponding set of systemd properties to configure the devices correctly.`
`345`		`-func generateDeviceProperties(r *configs.Resources) ([]systemdDbus.Property, error) {`
	`345`	`+func generateDeviceProperties(r configs.Resources, cm dbusConnManager) ([]systemdDbus.Property, error) {`
`346`	`346`	`if GenerateDeviceProps == nil {`
`347`	`347`	`if len(r.Devices) > 0 {`
`348`	`348`	`return nil, cgroups.ErrDevicesUnsupported`
`349`	`349`	`}`
`350`	`350`	`return nil, nil`
`351`	`351`	`}`
`352`	`352`
`353`		`- return GenerateDeviceProps(r)`
	`353`	`+ return GenerateDeviceProps(r, systemdVersion(cm))`
`354`	`354`	`}`
Original file line number	Diff line number	Diff line change
`@@ -75,7 +75,7 @@ var legacySubsystems = []subsystem{`
`75`	`75`	`func genV1ResourcesProperties(r configs.Resources, cm dbusConnManager) ([]systemdDbus.Property, error) {`
`76`	`76`	`var properties []systemdDbus.Property`
`77`	`77`
`78`		`- deviceProperties, err := generateDeviceProperties(r)`
	`78`	`+ deviceProperties, err := generateDeviceProperties(r, cm)`
`79`	`79`	`if err != nil {`
`80`	`80`	`return nil, err`
`81`	`81`	`}`
Original file line number	Diff line number	Diff line change
`@@ -214,7 +214,7 @@ func genV2ResourcesProperties(dirPath string, r configs.Resources, cm dbusConn`
`214`	`214`	`// aren't the end of the world, but it is a bit concerning. However`
`215`	`215`	`// it's unclear if systemd removes all eBPF programs attached when`
`216`	`216`	`// doing SetUnitProperties...`
`217`		`- deviceProperties, err := generateDeviceProperties(r)`
	`217`	`+ deviceProperties, err := generateDeviceProperties(r, cm)`
`218`	`218`	`if err != nil {`
`219`	`219`	`return nil, err`
`220`	`220`	`}`