cgroup: cgroupfs attempt new sibling cgroup

giuseppe · giuseppe · commit ba6c957d45b4 · 2023-03-21T12:56:36.000+01:00
when using cgroupfs, if there was no cgroup path specified in the OCI configuration and using the absolute path failed, e.g. because we are rootless and don't have access to it, then attempt to create a sibling cgroup. Closes: #1173 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
diff --git a/src/libcrun/cgroup-cgroupfs.c b/src/libcrun/cgroup-cgroupfs.c
@@ -86,6 +86,23 @@ libcrun_precreate_cgroup_cgroupfs (struct libcrun_cgroup_args *args, int *dirfd,
   return 0;
 }
 
+static int
+make_new_sibling_cgroup (char **out, const char *id, libcrun_error_t *err)
+{
+  cleanup_free char *current_cgroup = NULL;
+  char *dir;
+  int ret;
+
+  ret = libcrun_get_current_unified_cgroup (&current_cgroup, false, err);
+  if (UNLIKELY (ret < 0))
+    return ret;
+
+  dir = dirname (current_cgroup);
+
+  append_paths (out, err, dir, id, NULL);
+  return 0;
+}
+
 static int
 libcrun_cgroup_enter_cgroupfs (struct libcrun_cgroup_args *args, struct libcrun_cgroup_status *out, libcrun_error_t *err)
 {
@@ -104,7 +121,30 @@ libcrun_cgroup_enter_cgroupfs (struct libcrun_cgroup_args *args, struct libcrun_
 
       ret = enable_controllers (out->path, err);
       if (UNLIKELY (ret < 0))
-        return ret;
+        {
+          /* If the generated path cannot be used attempt to create the new cgroup
+             as a sibling of the current one.  */
+          if (args->cgroup_path == NULL)
+            {
+              libcrun_error_t tmp_err = NULL;
+              int tmp_ret;
+
+              free (out->path);
+              out->path = NULL;
+
+              tmp_ret = make_new_sibling_cgroup (&out->path, args->id, &tmp_err);
+              if (UNLIKELY (tmp_ret < 0))
+                {
+                  crun_error_release (&tmp_err);
+                  return ret;
+                }
+
+              crun_error_release (err);
+              ret = enable_controllers (out->path, err);
+            }
+          if (UNLIKELY (ret < 0))
+            return ret;
+        }
     }
 
   /* The cgroup was already joined, nothing more left to do.  */
