From ef31366523d784d92f25abd99b3782acda29a01c Mon Sep 17 00:00:00 2001
From: xujing <xujing125@huawei.com>
Date: Fri, 8 Jul 2022 19:47:45 +0800
Subject: [PATCH] support disable cgroup controllers we don't want
---
src/basic/cgroup-util.c | 14 +++++++++++
src/basic/cgroup-util.h | 1 +
src/core/cgroup.c | 1 +
src/core/main.c | 7 ++++++
src/core/manager.h | 2 ++
src/core/system.conf.in | 1 +
src/shared/conf-parser.c | 54 ++++++++++++++++++++++++++++++++++++++++
src/shared/conf-parser.h | 1 +
8 files changed, 81 insertions(+)
diff --git a/src/basic/cgroup-util.c b/src/basic/cgroup-util.c
index 3e60488..a555437 100644
--- a/src/basic/cgroup-util.c
+++ b/src/basic/cgroup-util.c
@@ -2115,6 +2115,20 @@ int cg_mask_supported(CGroupMask *ret) {
return cg_mask_supported_subtree(root, ret);
}
+int cg_mask_disable_cgroup(CGroupMask disabled, CGroupMask *ret) {
+ int r;
+
+ r = cg_all_unified();
+ if (r < 0)
+ return r;
+
+ /* We only care CGROUP_V1 */
+ if (r == 0)
+ *ret &= ~disabled;
+
+ return 0;
+}
+
int cg_kernel_controllers(Set **ret) {
_cleanup_set_free_ Set *controllers = NULL;
_cleanup_fclose_ FILE *f = NULL;
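Review bot: `cg_mask_disable_cgroup()` writes through `ret` without an `assert(ret);`, and when `cg_all_unified()` returns a positive value it returns 0 without touching the mask, so a configured `DisableCGroupControllers=` is dropped silently on a fully unified host. The comment `/* We only care CGROUP_V1 */` would read better as `/* Applied only when the hierarchy is not fully unified; otherwise the mask is left untouched */`, and a `log_debug()` in the ignored case would let an administrator see that the setting had no effect. A short header comment should also say that `*ret` is left unchanged when the function returns an error.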
diff --git a/src/basic/cgroup-util.h b/src/basic/cgroup-util.h
index eb7ace5..3eb14b8 100644
--- a/src/basic/cgroup-util.h
+++ b/src/basic/cgroup-util.h
@@ -303,6 +303,7 @@ typedef const char* (*cg_migrate_callback_t)(CGroupMask mask, void *userdata);
int cg_mask_supported(CGroupMask *ret);
int cg_mask_supported_subtree(const char *root, CGroupMask *ret);
+int cg_mask_disable_cgroup(CGroupMask disabled, CGroupMask *ret);
int cg_mask_from_string(const char *s, CGroupMask *ret);
int cg_mask_to_string(CGroupMask mask, char **ret);
diff --git a/src/core/cgroup.c b/src/core/cgroup.c
index 775ece5..88c976a 100644
--- a/src/core/cgroup.c
+++ b/src/core/cgroup.c
@@ -3922,6 +3922,7 @@ int manager_setup_cgroup(Manager *m) {
if (r < 0)
return log_error_errno(r, "Failed to determine supported bpf-based pseudo-controllers: %m");
m->cgroup_supported |= mask;
+ m->system_cgroup_supported = m->cgroup_supported;
/* 10. Log which controllers are supported */
for (CGroupController c = 0; c < _CGROUP_CONTROLLER_MAX; c++)
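Review bot: The snapshot `m->system_cgroup_supported = m->cgroup_supported;` is taken right before step 10 logs the supported controllers, but the disabled mask is only applied later in `set_manager_defaults()` (main.c hunk of this patch), so that log presumably still lists controllers the administrator disabled as supported. Either apply the mask before the logging loop or log the effective mask once it is known. `manager_setup_cgroup()` starts well before this hunk; if it has return paths that skip this line, `system_cgroup_supported` stays zero and `set_manager_defaults()` would then overwrite `cgroup_supported` with it, which is worth confirming.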
diff --git a/src/core/main.c b/src/core/main.c
index 964adb5..8f01780 100644
--- a/src/core/main.c
+++ b/src/core/main.c
@@ -143,6 +143,7 @@ static bool arg_no_new_privs;
static nsec_t arg_timer_slack_nsec;
static Set* arg_syscall_archs;
static FILE* arg_serialization;
+static CGroupMask arg_disable_cgroup_controllers;
static sd_id128_t arg_machine_id;
static EmergencyAction arg_cad_burst_action;
static CPUSet arg_cpu_affinity;
@@ -675,6 +676,7 @@ static int parse_config_file(void) {
{ "Manager", "DefaultLimitNICE", config_parse_rlimit, RLIMIT_NICE, arg_defaults.rlimit },
{ "Manager", "DefaultLimitRTPRIO", config_parse_rlimit, RLIMIT_RTPRIO, arg_defaults.rlimit },
{ "Manager", "DefaultLimitRTTIME", config_parse_rlimit, RLIMIT_RTTIME, arg_defaults.rlimit },
+ { "Manager", "DisableCGroupControllers", config_parse_cgroup, 0, &arg_disable_cgroup_controllers },
{ "Manager", "DefaultCPUAccounting", config_parse_bool, 0, &arg_defaults.cpu_accounting },
{ "Manager", "DefaultIOAccounting", config_parse_bool, 0, &arg_defaults.io_accounting },
{ "Manager", "DefaultIPAccounting", config_parse_bool, 0, &arg_defaults.ip_accounting },
@@ -743,6 +745,10 @@ static void set_manager_defaults(Manager *m) {
assert(m);
+ m->cgroup_disabled = arg_disable_cgroup_controllers;
+ m->cgroup_supported = m->system_cgroup_supported;
+ (void) cg_mask_disable_cgroup(m->cgroup_disabled, &m->cgroup_supported);
+
/* Propagates the various default unit property settings into the manager object, i.e. properties
* that do not affect the manager itself, but are just what newly allocated units will have set if
* they haven't set anything else. (Also see set_manager_settings() for the settings that affect the
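Review bot: The `(void)` cast on `cg_mask_disable_cgroup()` throws away the only failure it can report, so if `cg_all_unified()` fails the controllers that were meant to be disabled stay enabled with nothing in the log. With an `int r;` declared in the function, this could be `r = cg_mask_disable_cgroup(m->cgroup_disabled, &m->cgroup_supported);` followed by `if (r < 0) log_warning_errno(r, "Failed to apply DisableCGroupControllers=, ignoring: %m");`. The body of `set_manager_defaults()` continues past the end of this hunk.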
@@ -2518,6 +2524,7 @@ static void reset_arguments(void) {
/* arg_runtime_scope — ignore */
+ arg_disable_cgroup_controllers = 0;
arg_dump_core = true;
arg_crash_chvt = -1;
arg_crash_shell = false;
diff --git a/src/core/manager.h b/src/core/manager.h
index 0c9a2ea..65cc0c9 100644
--- a/src/core/manager.h
+++ b/src/core/manager.h
@@ -354,6 +354,8 @@ struct Manager {
/* Data specific to the cgroup subsystem */
Hashmap *cgroup_unit;
CGroupMask cgroup_supported;
+ CGroupMask system_cgroup_supported;
+ CGroupMask cgroup_disabled;
char *cgroup_root;
/* Notifications from cgroups, when the unified hierarchy is used is done via inotify. */
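Review bot: The two new masks sit next to `cgroup_supported` with nothing saying how the three relate, which makes the reset-then-mask sequence in `set_manager_defaults()` hard to follow. Suggest `/* controllers detected by manager_setup_cgroup(), before DisableCGroupControllers= is applied */` on `system_cgroup_supported` and `/* controllers requested off via DisableCGroupControllers= (applied only when not fully unified) */` on `cgroup_disabled`.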
diff --git a/src/core/system.conf.in b/src/core/system.conf.in
index f48452d..8ffc48e 100644
--- a/src/core/system.conf.in
+++ b/src/core/system.conf.in
@@ -54,6 +54,7 @@
#DefaultStartLimitIntervalSec=10s
#DefaultStartLimitBurst=5
#DefaultEnvironment=
+#DisableCGroupControllers=no
#DefaultCPUAccounting=yes
#DefaultIOAccounting=no
#DefaultIPAccounting=no
diff --git a/src/shared/conf-parser.c b/src/shared/conf-parser.c
index 59a529d..8382271 100644
--- a/src/shared/conf-parser.c
+++ b/src/shared/conf-parser.c
@@ -10,6 +10,7 @@
#include "alloc-util.h"
#include "conf-files.h"
#include "conf-parser.h"
+#include "cgroup-util.h"
#include "constants.h"
#include "dns-domain.h"
#include "escape.h"
@@ -1634,6 +1635,59 @@ int config_parse_rlimit(
return 0;
}
+int config_parse_cgroup(
+ const char *unit,
+ const char *filename,
+ unsigned line,
+ const char *section,
+ unsigned section_line,
+ const char *lvalue,
+ int ltype,
+ const char *rvalue,
+ void *data,
+ void *userdata) {
+ assert(filename);
+ assert(lvalue);
+ assert(rvalue);
+ assert(data);
+
+ CGroupMask *disabled_mask = data;
+ int r;
+
+ for (;;) {
+ _cleanup_free_ char *word = NULL;
+ CGroupController cc;
+ int yes_or_no = 0;
+
+ r = extract_first_word(&rvalue, &word, NULL, EXTRACT_UNQUOTE|EXTRACT_RETAIN_ESCAPE);
+ if (r == 0)
+ break;
+ if (r == -ENOMEM)
+ return log_oom();
+ if (r < 0) {
+ log_syntax(unit, LOG_ERR, filename, line, r, "Invalid syntax, ignoring: %s", rvalue);
+ break;
+ }
+
+ yes_or_no = parse_boolean(word);
+ if (yes_or_no == 0) {
+ *disabled_mask = 0;
+ break;
+ } else if (yes_or_no == 1) {
+ *disabled_mask = CGROUP_MASK_V1;
+ break;
+ }
+
+ cc = cgroup_controller_from_string(word);
+ if (cc < 0) {
+ log_syntax(unit, LOG_ERR, filename, line, r, "Failed to parse DisableCGroupControllers, ignoring: %s", word);
+ break;
+ }
+ *disabled_mask |= CGROUP_CONTROLLER_TO_MASK(cc);
+ }
+ return 0;
+}
+
int config_parse_permille(
const char* unit,
const char *filename,
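Review bot: In the unknown-controller branch of `config_parse_cgroup()`, `log_syntax()` is passed `r`, which at that point holds the positive return of `extract_first_word()` rather than an error code, so the errno text in the log is meaningless; pass `cc` (if it carries a negative errno) or `0` instead. The parser also accepts every name `cgroup_controller_from_string()` knows and the resulting bits are later cleared from `cgroup_supported` as-is, so controllers outside `CGROUP_MASK_V1` can be masked too; if that is not intended, restrict it with `*disabled_mask |= CGROUP_CONTROLLER_TO_MASK(cc) & CGROUP_MASK_V1;`. A header comment should state that a boolean word anywhere in the list overrides everything parsed so far, that an empty value leaves the mask unchanged rather than resetting it, and that parsing stops at the first bad word while keeping the bits already set.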
diff --git a/src/shared/conf-parser.h b/src/shared/conf-parser.h
index a1768cd..8e7c987 100644
--- a/src/shared/conf-parser.h
+++ b/src/shared/conf-parser.h
@@ -214,6 +214,7 @@ CONFIG_PARSER_PROTOTYPE(config_parse_ifnames);
CONFIG_PARSER_PROTOTYPE(config_parse_ip_port);
CONFIG_PARSER_PROTOTYPE(config_parse_mtu);
CONFIG_PARSER_PROTOTYPE(config_parse_rlimit);
+CONFIG_PARSER_PROTOTYPE(config_parse_cgroup);
CONFIG_PARSER_PROTOTYPE(config_parse_vlanprotocol);
CONFIG_PARSER_PROTOTYPE(config_parse_hw_addr);
CONFIG_PARSER_PROTOTYPE(config_parse_hw_addrs);
--
2.33.0