env: add cgroupControllers to /config and warn when certain cgroup controller is not enabled

criyle · criyle · commit 3218fcbab230 · 2025-01-26T00:42:11.000-05:00
diff --git a/env/env_linux.go b/env/env_linux.go
@@ -124,7 +124,7 @@ func NewBuilder(c Config) (pool.EnvBuilder, map[string]any, error) {
 		ContainerUID:  cUID,
 		ContainerGID:  cGID,
 	}
-	cgb, err := newCgroup(c)
+	cgb, ct, err := newCgroup(c)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -154,16 +154,18 @@ func NewBuilder(c Config) (pool.EnvBuilder, map[string]any, error) {
 			"workDir":      workDir,
 			"uid":          cUID,
 			"gid":          cGID,
+
+			"cgroupControllers": ct.Names(),
 		}, nil
 }
 
-func newCgroup(c Config) (cgroup.Cgroup, error) {
+func newCgroup(c Config) (cgroup.Cgroup, *cgroup.Controllers, error) {
 	prefix := c.CgroupPrefix
 	t := cgroup.DetectedCgroupType
 	ct, err := cgroup.GetAvailableController()
 	if err != nil {
 		c.Error("Failed to get available controllers", err)
-		return nil, err
+		return nil, nil, err
 	}
 	if t == cgroup.TypeV2 {
 		// Check if running on a systemd enabled system
@@ -192,32 +194,32 @@ func newCgroup(c Config) (cgroup.Cgroup, error) {
 			}
 			ch := make(chan string, 1)
 			if _, err := conn.StartTransientUnitContext(context.TODO(), scopeName, "replace", properties, ch); err != nil {
-				return nil, fmt.Errorf("failed to start transient unit: %w", err)
+				return nil, nil, fmt.Errorf("failed to start transient unit: %w", err)
 			}
 			s := <-ch
 			if s != "done" {
-				return nil, fmt.Errorf("starting transient unit returns error: %w", err)
+				return nil, nil, fmt.Errorf("starting transient unit returns error: %w", err)
 			}
 			scopeName, err := cgroup.GetCurrentCgroupPrefix()
 			if err != nil {
-				return nil, err
+				return nil, nil, err
 			}
 			c.Info("Current cgroup is ", scopeName)
 			prefix = scopeName
 			ct, err = cgroup.GetAvailableControllerWithPrefix(prefix)
 			if err != nil {
-				return nil, err
+				return nil, nil, err
 			}
 		}
 	}
 	cgb, err := cgroup.New(prefix, ct)
 	if err != nil {
 		if os.Getuid() == 0 {
 			c.Error("Failed to create cgroup ", prefix, " ", err)
-			return nil, err
+			return nil, nil, err
 		}
 		c.Warn("Not running in root and have no permission on cgroup, falling back to rlimit / rusage mode")
-		return nil, nil
+		return nil, nil, nil
 	}
 	// Create api and migrate current process into it
 	c.Info("Creating nesting api cgroup ", cgb)
@@ -227,7 +229,7 @@ func newCgroup(c Config) (cgroup.Cgroup, error) {
 			c.Warn("Creating api cgroup with error: ", err)
 			c.Warn("As running in non-root mode, falling back back to rlimit / rusage mode")
 			cgb.Destroy()
-			return nil, nil
+			return nil, nil, nil
 		}
 	}
 
@@ -238,7 +240,13 @@ func newCgroup(c Config) (cgroup.Cgroup, error) {
 		c.Warn("Falling back to rlimit / rusage mode")
 		cgb = nil
 	}
-	return cg, nil
+	if !ct.Memory {
+		c.Warn("Memory cgroup is not enabled, failling back to rlimit / rusage mode")
+	}
+	if !ct.Pids {
+		c.Warn("Pid cgroup is not enabled, proc limit does not have effect")
+	}
+	return cg, ct, nil
 }
 
 func newSystemdProperty(name string, units any) dbus.Property {
diff --git a/go.mod b/go.mod
@@ -5,7 +5,7 @@ go 1.23
 require (
 	github.com/coreos/go-systemd/v22 v22.5.0
 	github.com/creack/pty v1.1.24
-	github.com/criyle/go-sandbox v0.10.5
+	github.com/criyle/go-sandbox v0.10.6
 	github.com/elastic/go-seccomp-bpf v1.5.0
 	github.com/elastic/go-ucfg v0.8.8
 	github.com/gin-contrib/zap v1.1.4
diff --git a/go.sum b/go.sum
@@ -18,8 +18,8 @@ github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/creack/pty v1.1.24 h1:bJrF4RRfyJnbTJqzRLHzcGaZK1NeM5kTC9jGgovnR1s=
 github.com/creack/pty v1.1.24/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE=
-github.com/criyle/go-sandbox v0.10.5 h1:VIlsXjh7cB+q6Sgm45+YpzQGk7vHQfRicnRzcuJ+6Ko=
-github.com/criyle/go-sandbox v0.10.5/go.mod h1:sYJUuTmJ72Jilkc1/PO7eDdpJq3rOZ55o8MxzP80vw0=
+github.com/criyle/go-sandbox v0.10.6 h1:vyp+r7V2Vl5xY4Pt/2kYvRF5wu1NhMwLgmPKD0lXZ/o=
+github.com/criyle/go-sandbox v0.10.6/go.mod h1:nZLj0b/45fZ/a+xWmWrPrcKSepnXu0iPAVF3xF54UEI=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=

Original file line number	Diff line number	Diff line change
`@@ -124,7 +124,7 @@ func NewBuilder(c Config) (pool.EnvBuilder, map[string]any, error) {`
`124`	`124`	`ContainerUID: cUID,`
`125`	`125`	`ContainerGID: cGID,`
`126`	`126`	`}`
`127`		`- cgb, err := newCgroup(c)`
	`127`	`+ cgb, ct, err := newCgroup(c)`
`128`	`128`	`if err != nil {`
`129`	`129`	`return nil, nil, err`
`130`	`130`	`}`
`@@ -154,16 +154,18 @@ func NewBuilder(c Config) (pool.EnvBuilder, map[string]any, error) {`
`154`	`154`	`"workDir": workDir,`
`155`	`155`	`"uid": cUID,`
`156`	`156`	`"gid": cGID,`
	`157`	`+`
	`158`	`+ "cgroupControllers": ct.Names(),`
`157`	`159`	`}, nil`
`158`	`160`	`}`
`159`	`161`
`160`		`-func newCgroup(c Config) (cgroup.Cgroup, error) {`
	`162`	`+func newCgroup(c Config) (cgroup.Cgroup, *cgroup.Controllers, error) {`
`161`	`163`	`prefix := c.CgroupPrefix`
`162`	`164`	`t := cgroup.DetectedCgroupType`
`163`	`165`	`ct, err := cgroup.GetAvailableController()`
`164`	`166`	`if err != nil {`
`165`	`167`	`c.Error("Failed to get available controllers", err)`
`166`		`- return nil, err`
	`168`	`+ return nil, nil, err`
`167`	`169`	`}`
`168`	`170`	`if t == cgroup.TypeV2 {`
`169`	`171`	`// Check if running on a systemd enabled system`
`@@ -192,32 +194,32 @@ func newCgroup(c Config) (cgroup.Cgroup, error) {`
`192`	`194`	`}`
`193`	`195`	`ch := make(chan string, 1)`
`194`	`196`	`if _, err := conn.StartTransientUnitContext(context.TODO(), scopeName, "replace", properties, ch); err != nil {`
`195`		`- return nil, fmt.Errorf("failed to start transient unit: %w", err)`
	`197`	`+ return nil, nil, fmt.Errorf("failed to start transient unit: %w", err)`
`196`	`198`	`}`
`197`	`199`	`s := <-ch`
`198`	`200`	`if s != "done" {`
`199`		`- return nil, fmt.Errorf("starting transient unit returns error: %w", err)`
	`201`	`+ return nil, nil, fmt.Errorf("starting transient unit returns error: %w", err)`
`200`	`202`	`}`
`201`	`203`	`scopeName, err := cgroup.GetCurrentCgroupPrefix()`
`202`	`204`	`if err != nil {`
`203`		`- return nil, err`
	`205`	`+ return nil, nil, err`
`204`	`206`	`}`
`205`	`207`	`c.Info("Current cgroup is ", scopeName)`
`206`	`208`	`prefix = scopeName`
`207`	`209`	`ct, err = cgroup.GetAvailableControllerWithPrefix(prefix)`
`208`	`210`	`if err != nil {`
`209`		`- return nil, err`
	`211`	`+ return nil, nil, err`
`210`	`212`	`}`
`211`	`213`	`}`
`212`	`214`	`}`
`213`	`215`	`cgb, err := cgroup.New(prefix, ct)`
`214`	`216`	`if err != nil {`
`215`	`217`	`if os.Getuid() == 0 {`
`216`	`218`	`c.Error("Failed to create cgroup ", prefix, " ", err)`
`217`		`- return nil, err`
	`219`	`+ return nil, nil, err`
`218`	`220`	`}`
`219`	`221`	`c.Warn("Not running in root and have no permission on cgroup, falling back to rlimit / rusage mode")`
`220`		`- return nil, nil`
	`222`	`+ return nil, nil, nil`
`221`	`223`	`}`
`222`	`224`	`// Create api and migrate current process into it`
`223`	`225`	`c.Info("Creating nesting api cgroup ", cgb)`
`@@ -227,7 +229,7 @@ func newCgroup(c Config) (cgroup.Cgroup, error) {`
`227`	`229`	`c.Warn("Creating api cgroup with error: ", err)`
`228`	`230`	`c.Warn("As running in non-root mode, falling back back to rlimit / rusage mode")`
`229`	`231`	`cgb.Destroy()`
`230`		`- return nil, nil`
	`232`	`+ return nil, nil, nil`
`231`	`233`	`}`
`232`	`234`	`}`
`233`	`235`
`@@ -238,7 +240,13 @@ func newCgroup(c Config) (cgroup.Cgroup, error) {`
`238`	`240`	`c.Warn("Falling back to rlimit / rusage mode")`
`239`	`241`	`cgb = nil`
`240`	`242`	`}`
`241`		`- return cg, nil`
	`243`	`+ if !ct.Memory {`
	`244`	`+ c.Warn("Memory cgroup is not enabled, failling back to rlimit / rusage mode")`
	`245`	`+ }`
	`246`	`+ if !ct.Pids {`
	`247`	`+ c.Warn("Pid cgroup is not enabled, proc limit does not have effect")`
	`248`	`+ }`
	`249`	`+ return cg, ct, nil`
`242`	`250`	`}`
`243`	`251`
`244`	`252`	`func newSystemdProperty(name string, units any) dbus.Property {`