pkg/cgroups: use DBUS session when rootless

use the DBUS user session when running in rootless mode. Closes: containers#3801 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
giuseppe · Aug 14, 2019 · 471b197 · 471b197
1 parent ce64c14
commit 471b197
Show file tree

Hide file tree

Showing 3 changed files with 102 additions and 20 deletions.
diff --git a/libpod/util_linux.go b/libpod/util_linux.go
@@ -48,6 +48,9 @@ func makeSystemdCgroup(path string) error {
 		return err
 	}
 
+	if rootless.IsRootless() {
+		return controller.CreateSystemdUserUnit(path, rootless.GetRootlessUID())
+	}
 	return controller.CreateSystemdUnit(path)
 }
 
@@ -57,6 +60,14 @@ func deleteSystemdCgroup(path string) error {
 	if err != nil {
 		return err
 	}
+	if rootless.IsRootless() {
+		conn, err := cgroups.GetUserConnection(rootless.GetRootlessUID())
+		if err != nil {
+			return err
+		}
+		defer conn.Close()
+		return controller.DeleteByPathConn(path, conn)
+	}
 
 	return controller.DeleteByPath(path)
 }

diff --git a/pkg/cgroups/cgroups.go b/pkg/cgroups/cgroups.go
@@ -10,6 +10,8 @@ import (
 	"strconv"
 	"strings"
 
+	systemdDbus "github.com/coreos/go-systemd/dbus"
+	"github.com/godbus/dbus"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
@@ -352,7 +354,56 @@ func (c *CgroupControl) CreateSystemdUnit(path string) error {
 	if !c.systemd {
 		return fmt.Errorf("the cgroup controller is not using systemd")
 	}
-	return systemdCreate(path)
+
+	conn, err := systemdDbus.New()
+	if err != nil {
+		return err
+	}
+	defer conn.Close()
+
+	return systemdCreate(path, conn)
+}
+
+// GetUserConnection returns an user connection to D-BUS
+func GetUserConnection(uid int) (*systemdDbus.Conn, error) {
+	return systemdDbus.NewConnection(func() (*dbus.Conn, error) {
+		return dbusAuthConnection(uid, dbus.SessionBusPrivate)
+	})
+}
+
+// CreateSystemdUserUnit creates the systemd cgroup for the specified user
+func (c *CgroupControl) CreateSystemdUserUnit(path string, uid int) error {
+	if !c.systemd {
+		return fmt.Errorf("the cgroup controller is not using systemd")
+	}
+
+	conn, err := GetUserConnection(uid)
+	if err != nil {
+		return err
+	}
+	defer conn.Close()
+
+	return systemdCreate(path, conn)
+}
+
+func dbusAuthConnection(uid int, createBus func(opts ...dbus.ConnOption) (*dbus.Conn, error)) (*dbus.Conn, error) {
+	conn, err := createBus()
+	if err != nil {
+		return nil, err
+	}
+
+	methods := []dbus.Auth{dbus.AuthExternal(strconv.Itoa(uid))}
+
+	err = conn.Auth(methods)
+	if err != nil {
+		conn.Close()
+		return nil, err
+	}
+	if err := conn.Hello(); err != nil {
+		return nil, err
+	}
+
+	return conn, nil
 }
 
 // Delete cleans a cgroup
@@ -386,10 +437,11 @@ func rmDirRecursively(path string) error {
 	return nil
 }
 
-// DeleteByPath deletes the specified cgroup path
-func (c *CgroupControl) DeleteByPath(path string) error {
+// DeleteByPathConn deletes the specified cgroup path using the specified
+// dbus connection if needed.
+func (c *CgroupControl) DeleteByPathConn(path string, conn *systemdDbus.Conn) error {
 	if c.systemd {
-		return systemdDestroy(path)
+		return systemdDestroyConn(path, conn)
 	}
 	if c.cgroup2 {
 		return rmDirRecursively(filepath.Join(cgroupRoot, c.path))
@@ -413,6 +465,19 @@ func (c *CgroupControl) DeleteByPath(path string) error {
 	return lastError
 }
 
+// DeleteByPath deletes the specified cgroup path
+func (c *CgroupControl) DeleteByPath(path string) error {
+	if c.systemd {
+		conn, err := systemdDbus.New()
+		if err != nil {
+			return err
+		}
+		defer conn.Close()
+		return c.DeleteByPathConn(path, conn)
+	}
+	return c.DeleteByPathConn(path, nil)
+}
+
 // Update updates the cgroups
 func (c *CgroupControl) Update(resources *spec.LinuxResources) error {
 	for _, h := range handlers {

diff --git a/pkg/cgroups/systemd.go b/pkg/cgroups/systemd.go
@@ -9,13 +9,7 @@ import (
 	"github.com/godbus/dbus"
 )
 
-func systemdCreate(path string) error {
-	c, err := systemdDbus.New()
-	if err != nil {
-		return err
-	}
-	defer c.Close()
-
+func systemdCreate(path string, c *systemdDbus.Conn) error {
 	slice, name := filepath.Split(path)
 	slice = strings.TrimSuffix(slice, "/")
 
@@ -43,7 +37,7 @@ func systemdCreate(path string) error {
 		}
 
 		ch := make(chan string)
-		_, err = c.StartTransientUnit(name, "replace", properties, ch)
+		_, err := c.StartTransientUnit(name, "replace", properties, ch)
 		if err != nil {
 			lastError = err
 			continue
@@ -55,7 +49,7 @@ func systemdCreate(path string) error {
 }
 
 /*
-   systemdDestroy is copied from containerd/cgroups/systemd.go file, that
+   systemdDestroyConn is copied from containerd/cgroups/systemd.go file, that
    has the following license:
 
    Copyright The containerd Authors.
@@ -72,18 +66,30 @@ func systemdCreate(path string) error {
    See the License for the specific language governing permissions and
    limitations under the License.
 */
+/*
+   systemdDestroyConn is copied from containerd/cgroups/systemd.go file, that
+   has the following license:
 
-func systemdDestroy(path string) error {
-	c, err := systemdDbus.New()
-	if err != nil {
-		return err
-	}
-	defer c.Close()
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
 
+func systemdDestroyConn(path string, c *systemdDbus.Conn) error {
 	name := filepath.Base(path)
 
 	ch := make(chan string)
-	_, err = c.StopUnit(name, "replace", ch)
+	_, err := c.StopUnit(name, "replace", ch)
 	if err != nil {
 		return err
 	}