2018-09-24 18:37:45 +00:00
|
|
|
package executor
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"fmt"
|
|
|
|
|
"os"
|
2020-11-25 14:34:10 +00:00
|
|
|
"os/exec"
|
2018-09-24 18:37:45 +00:00
|
|
|
"os/user"
|
|
|
|
|
"strconv"
|
|
|
|
|
"syscall"
|
|
|
|
|
|
2019-06-17 03:56:20 +00:00
|
|
|
"github.com/containernetworking/plugins/pkg/ns"
|
2018-09-24 18:37:45 +00:00
|
|
|
multierror "github.com/hashicorp/go-multierror"
|
client: enable support for cgroups v2
This PR introduces support for using Nomad on systems with cgroups v2 [1]
enabled as the cgroups controller mounted on /sys/fs/cgroups. Newer Linux
distros like Ubuntu 21.10 are shipping with cgroups v2 only, causing problems
for Nomad users.
Nomad mostly "just works" with cgroups v2 due to the indirection via libcontainer,
but not so for managing cpuset cgroups. Before, Nomad has been making use of
a feature in v1 where a PID could be a member of more than one cgroup. In v2
this is no longer possible, and so the logic around computing cpuset values
must be modified. When Nomad detects v2, it manages cpuset values in-process,
rather than making use of cgroup heirarchy inheritence via shared/reserved
parents.
Nomad will only activate the v2 logic when it detects cgroups2 is mounted at
/sys/fs/cgroups. This means on systems running in hybrid mode with cgroups2
mounted at /sys/fs/cgroups/unified (as is typical) Nomad will continue to
use the v1 logic, and should operate as before. Systems that do not support
cgroups v2 are also not affected.
When v2 is activated, Nomad will create a parent called nomad.slice (unless
otherwise configured in Client conifg), and create cgroups for tasks using
naming convention <allocID>-<task>.scope. These follow the naming convention
set by systemd and also used by Docker when cgroups v2 is detected.
Client nodes now export a new fingerprint attribute, unique.cgroups.version
which will be set to 'v1' or 'v2' to indicate the cgroups regime in use by
Nomad.
The new cpuset management strategy fixes #11705, where docker tasks that
spawned processes on startup would "leak". In cgroups v2, the PIDs are
started in the cgroup they will always live in, and thus the cause of
the leak is eliminated.
[1] https://www.kernel.org/doc/html/latest/admin-guide/cgroup-v2.html
Closes #11289
Fixes #11705 #11773 #11933
2022-02-28 22:24:01 +00:00
|
|
|
"github.com/hashicorp/nomad/client/lib/cgutil"
|
2019-09-30 15:50:22 +00:00
|
|
|
"github.com/hashicorp/nomad/plugins/drivers"
|
2018-09-24 18:37:45 +00:00
|
|
|
"github.com/opencontainers/runc/libcontainer/cgroups"
|
|
|
|
|
cgroupFs "github.com/opencontainers/runc/libcontainer/cgroups/fs"
|
|
|
|
|
lconfigs "github.com/opencontainers/runc/libcontainer/configs"
|
2020-08-19 15:57:26 +00:00
|
|
|
"github.com/opencontainers/runc/libcontainer/specconv"
|
2018-09-24 18:37:45 +00:00
|
|
|
)
|
|
|
|
|
|
2020-11-25 14:34:10 +00:00
|
|
|
// setCmdUser takes a user id as a string and looks up the user, and sets the command
|
2018-09-24 18:37:45 +00:00
|
|
|
// to execute as that user.
|
2020-11-25 14:34:10 +00:00
|
|
|
func setCmdUser(cmd *exec.Cmd, userid string) error {
|
2018-09-24 18:37:45 +00:00
|
|
|
u, err := user.Lookup(userid)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return fmt.Errorf("Failed to identify user %v: %v", userid, err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Get the groups the user is a part of
|
|
|
|
|
gidStrings, err := u.GroupIds()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return fmt.Errorf("Unable to lookup user's group membership: %v", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
gids := make([]uint32, len(gidStrings))
|
|
|
|
|
for _, gidString := range gidStrings {
|
2022-01-25 16:16:48 +00:00
|
|
|
u, err := strconv.ParseUint(gidString, 10, 32)
|
2018-09-24 18:37:45 +00:00
|
|
|
if err != nil {
|
2022-01-25 16:16:48 +00:00
|
|
|
return fmt.Errorf("Unable to convert user's group to uint32 %s: %v", gidString, err)
|
2018-09-24 18:37:45 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
gids = append(gids, uint32(u))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Convert the uid and gid
|
|
|
|
|
uid, err := strconv.ParseUint(u.Uid, 10, 32)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return fmt.Errorf("Unable to convert userid to uint32: %s", err)
|
|
|
|
|
}
|
|
|
|
|
gid, err := strconv.ParseUint(u.Gid, 10, 32)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return fmt.Errorf("Unable to convert groupid to uint32: %s", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Set the command to run as that user and group.
|
2020-11-25 14:34:10 +00:00
|
|
|
if cmd.SysProcAttr == nil {
|
|
|
|
|
cmd.SysProcAttr = &syscall.SysProcAttr{}
|
2018-09-24 18:37:45 +00:00
|
|
|
}
|
2020-11-25 14:34:10 +00:00
|
|
|
if cmd.SysProcAttr.Credential == nil {
|
|
|
|
|
cmd.SysProcAttr.Credential = &syscall.Credential{}
|
2018-09-24 18:37:45 +00:00
|
|
|
}
|
2020-11-25 14:34:10 +00:00
|
|
|
cmd.SysProcAttr.Credential.Uid = uint32(uid)
|
|
|
|
|
cmd.SysProcAttr.Credential.Gid = uint32(gid)
|
|
|
|
|
cmd.SysProcAttr.Credential.Groups = gids
|
2018-09-24 18:37:45 +00:00
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// configureResourceContainer configured the cgroups to be used to track pids
|
|
|
|
|
// created by the executor
|
|
|
|
|
func (e *UniversalExecutor) configureResourceContainer(pid int) error {
|
|
|
|
|
cfg := &lconfigs.Config{
|
|
|
|
|
Cgroups: &lconfigs.Cgroup{
|
2020-08-19 15:57:26 +00:00
|
|
|
Resources: &lconfigs.Resources{},
|
2018-09-24 18:37:45 +00:00
|
|
|
},
|
|
|
|
|
}
|
2020-08-19 15:57:26 +00:00
|
|
|
for _, device := range specconv.AllowedDevices {
|
2021-03-31 14:57:02 +00:00
|
|
|
cfg.Cgroups.Resources.Devices = append(cfg.Cgroups.Resources.Devices, &device.Rule)
|
2020-08-19 15:57:26 +00:00
|
|
|
}
|
2018-09-24 18:37:45 +00:00
|
|
|
|
client: enable support for cgroups v2
This PR introduces support for using Nomad on systems with cgroups v2 [1]
enabled as the cgroups controller mounted on /sys/fs/cgroups. Newer Linux
distros like Ubuntu 21.10 are shipping with cgroups v2 only, causing problems
for Nomad users.
Nomad mostly "just works" with cgroups v2 due to the indirection via libcontainer,
but not so for managing cpuset cgroups. Before, Nomad has been making use of
a feature in v1 where a PID could be a member of more than one cgroup. In v2
this is no longer possible, and so the logic around computing cpuset values
must be modified. When Nomad detects v2, it manages cpuset values in-process,
rather than making use of cgroup heirarchy inheritence via shared/reserved
parents.
Nomad will only activate the v2 logic when it detects cgroups2 is mounted at
/sys/fs/cgroups. This means on systems running in hybrid mode with cgroups2
mounted at /sys/fs/cgroups/unified (as is typical) Nomad will continue to
use the v1 logic, and should operate as before. Systems that do not support
cgroups v2 are also not affected.
When v2 is activated, Nomad will create a parent called nomad.slice (unless
otherwise configured in Client conifg), and create cgroups for tasks using
naming convention <allocID>-<task>.scope. These follow the naming convention
set by systemd and also used by Docker when cgroups v2 is detected.
Client nodes now export a new fingerprint attribute, unique.cgroups.version
which will be set to 'v1' or 'v2' to indicate the cgroups regime in use by
Nomad.
The new cpuset management strategy fixes #11705, where docker tasks that
spawned processes on startup would "leak". In cgroups v2, the PIDs are
started in the cgroup they will always live in, and thus the cause of
the leak is eliminated.
[1] https://www.kernel.org/doc/html/latest/admin-guide/cgroup-v2.html
Closes #11289
Fixes #11705 #11773 #11933
2022-02-28 22:24:01 +00:00
|
|
|
if err := cgutil.ConfigureBasicCgroups(cfg); err != nil {
|
2019-07-24 16:10:05 +00:00
|
|
|
// Log this error to help diagnose cases where nomad is run with too few
|
2019-07-22 19:16:13 +00:00
|
|
|
// permissions, but don't return an error. There is no separate check for
|
|
|
|
|
// cgroup creation permissions, so this may be the happy path.
|
2019-07-24 16:10:05 +00:00
|
|
|
e.logger.Warn("failed to create cgroup",
|
|
|
|
|
"docs", "https://www.nomadproject.io/docs/drivers/raw_exec.html#no_cgroups",
|
|
|
|
|
"error", err)
|
2019-07-22 19:16:13 +00:00
|
|
|
return nil
|
2019-07-10 17:45:32 +00:00
|
|
|
}
|
2018-09-24 18:37:45 +00:00
|
|
|
e.resConCtx.groups = cfg.Cgroups
|
|
|
|
|
return cgroups.EnterPid(cfg.Cgroups.Paths, pid)
|
|
|
|
|
}
|
|
|
|
|
|
2019-07-10 17:45:32 +00:00
|
|
|
func (e *UniversalExecutor) getAllPids() (map[int]*nomadPid, error) {
|
|
|
|
|
if e.resConCtx.isEmpty() {
|
|
|
|
|
return getAllPidsByScanning()
|
|
|
|
|
} else {
|
|
|
|
|
return e.resConCtx.getAllPidsByCgroup()
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2018-09-24 18:37:45 +00:00
|
|
|
// DestroyCgroup kills all processes in the cgroup and removes the cgroup
|
|
|
|
|
// configuration from the host. This function is idempotent.
|
|
|
|
|
func DestroyCgroup(groups *lconfigs.Cgroup, executorPid int) error {
|
|
|
|
|
mErrs := new(multierror.Error)
|
|
|
|
|
if groups == nil {
|
|
|
|
|
return fmt.Errorf("Can't destroy: cgroup configuration empty")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Move the executor into the global cgroup so that the task specific
|
|
|
|
|
// cgroup can be destroyed.
|
|
|
|
|
path, err := cgroups.GetInitCgroupPath("freezer")
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if err := cgroups.EnterPid(map[string]string{"freezer": path}, executorPid); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Freeze the Cgroup so that it can not continue to fork/exec.
|
|
|
|
|
groups.Resources.Freezer = lconfigs.Frozen
|
|
|
|
|
freezer := cgroupFs.FreezerGroup{}
|
2022-01-14 15:46:06 +00:00
|
|
|
if err := freezer.Set(groups.Paths[freezer.Name()], groups.Resources); err != nil {
|
2018-09-24 18:37:45 +00:00
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var procs []*os.Process
|
|
|
|
|
pids, err := cgroups.GetAllPids(groups.Paths[freezer.Name()])
|
|
|
|
|
if err != nil {
|
|
|
|
|
multierror.Append(mErrs, fmt.Errorf("error getting pids: %v", err))
|
|
|
|
|
|
|
|
|
|
// Unfreeze the cgroup.
|
|
|
|
|
groups.Resources.Freezer = lconfigs.Thawed
|
|
|
|
|
freezer := cgroupFs.FreezerGroup{}
|
2022-01-14 15:46:06 +00:00
|
|
|
if err := freezer.Set(groups.Paths[freezer.Name()], groups.Resources); err != nil {
|
2018-09-24 18:37:45 +00:00
|
|
|
multierror.Append(mErrs, fmt.Errorf("failed to unfreeze cgroup: %v", err))
|
|
|
|
|
return mErrs.ErrorOrNil()
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Kill the processes in the cgroup
|
|
|
|
|
for _, pid := range pids {
|
|
|
|
|
proc, err := os.FindProcess(pid)
|
|
|
|
|
if err != nil {
|
|
|
|
|
multierror.Append(mErrs, fmt.Errorf("error finding process %v: %v", pid, err))
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
procs = append(procs, proc)
|
|
|
|
|
if e := proc.Kill(); e != nil {
|
|
|
|
|
multierror.Append(mErrs, fmt.Errorf("error killing process %v: %v", pid, e))
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Unfreeze the cgroug so we can wait.
|
|
|
|
|
groups.Resources.Freezer = lconfigs.Thawed
|
2022-01-14 15:46:06 +00:00
|
|
|
if err := freezer.Set(groups.Paths[freezer.Name()], groups.Resources); err != nil {
|
2018-09-24 18:37:45 +00:00
|
|
|
multierror.Append(mErrs, fmt.Errorf("failed to unfreeze cgroup: %v", err))
|
|
|
|
|
return mErrs.ErrorOrNil()
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Wait on the killed processes to ensure they are cleaned up.
|
|
|
|
|
for _, proc := range procs {
|
|
|
|
|
// Don't capture the error because we expect this to fail for
|
|
|
|
|
// processes we didn't fork.
|
|
|
|
|
proc.Wait()
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Remove the cgroup.
|
|
|
|
|
if err := cgroups.RemovePaths(groups.Paths); err != nil {
|
|
|
|
|
multierror.Append(mErrs, fmt.Errorf("failed to delete the cgroup directories: %v", err))
|
|
|
|
|
}
|
|
|
|
|
return mErrs.ErrorOrNil()
|
|
|
|
|
}
|
2019-06-17 03:56:20 +00:00
|
|
|
|
2019-10-01 01:38:31 +00:00
|
|
|
// withNetworkIsolation calls the passed function the network namespace `spec`
|
|
|
|
|
func withNetworkIsolation(f func() error, spec *drivers.NetworkIsolationSpec) error {
|
2019-09-30 15:50:22 +00:00
|
|
|
if spec != nil && spec.Path != "" {
|
2019-06-17 03:56:20 +00:00
|
|
|
// Get a handle to the target network namespace
|
2019-09-30 15:50:22 +00:00
|
|
|
netns, err := ns.GetNS(spec.Path)
|
2019-06-17 03:56:20 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Start the container in the network namespace
|
|
|
|
|
return netns.Do(func(ns.NetNS) error {
|
2019-09-30 15:50:22 +00:00
|
|
|
return f()
|
2019-06-17 03:56:20 +00:00
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
|
2019-09-30 15:50:22 +00:00
|
|
|
return f()
|
2019-06-17 03:56:20 +00:00
|
|
|
}
|