// Copyright (C) The Arvados Authors. All rights reserved. // // SPDX-License-Identifier: AGPL-3.0 package crunchrun import ( "bytes" "errors" "fmt" "io/fs" "os" "os/exec" "regexp" "strconv" "sync" ) // Return the current process's cgroup for the given subsystem. // // If the host has cgroups v2 and not v1 (i.e., unified mode), return // the current process's cgroup. func findCgroup(fsys fs.FS, subsystem string) (string, error) { subsys := []byte(subsystem) cgroups, err := fs.ReadFile(fsys, "proc/self/cgroup") if err != nil { return "", err } for _, line := range bytes.Split(cgroups, []byte("\n")) { toks := bytes.SplitN(line, []byte(":"), 4) if len(toks) < 3 { continue } if len(toks[1]) == 0 && string(toks[0]) == "0" { // cgroups v2: "0::$PATH" // // In "hybrid" mode, this entry is last, so we // use it when the specified subsystem doesn't // match a cgroups v1 entry. // // In "unified" mode, this is the only entry, // so we use it regardless of which subsystem // was specified. return string(toks[2]), nil } for _, s := range bytes.Split(toks[1], []byte(",")) { // cgroups v1: "7:cpu,cpuacct:/user.slice" if bytes.Compare(s, subsys) == 0 { return string(toks[2]), nil } } } return "", fmt.Errorf("subsystem %q not found in /proc/self/cgroup", subsystem) } var ( // After calling checkCgroupSupport, cgroupSupport indicates // support for singularity resource limits. // // E.g., cgroupSupport["memory"]==true if systemd is installed // and configured such that singularity can use the "memory" // cgroup controller to set resource limits. cgroupSupport map[string]bool cgroupSupportLock sync.Mutex ) // checkCgroupSupport should be called before looking up strings like // "memory" and "cpu" in cgroupSupport. func checkCgroupSupport(logf func(string, ...interface{})) { cgroupSupportLock.Lock() defer cgroupSupportLock.Unlock() if cgroupSupport != nil { return } cgroupSupport = make(map[string]bool) if os.Getuid() != 0 { xrd := os.Getenv("XDG_RUNTIME_DIR") if xrd == "" || os.Getenv("DBUS_SESSION_BUS_ADDRESS") == "" { logf("not running as root, and empty XDG_RUNTIME_DIR or DBUS_SESSION_BUS_ADDRESS -- singularity resource limits are not supported") return } if fi, err := os.Stat(xrd + "/systemd"); err != nil || !fi.IsDir() { logf("not running as root, and %s/systemd is not a directory -- singularity resource limits are not supported", xrd) return } version, err := exec.Command("systemd-run", "--version").CombinedOutput() if match := regexp.MustCompile(`^systemd (\d+)`).FindSubmatch(version); err != nil || match == nil { logf("not running as root, and could not get systemd version -- singularity resource limits are not supported") return } else if v, _ := strconv.ParseInt(string(match[1]), 10, 64); v < 224 { logf("not running as root, and systemd version %s < minimum 224 -- singularity resource limits are not supported", match[1]) return } } mount, err := cgroupMount() if err != nil { logf("no cgroup support: %s", err) return } cgroup, err := findCgroup(os.DirFS("/"), "") if err != nil { logf("cannot find cgroup: %s", err) return } controllers, err := os.ReadFile(mount + cgroup + "/cgroup.controllers") if err != nil { logf("cannot read cgroup.controllers file: %s", err) return } for _, controller := range bytes.Split(bytes.TrimRight(controllers, "\n"), []byte{' '}) { cgroupSupport[string(controller)] = true } } // Return the cgroup2 mount point, typically "/sys/fs/cgroup". func cgroupMount() (string, error) { mounts, err := os.ReadFile("/proc/mounts") if err != nil { return "", err } for _, mount := range bytes.Split(mounts, []byte{'\n'}) { toks := bytes.Split(mount, []byte{' '}) if len(toks) > 2 && bytes.Equal(toks[0], []byte("cgroup2")) { return string(toks[1]), nil } } return "", errors.New("cgroup2 mount not found") }