Allow some configuration

Author: MikailBag

minion-cli/src/main.rs

@@ -108,7 +108,13 @@ fn main() {
         eprintln!("Error: {}", err);
         std::process::exit(1);
     }
-    let backend = minion::erased::setup();
+    let backend = match minion::erased::setup() {
+        Ok(b) => b,
+        Err(err) => {
+            eprintln!("Backend initialization failed: {}", err);
+            std::process::exit(1);
+        }
+    };
 
     let sandbox = backend
         .new_sandbox(minion::SandboxOptions {

minion-ffi/src/lib.rs

@@ -17,8 +17,8 @@ pub enum ErrorCode {
     /// - something was expected to be unique, but wasn't, and so on
     /// these errors usually imply bug exists in caller code
     InvalidInput,
-    /// unknown error
-    Unknown,
+    /// Minion error
+    Minion,
 }
 
 /// Get string description of given `error_code`, returned by minion-ffi previously.
@@ -29,7 +29,7 @@ pub extern "C" fn minion_describe_status(error_code: ErrorCode) -> *const u8 {
     match error_code {
         ErrorCode::Ok => b"ok\0".as_ptr(),
         ErrorCode::InvalidInput => b"invalid input\0".as_ptr(),
-        ErrorCode::Unknown => b"unknown error\0".as_ptr(),
+        ErrorCode::Minion => b"minion error\0".as_ptr(),
     }
 }
 
@@ -69,7 +69,11 @@ pub unsafe extern "C" fn minion_lib_init() -> ErrorCode {
 #[no_mangle]
 #[must_use]
 pub extern "C" fn minion_backend_create(out: &mut *mut Backend) -> ErrorCode {
-    let backend = Backend(minion::erased::setup());
+    let backend = match minion::erased::setup() {
+        Ok(b) => b,
+        Err(_) => return ErrorCode::Minion,
+    };
+    let backend = Backend(backend);
     let backend = Box::new(backend);
     *out = Box::into_raw(backend);
     ErrorCode::Ok
@@ -119,7 +123,7 @@ pub unsafe extern "C" fn minion_sandbox_check_cpu_tle(
             }
             ErrorCode::Ok
         }
-        Err(_) => ErrorCode::Unknown,
+        Err(_) => ErrorCode::Minion,
     }
 }
 
@@ -137,15 +141,15 @@ pub unsafe extern "C" fn minion_sandbox_check_real_tle(
             }
             ErrorCode::Ok
         }
-        Err(_) => ErrorCode::Unknown,
+        Err(_) => ErrorCode::Minion,
     }
 }
 
 #[no_mangle]
 pub extern "C" fn minion_sandbox_kill(sandbox: &Sandbox) -> ErrorCode {
     match sandbox.0.kill() {
         Ok(_) => ErrorCode::Ok,
-        Err(_) => ErrorCode::Unknown,
+        Err(_) => ErrorCode::Minion,
     }
 }
 
@@ -352,7 +356,7 @@ pub unsafe extern "C" fn minion_cp_wait(
             }
             ErrorCode::Ok
         }
-        Result::Err(_) => ErrorCode::Unknown,
+        Result::Err(_) => ErrorCode::Minion,
     }
 }
 
@@ -389,7 +393,7 @@ pub unsafe extern "C" fn minion_cp_exitcode(
             }
             ErrorCode::Ok
         }
-        Result::Err(_) => ErrorCode::Unknown,
+        Result::Err(_) => ErrorCode::Minion,
     }
 }
 

minion-tests/src/worker.rs

@@ -14,7 +14,7 @@ pub fn main(test_cases: &[&'static dyn TestCase]) {
         .unwrap();
 
     let tempdir = tempfile::TempDir::new().expect("cannot create temporary dir");
-    let backend = minion::erased::setup();
+    let backend = minion::erased::setup().expect("backend creation failed");
     let opts = minion::SandboxOptions {
         cpu_time_limit: test_case.time_limit(),
         real_time_limit: test_case.real_time_limit(),

src/erased.rs

@@ -132,6 +132,8 @@ impl<B: crate::Backend> Backend for B {
 pub type ChildProcessOptions = crate::ChildProcessOptions<Box<dyn Sandbox>>;
 
 /// Returns backend instance
-pub fn setup() -> Box<dyn Backend> {
-    Box::new(crate::linux::LinuxBackend::new())
+pub fn setup() -> crate::Result<Box<dyn Backend>> {
+    Ok(Box::new(crate::linux::LinuxBackend::new(
+        crate::linux::Settings::new(),
+    )?))
 }

src/linux.rs

@@ -1,3 +1,4 @@
+mod cgroup;
 pub mod check;
 pub mod ext;
 mod jail_common;
@@ -10,7 +11,7 @@ pub use crate::linux::sandbox::LinuxSandbox;
 use crate::{
     linux::{
         pipe::{LinuxReadPipe, LinuxWritePipe},
-        util::{get_last_error, Handle, Pid},
+        util::{get_last_error, Fd, Pid},
     },
     Backend, ChildProcess, ChildProcessOptions, InputSpecification, InputSpecificationData,
     OutputSpecification, OutputSpecificationData, SandboxOptions, WaitOutcome,
@@ -20,7 +21,9 @@ use std::{
     ffi::CString,
     fs,
     os::unix::io::IntoRawFd,
+    path::PathBuf,
     sync::atomic::{AtomicI64, Ordering},
+    sync::Arc,
     time::Duration,
 };
 
@@ -98,7 +101,7 @@ impl ChildProcess for LinuxChildProcess {
     }
 }
 
-fn handle_input_io(spec: InputSpecification) -> crate::Result<(Option<Handle>, Handle)> {
+fn handle_input_io(spec: InputSpecification) -> crate::Result<(Option<Fd>, Fd)> {
     match spec.0 {
         InputSpecificationData::Pipe => {
             let mut h_read = 0;
@@ -109,22 +112,22 @@ fn handle_input_io(spec: InputSpecification) -> crate::Result<(Option<Handle>, H
             Ok((Some(h_write), f))
         }
         InputSpecificationData::Handle(rh) => {
-            let h = rh as Handle;
+            let h = rh as Fd;
             Ok((None, h))
         }
         InputSpecificationData::Empty => {
             let file = fs::File::create("/dev/null")?;
             let file = file.into_raw_fd();
             Ok((None, file))
         }
-        InputSpecificationData::Null => Ok((None, -1 as Handle)),
+        InputSpecificationData::Null => Ok((None, -1 as Fd)),
     }
 }
 
-fn handle_output_io(spec: OutputSpecification) -> crate::Result<(Option<Handle>, Handle)> {
+fn handle_output_io(spec: OutputSpecification) -> crate::Result<(Option<Fd>, Fd)> {
     match spec.0 {
-        OutputSpecificationData::Null => Ok((None, -1 as Handle)),
-        OutputSpecificationData::Handle(rh) => Ok((None, rh as Handle)),
+        OutputSpecificationData::Null => Ok((None, -1 as Fd)),
+        OutputSpecificationData::Handle(rh) => Ok((None, rh as Fd)),
         OutputSpecificationData::Pipe => {
             let mut h_read = 0;
             let mut h_write = 0;
@@ -223,17 +226,46 @@ fn spawn(mut options: ChildProcessOptions<LinuxSandbox>) -> crate::Result<LinuxC
     }
 }
 
+/// Allows some customization
+#[non_exhaustive]
+#[derive(Debug)]
+pub struct Settings {
+    /// All created cgroups will be children of specified group
+    /// Default value is "/minion"
+    pub cgroup_prefix: PathBuf,
+
+    /// If enabled, minion will ignore clone(MOUNT_NEWNS) error.
+    /// This flag has to be enabled for gVisor support.
+    pub allow_unsupported_mount_namespace: bool,
+}
+
+impl Default for Settings {
+    fn default() -> Self {
+        Settings {
+            cgroup_prefix: "/minion".into(),
+            allow_unsupported_mount_namespace: false,
+        }
+    }
+}
+
+impl Settings {
+    pub fn new() -> Settings {
+        Default::default()
+    }
+}
 #[derive(Debug)]
 pub struct LinuxBackend {
-    _priv: (),
+    settings: Settings,
+    cgroup_driver: Arc<cgroup::Driver>,
 }
 
 impl Backend for LinuxBackend {
     type Sandbox = LinuxSandbox;
     type ChildProcess = LinuxChildProcess;
     fn new_sandbox(&self, mut options: SandboxOptions) -> crate::Result<LinuxSandbox> {
         options.postprocess();
-        let sb = unsafe { LinuxSandbox::create(options)? };
+        let sb =
+            unsafe { LinuxSandbox::create(options, &self.settings, self.cgroup_driver.clone())? };
         Ok(sb)
     }
 
@@ -246,13 +278,11 @@ impl Backend for LinuxBackend {
 }
 
 impl LinuxBackend {
-    pub fn new() -> LinuxBackend {
-        LinuxBackend { _priv: () }
-    }
-}
-
-impl Default for LinuxBackend {
-    fn default() -> Self {
-        LinuxBackend::new()
+    pub fn new(settings: Settings) -> crate::Result<LinuxBackend> {
+        let cgroup_driver = Arc::new(cgroup::Driver::new(&settings)?);
+        Ok(LinuxBackend {
+            settings,
+            cgroup_driver,
+        })
     }
 }

src/linux/cgroup.rs

@@ -0,0 +1,127 @@
+/// Implements Cgroup Driver - high-level cgroup manager
+mod detect;
+mod v1;
+mod v2;
+
+use crate::linux::util::Fd;
+use std::{ffi::OsString, path::PathBuf};
+
+// used by crate::linux::check
+pub(in crate::linux) use detect::CgroupVersion;
+
+/// Information, sufficient for joining a cgroup.
+pub(in crate::linux) enum JoinHandle {
+    /// Fds of `tasks` file in each hierarchy.
+    V1(Vec<Fd>),
+    /// Fd of `cgroup.procs` file in cgroup dir.
+    V2(Fd),
+}
+
+impl JoinHandle {
+    fn with(&self, f: impl FnOnce(&mut dyn Iterator<Item = Fd>)) {
+        let mut slice_iter;
+        let mut once_iter;
+        let it: &mut dyn std::iter::Iterator<Item = Fd> = match &self {
+            Self::V1(handles) => {
+                slice_iter = handles.iter().copied();
+                &mut slice_iter
+            }
+            Self::V2(handle) => {
+                once_iter = std::iter::once(*handle);
+                &mut once_iter
+            }
+        };
+        f(it);
+    }
+    pub(super) fn join_self(&self) {
+        let my_pid = std::process::id();
+        let my_pid = format!("{}", my_pid);
+        self.with(|it| {
+            for fd in it {
+                nix::unistd::write(fd, my_pid.as_bytes()).expect("Couldn't join cgroup");
+            }
+        });
+    }
+}
+
+impl Drop for JoinHandle {
+    fn drop(&mut self) {
+        self.with(|it| {
+            for fd in it {
+                nix::unistd::close(fd).ok();
+            }
+        })
+    }
+}
+
+/// Abstracts all cgroups manipulations.
+/// Each Backend has exactly one Driver.
+#[derive(Debug)]
+pub(in crate::linux) struct Driver {
+    cgroupfs_path: PathBuf,
+    cgroup_prefix: Vec<OsString>,
+    version: detect::CgroupVersion,
+}
+
+/// Represents resource limits imposed on sandbox
+pub(in crate::linux) struct ResourceLimits {
+    pub(in crate::linux) pids_max: u32,
+    pub(in crate::linux) memory_max: u64,
+}
+
+impl Driver {
+    pub(in crate::linux) fn new(settings: &crate::linux::Settings) -> crate::Result<Driver> {
+        let cgroup_version = detect::CgroupVersion::detect();
+        let mut cgroup_prefix = Vec::new();
+        for comp in settings.cgroup_prefix.components() {
+            if let std::path::Component::Normal(n) = comp {
+                cgroup_prefix.push(n.to_os_string());
+            }
+        }
+        let cgroupfs_path = "/sys/fs/cgroup".into();
+        Ok(Driver {
+            version: cgroup_version,
+            cgroup_prefix,
+            cgroupfs_path,
+        })
+    }
+    pub(in crate::linux) fn create_group(
+        &self,
+        cgroup_id: &str,
+        limits: &ResourceLimits,
+    ) -> JoinHandle {
+        match CgroupVersion::detect() {
+            CgroupVersion::V1 => JoinHandle::V1(self.setup_cgroups_v1(limits, cgroup_id)),
+            CgroupVersion::V2 => JoinHandle::V2(self.setup_cgroups_v2(limits, cgroup_id)),
+        }
+    }
+
+    pub(in crate::linux) fn get_cpu_usage(&self, cgroup_id: &str) -> u64 {
+        match self.version {
+            CgroupVersion::V1 => self.get_cpu_usage_v1(cgroup_id),
+            CgroupVersion::V2 => self.get_cpu_usage_v2(cgroup_id),
+        }
+    }
+
+    pub(in crate::linux) fn get_memory_usage(&self, cgroup_id: &str) -> Option<u64> {
+        match self.version {
+            // memory cgroup v2 does not provide way to get peak memory usage.
+            // `memory.current` contains only current usage.
+            CgroupVersion::V2 => None,
+            CgroupVersion::V1 => Some(self.get_memory_usage_v1(cgroup_id)),
+        }
+    }
+    pub(in crate::linux) fn get_cgroup_tasks_file_path(&self, cgroup_id: &str) -> PathBuf {
+        match self.version {
+            CgroupVersion::V1 => self.get_cgroup_tasks_file_path_v1(cgroup_id),
+            CgroupVersion::V2 => self.get_cgroup_tasks_file_path_v2(cgroup_id),
+        }
+    }
+
+    pub(in crate::linux) fn drop_cgroup(&self, cgroup_id: &str, legacy_subsystems: &[&str]) {
+        match self.version {
+            CgroupVersion::V1 => self.drop_cgroup_v1(cgroup_id, legacy_subsystems),
+            CgroupVersion::V2 => self.drop_cgroup_v2(cgroup_id),
+        }
+    }
+}

src/linux/cgroup/detect.rs

@@ -0,0 +1,28 @@
+//! This module is responsible for CGroup version detection
+#[derive(Eq, PartialEq, Debug)]
+pub(in crate::linux) enum CgroupVersion {
+    /// Legacy
+    V1,
+    /// Unified
+    V2,
+}
+
+impl CgroupVersion {
+    pub(in crate::linux) fn detect() -> CgroupVersion {
+        let stat = nix::sys::statfs::statfs("/sys/fs/cgroup")
+            .expect("/sys/fs/cgroup is not root of cgroupfs");
+        let ty = stat.filesystem_type();
+        // man 2 statfs
+        match ty.0 {
+            0x0027_e0eb => return CgroupVersion::V1,
+            0x6367_7270 => return CgroupVersion::V2,
+            _ => (),
+        };
+        let p = std::path::Path::new("/sys/fs/cgroup");
+        if p.join("cgroup.subtree_control").exists() {
+            CgroupVersion::V2
+        } else {
+            CgroupVersion::V1
+        }
+    }
+}