pkg/cgroups: use DBUS session when rootless

use the DBUS user session when running in rootless mode. Closes: https://github.com/containers/libpod/issues/3801 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2025-07-02 08:47:43 +08:00 · 2019-08-14 11:21:26 +02:00
parent a734b53357
commit 9873901469
3 changed files with 85 additions and 22 deletions
--- a/libpod/util_linux.go
+++ b/libpod/util_linux.go
@ -48,6 +48,9 @@ func makeSystemdCgroup(path string) error {
 		return err
 	}

+	if rootless.IsRootless() {
+		return controller.CreateSystemdUserUnit(path, rootless.GetRootlessUID())
+	}
 	return controller.CreateSystemdUnit(path)
 }

@ -57,6 +60,14 @@ func deleteSystemdCgroup(path string) error {
 	if err != nil {
 		return err
 	}
+	if rootless.IsRootless() {
+		conn, err := cgroups.GetUserConnection(rootless.GetRootlessUID())
+		if err != nil {
+			return err
+		}
+		defer conn.Close()
+		return controller.DeleteByPathConn(path, conn)
+	}

 	return controller.DeleteByPath(path)
 }
--- a/pkg/cgroups/cgroups.go
+++ b/pkg/cgroups/cgroups.go
@ -10,6 +10,8 @@ import (
 	"strconv"
 	"strings"

+	systemdDbus "github.com/coreos/go-systemd/dbus"
+	"github.com/godbus/dbus"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
@ -352,7 +354,56 @@ func (c *CgroupControl) CreateSystemdUnit(path string) error {
 	if !c.systemd {
 		return fmt.Errorf("the cgroup controller is not using systemd")
 	}
-	return systemdCreate(path)
+
+	conn, err := systemdDbus.New()
+	if err != nil {
+		return err
+	}
+	defer conn.Close()
+
+	return systemdCreate(path, conn)
+}
+
+// GetUserConnection returns an user connection to D-BUS
+func GetUserConnection(uid int) (*systemdDbus.Conn, error) {
+	return systemdDbus.NewConnection(func() (*dbus.Conn, error) {
+		return dbusAuthConnection(uid, dbus.SessionBusPrivate)
+	})
+}
+
+// CreateSystemdUserUnit creates the systemd cgroup for the specified user
+func (c *CgroupControl) CreateSystemdUserUnit(path string, uid int) error {
+	if !c.systemd {
+		return fmt.Errorf("the cgroup controller is not using systemd")
+	}
+
+	conn, err := GetUserConnection(uid)
+	if err != nil {
+		return err
+	}
+	defer conn.Close()
+
+	return systemdCreate(path, conn)
+}
+
+func dbusAuthConnection(uid int, createBus func(opts ...dbus.ConnOption) (*dbus.Conn, error)) (*dbus.Conn, error) {
+	conn, err := createBus()
+	if err != nil {
+		return nil, err
+	}
+
+	methods := []dbus.Auth{dbus.AuthExternal(strconv.Itoa(uid))}
+
+	err = conn.Auth(methods)
+	if err != nil {
+		conn.Close()
+		return nil, err
+	}
+	if err := conn.Hello(); err != nil {
+		return nil, err
+	}
+
+	return conn, nil
 }

 // Delete cleans a cgroup
@ -386,10 +437,11 @@ func rmDirRecursively(path string) error {
 	return nil
 }

-// DeleteByPath deletes the specified cgroup path
-func (c *CgroupControl) DeleteByPath(path string) error {
+// DeleteByPathConn deletes the specified cgroup path using the specified
+// dbus connection if needed.
+func (c *CgroupControl) DeleteByPathConn(path string, conn *systemdDbus.Conn) error {
 	if c.systemd {
-		return systemdDestroy(path)
+		return systemdDestroyConn(path, conn)
 	}
 	if c.cgroup2 {
 		return rmDirRecursively(filepath.Join(cgroupRoot, c.path))
@ -413,6 +465,19 @@ func (c *CgroupControl) DeleteByPath(path string) error {
 	return lastError
 }

+// DeleteByPath deletes the specified cgroup path
+func (c *CgroupControl) DeleteByPath(path string) error {
+	if c.systemd {
+		conn, err := systemdDbus.New()
+		if err != nil {
+			return err
+		}
+		defer conn.Close()
+		return c.DeleteByPathConn(path, conn)
+	}
+	return c.DeleteByPathConn(path, nil)
+}
+
 // Update updates the cgroups
 func (c *CgroupControl) Update(resources *spec.LinuxResources) error {
 	for _, h := range handlers {
--- a/pkg/cgroups/systemd.go
+++ b/pkg/cgroups/systemd.go
@ -9,13 +9,7 @@ import (
 	"github.com/godbus/dbus"
 )

-func systemdCreate(path string) error {
-	c, err := systemdDbus.New()
-	if err != nil {
-		return err
-	}
-	defer c.Close()
-
+func systemdCreate(path string, c *systemdDbus.Conn) error {
 	slice, name := filepath.Split(path)
 	slice = strings.TrimSuffix(slice, "/")

@ -43,7 +37,7 @@ func systemdCreate(path string) error {
 		}

 		ch := make(chan string)
-		_, err = c.StartTransientUnit(name, "replace", properties, ch)
+		_, err := c.StartTransientUnit(name, "replace", properties, ch)
 		if err != nil {
 			lastError = err
 			continue
@ -55,7 +49,7 @@ func systemdCreate(path string) error {
 }

 /*
-   systemdDestroy is copied from containerd/cgroups/systemd.go file, that
+   systemdDestroyConn is copied from containerd/cgroups/systemd.go file, that
   has the following license:

   Copyright The containerd Authors.
@ -72,18 +66,11 @@ func systemdCreate(path string) error {
   See the License for the specific language governing permissions and
   limitations under the License.
 */
-
-func systemdDestroy(path string) error {
-	c, err := systemdDbus.New()
-	if err != nil {
-		return err
-	}
-	defer c.Close()
-
+func systemdDestroyConn(path string, c *systemdDbus.Conn) error {
 	name := filepath.Base(path)

 	ch := make(chan string)
-	_, err = c.StopUnit(name, "replace", ch)
+	_, err := c.StopUnit(name, "replace", ch)
 	if err != nil {
 		return err
 	}