runc exec: use CLONE_INTO_CGROUP when available

It makes sense to make runc exec benefit from clone2(CLONE_INTO_CGROUP),
if it is available. Since it requires a recent kernel and might not work,
implement a fallback to older way of joining the cgroup.

Based on work done in
 - https://go-review.googlesource.com/c/go/+/417695
 - coreos/go-systemd#458
 - opencontainers/cgroups#26
 - #4822

Signed-off-by: Kir Kolyshkin <[email protected]>

Author: kolyshkin

libcontainer/process_linux.go

@@ -16,6 +16,7 @@ import (
 	"strconv"
 	"strings"
 	"sync"
+	"syscall"
 	"time"
 
 	"github.com/opencontainers/runtime-spec/specs-go"
@@ -310,18 +311,106 @@ func (p *setnsProcess) addIntoCgroupV2() error {
 }
 
 func (p *setnsProcess) addIntoCgroup() error {
+	if p.cmd.SysProcAttr.UseCgroupFD {
+		// We've used cgroupfd successfully, so the process is
+		// already in the proper cgroup, nothing to do here.
+		return nil
+	}
 	if cgroups.IsCgroup2UnifiedMode() {
 		return p.addIntoCgroupV2()
 	}
 	return p.addIntoCgroupV1()
 }
 
+// prepareCgroupFD sets up p.cmd to use clone3 with CLONE_INTO_CGROUP
+// to join cgroup early, in p.cmd.Start. Returns an *os.File which
+// must be closed by the caller after p.Cmd.Start return.
+func (p *setnsProcess) prepareCgroupFD() (*os.File, error) {
+	if !cgroups.IsCgroup2UnifiedMode() {
+		return nil, nil
+	}
+
+	base := p.manager.Path("")
+	if base == "" { // No cgroup to join.
+		return nil, nil
+	}
+	sub := ""
+	if p.process.SubCgroupPaths != nil {
+		sub = p.process.SubCgroupPaths[""]
+	}
+	cgroup := path.Join(base, sub)
+	if !strings.HasPrefix(cgroup, base) {
+		return nil, fmt.Errorf("bad sub cgroup path: %s", sub)
+	}
+
+	fd, err := os.OpenFile(cgroup, unix.O_PATH|unix.O_DIRECTORY|unix.O_CLOEXEC, 0)
+	if err != nil {
+		if p.rootlessCgroups {
+			return nil, nil
+		}
+		return nil, fmt.Errorf("can't open cgroup: %w", err)
+	}
+
+	logrus.Debugf("using CLONE_INTO_CGROUP %q", cgroup)
+	if p.cmd.SysProcAttr == nil {
+		p.cmd.SysProcAttr = &syscall.SysProcAttr{}
+	}
+	p.cmd.SysProcAttr.UseCgroupFD = true
+	p.cmd.SysProcAttr.CgroupFD = int(fd.Fd())
+
+	return fd, nil
+}
+
+// shouldRetryWithoutCgroupFD tells if the error returned from p.cmd.Start
+// could be caused by using cgroupfd.
+func (p *setnsProcess) shouldRetryWithoutCgroupFD(err error) bool {
+	if err == nil || !p.cmd.SysProcAttr.UseCgroupFD {
+		return false
+	}
+	logrus.Debugf("exec with CLONE_INTO_CGROUP failed: %v", err)
+
+	switch {
+	// Cgroup in which a domain controller is enabled.
+	case errors.Is(err, unix.EBUSY):
+		return true
+	// The cgroup is in the domain invalid state.
+	case errors.Is(err, unix.EOPNOTSUPP):
+		return true
+	// Rootless with no direct access to cgroup.
+	case p.rootlessCgroups && errors.Is(err, unix.EACCES):
+		return true
+	// No clone3 syscall (kernels < v5.3).
+	case errors.Is(err, unix.ENOSYS):
+		return true
+	// No CLONE_INTO_CGROUP flag support (kernels v5.3 to v5.7).
+	case errors.Is(err, unix.E2BIG):
+		return true
+	}
+
+	return false
+}
+
 func (p *setnsProcess) start() (retErr error) {
 	defer p.comm.closeParent()
 
+	fd, err := p.prepareCgroupFD()
+	if err != nil {
+		return err
+	}
+
 	// Get the "before" value of oom kill count.
 	oom, _ := p.manager.OOMKillCount()
-	err := p.startWithCPUAffinity()
+
+	err = p.startWithCPUAffinity()
+	if fd != nil {
+		fd.Close()
+	}
+	if p.shouldRetryWithoutCgroupFD(err) {
+		// SysProcAttr.CgroupFD is never used when UseCgroupFD is unset.
+		p.cmd.SysProcAttr.UseCgroupFD = false
+		err = p.startWithCPUAffinity()
+	}
+
 	// Close the child-side of the pipes (controlled by child).
 	p.comm.closeChild()
 	if err != nil {

tests/integration/exec.bats

@@ -282,7 +282,7 @@ function check_exec_debug() {
 	# Check we can't join non-existing subcgroup.
 	runc exec --cgroup nonexistent test_busybox cat /proc/self/cgroup
 	[ "$status" -ne 0 ]
-	[[ "$output" == *" adding pid "*"o such file or directory"* ]]
+	[[ "$output" == *" cgroup"*"o such file or directory"* ]]
 
 	# Check we can join top-level cgroup (implicit).
 	runc exec test_busybox grep '^0::/$' /proc/self/cgroup