Merge pull request lxc#3412 from brauner/2020-05-15/clone3

clone3: add infrastructure and switch container creation to it

configure.ac

@@ -622,7 +622,10 @@ AC_CHECK_HEADER([ifaddrs.h],
 AC_HEADER_MAJOR
 
 # Check for some syscalls functions
-AC_CHECK_FUNCS([setns pivot_root sethostname unshare rand_r confstr faccessat gettid memfd_create move_mount open_tree])
+AC_CHECK_FUNCS([setns pivot_root sethostname unshare rand_r confstr faccessat gettid memfd_create move_mount open_tree execveat clone3])
+AC_CHECK_TYPES([struct clone_args], [], [], [[#include <linux/sched.h>]])
+AC_CHECK_MEMBERS([struct clone_args.set_tid],[],[],[[#include <linux/sched.h>]])
+AC_CHECK_MEMBERS([struct clone_args.cgroup],[],[],[[#include <linux/sched.h>]])
 
 # Check for strerror_r() support. Defines:
 # - HAVE_STRERROR_R if available
@@ -761,7 +764,7 @@ AX_CHECK_COMPILE_FLAG([-Wstringop-overflow], [CFLAGS="$CFLAGS -Wstringop-overflo
 AX_CHECK_LINK_FLAG([-z relro], [LDFLAGS="$LDFLAGS -z relro"],,[])
 AX_CHECK_LINK_FLAG([-z now], [LDFLAGS="$LDFLAGS -z now"],,[])
 
-CFLAGS="$CFLAGS -Wvla -std=gnu11"
+CFLAGS="$CFLAGS -Wvla -std=gnu11 -fms-extensions"
 if test "x$enable_werror" = "xyes"; then
 	CFLAGS="$CFLAGS -Werror"
 fi

src/include/fexecve.c

@@ -29,7 +29,7 @@
 #include <fcntl.h>
 #include "config.h"
 #include "macro.h"
-#include "raw_syscalls.h"
+#include "process_utils.h"
 
 int fexecve(int fd, char *const argv[], char *const envp[])
 {

src/lxc/Makefile.am

@@ -27,7 +27,7 @@ noinst_HEADERS = api_extensions.h \
 		 memory_utils.h \
 		 monitor.h \
 		 namespace.h \
-		 raw_syscalls.h \
+		 process_utils.h \
 		 rexec.h \
 		 start.h \
 		 state.h \
@@ -128,7 +128,7 @@ liblxc_la_SOURCES = af_unix.c af_unix.h \
 		    network.c network.h \
 		    monitor.c monitor.h \
 		    parse.c parse.h \
-		    raw_syscalls.c raw_syscalls.h \
+		    process_utils.c process_utils.h \
 		    ringbuf.c ringbuf.h \
 		    rtnl.c rtnl.h \
 		    state.c state.h \
@@ -384,7 +384,7 @@ init_lxc_SOURCES = cmd/lxc_init.c \
 		   initutils.c initutils.h \
 		   memory_utils.h \
 		   parse.c parse.h \
-		   raw_syscalls.c raw_syscalls.h \
+		   process_utils.c process_utils.h \
 		   syscall_numbers.h \
 		   string_utils.c string_utils.h
 
@@ -395,7 +395,7 @@ lxc_monitord_SOURCES = cmd/lxc_monitord.c \
 		       log.c log.h \
 		       mainloop.c mainloop.h \
 		       monitor.c monitor.h \
-		       raw_syscalls.c raw_syscalls.h \
+		       process_utils.c process_utils.h \
 		       syscall_numbers.h \
 		       utils.c utils.h
 lxc_user_nic_SOURCES = cmd/lxc_user_nic.c \
@@ -404,7 +404,7 @@ lxc_user_nic_SOURCES = cmd/lxc_user_nic.c \
 		       memory_utils.h \
 		       network.c network.h \
 		       parse.c parse.h \
-		       raw_syscalls.c raw_syscalls.h \
+		       process_utils.c process_utils.h \
 		       syscall_numbers.h \
 		       file_utils.c file_utils.h \
 		       string_utils.c string_utils.h \

src/lxc/af_unix.c

@@ -18,7 +18,7 @@
 #include "log.h"
 #include "macro.h"
 #include "memory_utils.h"
-#include "raw_syscalls.h"
+#include "process_utils.h"
 #include "utils.h"
 
 #ifndef HAVE_STRLCPY

src/lxc/attach.c

@@ -40,7 +40,7 @@
 #include "mainloop.h"
 #include "memory_utils.h"
 #include "namespace.h"
-#include "raw_syscalls.h"
+#include "process_utils.h"
 #include "syscall_wrappers.h"
 #include "terminal.h"
 #include "utils.h"

src/lxc/cgroups/cgfsng.c

@@ -1149,7 +1149,7 @@ static int mkdir_eexist_on_last(const char *dir, mode_t mode)
 
 		ret = mkdir(makeme, mode);
 		if (ret < 0 && ((errno != EEXIST) || (orig_len == cur_len)))
-			return log_error_errno(-1, errno, "Failed to create directory \"%s\"", makeme);
+			return log_warn_errno(-1, errno, "Failed to create directory \"%s\"", makeme);
 	} while (tmp != dir);
 
 	return 0;
@@ -1179,9 +1179,9 @@ static bool cgroup_tree_create(struct cgroup_ops *ops, struct lxc_conf *conf,
 
 		ret = mkdir_eexist_on_last(limit_path, 0755);
 		if (ret < 0)
-			return log_error_errno(false, errno,
-			                       "Failed to create %s limiting cgroup",
-			                       limit_path);
+			return log_debug_errno(false,
+					      errno, "Failed to create %s limiting cgroup",
+					      limit_path);
 
 		h->cgfd_limit = lxc_open_dirfd(limit_path);
 		if (h->cgfd_limit < 0)
@@ -1208,7 +1208,7 @@ static bool cgroup_tree_create(struct cgroup_ops *ops, struct lxc_conf *conf,
 		 * directory for us to ensure correct initialization.
 		 */
 		if (ret_cpuset != 1 || cgroup_tree)
-			return log_error_errno(false, errno, "Failed to create %s cgroup", path);
+			return log_debug_errno(false, errno, "Failed to create %s cgroup", path);
 	}
 
 	if (payload) {
@@ -1351,7 +1351,7 @@ __cgfsng_ops static inline bool cgfsng_monitor_create(struct cgroup_ops *ops,
 				               monitor_cgroup, false, NULL))
 				continue;
 
-			ERROR("Failed to create cgroup \"%s\"", ops->hierarchies[i]->monitor_full_path ?: "(null)");
+			DEBUG("Failed to create cgroup \"%s\"", ops->hierarchies[i]->monitor_full_path ?: "(null)");
 			for (int j = 0; j < i; j++)
 				cgroup_tree_leaf_remove(ops->hierarchies[j], false);
 
@@ -1361,7 +1361,7 @@ __cgfsng_ops static inline bool cgfsng_monitor_create(struct cgroup_ops *ops,
 	} while (ops->hierarchies[i] && idx > 0 && idx < 1000 && suffix);
 
 	if (idx == 1000 || (!suffix && idx != 0))
-		return ret_set_errno(false, ERANGE);
+		return log_error_errno(false, ERANGE, "Failed to create monitor cgroup");
 
 	ops->monitor_cgroup = move_ptr(monitor_cgroup);
 	return log_info(true, "The monitor process uses \"%s\" as cgroup", ops->monitor_cgroup);
@@ -1455,7 +1455,7 @@ __cgfsng_ops static inline bool cgfsng_payload_create(struct cgroup_ops *ops,
 					       limiting_cgroup))
 				continue;
 
-			ERROR("Failed to create cgroup \"%s\"", ops->hierarchies[i]->container_full_path ?: "(null)");
+			DEBUG("Failed to create cgroup \"%s\"", ops->hierarchies[i]->container_full_path ?: "(null)");
 			for (int j = 0; j < i; j++)
 				cgroup_tree_leaf_remove(ops->hierarchies[j], true);
 
@@ -1465,7 +1465,7 @@ __cgfsng_ops static inline bool cgfsng_payload_create(struct cgroup_ops *ops,
 	} while (ops->hierarchies[i] && idx > 0 && idx < 1000 && suffix);
 
 	if (idx == 1000 || (!suffix && idx != 0))
-		return ret_set_errno(false, ERANGE);
+		return log_error_errno(false, ERANGE, "Failed to create container cgroup");
 
 	ops->container_cgroup = move_ptr(container_cgroup);
 	INFO("The container process uses \"%s\" as cgroup", ops->container_cgroup);

src/lxc/cmd/lxc_init.c

@@ -28,7 +28,7 @@
 #include "initutils.h"
 #include "memory_utils.h"
 #include "parse.h"
-#include "raw_syscalls.h"
+#include "process_utils.h"
 #include "string_utils.h"
 
 /* option keys for long only options */

src/lxc/cmd/lxc_monitord.c

@@ -28,7 +28,7 @@
 #include "log.h"
 #include "mainloop.h"
 #include "monitor.h"
-#include "raw_syscalls.h"
+#include "process_utils.h"
 #include "utils.h"
 
 #define CLIENTFDS_CHUNK 64

src/lxc/cmd/lxc_user_nic.c

@@ -36,7 +36,7 @@
 #include "memory_utils.h"
 #include "network.h"
 #include "parse.h"
-#include "raw_syscalls.h"
+#include "process_utils.h"
 #include "string_utils.h"
 #include "syscall_wrappers.h"
 #include "utils.h"

src/lxc/conf.c

@@ -51,7 +51,7 @@
 #include "namespace.h"
 #include "network.h"
 #include "parse.h"
-#include "raw_syscalls.h"
+#include "process_utils.h"
 #include "ringbuf.h"
 #include "start.h"
 #include "storage.h"
@@ -3245,7 +3245,7 @@ static bool verify_start_hooks(struct lxc_conf *conf)
 
 static bool execveat_supported(void)
 {
-	lxc_raw_execveat(-1, "", NULL, NULL, AT_EMPTY_PATH);
+	execveat(-1, "", NULL, NULL, AT_EMPTY_PATH);
 	if (errno == ENOSYS)
 		return false;
 

src/lxc/execute.c

@@ -14,7 +14,7 @@
 #include "config.h"
 #include "log.h"
 #include "start.h"
-#include "raw_syscalls.h"
+#include "process_utils.h"
 #include "utils.h"
 
 lxc_log_define(execute, start);
@@ -66,7 +66,7 @@ static int execute_start(struct lxc_handler *handler, void* data)
 	NOTICE("Exec'ing \"%s\"", my_args->argv[0]);
 
 	if (my_args->init_fd >= 0)
-		lxc_raw_execveat(my_args->init_fd, "", argv, environ, AT_EMPTY_PATH);
+		execveat(my_args->init_fd, "", argv, environ, AT_EMPTY_PATH);
 	else
 		execvp(argv[0], argv);
 	SYSERROR("Failed to exec %s", argv[0]);

src/lxc/lsm/apparmor.c

@@ -19,7 +19,7 @@
 #include "log.h"
 #include "lsm.h"
 #include "parse.h"
-#include "raw_syscalls.h"
+#include "process_utils.h"
 #include "utils.h"
 
 lxc_log_define(apparmor, lsm);

src/lxc/lxccontainer.c

@@ -49,7 +49,7 @@
 #include "namespace.h"
 #include "network.h"
 #include "parse.h"
-#include "raw_syscalls.h"
+#include "process_utils.h"
 #include "start.h"
 #include "state.h"
 #include "storage.h"

src/lxc/namespace.c

@@ -21,33 +21,6 @@
 
 lxc_log_define(namespace, lxc);
 
-/*
- * Let's use the "standard stack limit" (i.e. glibc thread size default) for
- * stack sizes: 8MB.
- */
-#define __LXC_STACK_SIZE (8 * 1024 * 1024)
-pid_t lxc_clone(int (*fn)(void *), void *arg, int flags, int *pidfd)
-{
-	pid_t ret;
-	void *stack;
-
-	stack = malloc(__LXC_STACK_SIZE);
-	if (!stack) {
-		SYSERROR("Failed to allocate clone stack");
-		return -ENOMEM;
-	}
-
-#ifdef __ia64__
-	ret = __clone2(fn, stack, __LXC_STACK_SIZE, flags | SIGCHLD, arg, pidfd);
-#else
-	ret = clone(fn, stack + __LXC_STACK_SIZE, flags | SIGCHLD, arg, pidfd);
-#endif
-	if (ret < 0)
-		SYSERROR("Failed to clone (%#x)", flags);
-
-	return ret;
-}
-
 /* Leave the user namespace at the first position in the array of structs so
  * that we always attach to it first when iterating over the struct and using
  * setns() to switch namespaces. This especially affects lxc_attach(): Suppose

src/lxc/namespace.h

@@ -7,63 +7,6 @@
 #include <unistd.h>
 #include <sys/syscall.h>
 
-#ifndef CLONE_PARENT_SETTID
-#define CLONE_PARENT_SETTID 0x00100000
-#endif
-
-#ifndef CLONE_CHILD_CLEARTID
-#define CLONE_CHILD_CLEARTID 0x00200000
-#endif
-
-#ifndef CLONE_CHILD_SETTID
-#define CLONE_CHILD_SETTID 0x01000000
-#endif
-
-#ifndef CLONE_VFORK
-#define CLONE_VFORK 0x00004000
-#endif
-
-#ifndef CLONE_THREAD
-#define CLONE_THREAD 0x00010000
-#endif
-
-#ifndef CLONE_SETTLS
-#define CLONE_SETTLS 0x00080000
-#endif
-
-#ifndef CLONE_VM
-#define CLONE_VM 0x00000100
-#endif
-
-#ifndef CLONE_FILES
-#define CLONE_FILES 0x00000400
-#endif
-
-#ifndef CLONE_FS
-#  define CLONE_FS                0x00000200
-#endif
-#ifndef CLONE_NEWNS
-#  define CLONE_NEWNS             0x00020000
-#endif
-#ifndef CLONE_NEWCGROUP
-#  define CLONE_NEWCGROUP         0x02000000
-#endif
-#ifndef CLONE_NEWUTS
-#  define CLONE_NEWUTS            0x04000000
-#endif
-#ifndef CLONE_NEWIPC
-#  define CLONE_NEWIPC            0x08000000
-#endif
-#ifndef CLONE_NEWUSER
-#  define CLONE_NEWUSER           0x10000000
-#endif
-#ifndef CLONE_NEWPID
-#  define CLONE_NEWPID            0x20000000
-#endif
-#ifndef CLONE_NEWNET
-#  define CLONE_NEWNET            0x40000000
-#endif
-
 enum {
 	LXC_NS_USER,
 	LXC_NS_MNT,
@@ -82,39 +25,6 @@ extern const struct ns_info {
 	const char *env_name;
 } ns_info[LXC_NS_MAX];
 
-#if defined(__ia64__)
-int __clone2(int (*__fn) (void *__arg), void *__child_stack_base,
-             size_t __child_stack_size, int __flags, void *__arg, ...);
-#else
-int clone(int (*fn)(void *), void *child_stack,
-	int flags, void *arg, ...
-	/* pid_t *ptid, struct user_desc *tls, pid_t *ctid */ );
-#endif
-
-/**
- * lxc_clone() - create a new process
- *
- * - allocate stack:
- *   This function allocates a new stack the size of page and passes it to the
- *   kernel.
- *
- * - support all CLONE_*flags:
- *   This function supports all CLONE_* flags. If in doubt or not sufficiently
- *   familiar with process creation in the kernel and interactions with libcs
- *   this function should be used.
- *
- * - pthread_atfork() handlers depending on libc:
- *   Whether this function runs pthread_atfork() handlers depends on the
- *   corresponding libc wrapper. glibc currently does not run pthread_atfork()
- *   handlers but does not guarantee that they are not. Other libcs might or
- *   might not run pthread_atfork() handlers. If you require guarantees please
- *   refer to the lxc_raw_clone*() functions in raw_syscalls.{c,h}.
- *
- * - should call lxc_raw_getpid():
- *   The child should use lxc_raw_getpid() to retrieve its pid.
- */
-extern pid_t lxc_clone(int (*fn)(void *), void *arg, int flags, int *pidfd);
-
 extern int lxc_namespace_2_cloneflag(const char *namespace);
 extern int lxc_namespace_2_ns_idx(const char *namespace);
 extern int lxc_namespace_2_std_identifiers(char *namespaces);

src/lxc/network.c

@@ -36,7 +36,7 @@
 #include "memory_utils.h"
 #include "network.h"
 #include "nl.h"
-#include "raw_syscalls.h"
+#include "process_utils.h"
 #include "syscall_wrappers.h"
 #include "utils.h"