Move daemon process into sub-cgroup

The daemon process is now moved into a new sub-cgroup called nix-daemon when the
daemon starts. This is necessary to abide by the no-processes-in-inner-nodes
rule, because the service cgroup becomes an inner node when the child cgroups
for the build are created (see LocalDerivationGoal::startBuilder()).

See #9675
This commit is contained in:
Parker Hoyes 2024-08-26 13:50:22 +00:00
parent 1073a8effa
commit 46b3188045
4 changed files with 75 additions and 12 deletions

View File

@ -444,25 +444,22 @@ void LocalDerivationGoal::startBuilder()
#if __linux__
experimentalFeatureSettings.require(Xp::Cgroups);
/* If we're running from the daemon, then this will return the
root cgroup of the service. Otherwise, it will return the
current cgroup. */
auto rootCgroup = getRootCgroup();
auto cgroupFS = getCgroupFS();
if (!cgroupFS)
throw Error("cannot determine the cgroups file system");
auto ourCgroups = getCgroups("/proc/self/cgroup");
auto ourCgroup = ourCgroups[""];
if (ourCgroup == "")
throw Error("cannot determine cgroup name from /proc/self/cgroup");
auto ourCgroupPath = canonPath(*cgroupFS + "/" + ourCgroup);
if (!pathExists(ourCgroupPath))
throw Error("expected cgroup directory '%s'", ourCgroupPath);
auto rootCgroupPath = canonPath(*cgroupFS + "/" + rootCgroup);
if (!pathExists(rootCgroupPath))
throw Error("expected cgroup directory '%s'", rootCgroupPath);
static std::atomic<unsigned int> counter{0};
cgroup = buildUser
? fmt("%s/nix-build-uid-%d", ourCgroupPath, buildUser->getUID())
: fmt("%s/nix-build-pid-%d-%d", ourCgroupPath, getpid(), counter++);
? fmt("%s/nix-build-uid-%d", rootCgroupPath, buildUser->getUID())
: fmt("%s/nix-build-pid-%d-%d", rootCgroupPath, getpid(), counter++);
debug("using cgroup '%s'", *cgroup);

View File

@ -6,6 +6,7 @@
#include <chrono>
#include <cmath>
#include <mutex>
#include <regex>
#include <unordered_set>
#include <thread>
@ -144,4 +145,35 @@ CgroupStats destroyCgroup(const Path & cgroup)
return destroyCgroup(cgroup, true);
}
std::string getCurrentCgroup()
{
auto cgroupFS = getCgroupFS();
if (!cgroupFS)
throw Error("cannot determine the cgroups file system");
auto ourCgroups = getCgroups("/proc/self/cgroup");
auto ourCgroup = ourCgroups[""];
if (ourCgroup == "")
throw Error("cannot determine cgroup name from /proc/self/cgroup");
return ourCgroup;
}
static std::optional<std::string> rootCgroup;
static std::mutex rootCgroupMutex;
std::string getRootCgroup()
{
{
std::lock_guard<std::mutex> guard(rootCgroupMutex);
if (rootCgroup)
return *rootCgroup;
}
auto current = getCurrentCgroup();
std::lock_guard<std::mutex> guard(rootCgroupMutex);
if (rootCgroup)
return *rootCgroup;
rootCgroup = current;
return current;
}
}

View File

@ -25,4 +25,13 @@ struct CgroupStats
*/
CgroupStats destroyCgroup(const Path & cgroup);
std::string getCurrentCgroup();
/**
* Get the cgroup that should be used as the parent when creating new
* sub-cgroups. The first time this is called, the current cgroup will be
* returned, and then all subsequent calls will return the original cgroup.
*/
std::string getRootCgroup();
}

View File

@ -33,6 +33,10 @@
#include <grp.h>
#include <fcntl.h>
#if __linux__
#include "cgroup.hh"
#endif
#if __APPLE__ || __FreeBSD__
#include <sys/ucred.h>
#endif
@ -312,6 +316,27 @@ static void daemonLoop(std::optional<TrustedFlag> forceTrustClientOpt)
// Get rid of children automatically; don't let them become zombies.
setSigChldAction(true);
#if __linux__
if (settings.useCgroups) {
experimentalFeatureSettings.require(Xp::Cgroups);
// This also sets the root cgroup to the current one.
auto rootCgroup = getRootCgroup();
auto cgroupFS = getCgroupFS();
if (!cgroupFS)
throw Error("cannot determine the cgroups file system");
auto rootCgroupPath = canonPath(*cgroupFS + "/" + rootCgroup);
if (!pathExists(rootCgroupPath))
throw Error("expected cgroup directory '%s'", rootCgroupPath);
auto daemonCgroupPath = rootCgroupPath + "/nix-daemon";
// Create new sub-cgroup for the daemon.
if (mkdir(daemonCgroupPath.c_str(), 0755) != 0 && errno != EEXIST)
throw SysError("creating cgroup '%s'", daemonCgroupPath);
// Move daemon into the new cgroup.
writeFile(daemonCgroupPath + "/cgroup.procs", fmt("%d", getpid()));
}
#endif
// Loop accepting connections.
while (1) {