cri-o/oci/oci_linux.go

// +build linux

package oci

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"

	"github.com/containerd/cgroups"
	rspec "github.com/opencontainers/runtime-spec/specs-go"
	"golang.org/x/sys/unix"
)

func createContainerPlatform(c *Container, cgroupParent string, pid int) error {
	control, err := cgroups.New(cgroups.V1, cgroups.StaticPath(filepath.Join(cgroupParent, "/crio-conmon-"+c.id)), &rspec.LinuxResources{})
	if err != nil {
		return fmt.Errorf("Failed to add conmon to cgroupfs sandbox cgroup: %v", err)
	} else {
		// Here we should defer a crio-connmon- cgroup hierarchy deletion, but it will
		// always fail as conmon's pid is still there.
		// Fortunately, kubelet takes care of deleting this for us, so the leak will
		// only happens in corner case where one does a manual deletion of the container
		// through e.g. runc. This should be handled by implementing a conmon monitoring
		// routine that does the cgroup cleanup once conmon is terminated.
		if err := control.Add(cgroups.Process{Pid: pid}); err != nil {
			fmt.Errorf("Failed to add conmon to cgroupfs sandbox cgroup: %v", err)
		}
	}
	return nil
}

func sysProcAttrPlatform() *syscall.SysProcAttr {
	return &syscall.SysProcAttr{
		Setpgid: true,
	}
}

// newPipe creates a unix socket pair for communication
func newPipe() (parent *os.File, child *os.File, err error) {
	fds, err := unix.Socketpair(unix.AF_LOCAL, unix.SOCK_STREAM|unix.SOCK_CLOEXEC, 0)
	if err != nil {
		return nil, nil, err
	}
	return os.NewFile(uintptr(fds[1]), "parent"), os.NewFile(uintptr(fds[0]), "child"), nil
}