cvmts: Add hackfix to CGroup.Self() for hybrid cgroups

systemd-nspawn, and probably other container runtimes, can sometimes mount a cgroupsv1 hierarchy in a cgroup namespace. This ends up infecting the host system, so we optionally allow that. We still will error out if we happen to be the one running in a legacy cgroupsv1 controller hierarchy, however. We still depend on unified/cgroupsv2.
2025-06-09 02:57:33 -04:00
parent c4c08ae830
commit bce2a0172a
1 changed files with 20 additions and 6 deletions
--- a/cvmts/src/util/cgroup.ts
+++ b/cvmts/src/util/cgroup.ts
@@ -104,13 +104,27 @@ export class CGroup {
 		if (!existsSync(kCgroupSelfPath)) throw new Error('This process is not in a CGroup.');
 		let res = readFileSync(kCgroupSelfPath, { encoding: 'utf-8' });

-		// Make sure the first/only line is a cgroups2 0::/path/to/cgroup entry.
-		// Legacy cgroups1 is not supported.
-		if (res[0] != '0') throw new Error('CGroup.Self() does not work with cgroups 1 systems. Please do not the cgroups 1.');
-		let cg_path = res.substring(3, res.indexOf('\n'));
+		for (let item of res.split('\n')) {
+			switch (item[0]) {
+				// This is techinically cgroupsv1. However, on a unified system
+				// `systemd-nspawn` by default will mount /sys/fs/cgroup/systemd in the container,
+				// and this leaks out slightly to the host with `1:name=systemd:/`.. for some reason.
+				// Therefore we can allow this. Other controllers not so much.
+				case '1':
+					continue;
+					break;
+				case '0': // cgroups2
+					let cg_path = item.substring(3);
+					let cg = new CGroup(path.join('/sys/fs/cgroup', cg_path));
+					return cg;
+					break;

-		let cg = new CGroup(path.join('/sys/fs/cgroup', cg_path));
+				// Legacy CGroups 1 is not supported.
+				default:
+					throw new Error('CGroup.Self() does not work with cgroups 1 systems. Please do not the cgroups 1.');
+			}
+		}

-		return cg;
+		throw new Error('1 2 3 5 4 6');
 	}
 }