Enable the memory_recursiveprot mount option

Enable the memory_recursiveprot mount option for v2 cgroups because the
v2 memcg documentation mentions the following: "Recursively apply
memory.min and memory.low protection to entire subtrees, without
requiring explicit downward propagation into leaf cgroups.  This allows
protecting entire subtrees from one another, while retaining free
competition within those subtrees. This should have been the default
behavior but is a mount-option to avoid regressing setups relying on the
original semantics (e.g. specifying bogusly high 'bypass' protection
values at higher tree levels)."

Source: https://www.kernel.org/doc/Documentation/admin-guide/cgroup-v2.rst

Bug: 213617178
Test: Verified this change inside the Cuttlefish emulator.
Change-Id: Iecd86109d9ecb9d3354f9d28577b147edf7c50a8
Signed-off-by: Bart Van Assche <bvanassche@google.com>
Bart Van Assche 2022-02-04 18:04:32 +00:00
parent f1df9ba5c4
commit 4f2e62913d


@ -263,8 +263,18 @@ static bool SetupCgroup(const CgroupDescriptor& descriptor) {
return false;
}
result = mount("none", controller->path(), "cgroup2", MS_NODEV | MS_NOEXEC | MS_NOSUID,
nullptr);
// The memory_recursiveprot mount option has been introduced by kernel commit
// 8a931f801340 ("mm: memcontrol: recursive memory.low protection"; v5.7). Try first to
// mount with that option enabled. If mounting fails because the kernel is too old,
// retry without that mount option.
if (mount("none", controller->path(), "cgroup2", MS_NODEV | MS_NOEXEC | MS_NOSUID,
"memory_recursiveprot") < 0) {
LOG(INFO) << "Mounting memcg with memory_recursiveprot failed. Retrying without.";
if (mount("none", controller->path(), "cgroup2", MS_NODEV | MS_NOEXEC | MS_NOSUID,
nullptr) < 0) {
PLOG(ERROR) << "Failed to mount cgroup v2";
}
}
// selinux permissions change after mounting, so it's ok to change mode and owner now
if (!ChangeDirModeAndOwner(controller->path(), descriptor.mode(), descriptor.uid(),
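Review bot: In the fallback branch, a failure of the second mount() (the one passing nullptr) is only logged with PLOG(ERROR) << "Failed to mount cgroup v2" and control then falls through to ChangeDirModeAndOwner. The earlier code stored the mount() return value in result, but none of the new lines assign result or return false, so as far as this hunk shows a failed mount no longer propagates to the caller. Suggest keeping the assignment in both attempts (result = mount(...)) or returning false right after the PLOG(ERROR). Two smaller points on the first attempt: the retry is taken on any mount() error, not only the one an older kernel gives for an unknown option, and LOG(INFO) discards errno. Using PLOG there would record why the fallback happened, which matters because a system mounted without memory_recursiveprot silently keeps the original non-recursive memory.min/memory.low semantics.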