libct: use manager.AddPid to add exec to cgroup

The main benefit here is when we are using a systemd cgroup driver,
we actually ask systemd to add a PID, rather than doing it ourselves.
This way, we can add rootless exec PID to a cgroup.

This requires newer opencontainers/cgroups and coreos/go-systemd.

Signed-off-by: Kir Kolyshkin <[email protected]>

Author: kolyshkin

go.mod

@@ -14,7 +14,7 @@ require (
 	github.com/moby/sys/user v0.4.0
 	github.com/moby/sys/userns v0.1.0
 	github.com/mrunalp/fileutils v0.5.1
-	github.com/opencontainers/cgroups v0.0.4
+	github.com/opencontainers/cgroups v0.0.5
 	github.com/opencontainers/runtime-spec v1.2.2-0.20250818071321-383cadbf08c0
 	github.com/opencontainers/selinux v1.12.0
 	github.com/seccomp/libseccomp-golang v0.11.1

go.sum

@@ -44,8 +44,8 @@ github.com/moby/sys/userns v0.1.0 h1:tVLXkFOxVu9A64/yh59slHVv9ahO9UIev4JZusOLG/g
 github.com/moby/sys/userns v0.1.0/go.mod h1:IHUYgu/kao6N8YZlp9Cf444ySSvCmDlmzUcYfDHOl28=
 github.com/mrunalp/fileutils v0.5.1 h1:F+S7ZlNKnrwHfSwdlgNSkKo67ReVf8o9fel6C3dkm/Q=
 github.com/mrunalp/fileutils v0.5.1/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ=
-github.com/opencontainers/cgroups v0.0.4 h1:XVj8P/IHVms/j+7eh8ggdkTLAxjz84ZzuFyGoE28DR4=
-github.com/opencontainers/cgroups v0.0.4/go.mod h1:s8lktyhlGUqM7OSRL5P7eAW6Wb+kWPNvt4qvVfzA5vs=
+github.com/opencontainers/cgroups v0.0.5 h1:DRITAqcOnY0uSBzIpt1RYWLjh5DPDiqUs4fY6Y0ktls=
+github.com/opencontainers/cgroups v0.0.5/go.mod h1:oWVzJsKK0gG9SCRBfTpnn16WcGEqDI8PAcpMGbqWxcs=
 github.com/opencontainers/runtime-spec v1.2.2-0.20250818071321-383cadbf08c0 h1:RLn0YfUWkiqPGtgUANvJrcjIkCHGRl3jcz/c557M28M=
 github.com/opencontainers/runtime-spec v1.2.2-0.20250818071321-383cadbf08c0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/selinux v1.12.0 h1:6n5JV4Cf+4y0KNXW48TLj5DwfXpvWlxXplUkdTrmPb8=

libcontainer/container_linux_test.go

@@ -32,6 +32,10 @@ func (m *mockCgroupManager) Apply(pid int) error {
 	return nil
 }
 
+func (m *mockCgroupManager) AddPid(_ string, _ int) error {
+	return nil
+}
+
 func (m *mockCgroupManager) Set(_ *cgroups.Resources) error {
 	return nil
 }

libcontainer/process_linux.go

@@ -247,6 +247,18 @@ func (p *setnsProcess) setFinalCPUAffinity() error {
 }
 
 func (p *setnsProcess) addIntoCgroupV1() error {
+	if sub, ok := p.process.SubCgroupPaths[""]; ok || len(p.process.SubCgroupPaths) == 0 {
+		// Either same sub-cgroup for all paths, or no sub-cgroup.
+		err := p.manager.AddPid(sub, p.pid())
+		if err != nil && !p.rootlessCgroups {
+			return fmt.Errorf("error adding pid %d to cgroups: %w", p.pid(), err)
+		}
+		return nil
+	}
+
+	// Per-controller sub-cgroup paths. Not supported by AddPid (or systemd),
+	// so we have to calculate and check all sub-cgroup paths, and write
+	// directly to cgroupfs.
 	paths := maps.Clone(p.manager.GetPaths())
 	for ctrl, sub := range p.process.SubCgroupPaths {
 		base, ok := paths[ctrl]
@@ -255,7 +267,7 @@ func (p *setnsProcess) addIntoCgroupV1() error {
 		}
 		cgPath := path.Join(base, sub)
 		if !strings.HasPrefix(cgPath, base) {
-			return fmt.Errorf("%s is not a sub cgroup path", sub)
+			return fmt.Errorf("bad sub cgroup path: %s", sub)
 		}
 		paths[ctrl] = cgPath
 	}
@@ -270,18 +282,10 @@ func (p *setnsProcess) addIntoCgroupV1() error {
 }
 
 func (p *setnsProcess) addIntoCgroupV2() error {
-	base := p.manager.Path("")
-	sub := ""
-	if p.process.SubCgroupPaths != nil {
-		sub = p.process.SubCgroupPaths[""]
-	}
-	cgPath := path.Join(base, sub)
-	if !strings.HasPrefix(cgPath, base) {
-		return fmt.Errorf("%s is not a sub cgroup path", sub)
-	}
-
-	if err := cgroups.WriteCgroupProc(cgPath, p.pid()); err != nil && !p.rootlessCgroups {
-		// On cgroup v2 + nesting + domain controllers, WriteCgroupProc may fail with EBUSY.
+	sub := p.process.SubCgroupPaths[""]
+	err := p.manager.AddPid(sub, p.pid())
+	if err != nil && !p.rootlessCgroups {
+		// On cgroup v2 + nesting + domain controllers, adding to initial cgroup may fail with EBUSY.
 		// https://github.com/opencontainers/runc/issues/2356#issuecomment-621277643
 		// Try to join the cgroup of InitProcessPid, unless sub-cgroup is explicitly set.
 		if p.initProcessPid != 0 && sub == "" {
@@ -290,8 +294,8 @@ func (p *setnsProcess) addIntoCgroupV2() error {
 			if initCgErr == nil {
 				if initCgPath, ok := initCg[""]; ok {
 					initCgDirpath := filepath.Join(fs2.UnifiedMountpoint, initCgPath)
-					logrus.Debugf("adding pid %d to cgroup %s failed (%v), attempting to join %s",
-						p.pid(), cgPath, err, initCgDirpath)
+					logrus.Debugf("adding pid %d to cgroup failed (%v), attempting to join %s",
+						p.pid(), err, initCgDirpath)
 					// NOTE: initCgDirPath is not guaranteed to exist because we didn't pause the container.
 					err = cgroups.WriteCgroupProc(initCgDirpath, p.pid())
 				}

tests/integration/exec.bats

@@ -226,17 +226,17 @@ function check_exec_debug() {
 	# Check we can't join parent cgroup.
 	runc exec --cgroup ".." test_busybox cat /proc/self/cgroup
 	[ "$status" -ne 0 ]
-	[[ "$output" == *" .. is not a sub cgroup path"* ]]
+	[[ "$output" == *"bad sub cgroup path"* ]]
 
 	# Check we can't join non-existing subcgroup.
 	runc exec --cgroup nonexistent test_busybox cat /proc/self/cgroup
 	[ "$status" -ne 0 ]
-	[[ "$output" == *" adding pid "*"/nonexistent/cgroup.procs: no such file "* ]]
+	[[ "$output" == *" adding pid "*"o such file or directory"* ]]
 
 	# Check we can't join non-existing subcgroup (for a particular controller).
 	runc exec --cgroup cpu:nonexistent test_busybox cat /proc/self/cgroup
 	[ "$status" -ne 0 ]
-	[[ "$output" == *" adding pid "*"/nonexistent/cgroup.procs: no such file "* ]]
+	[[ "$output" == *" adding pid "*"o such file or directory"* ]]
 
 	# Check we can't specify non-existent controller.
 	runc exec --cgroup whaaat:/ test_busybox true
@@ -277,12 +277,12 @@ function check_exec_debug() {
 	# Check we can't join parent cgroup.
 	runc exec --cgroup ".." test_busybox cat /proc/self/cgroup
 	[ "$status" -ne 0 ]
-	[[ "$output" == *" .. is not a sub cgroup path"* ]]
+	[[ "$output" == *"bad sub cgroup path"* ]]
 
 	# Check we can't join non-existing subcgroup.
 	runc exec --cgroup nonexistent test_busybox cat /proc/self/cgroup
 	[ "$status" -ne 0 ]
-	[[ "$output" == *" adding pid "*"/nonexistent/cgroup.procs: no such file "* ]]
+	[[ "$output" == *" adding pid "*"o such file or directory"* ]]
 
 	# Check we can join top-level cgroup (implicit).
 	runc exec test_busybox grep '^0::/$' /proc/self/cgroup
@@ -318,7 +318,7 @@ function check_exec_debug() {
 	# Check that --cgroup / disables the init cgroup fallback.
 	runc exec --cgroup / test_busybox true
 	[ "$status" -ne 0 ]
-	[[ "$output" == *" adding pid "*" to cgroups"*"/cgroup.procs: device or resource busy"* ]]
+	[[ "$output" == *" adding pid "*" to cgroups"*"evice or resource busy"* ]]
 
 	# Check that explicit --cgroup foobar works.
 	runc exec --cgroup foobar test_busybox grep '^0::/foobar$' /proc/self/cgroup