Move all cgroup adoption helpers to its own pkg

Author: reboss

Dockerfile

@@ -183,7 +183,7 @@ FROM base AS gowinres
 ARG GOWINRES_VERSION=v0.3.1
 RUN --mount=type=cache,target=/root/.cache/go-build \
     --mount=type=cache,target=/go/pkg/mod \
-        GOBIN=/build/ GO111MODULE=on go install "github.com/tc-hib/go-winres@${GOWINRES_VERSION}" \
+        GOBIN=/build/ GO111MODULE=on GOINSECURE=proxy.golang.org go install "github.com/tc-hib/go-winres@${GOWINRES_VERSION}" \
      && /build/go-winres --help
 
 # containerd

api/server/router/container/container_routes.go

@@ -8,14 +8,12 @@ import (
 	"net/http"
 	"runtime"
 	"strconv"
-	"strings"
-	"os"
 
 	"github.com/containerd/containerd/platforms"
 	"github.com/docker/docker/api/server/httpstatus"
 	"github.com/docker/docker/api/server/httputils"
 	"github.com/docker/docker/api/types"
-	"github.com/docker/docker/pkg/ctxkey"
+	"github.com/docker/docker/pkg/cgroups"
 	"github.com/docker/docker/api/types/backend"
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/filters"
@@ -477,65 +475,6 @@ func (s *containerRouter) postContainerUpdate(ctx context.Context, w http.Respon
 	return httputils.WriteJSON(w, http.StatusOK, resp)
 }
 
-// deriveParentFromProc finds the deepest ".slice" in the caller's cgroup path
-// and returns it as a systemd slice path, e.g. "user.slice/user-1000.slice".
-func deriveParentFromProc(mode string, pc *ctxkey.PeerCred) (string, error) {
-	if pc == nil || pc.PID == 0 {
-		return "", fmt.Errorf("no peer credentials")
-	}
-	data, err := os.ReadFile(fmt.Sprintf("/proc/%d/cgroup", pc.PID))
-	if err != nil {
-		return "", fmt.Errorf("read cgroup: %w", err)
-	}
-	// On cgroup v2, there is one line like: "0::/user.slice/user-1000.slice/session-6.scope"
-	// On cgroup v1, systemd is "name=systemd:/user.slice/user-1000.slice/session-6.scope"
-	lines := strings.Split(string(data), "\n")
-	var path string
-	for _, ln := range lines {
-		if ln == "" {
-			continue
-		}
-		parts := strings.SplitN(ln, ":", 3)
-		if len(parts) < 3 {
-			continue
-		}
-		controller, cgPath := parts[1], parts[2]
-		if controller == "" || controller == "name=systemd" || controller == "" /* v2 */ {
-			path = cgPath
-			// prefer v2 line if present; break on first match
-			if strings.HasPrefix(ln, "0::") {
-				break
-			}
-		}
-	}
-	if path == "" {
-		return "", fmt.Errorf("no cgroup path found")
-	}
-	// Extract slice segments ending with ".slice"
-	segs := strings.Split(strings.TrimPrefix(path, "/"), "/")
-	var slices []string
-	for _, s := range segs {
-		if strings.HasSuffix(s, ".slice") {
-			slices = append(slices, s)
-		}
-	}
-	if len(slices) == 0 {
-		// Fallback to uid mapping
-		return fmt.Sprintf("user.slice/user-%d.slice", pc.UID), nil
-	}
-	// Build "slice path" up to the deepest slice (exclude scopes/services)
-	// e.g., user.slice/user-1000.slice
-	var b strings.Builder
-	for i, s := range slices {
-		if i > 0 {
-			b.WriteString("/")
-		}
-		b.WriteString(s)
-	}
-	return b.String(), nil
-}
-
-
 func (s *containerRouter) postContainersCreate(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
 	if err := httputils.ParseForm(r); err != nil {
 		return err
@@ -559,14 +498,14 @@ func (s *containerRouter) postContainersCreate(ctx context.Context, w http.Respo
 	    logrus.Info("initialized empty HostConfig")
 	}
 
-	if cred, ok := r.Context().Value(ctxkey.PeerCredKey).(*ctxkey.PeerCred); ok && cred != nil {
+	if cred, ok := r.Context().Value(cgroups.PeerCredKey).(*cgroups.PeerCred); ok && cred != nil {
 		logrus.WithFields(logrus.Fields{
 			"pid": cred.PID,
 			"uid": cred.UID,
 			"gid": cred.GID,
 		}).Debug("retrieved peer credentials from context")
 
-		if parent, err := deriveParentFromProc("syetemd", cred); err == nil {
+		if parent, err := cgroups.DeriveParentFromProc(cred); err == nil {
 			hostConfig.CgroupParent = parent
 			logrus.WithFields(logrus.Fields{
 				"pid":           cred.PID,

cmd/dockerd/daemon.go

@@ -13,8 +13,6 @@ import (
 	"strings"
 	"sync"
 	"time"
-	"syscall"
-	"golang.org/x/sys/unix"
 
 
 	containerddefaults "github.com/containerd/containerd/defaults"
@@ -24,7 +22,7 @@ import (
 	"github.com/docker/docker/api/server/middleware"
 	"github.com/docker/docker/api/server/router"
 	"github.com/docker/docker/api/server/router/build"
-	"github.com/docker/docker/pkg/ctxkey"
+	"github.com/docker/docker/pkg/cgroups"
 	checkpointrouter "github.com/docker/docker/api/server/router/checkpoint"
 	"github.com/docker/docker/api/server/router/container"
 	distributionrouter "github.com/docker/docker/api/server/router/distribution"
@@ -85,37 +83,6 @@ func NewDaemonCli() *DaemonCli {
 	}
 }
 
-func getPeerCred(c net.Conn) (*ctxkey.PeerCred, error) {
-	sc, ok := c.(syscall.Conn)
-	if !ok {
-		return nil, fmt.Errorf("not a syscall.Conn")
-	}
-
-	raw, err := sc.SyscallConn()
-	if err != nil {
-		return nil, fmt.Errorf("SyscallConn: %w", err)
-	}
-
-	var cred *ctxkey.PeerCred
-	var ctrlErr error
-
-	// Control runs a function with the underlying FD.
-	if err := raw.Control(func(fd uintptr) {
-		ucred, err := unix.GetsockoptUcred(int(fd), unix.SOL_SOCKET, unix.SO_PEERCRED)
-		if err != nil {
-			ctrlErr = err
-			return
-		}
-		cred = &ctxkey.PeerCred{PID: int(ucred.Pid), UID: int(ucred.Uid), GID: int(ucred.Gid)}
-	}); err != nil {
-		return nil, fmt.Errorf("raw.Control: %w", err)
-	}
-	if ctrlErr != nil {
-		return nil, fmt.Errorf("getsockopt SO_PEERCRED: %w", ctrlErr)
-	}
-	return cred, nil
-}
-
 func (cli *DaemonCli) start(opts *daemonOptions) (err error) {
 	if cli.Config, err = loadDaemonCliConfig(opts); err != nil {
 		return err
@@ -221,14 +188,14 @@ func (cli *DaemonCli) start(opts *daemonOptions) (err error) {
 	httpServer := &http.Server{
 		ReadHeaderTimeout: 5 * time.Minute, // "G112: Potential Slowloris Attack (gosec)"; not a real concern for our use, so setting a long timeout.
 		ConnContext: func(ctx context.Context, c net.Conn) context.Context {
-			if cred, err := getPeerCred(c); err == nil && cred != nil {
+			if cred, err := cgroups.GetPeerCred(c); err == nil && cred != nil {
 				logrus.WithFields(logrus.Fields{
 					"pid": cred.PID,
 					"uid": cred.UID,
 					"gid": cred.GID,
 					"remoteAddr": c.RemoteAddr().String(),
 				}).Info("accepted new connection with peer credentials")
-				return context.WithValue(ctx, ctxkey.PeerCredKey, cred)
+				return context.WithValue(ctx, cgroups.PeerCredKey, cred)
 			} else if err != nil {
 				logrus.WithError(err).Error("getPeerCred error")
 			}

pkg/cgroups/cgroups.go

@@ -0,0 +1,135 @@
+package cgroups
+
+import (
+	"os"
+	"fmt"
+	"strings"
+	"net"
+	"syscall"
+        "golang.org/x/sys/unix"
+)
+
+// PeerCredKey is used as the context key for storing peer credentials.
+var PeerCredKey = &struct{}{}
+
+type PeerCred struct {
+	PID int
+	UID int
+	GID int
+}
+
+func GetPeerCred(c net.Conn) (*PeerCred, error) {
+    sc, ok := c.(syscall.Conn)
+    if !ok {
+        return nil, fmt.Errorf("not a syscall.Conn")
+    }
+
+    raw, err := sc.SyscallConn()
+    if err != nil {
+        return nil, fmt.Errorf("SyscallConn: %w", err)
+    }
+
+    var cred *PeerCred
+    var ctrlErr error
+
+    // Control runs a function with the underlying FD.
+    if err := raw.Control(func(fd uintptr) {
+        ucred, err := unix.GetsockoptUcred(int(fd), unix.SOL_SOCKET, unix.SO_PEERCRED)
+        if err != nil {
+            ctrlErr = err
+            return
+        }
+        cred = &PeerCred{PID: int(ucred.Pid), UID: int(ucred.Uid), GID: int(ucred.Gid)}
+    }); err != nil {
+        return nil, fmt.Errorf("raw.Control: %w", err)
+    }
+    if ctrlErr != nil {
+        return nil, fmt.Errorf("getsockopt SO_PEERCRED: %w", ctrlErr)
+    }
+    return cred, nil
+}
+
+func DeriveParentFromProcCgroupfs(pc *PeerCred) (string, error) {
+    if pc == nil || pc.PID == 0 {
+        return "", fmt.Errorf("no peer credentials")
+    }
+
+    data, err := os.ReadFile(fmt.Sprintf("/proc/%d/cgroup", pc.PID))
+    if err != nil {
+        return "", fmt.Errorf("read cgroup: %w", err)
+    }
+
+    var path string
+    for _, ln := range strings.Split(string(data), "\n") {
+        if ln == "" { continue }
+        parts := strings.SplitN(ln, ":", 3)
+        if len(parts) < 3 { continue }
+        if strings.HasPrefix(ln, "0::") {
+            path = parts[2]
+            break
+        }
+        if parts[1] == "cpu" { path = parts[2] }
+    }
+    if path == "" {
+        return "", fmt.Errorf("no cgroup path found")
+    }
+    return path, nil
+}
+
+// deriveParentFromProc finds the deepest ".slice" in the caller's cgroup path
+// and returns it as a systemd slice path, e.g. "user.slice/user-1000.slice".
+func DeriveParentFromProc(pc *PeerCred) (string, error) {
+    if pc == nil || pc.PID == 0 {
+        return "", fmt.Errorf("no peer credentials")
+    }
+    data, err := os.ReadFile(fmt.Sprintf("/proc/%d/cgroup", pc.PID))
+    if err != nil {
+        return "", fmt.Errorf("read cgroup: %w", err)
+    }
+    // On cgroup v2, there is one line like: "0::/user.slice/user-1000.slice/session-6.scope"
+    // On cgroup v1, systemd is "name=systemd:/user.slice/user-1000.slice/session-6.scope"
+    lines := strings.Split(string(data), "\n")
+    var path string
+    for _, ln := range lines {
+        if ln == "" {
+            continue
+        }
+        parts := strings.SplitN(ln, ":", 3)
+        if len(parts) < 3 {
+            continue
+        }
+        controller, cgPath := parts[1], parts[2]
+        if controller == "" || controller == "name=systemd" || controller == "" /* v2 */ {
+            path = cgPath
+            // prefer v2 line if present; break on first match
+            if strings.HasPrefix(ln, "0::") {
+                break
+            }
+        }
+    }
+    if path == "" {
+        return "", fmt.Errorf("no cgroup path found")
+    }
+    // Extract slice segments ending with ".slice"
+    segs := strings.Split(strings.TrimPrefix(path, "/"), "/")
+    var slices []string
+    for _, s := range segs {
+        if strings.HasSuffix(s, ".slice") {
+            slices = append(slices, s)
+        }
+    }
+    if len(slices) == 0 {
+        // Fallback to uid mapping
+        return fmt.Sprintf("user.slice/user-%d.slice", pc.UID), nil
+    }
+    // Build "slice path" up to the deepest slice (exclude scopes/services)
+    // e.g., user.slice/user-1000.slice
+    var b strings.Builder
+    for i, s := range slices {
+        if i > 0 {
+            b.WriteString("/")
+        }
+        b.WriteString(s)
+    }
+    return b.String(), nil
+}