diff --git a/cgattach.cpp b/cgattach.cpp
index 7919c92..9ae62a7 100644
--- a/cgattach.cpp
+++ b/cgattach.cpp
@@ -31,6 +31,14 @@ bool validate(string pid, string cgroup) {
 exit(EXIT_FAILURE);
 }
 
+string get_cgroup2_mount_point(){
+ char cgroup2_mount_point[100];
+ FILE* fp = popen("findmnt -t cgroup2 -n |cut -d' ' -f 1", "r");
+ fscanf(fp,"%s",&cgroup2_mount_point);
+ fclose(fp);
+ return cgroup2_mount_point;
+}
+
 int main(int argc, char *argv[]) {
 setuid(0);
 setgid(0);
@@ -48,7 +56,8 @@ int main(int argc, char *argv[]) {
 string pid = string(argv[1]);
 string cgroup_target = string(argv[2]);
 validate(pid, cgroup_target);
- string cgroup_mount_point = "/sys/fs/cgroup";
+ // string cgroup_mount_point = "/sys/fs/cgroup";
+ string cgroup_mount_point = get_cgroup2_mount_point();
 string cgroup_target_path = cgroup_mount_point + cgroup_target;
 string cgroup_target_procs = cgroup_target_path + "/cgroup.procs";
 
diff --git a/cgroup-tproxy.sh b/cgroup-tproxy.sh
index 20592ec..2cadbf7 100644
--- a/cgroup-tproxy.sh
+++ b/cgroup-tproxy.sh
@@ -3,14 +3,14 @@ print_help(){
 cat << 'DOC'
 #############################################################################
 #
-# 1. For now, linux default using cgroup v1 for compatibility
-# this script need cgroup v2, you need enable cgroup v2 in your system.
+# 1. This script need cgroup v2
 #
 # 2. Listening port is expected to accept iptables TPROXY, while REDIRECT
 # will not work in this script, because REDIRECT only support tcp/ipv4
 #
-# 3. TPROXY need root or cap_net_admin capability whatever process is listening on port
-# v2ray as example: sudo setcap cap_net_admin+ep /usr/lib/v2ray/v2ray
+# 3. TPROXY need root or special capability whatever process is listening on port
+# v2ray as example:
+# sudo setcap "cap_net_bind_service=+ep cap_net_admin=+ep" /usr/lib/v2ray/v2ray
 #
 # 4. this script will proxy anything running in specific cgroup
 #
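Review bot: `get_cgroup2_mount_point` runs `findmnt` and `cut` through `popen()`, i.e. `/bin/sh -c`, in a program whose `main` calls `setuid(0)` a few lines below, so both commands are located and executed with the caller's environment (PATH and friends) but with root privileges; the mount point should be read from the mount table directly rather than via a shell. The same body has four C-level defects: the `popen()` result is never checked before `fscanf`, `%s` into a 100-byte array is unbounded and `&cgroup2_mount_point` has type `char (*)[100]` rather than the `char *` that `%s` expects, the `fscanf` return is ignored so an empty pipe (no cgroup2 mount) returns an uninitialized buffer as a `string`, and a stream from `popen()` must be closed with `pclose()`, not `fclose()`. The rewrite below walks `/proc/self/mounts` with `getmntent()` (needs `#include <mntent.h>` and `<cstring>`) and returns an empty string when no cgroup2 filesystem is mounted, which the caller must check before building a path. `main` begins in this hunk and continues outside it.
```cpp
string get_cgroup2_mount_point(){
    // Read the kernel mount table directly instead of spawning a shell from
    // a process that has already called setuid(0). Returns "" when no
    // cgroup2 filesystem is mounted; callers must check for that.
    string mount_point;
    FILE* mtab = setmntent("/proc/self/mounts", "r");
    if (mtab == NULL) {
        return mount_point;
    }
    struct mntent* ent;
    while ((ent = getmntent(mtab)) != NULL) {
        if (strcmp(ent->mnt_type, "cgroup2") == 0) {
            mount_point = ent->mnt_dir;
            break;
        }
    }
    endmntent(mtab);
    return mount_point;
}
```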
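Review bot: The value returned by `get_cgroup2_mount_point()` is concatenated into `cgroup_target_path` with no check, and the process is already root at this point, so when no cgroup2 mount is found the later write to `cgroup.procs` is attempted under whatever prefix the helper produced plus the user-supplied target (with the helper as written that prefix is an uninitialized buffer; with a helper that returns `""` it is the bare target). Add a guard before the concatenation, reporting the error the same way `validate` does: `if (cgroup_mount_point.empty() || cgroup_mount_point[0] != '/') exit(EXIT_FAILURE);`. The commented-out `// string cgroup_mount_point = "/sys/fs/cgroup";` line is dead code and should be removed rather than kept. The body of `main` continues outside the hunk.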
@@ -51,11 +51,10 @@ make_newin=0x02
 ## cgroup things
 # cgroup_mount_point=$(findmnt -t cgroup,cgroup2 -n -J|jq '.filesystems[0].target')
 # cgroup_type=$(findmnt -t cgroup,cgroup2 -n -J|jq '.filesystems[0].fstype')
-cgroup_mount_point="/sys/fs/cgroup"
+cgroup_mount_point=$(findmnt -t cgroup2 -n |cut -d' ' -f 1)
 cgroup_type="cgroup2"
 cgroup_procs_file="cgroup.procs"
 
-set -x
 ## parse parameter
 for i in "$@"
 do
diff --git a/readme.md b/readme.md
index f5d0d0b..222768c 100644
--- a/readme.md
+++ b/readme.md
@@ -29,18 +29,14 @@ It aslo supports global transparent proxy. See [Global transparent proxy](#globa
 - cgroup2 - Why cgroup v2? Because simple, elegant and intuitive. - - For now, linux default using cgroup v1 for compatibility, this project need cgroup v2, you need disable cgroup v1 and enable cgroup v2 in your system. see [Disabling v1 cgroups](https://wiki.archlinux.org/index.php/Cgroups#Disabling_v1_cgroups). - - - `findmnt -t cgroup,cgroup2` to find out your cgroup version + Both cgroup and cgroup2 are enable in linux by default. So you don't have to do anything about this. - `systemd-cgls` to see the cgroup hierarchical tree. + - Why cgroup v2? Because simple, elegant and intuitive. - TPROXY A process listening on port (e.g. 12345) to accept iptables TPROXY, for example v2ray's dokodemo-door in tproxy mode. - - Why not REDIRECT? Because REDIRECT only supports tcp and ipv4. + Why not REDIRECT? Because REDIRECT only supports tcp and ipv4. ## How to install
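Review bot: `cgroup_mount_point=$(findmnt -t cgroup2 -n |cut -d' ' -f 1)` is silently empty when no cgroup2 filesystem is mounted, and nothing in the hunk checks it before the variable is presumably used to build cgroup paths later in the script, so those paths would collapse to root-relative ones (and the iptables work suggests this runs as root). findmnt can select the column itself, which also drops the `cut` that mis-parses a mount point containing a space: `cgroup_mount_point=$(findmnt -t cgroup2 -n -f -o TARGET)` followed by `[ -n "$cgroup_mount_point" ] || { echo "cgroup2 is not mounted" >&2; exit 1; }`. The two commented-out `findmnt ... | jq` lines just above the change are now superseded by the live lookup and could be deleted.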