Commit Graph

198 Commits

Author SHA1 Message Date
Akihiro Suda 9748b48742
Merge pull request #2229 from RenaudWasTaken/create-container
Add CreateRuntime, CreateContainer and StartContainer Hooks
2020-06-19 12:27:51 +09:00
Renaud Gaubert 861afa7509 Add integration tests for the new runc hooks
This patch adds a test based on real world usage of runc hooks
(libnvidia-container). We verify that mounting a library inside
a container and running ldconfig succeeds.

Signed-off-by: Renaud Gaubert <rgaubert@nvidia.com>
2020-06-19 02:39:20 +00:00
Mrunal Patel 406298fdf0
Merge pull request #2466 from kolyshkin/systemd-cpu-quota-period
cgroups/systemd: add setting CPUQuotaPeriod prop
2020-06-17 12:03:30 -07:00
Kir Kolyshkin e751a168dc cgroups/systemd: add setting CPUQuotaPeriod prop
For some reason, runc systemd drivers (both v1 and v2) never set
systemd unit property named `CPUQuotaPeriod` (known as
`CPUQuotaPeriodUSec` on dbus and in `systemctl show` output).

Set it, and add a check to all the integration tests. The check is less
than trivial because, when not set, the value is shown as "infinity" but
when set to the same (default) value, shown as "100ms", so in case we
expect 100ms (period = 100000 us), we have to _also_ check for
"infinity".

[v2: add systemd version checks since CPUQuotaPeriod requires v242+]

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-06-16 15:48:06 -07:00
Mrunal Patel 82d2fa4eb0
Merge pull request #2453 from AkihiroSuda/vagrant-centos7
CI: add CentOS 7 (kernel 3.10, systemd 219)
2020-06-15 21:09:43 -07:00
Kir Kolyshkin 5b247e739c
Merge pull request #2338 from lifubang/systemdcgroupv2
fix path error in systemd when stopped

LGTMs: @mrunalp @AkihiroSuda
2020-06-15 18:01:13 -07:00
Akihiro Suda fdc48376d1
Merge pull request #2458 from kolyshkin/cpu-quota-II
Cpu quota fixes, try II
2020-06-12 07:46:56 +09:00
Akihiro Suda 262ef5631a
update.bats: support systemd <= 226
The infinity value was changed in systemd 227.

systemd >= 227: "infinity"
systemd <= 226: 18446744073709551615

e.g. 03a7b521e3 (diff-423c8c1eeb2ef5b08849c3c30b7e53aeR558)

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-06-10 13:19:08 +09:00
Akihiro Suda 1f366c6a01
tests/rootless.sh: fix executing bats in non-root PATH
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-06-10 13:19:07 +09:00
Akihiro Suda 6246bb1110
spec.bats: avoid using `git -C`
`git -C` is not present in git 1.8.3.1 shipped in CentOS 7

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-06-10 13:19:07 +09:00
Mrunal Patel b2163040db
Merge pull request #2454 from AkihiroSuda/ci-fix-rt
test "update rt period and runtime": fix up runtime and period
2020-06-09 21:17:37 -07:00
Kir Kolyshkin 1b03e72554 tests/int/update: more cpu period/quota cases
Add four "corner case" tests that check that the CPU period/quota
can be set/updated even in case neither CPU quota nor CPU period
(were previously) set.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-06-09 17:38:24 -07:00
Kir Kolyshkin 1832bf0b88 tests/int/update: add cpu-quota -1 tests
Check that resetting cpu quota works.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-06-09 17:17:13 -07:00
Kir Kolyshkin 7c2b23497e tests/integration/update: enable cpu quota for v2
Also, enable tests of setting quota and period separately in case
systemd cgroup driver is used, as commit 32746fb334
("update: do not overwrite old cpu quota/period") made it possible
to do so.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-06-09 17:16:47 -07:00
lifubang 4be5435569 add integration test for ps/kill after the container stopped
Signed-off-by: lifubang <lifubang@acmcoder.com>
2020-06-06 08:57:10 +08:00
Aleksa Sarai 1b97c04f98
merge branch 'pr-2445'
John Hwang (1):
  Replace sed with jq for more readable json manipulation in tests

LGTMs: @kolyshkin @cyphar
Closes #2445
2020-06-06 06:13:29 +10:00
John Hwang 79fe41d3c1 Replace sed with jq for more readable json manipulation in tests
Signed-off-by: John Hwang <John.F.Hwang@gmail.com>
2020-06-03 18:35:47 -07:00
Akihiro Suda 10d1e1ed06 test "update rt period and runtime": fix up runtime and period
Fix #2046

Previously, the test was failing with EINVAL during writing 500001 to `/sys/fs/cgroup/cpu,cpuacct/runc-cgroups-integration-test/test-cgroup/cpu.rt_runtime_us`, because `/sys/fs/cgroup/cpu,cpuacct/runc-cgroups-integration-test/cpu.rt_runtime_us` was initialized with 0.

The issue had not been caught in Ubuntu 18.04 CI because it doesn't support rt.

Tested on Ubuntu 20.04.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-06-03 16:59:10 +09:00
Akihiro Suda 4ad326a37d silence "which: no criu"
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-06-02 18:59:19 +09:00
Mrunal Patel dbe5acade3
Merge pull request #2439 from kolyshkin/int-noswap
integration tests fixes for no swap ctrl case
2020-05-31 10:06:08 -07:00
Akihiro Suda c91fe9aeba cgroup2: exec: join the cgroup of the init process on EBUSY
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-05-31 13:09:43 +09:00
Kir Kolyshkin ed1f14afb5 tests/int/events: skip oom test if no swap
In case swap cgroup control is not available, the "event oom" test gives
the following error:

> # not ok 30 events oom
> # (in test file tests/integration/events.bats, line 134)
> #   `[ "$status" -eq 0 ]' failed
> # <....>
> # runc run -d --console-socket /tmp/console.sock test_busybox (status=1):
> # time="2020-05-29T02:10:20Z" level=warning msg="signal: killed"
> # time="2020-05-29T02:10:20Z" level=error msg="container_linux.go:353: starting container process caused: process_linux.go:437: container init caused: process_linux.go:403: setting cgroup config for procHooks process caused: failed to write \"33554432\" to \"/sys/fs/cgroup/memory/test_busybox/memory.memsw.limit_in_bytes\": open /sys/fs/cgroup/memory/test_busybox/memory.memsw.limit_in_bytes: permission denied"

When I try to run the test without setting the swap limit, the shell
process is still getting killed, but the test hangs. I am not sure what
the reason is, but realistically this test is hard to perform without
the swap limit, so let's require cgroup swap for it.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-05-30 14:48:02 -07:00
Kir Kolyshkin 755b1016ee test/int/update: simplify mem+swap presence check
For v2, mem+swap is always present. For v1, check it once and set a
variable which is used below.

This also removes CGROUP_MEMORY for v2 case since it's no longer used.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-05-30 14:47:28 -07:00
Kir Kolyshkin 8d94363343 test/int/update: simplify mem+swap checks
The "unlimited" value is the same for memory and memory+swap,
so let's use SYSTEM_MEM for both.

In fact, it was already used in one place to check swap, probably due to
a typo.

This also fixes the following failure on a cgroup v1 system without
mem+swap control (Ubuntu 19.04):

> # not ok 78 update cgroup v1/v2 common limits
> # (in test file tests/integration/update.bats, line 72)
> #   `SYSTEM_MEM_SWAP=$(cat "${CGROUP_MEMORY_BASE_PATH}/$MEM_SWAP")' failed

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-05-30 14:42:44 -07:00
Kir Kolyshkin a78e21b500 tests/int/delete.bats: fixups
1. __runc does not set $status, so the check is misleading.

2. Add set +eux to the nest.sh script so we can error out early, and see
   what is going on.

3. Doing "echo +io" > cgroup.controllers is giving an error on my
   machine ("sh: write error: Operation not supported"). It is probably
   fine to just enable pids controller.

4. Add status check for runc exec nest.sh

5. Remove the second check for cgroup.threads contents -- it was already
   checked earlier (the output of nest.sh script).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-05-28 11:48:16 -07:00
Mrunal Patel 4f0bdafc8a
Merge pull request #2412 from lifubang/removecgpath
remove cgroup path recursively in cgroup v2
2020-05-27 15:50:14 -07:00
Kir Kolyshkin be5467872d cgroupv1: minimal fix for cpu quota regression
This is a quick-n-dirty fix the regression introduced by commit
06d7c1d, which made it impossible to only set CpuQuota
(without the CpuPeriod). It partially reverts the above commit,
and adds a test case.

The proper fix will follow.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-05-26 11:02:16 -07:00
lifubang 82fa194179 remove cgroup path recursively in cgroup v2
Signed-off-by: lifubang <lifubang@acmcoder.com>
2020-05-26 23:35:20 +08:00
Akihiro Suda 1f737eebaa
Merge pull request #2426 from kolyshkin/mem-swap-unlim
Fix some cases of swap setting
2020-05-26 14:48:59 +09:00
Akihiro Suda 7673bee6bf
Merge pull request #2395 from lifubang/updateCgroupv2
Partially revert "CreateCgroupPath: only enable needed controllers"
2020-05-25 13:56:23 +09:00
Kir Kolyshkin 3c6e8ac4d2 cgroupv2: set mem+swap to max if mem set to max
... and mem+swap is not explicitly set otherwise.

This ensures compatibility with cgroupv1 controller which interprets
things this way.

With this fixed, we can finally enable swap tests for cgroupv2.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-05-22 21:32:16 -07:00
lifubang 275157193c add testcase for enable all supported controllers in cgroupv2
Signed-off-by: lifubang <lifubang@acmcoder.com>
2020-05-21 12:17:54 +08:00
Kir Kolyshkin 59897367c4 cgroups/systemd: allow to set -1 as pids.limit
Currently, both systemd cgroup drivers (v1 and v2) only set
"TasksMax" unit property if the value > 0, so there is no
way to update the limit to -1 / unlimited / infinity / max.

Since systemd driver is backed by fs driver, and both fs and fs2
set the limit of -1 properly, it works, but systemd still has
the old value:

 # runc --systemd-cgroup update $CT --pids-limit 42
 # systemctl show runc-$CT.scope | grep TasksMax
 TasksMax=42
 # cat /sys/fs/cgroup/system.slice/runc-$CT.scope/pids.max
 42

 # ./runc --systemd-cgroup update $CT --pids-limit -1
 # systemctl show runc-$CT.scope | grep TasksMax=
 TasksMax=42
 # cat /sys/fs/cgroup/system.slice/runc-xx77.scope/pids.max
 max

Fix by changing the condition to allow -1 as a valid value.

NOTE other negative values are still being ignored by systemd drivers
(as it was done before). I am not sure whether this is correct, or
should we return an error.

A test case is added.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-05-20 13:20:04 -07:00
Kir Kolyshkin 95413ecdb0 tests/int/update: add cgroupv1 systemd CPU checks
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-05-20 13:19:03 -07:00
Kir Kolyshkin 06d7c1d261 systemd+cgroupv1: fix updating CPUQuotaPerSecUSec
1. do not allow to set quota without period or period without quota, as we
   won't be able to calculate new value for CPUQuotaPerSecUSec otherwise.

2. do not ignore setting quota to -1 when a period is not set.

3. update the test case accordingly.

Note that systemd value checks will be added in the next commit.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-05-20 13:17:18 -07:00
Kir Kolyshkin 7abd93d156 tests/integration/update.bats: more systemd checks
1. add missing checks for systemd's MemoryMax / MemoryLimit.

2. add checks for systemd's MemoryLow and MemorySwapMax.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-05-20 13:16:50 -07:00
Kir Kolyshkin 4fc9fa05da tests/int: simplify check_systemd_value use
...so it will be easier to write more tests

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-05-20 13:15:11 -07:00
Mrunal Patel 825e91ada6
Merge pull request #2341 from kolyshkin/test-cpt-lazy
runc checkpoint: fix --status-fd to accept fd
2020-05-18 10:43:24 -07:00
Akihiro Suda 3f1e886991
Merge pull request #2391 from cyphar/devices-cgroup
cgroup: devices: major cleanups and minimal transition rules
2020-05-14 09:57:06 +09:00
lifubang fe0669b26d don't enable threaded mode by default
Because in threaded mode, we can't enable the memory controller -- it isn't thread-aware.

Signed-off-by: lifubang <lifubang@acmcoder.com>
2020-05-13 16:27:36 +08:00
Aleksa Sarai ba6eb28229
tests: add integration test for paused-and-updated containers
Such containers should remain paused after the update. This has
historically been true, but this helps ensure that the systemd cgroup
changes (freezing the container during SetUnitProperties) don't break
this behaviour.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2020-05-13 17:44:11 +10:00
Aleksa Sarai 4438eaa5e4
tests: add integration test for devices transition rules
Unfortunately, runc update doesn't support setting devices rules
directly so we have to trigger it by modifying a different rule (which
happens to trigger a devices update).

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2020-05-13 17:44:11 +10:00
Kir Kolyshkin ca1d135bd4 runc checkpoint: fix --status-fd to accept fd
1. The command `runc checkpoint --lazy-server --status-fd $FD` actually
accepts a file name as an $FD. Make it accept a file descriptor,
like its name implies and the documentation states.

In addition, since runc itself does not use the result of CRIU status
fd, remove the code which relays it, and pass the FD directly to CRIU.

Note 1: runc should close this file descriptor itself after passing it
to criu, otherwise whoever waits on it might wait forever.

Note 2: due to the way criu swrk consumes the fd (it reopens
/proc/$SENDER_PID/fd/$FD), runc can't close it as soon as criu swrk has
started. There is no good way to know when criu swrk has reopened the
fd, so we assume that as soon as we have received something back, the
fd is already reopened.

2. Since the meaning of --status-fd has changed, the test case using
it needs to be fixed as well.

Modify the lazy migration test to remove "sleep 2", actually waiting
for the the lazy page server to be ready.

While at it,

 - remove the double fork (using shell's background process is
   sufficient here);

 - check the exit code for "runc checkpoint" and "criu lazy-pages";

 - remove the check for no errors in dump.log after restore, as we
   are already checking its exit code.

[v2: properly close status fd after spawning criu]
[v3: move close status fd to after the first read]

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-05-11 15:36:50 -07:00
Akihiro Suda bf15cc99b1 cgroup v2: support rootless systemd
Tested with both Podman (master) and Moby (master), on Ubuntu 19.10 .

$ podman --cgroup-manager=systemd run -it --rm --runtime=runc \
  --cgroupns=host --memory 42m --cpus 0.42 --pids-limit 42 alpine
/ # cat /proc/self/cgroup
0::/user.slice/user-1001.slice/user@1001.service/user.slice/libpod-132ff0d72245e6f13a3bbc6cdc5376886897b60ac59eaa8dea1df7ab959cbf1c.scope
/ # cat /sys/fs/cgroup/user.slice/user-1001.slice/user@1001.service/user.slice/libpod-132ff0d72245e6f13a3bbc6cdc5376886897b60ac59eaa8dea1df7ab959cbf1c.scope/memory.max
44040192
/ # cat /sys/fs/cgroup/user.slice/user-1001.slice/user@1001.service/user.slice/libpod-132ff0d72245e6f13a3bbc6cdc5376886897b60ac59eaa8dea1df7ab959cbf1c.scope/cpu.max
42000 100000
/ # cat /sys/fs/cgroup/user.slice/user-1001.slice/user@1001.service/user.slice/libpod-132ff0d72245e6f13a3bbc6cdc5376886897b60ac59eaa8dea1df7ab959cbf1c.scope/pids.max
42

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-05-08 12:39:20 +09:00
lifubang 657407ff23 fix runc events error in cgroup v2
Signed-off-by: lifubang <lifubang@acmcoder.com>
2020-05-07 22:18:46 +08:00
Akihiro Suda 60c647e3b8 fs2: fix cgroup.subtree_control EPERM on rootless + add CI
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-04-27 13:30:15 +09:00
Kir Kolyshkin b19f9cecfe
Merge pull request #2343 from lifubang/updateSystemdScope
fix data inconsistency when using runc update in systemd driven cgroup
2020-04-24 23:34:19 -07:00
lifubang 10ba72a61f add integration test for runc update with systemd
Signed-off-by: lifubang <lifubang@acmcoder.com>
2020-04-24 16:58:29 +08:00
Kir Kolyshkin 32d52a0fab tests/checkpoint: enable for Fedora 31 / cgroup v2
With the fix in the previous commit and criu patched with support for
cgroupv2, these tests should now pass.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-04-22 11:40:28 -07:00
Kir Kolyshkin 00a2844ab4 tests/checkpoint: add simple c/r test for cgroupns
Same test as the first one, just with cgroupns enabled.

Since in case of cgroupv2 `runc spec` enables cgroupns,
this case was already tested by the first checkpoint test,
so skip it.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2020-04-22 11:06:24 -07:00