Commit Graph

34 Commits

Author SHA1 Message Date
Kenfe-Mickael Laventure 256f3a8ebc Add support for CgroupsPath field
Fixes #396

Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
2016-02-10 11:26:51 -08:00
Kenfe-Mickael Laventure dceeb0d0df Move pathClean to libcontainer/utils.CleanPath
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
2016-02-09 16:21:58 -08:00
Aleksa Sarai 75e38f94a0 cgroups: set memory cgroups in Set
Modify the memory cgroup code such that kmem is not managed by Set(), in
order to allow updating of memory constraints for containers by Docker.
This also removes the need to make memory a special case cgroup.

Signed-off-by: Aleksa Sarai <asarai@suse.com>
2016-01-22 07:46:43 +11:00
Mrunal Patel 41d9d26513 Add support for just joining in apply using cgroup paths
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-01-20 14:23:05 -05:00
Mrunal Patel 4c767d7046 Merge pull request #446 from cyphar/18-add-pids-controller
cgroup: add PIDs cgroup controller support
2016-01-11 16:56:00 -08:00
Aleksa Sarai a95483402e libcontainer: cgroups: loudly fail with Set
It is vital to loudly fail when a user attempts to set a cgroup limit
(rather than using the system default). Otherwise the user will assume
they have security they do not actually have. This mirrors the original
Apply() (that would set cgroup configs) semantics.

Signed-off-by: Aleksa Sarai <asarai@suse.com>
2016-01-12 10:06:35 +11:00
Aleksa Sarai f36ed4b174 libcontainer: cgroups: don't Set in Apply
Apply and Set are two separate operations, and it doesn't make sense to
group the two together (especially considering that the bootstrap
process is added to the cgroup as well). The only exception to this is
the memory cgroup, which requires the configuration to be set before
processes can join.

One of the weird cases to deal with is systemd. Systemd sets some of the
cgroup configuration options, but not all of them. Because memory is a
special case, we need to explicitly set memory in the systemd Apply().
Otherwise, the rest can be safely re-applied in .Set() as usual.

Signed-off-by: Aleksa Sarai <asarai@suse.com>
2016-01-12 10:06:35 +11:00
Aleksa Sarai db3159c9d9 libcontainer: cgroups: add pids controller support
Add support for the pids cgroup controller to libcontainer, a recent
feature that is available in Linux 4.3+.

Unfortunately, due to the init process being written in Go, it can spawn
an an unknown number of threads due to blocked syscalls. This results in
the init process being unable to run properly, and thus small pids.max
configs won't work properly.

Signed-off-by: Aleksa Sarai <asarai@suse.com>
2016-01-12 10:06:32 +11:00
Alexander Morozov c0cad6aa5e Merge pull request #451 from cyphar/fix-infinite-recursion
cgroups: fs: fix cgroup.Parent path sanitisation
2016-01-11 08:52:26 -08:00
Aleksa Sarai bf899fef45 cgroups: fs: fix cgroup.Parent path sanitisation
Properly sanitise the --cgroup-parent path, to avoid potential issues
(as it starts creating directories and writing to files as root). In
addition, fix an infinite recursion due to incomplete base cases.

It might be a good idea to move pathClean to a separate library (which
deals with path safety concerns, so all of runC and Docker can take
advantage of it).

Signed-off-by: Aleksa Sarai <asarai@suse.com>
2016-01-11 23:10:35 +11:00
Jimmi Dyson 91c7024e52 Revert to non-recursive GetPids, add recursive GetAllPids
Signed-off-by: Jimmi Dyson <jimmidyson@gmail.com>
2016-01-08 19:42:25 +00:00
Mrunal Patel 4124ba9468 Revert "cgroups: add pids controller support"
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2015-12-19 07:48:48 -08:00
Aleksa Sarai 88e6d489f6 libcontainer: cgroups: loudly fail with Set
It is vital to loudly fail when a user attempts to set a cgroup limit
(rather than using the system default). Otherwise the user will assume
they have security they do not actually have. This mirrors the original
Apply() (that would set cgroup configs) semantics.

Signed-off-by: Aleksa Sarai <asarai@suse.com>
2015-12-19 11:30:47 +11:00
Aleksa Sarai 8a740d5391 libcontainer: cgroups: don't Set in Apply
Apply and Set are two separate operations, and it doesn't make sense to
group the two together (especially considering that the bootstrap
process is added to the cgroup as well). The only exception to this is
the memory cgroup, which requires the configuration to be set before
processes can join.

Signed-off-by: Aleksa Sarai <asarai@suse.com>
2015-12-19 11:30:47 +11:00
Aleksa Sarai 37789f5bf1 libcontainer: cgroups: add pids controller support
Add support for the pids cgroup controller to libcontainer, a recent
feature that is available in Linux 4.3+.

Unfortunately, due to the init process being written in Go, it can spawn
an an unknown number of threads due to blocked syscalls. This results in
the init process being unable to run properly, and thus small pids.max
configs won't work properly.

Signed-off-by: Aleksa Sarai <asarai@suse.com>
2015-12-19 11:30:38 +11:00
Mrunal Patel 55a49f2110 Move the cgroups setting into a Resources struct
This allows us to distinguish cases where a container
needs to just join the paths or also additionally
set cgroups settings. This will help in implementing
cgroupsPath support in the spec.

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2015-12-16 15:53:31 -05:00
Qiang Huang 209c8d9979 Add some comments about cgroup
We fixed some bugs and introduced some code hard to be
understood, add some comments for them.

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2015-11-05 19:12:53 +08:00
Qiang Huang 8c98ae27ac Refactor cgroupData
The former cgroup entry is confusing, separate it to parent
and name.
Rename entry `c` to `config`.

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2015-11-05 19:12:53 +08:00
Qiang Huang a263afaf6c Rename parent and data
'parent' function is confusing with parent cgroup, it's actually
parent path, so rename it to parentPath.

The name 'data' is too common to be identified, rename it to cgroupData
which is exactly what it is.

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2015-11-05 19:12:53 +08:00
Michael Crosby ba2ce3b25a Cgroup set order for systemd
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2015-10-19 13:32:45 -07:00
Michael Crosby 2554f49d5e Use array instead of map for cgroup subsystems
Also add cpuset as the first in the list to address issues setting the
pid in any cgroup before the cpuset is populated.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2015-10-15 15:24:53 -07:00
Michael Crosby 02fdc70837 Add Name() to cgroup subsystems
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2015-10-15 15:19:23 -07:00
Alexander Morozov 6dad176d01 Get PIDs from cgroups recursively
Also lookup cgroup for systemd is changed to "device" to be consistent
with fs implementation.

Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2015-10-13 10:19:01 -07:00
Qiang Huang f2ec7eff7e Rename FindCgroupMountpointAndSource
Rename it to FindCgroupMountpointAndRoot.

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2015-09-09 09:29:11 +08:00
Mrunal Patel c20bda3f71 Merge pull request #206 from mountkin/ensure-cleanup
Ensure the cleanup jobs in the deferrer are executed on error
2015-08-18 14:16:31 -07:00
Shijiang Wei f0679089b9 Ensure the cleanup jobs in the deferrer are executed on error
Signed-off-by: Shijiang Wei <mountkin@gmail.com>
2015-08-16 12:29:04 +08:00
Alexander Morozov 2b28b3c276 Always use cgroup root of current process
Because for host PID namespace /proc/1/cgroup can point to whole other
world of cgroups.

Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2015-08-11 18:04:59 -07:00
Alexander Morozov 5aa6005498 Revert "Fix cgroup parent searching"
This reverts commit 2f9052ca29.

Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2015-08-11 18:04:55 -07:00
Alexander Morozov 2f9052ca29 Fix cgroup parent searching
I had pretty convenient input data to miss this bug.

Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2015-08-10 14:30:05 -07:00
Kir Kolyshkin 6f82d4b544 Simplify and fix os.MkdirAll() usage
TL;DR: check for IsExist(err) after a failed MkdirAll() is both
redundant and wrong -- so two reasons to remove it.

Quoting MkdirAll documentation:

> MkdirAll creates a directory named path, along with any necessary
> parents, and returns nil, or else returns an error. If path
> is already a directory, MkdirAll does nothing and returns nil.

This means two things:

1. If a directory to be created already exists, no error is
returned.

2. If the error returned is IsExist (EEXIST), it means there exists
a non-directory with the same name as MkdirAll need to use for
directory. Example: we want to MkdirAll("a/b"), but file "a"
(or "a/b") already exists, so MkdirAll fails.

The above is a theory, based on quoted documentation and my UNIX
knowledge.

3. In practice, though, current MkdirAll implementation [1] returns
ENOTDIR in most of cases described in #2, with the exception when
there is a race between MkdirAll and someone else creating the
last component of MkdirAll argument as a file. In this very case
MkdirAll() will indeed return EEXIST.

Because of #1, IsExist check after MkdirAll is not needed.

Because of #2 and #3, ignoring IsExist error is just plain wrong,
as directory we require is not created. It's cleaner to report
the error now.

Note this error is all over the tree, I guess due to copy-paste,
or trying to follow the same usage pattern as for Mkdir(),
or some not quite correct examples on the Internet.

[1] https://github.com/golang/go/blob/f9ed2f75/src/os/path.go

Signed-off-by: Kir Kolyshkin <kir@openvz.org>
2015-07-29 18:03:27 -07:00
Alexander Morozov c0e18b96fb Fix subsystem path with abs parent
Sometimes subsystem can be mounted to path like "subsystem1,subsystem2",
so we need to handle this.

Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2015-07-20 11:48:58 -07:00
Alexander Morozov fc31076c23 Substract source mount from cgroup dir
This is needed because for nested containers cgroups. Without this patch
they creating unnecessary intermediate cgroup like:
/sys/fs/cgroup/memory/system.slice/docker-9409d9f0b68fb9e9d7d532d5b3f35e7c7f9cca1312af392ae3b28436f1f2998f.scope/system.slice/docker-9409d9f0b68fb9e9d7d532d5b3f35e7c7f9cca1312af392ae3b28436f1f2998f.scope/docker/908ebcc9c13584a14322ec070bd971e0de62f126c0cd95c079acdb99990ad3a3

It is because in /proc/self/cgroup we see paths from host, and they don't
exist in container.

Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2015-07-17 11:41:58 -07:00
Michael Crosby 080df7ab88 Update import paths for new repository
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2015-06-21 19:29:59 -07:00
Michael Crosby 8f97d39dd2 Move libcontainer into subdirectory
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2015-06-21 19:29:15 -07:00