Commit Graph

77 Commits

Author SHA1 Message Date
rajasec 146218ab92 Removing unused variable for cgroup subsystem
Signed-off-by: rajasec <rajasec79@gmail.com>
2016-06-12 12:35:49 +05:30
Christian Brauner a1f8e0f184 fail if path to devices subsystem is missing
The presence of the "devices" subsystem is a necessary condition for a
(privileged) container.

Signed-off-by: Christian Brauner <cbrauner@suse.com>
2016-06-08 16:44:15 +02:00
Qiang Huang 6fa490c664 Remove use_hierarchy check when set kernel memory
Kernel memory cannot be set in these circumstances (before kernel 4.6):
1. kernel memory is not initialized, and there are tasks in cgroup
2. kernel memory is not initialized, and use_hierarchy is enabled,
   and there are sub-cgroups

While we don't need to cover case 2 because when we set kernel
memory in runC, it's either:
- in Apply phase when we create the container, and in this case,
  set kernel memory would definitely be valid;
- or in update operation, and in this case, there would be tasks
  in cgroup, we only need to check if kernel memory is initialized
  or not.

Even if we want to check use_hierarchy, we need to check sub-cgroups
as well, but for here, we can just leave it aside.

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-05-28 15:22:58 +08:00
Kenfe-Mickael Laventure 27814ee120 Allow updating kmem.limit_in_bytes if initialized at cgroup creation
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
2016-05-06 08:05:15 -07:00
Michael Crosby 660029b476 Merge pull request #745 from AkihiroSuda/very-trivial-style-fix
Fix trivial style errors reported by `go vet` and `golint`
2016-04-12 13:33:00 -07:00
Akihiro Suda 1829531241 Fix trivial style errors reported by `go vet` and `golint`
No substantial code change.
Note that some style errors reported by `golint` are not fixed due to possible compatibility issues.

Signed-off-by: Akihiro Suda <suda.kyoto@gmail.com>
2016-04-12 08:13:16 +00:00
Qiang Huang 792251ae38 Fix problem when swap memory unsupported
When swap memory is unsupported, Docker will set
cgroup.Resources.MemorySwap as -1.

Fixes: https://github.com/docker/docker/pull/21937

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-04-12 15:08:10 +08:00
Qiang Huang d8b8f76c4f Fix problem when update memory and swap memory
Currently, if we start a container with:
`docker run -ti --name foo --memory 300M --memory-swap 500M busybox sh`

Then we want to update it with:
`docker update --memory 600M --memory-swap 800M foo`

It'll get error because we can't set memory to 600M with
the 500M limit of swap memory.

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-03-28 10:48:29 +08:00
Qiang Huang 69f8a50081 Merge pull request #669 from mrunalp/fix_test
Fix the kmem TCP test
2016-03-22 09:45:13 +08:00
Michael Crosby e80b6b67e6 Merge pull request #651 from mrunalp/quota_validation
Add more information in the error messages when writing to a file
2016-03-21 17:53:49 -07:00
Mrunal Patel 73e48633a3 Fix the kmem TCP test
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-03-21 15:51:42 -07:00
Mrunal Patel 4d7929274d Merge pull request #644 from cyphar/fix-pids-max-unlimited
libcontainer: cgroups: deal with unlimited case for pids.max
2016-03-21 14:55:20 -07:00
Mrunal Patel 35541ebcd2 Add more information in the error messages when writing to a file
This is helpful to debug "invalid argument" errors when writing to cgroup files

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-03-21 09:27:24 -07:00
Aleksa Sarai f5e60cf775 libcontainer: cgroups: add statistics for kmem.tcp
Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-03-20 22:04:02 +11:00
Aleksa Sarai 1448fe9568 libcontainer: cgroups: add support for kmem.tcp limits
Kernel TCP memory has its own special knobs inside the cgroup.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-03-20 22:03:52 +11:00
Aleksa Sarai a6d5179f60 libcontainer: cgroups: add tests for pids.max == "max"
Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-03-18 08:46:24 +11:00
Aleksa Sarai 087b953dc5 libcontainer: cgroups: deal with unlimited case for pids.max
Make sure we don't error out collecting statistics for cases where
pids.max == "max". In that case, we can use a limit of 0 which means
"unlimited".

In addition, change the name of the stats attribute (Max) to mirror the
name of the resources attribute in the spec (Limit) so that it's
consistent internally.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-03-18 08:46:24 +11:00
Aleksa Sarai 64286b443d libcontainer: cgroups: add tests for pids.max in PidsStats
Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-03-13 14:16:38 +11:00
Aleksa Sarai 2b1e086f62 libcontainer: cgroups: add pids.max to PidsStats
In order to allow nice usage statistics (in terms of percentages and
other such data), add the value of pids.max to the PidsStats struct
returned from the pids cgroup controller.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2016-03-13 04:53:20 +11:00
Alexander Morozov e5906f7ed5 Fix race between Apply and GetStats
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2016-02-29 08:50:42 -08:00
Phil Estes 0b5581fd28 Handle memory swappiness as a pointer to handle default/unset case
This prior fix to set "-1" explicitly was lost, and it is simpler to use
the same pointer type from the OCI spec to handle nil pointer == -1 ==
unset case.

Also, as a nearly humorous aside, there was a test for MemorySwappiness
that was actually setting Memory, and it was passing because of this
bug (as it was always setting everyone's MemorySwappiness to zero!)

Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
2016-02-24 09:02:06 -06:00
Michael Crosby 47f16e89df Move the process outside of the systemd cgroup
If you don't move the process out of the named cgroup for systemd then
systemd will try to delete all the cgroups that the process is currently
in.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-02-19 11:26:46 -08:00
Mrunal Patel 2c489ce2d9 Merge pull request #564 from hallyn/2016-02-16/userns.devicecg
Do not set devices cgroup entries if in a user namespace
2016-02-17 09:25:24 +05:30
Serge Hallyn 655f8ea808 Do not set devices cgroup entries if in a user namespace
When in a non-initial user namespace you cannot update the devices
cgroup whitelist (or blacklist).  The kernel won't allow it.  So
detect that case and don't try.

This is a step to being able to run docker/runc containers inside a user
namespaced container.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2016-02-16 19:39:43 -08:00
Mrunal Patel a86e44cf8f Merge pull request #556 from hqhq/hq_remove_unneeded_cleanup
Remove unneeded cgroups path removal
2016-02-17 08:31:35 +05:30
Qiang Huang 7b88f34d6e Remove unneeded cgroups path removal
It's handled in `destroy()`, no need to do this in
`Apply()`. I found this because systemd cgroup didn't
do this removal and it works well.

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-02-15 11:22:13 +08:00
Aleksa Sarai 21dc85c4b8 libcontainer: cgroups: fs: add cgroup path safety unit tests
In order to avoid problems with security regressions going unnoticed,
add some unit tests that should make sure security regressions in cgroup
path safety cause tests to fail in runC.

Signed-off-by: Aleksa Sarai <asarai@suse.com>
2016-02-14 00:37:21 +11:00
Aleksa Sarai b8dc5213e8 libcontainer: cgroups: fs: fix path safety
Ensure that path safety is maintained, this essentially reapplies
c0cad6aa5e ("cgroups: fs: fix cgroup.Parent path sanitisation"), which
was accidentally removed in 256f3a8ebc ("Add support for CgroupsPath
field").

Signed-off-by: Aleksa Sarai <asarai@suse.com>
2016-02-14 00:37:21 +11:00
Aleksa Sarai 90140a5688 libcontainer: cgroups: fs: fix innerPath
Fix m.Path legacy code to actually work.

Signed-off-by: Aleksa Sarai <asarai@suse.com>
2016-02-14 00:37:21 +11:00
Kenfe-Mickael Laventure 256f3a8ebc Add support for CgroupsPath field
Fixes #396

Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
2016-02-10 11:26:51 -08:00
Kenfe-Mickael Laventure dceeb0d0df Move pathClean to libcontainer/utils.CleanPath
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
2016-02-09 16:21:58 -08:00
Michael Crosby 3baae2d525 Update runc for devices changes
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-02-08 13:15:12 -08:00
Kenfe-Mickael Laventure 7a12c92dbe Add limit value to memory stats
The value is populated with the content of `limit_in_bytes`.

Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
2016-02-03 11:54:09 -08:00
Aleksa Sarai 75e38f94a0 cgroups: set memory cgroups in Set
Modify the memory cgroup code such that kmem is not managed by Set(), in
order to allow updating of memory constraints for containers by Docker.
This also removes the need to make memory a special case cgroup.

Signed-off-by: Aleksa Sarai <asarai@suse.com>
2016-01-22 07:46:43 +11:00
Mrunal Patel 41d9d26513 Add support for just joining in apply using cgroup paths
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-01-20 14:23:05 -05:00
Mrunal Patel 4c767d7046 Merge pull request #446 from cyphar/18-add-pids-controller
cgroup: add PIDs cgroup controller support
2016-01-11 16:56:00 -08:00
Aleksa Sarai a95483402e libcontainer: cgroups: loudly fail with Set
It is vital to loudly fail when a user attempts to set a cgroup limit
(rather than using the system default). Otherwise the user will assume
they have security they do not actually have. This mirrors the original
Apply() (that would set cgroup configs) semantics.

Signed-off-by: Aleksa Sarai <asarai@suse.com>
2016-01-12 10:06:35 +11:00
Aleksa Sarai f36ed4b174 libcontainer: cgroups: don't Set in Apply
Apply and Set are two separate operations, and it doesn't make sense to
group the two together (especially considering that the bootstrap
process is added to the cgroup as well). The only exception to this is
the memory cgroup, which requires the configuration to be set before
processes can join.

One of the weird cases to deal with is systemd. Systemd sets some of the
cgroup configuration options, but not all of them. Because memory is a
special case, we need to explicitly set memory in the systemd Apply().
Otherwise, the rest can be safely re-applied in .Set() as usual.

Signed-off-by: Aleksa Sarai <asarai@suse.com>
2016-01-12 10:06:35 +11:00
Aleksa Sarai db3159c9d9 libcontainer: cgroups: add pids controller support
Add support for the pids cgroup controller to libcontainer, a recent
feature that is available in Linux 4.3+.

Unfortunately, due to the init process being written in Go, it can spawn
an an unknown number of threads due to blocked syscalls. This results in
the init process being unable to run properly, and thus small pids.max
configs won't work properly.

Signed-off-by: Aleksa Sarai <asarai@suse.com>
2016-01-12 10:06:32 +11:00
Alexander Morozov c0cad6aa5e Merge pull request #451 from cyphar/fix-infinite-recursion
cgroups: fs: fix cgroup.Parent path sanitisation
2016-01-11 08:52:26 -08:00
Aleksa Sarai bf899fef45 cgroups: fs: fix cgroup.Parent path sanitisation
Properly sanitise the --cgroup-parent path, to avoid potential issues
(as it starts creating directories and writing to files as root). In
addition, fix an infinite recursion due to incomplete base cases.

It might be a good idea to move pathClean to a separate library (which
deals with path safety concerns, so all of runC and Docker can take
advantage of it).

Signed-off-by: Aleksa Sarai <asarai@suse.com>
2016-01-11 23:10:35 +11:00
Jimmi Dyson 91c7024e52 Revert to non-recursive GetPids, add recursive GetAllPids
Signed-off-by: Jimmi Dyson <jimmidyson@gmail.com>
2016-01-08 19:42:25 +00:00
Mrunal Patel 4124ba9468 Revert "cgroups: add pids controller support"
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2015-12-19 07:48:48 -08:00
Aleksa Sarai 88e6d489f6 libcontainer: cgroups: loudly fail with Set
It is vital to loudly fail when a user attempts to set a cgroup limit
(rather than using the system default). Otherwise the user will assume
they have security they do not actually have. This mirrors the original
Apply() (that would set cgroup configs) semantics.

Signed-off-by: Aleksa Sarai <asarai@suse.com>
2015-12-19 11:30:47 +11:00
Aleksa Sarai 8a740d5391 libcontainer: cgroups: don't Set in Apply
Apply and Set are two separate operations, and it doesn't make sense to
group the two together (especially considering that the bootstrap
process is added to the cgroup as well). The only exception to this is
the memory cgroup, which requires the configuration to be set before
processes can join.

Signed-off-by: Aleksa Sarai <asarai@suse.com>
2015-12-19 11:30:47 +11:00
Aleksa Sarai 37789f5bf1 libcontainer: cgroups: add pids controller support
Add support for the pids cgroup controller to libcontainer, a recent
feature that is available in Linux 4.3+.

Unfortunately, due to the init process being written in Go, it can spawn
an an unknown number of threads due to blocked syscalls. This results in
the init process being unable to run properly, and thus small pids.max
configs won't work properly.

Signed-off-by: Aleksa Sarai <asarai@suse.com>
2015-12-19 11:30:38 +11:00
Mrunal Patel 55a49f2110 Move the cgroups setting into a Resources struct
This allows us to distinguish cases where a container
needs to just join the paths or also additionally
set cgroups settings. This will help in implementing
cgroupsPath support in the spec.

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2015-12-16 15:53:31 -05:00
Qiang Huang 209c8d9979 Add some comments about cgroup
We fixed some bugs and introduced some code hard to be
understood, add some comments for them.

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2015-11-05 19:12:53 +08:00
Qiang Huang 8c98ae27ac Refactor cgroupData
The former cgroup entry is confusing, separate it to parent
and name.
Rename entry `c` to `config`.

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2015-11-05 19:12:53 +08:00
Qiang Huang a263afaf6c Rename parent and data
'parent' function is confusing with parent cgroup, it's actually
parent path, so rename it to parentPath.

The name 'data' is too common to be identified, rename it to cgroupData
which is exactly what it is.

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2015-11-05 19:12:53 +08:00