Even if libcontainer does not create the directories for the cpuset
cgroup we should ensure that they are properly populated with the
parent's cpus and mems values. Some systems create the directory
structures but do not correctly populate the values, which causes our
implementation to fail.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
As related to #639, this at least makes the "nsinit" consumer of
libcontainer initialize the value to "-1" and also allows the user to
specify a setting for the container.
This is an analog to Docker PR docker/docker#14030.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
Even if cpu cgroup controller is enabled it's still possible that
cpu.shares doesn't exist.
This is the case when the kernel config has CONFIG_CGROUP_SCHED
enabled but CONFIG_FAIR_GROUP_SCHED disabled. Then docker fails to
start containers even if --cpu-shares isn't specified.
$ sudo docker run -i -t ubuntu:14.04
Error response from daemon: Cannot start container 5600ae87eb9d0eca49f6bcee012247d6b4beb49c426d6cf17e2456279f9311f6: [8] System error: open /sys/fs/cgroup/cpu/docker/5600ae87eb9d0eca49f6bcee012247d6b4beb49c426d6cf17e2456279f9311f6/cpu.shares: no such file or directory
Signed-off-by: Zefan Li <lizefan@huawei.com>
Currently we can't start a container with a kmem limit, because we
set the kmem limit after processes have joined the cgroup; we get a
device busy error in this case.
Fix it by moving the set before the join.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
It tests only changed files from commit.
We can't expect vet fixes from all projects from vendor directory.
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
It sped up this function x10 times (because of not using Ssprintf).
It was one of two major performance drawbacks in docker, because we're parsing
this file pretty often.
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
This parses the group file only once to process a list of groups instead of parsing
it once for each group. Also added a unit test for GetAdditionalGroupsPath.
Signed-off-by: Daniel, Dao Quang Minh <dqminh89@gmail.com>
For consistency with similar changes required by the Go language sources, convert the
C library dup2() calls to dup3().
The Go language syscall.Dup2() routine is not available on all CPU
architectures, so syscall.Dup2() calls were converted to syscall.Dup3().
Signed-off-by: Geoff Levand <geoff@infradead.org>
Convert syscall.Dup2 calls to syscall.Dup3. The dup2 syscall is deprecated
and is not available on some architectures. Fixes build errors like these when
building for arm64:
console_linux.go: undefined: syscall.Dup2
Signed-off-by: Geoff Levand <geoff@infradead.org>
It totally fixes leftover ".scope" fails. Of course it's just a
workaround; the real issue seems to be in the go-systemd library or in systemd
itself.
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
Add seccomp feature which does not use third-party
Add multi-arch support
Add test case
All code uses golang
This PR is related to #511 because I closed it and found it cannot be reopened
Signed-off-by: Yang Shukui <yangshukui@huawei.com>