Skip to content

CgroupsPath in runC #399

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
ashahab-altiscale wants to merge 2 commits into from
Closed

CgroupsPath in runC #399

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
2363d45
CgroupsPath in runC
ashahab-altiscale Oct 11, 2015
f115082
Removed ExternalCgroups from cgroups struct
ashahab-altiscale Dec 10, 2015
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 14 additions & 0 deletions libcontainer/cgroups/fs/devices.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@ package fs
import (
"github.com/opencontainers/runc/libcontainer/cgroups"
"github.com/opencontainers/runc/libcontainer/configs"
"os"
)

type DevicesGroup struct {
Expand All @@ -15,12 +16,25 @@ func (s *DevicesGroup) Name() string {
}

func (s *DevicesGroup) Apply(d *cgroupData) error {
path, err := d.path("devices")
if err != nil {
return err
}
externalCgroup := false
if _, err = os.Stat(path); err == nil {
externalCgroup = true
}

dir, err := d.join("devices")

if err != nil {
// We will return error even it's `not found` error, devices
// cgroup is hard requirement for container's security.
return err
}
if externalCgroup {
return nil
}

if err := s.Set(dir, d.config); err != nil {
return err
Expand Down
3 changes: 3 additions & 0 deletions spec.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -437,6 +437,9 @@ func createCgroupConfig(name string, spec *specs.LinuxRuntimeSpec, devices []*co
if err != nil {
return nil, err
}
if spec.Linux.CgroupsPath != "" {
Copy link
Contributor

@mrunalp mrunalp Dec 14, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We use a combination of parent and the name to derive the path. So, you need to handle the parent as well and make sure it is correct.

Copy link
Contributor

@LK4D4 LK4D4 Dec 15, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it was like this before. We used path as Name in docker for cgroup-parent.

Copy link
Contributor Author

@ashahab-altiscale ashahab-altiscale Dec 15, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yup, @LK4D4 @mrunalp and I have discussed this, and the current behavior in runc(if operator provides parent, it will append parent to Name) should be sufficient.

name = spec.Linux.CgroupsPath
}
Copy link
Contributor

@hqhq hqhq Nov 16, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry I don't understand your PR, why set cgroupsPath to name? cgroupsPath should be a relative or absolute path, not just a cgroup name.

Copy link
Contributor Author

@ashahab-altiscale ashahab-altiscale Nov 17, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@hqhq Cgroups path is expected to be a path relative to the cgroups mount: https://github.com/opencontainers/specs/blob/master/runtime_config_linux.go#L29

Copy link
Contributor

@hqhq hqhq Nov 17, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ashahab-altiscale I think the problem here is name should not identify a cgroup, because it should just be the name, not the full path.
In the code, cgroup path can be affected by parent besides name, though it won't happen in real life for now because we only support parent for Docker and Docker don't use cgroupsPath. But that'll be tricky if we want to expand these features in the future.

Copy link
Contributor Author

@ashahab-altiscale ashahab-altiscale Nov 17, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should remove parent as you and @LK4D4 discussed. CgroupsPath must not be a full path, but relative to cgroup mount on host. That's what I interpret from spec.

Copy link
Contributor Author

@ashahab-altiscale ashahab-altiscale Nov 17, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also, since cgroupsPath does not support split hierarchy, would parent be ever different than what this line retrieves: https://github.com/opencontainers/runc/blob/master/spec.go#L436

Copy link
Contributor

@hqhq hqhq Nov 18, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry for the confusing, here all cgroup path I mentioned are relative to cgroup mount point, and full path I meat absolute path including cgroup name, like /web/apache/apache1, here I think what name should be is apache1, not the entire /web/apache/apache1.

Copy link
Contributor Author

@ashahab-altiscale ashahab-altiscale Nov 18, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I understand now, thanks for explanation. However, this name can also be a
path, since it gets appended to the cgroup mount.
On Nov 18, 2015 12:16 AM, "Qiang Huang" notifications@github.com wrote:

In spec.go
#399 (comment):

@@ -438,6 +438,9 @@ func createCgroupConfig(name string, spec _specs.LinuxRuntimeSpec, devices []_co
if err != nil {
return nil, err
}

  • if spec.Linux.CgroupsPath != "" {
  •   name = spec.Linux.CgroupsPath
  • }

Sorry for the confusing, here all cgroup path I mentioned are relative to
cgroup mount point, and full path I meat absolute path including cgroup
name, like /web/apache/apache1, here I think what name should be is
apache1, not the entire /web/apache/apache1.


Reply to this email directly or view it on GitHub
https://github.com/opencontainers/runc/pull/399/files#r45170849.

Copy link
Contributor Author

@ashahab-altiscale ashahab-altiscale Nov 18, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@hqhq I just tested this with cgroupsPath with test1/test2/test3 as a cgroupsPath, and the behavior is as expected. I have test1/test2/test3 cgroup created before starting runc.
When I do runc start it appropriately joins and modifies test3 cgroup.
Do you have other comments on my approach?

Copy link
Contributor Author

@ashahab-altiscale ashahab-altiscale Nov 21, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mrunalp @crosbymichael Any feedback on this? This will allow me to launch containers inside userns containers.

c := &configs.Cgroup{
Name: name,
Parent: myCgroupPath,
Expand Down