cgroup: add PIDs cgroup controller support #446

Merged: 4 commits, Jan 12, 2016

Commits on Jan 11, 2016

  1. libcontainer: cgroups: add pids controller support

    Add support for the pids cgroup controller to libcontainer, a recent
    feature that is available in Linux 4.3+.
    
    Unfortunately, due to the init process being written in Go, it can spawn
    an unknown number of threads due to blocked syscalls. This results in
    the init process being unable to run properly, and thus small pids.max
    configs won't work properly.
    
    Signed-off-by: Aleksa Sarai <asarai@suse.com>
    cyphar committed Jan 11, 2016 (commit db3159c)
  2. libcontainer: cgroups: don't Set in Apply

    Apply and Set are two separate operations, and it doesn't make sense to
    group the two together (especially considering that the bootstrap
    process is added to the cgroup as well). The only exception to this is
    the memory cgroup, which requires the configuration to be set before
    processes can join.
    
    One of the weird cases to deal with is systemd. Systemd sets some of the
    cgroup configuration options, but not all of them. Because memory is a
    special case, we need to explicitly set memory in the systemd Apply().
    Otherwise, the rest can be safely re-applied in .Set() as usual.
    
    Signed-off-by: Aleksa Sarai <asarai@suse.com>
    cyphar committed Jan 11, 2016 (commit f36ed4b)
  3. libcontainer: cgroups: loudly fail with Set

    It is vital to loudly fail when a user attempts to set a cgroup limit
    (rather than using the system default). Otherwise the user will assume
    they have security they do not actually have. This mirrors the original
    Apply() (that would set cgroup configs) semantics.
    
    Signed-off-by: Aleksa Sarai <asarai@suse.com>
    cyphar committed Jan 11, 2016 (commit a954834)
  4. libcontainer: set cgroup config late

    Due to the fact that the init is implemented in Go (which seemingly
    randomly spawns new processes and loves eating memory), most cgroup
    configurations are required to have an arbitrary minimum dictated by the
    init. This confuses users and makes configuration more annoying than it
    should be. An example of this is pids.max, where Go spawns multiple
    processes that then cause init to violate the pids cgroup constraint
    before the container can even start.
    
    Solve this problem by setting the cgroup configurations as late as
    possible, to avoid hitting as many of the resources hogged by the Go
    init as possible. This has to be done before seccomp rules are applied,
    as the parent and child must synchronise in order for the parent to
    correctly set the configurations (and writes might be blocked by seccomp).
    
    Signed-off-by: Aleksa Sarai <asarai@suse.com>
    cyphar committed Jan 11, 2016 (commit 103853e)
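The pids.max handling these commits describe, written here as an added Go example (not libcontainer's own code): it assumes cgroupDir is the path of a cgroup directory with the pids controller enabled, writes pids.max, treats a missing controller or a rejected value as an error instead of a silent no-op (the "loudly fail" point of commit 3), and reports when pids.current already exceeds the new limit, the state that the Go init's extra threads put a container into before commit 4 moved configuration later.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"path/filepath"
	"strconv"
)

// readCtl returns the trimmed contents of one control file in cgroupDir.
func readCtl(cgroupDir, name string) (string, error) {
	b, err := os.ReadFile(filepath.Join(cgroupDir, name))
	return string(bytes.TrimSpace(b)), err
}

// SetPidsMax writes pids.max (limit <= 0 means "max", unlimited) and verifies it
// took effect: a missing pids controller, a rejected value or a pids.current above
// the limit is an error, never a silent no-op. Returns task headroom (-1 if unlimited).
func SetPidsMax(cgroupDir string, limit int64) (int64, error) {
	want := "max"
	if limit > 0 {
		want = strconv.FormatInt(limit, 10)
	}
	// No O_CREATE: without the pids controller this must fail, not create a stray file.
	f, err := os.OpenFile(filepath.Join(cgroupDir, "pids.max"), os.O_WRONLY|os.O_TRUNC, 0)
	if err != nil {
		return 0, fmt.Errorf("pids controller unavailable in %s: %w", cgroupDir, err)
	}
	_, werr := f.WriteString(want)
	if cerr := f.Close(); werr != nil || cerr != nil {
		return 0, fmt.Errorf("writing pids.max=%s: %v %v", want, werr, cerr)
	}
	if got, err := readCtl(cgroupDir, "pids.max"); err != nil || got != want {
		return 0, fmt.Errorf("pids.max readback: wrote %q, got %q (%v)", want, got, err)
	}
	if limit <= 0 {
		return -1, nil
	}
	// The kernel accepts pids.max below pids.current, but every fork then fails.
	curStr, err := readCtl(cgroupDir, "pids.current")
	cur, perr := strconv.ParseInt(curStr, 10, 64)
	if err != nil || perr != nil {
		return 0, fmt.Errorf("reading pids.current %q: %v %v", curStr, err, perr)
	}
	if cur > limit {
		return 0, fmt.Errorf("pids.current=%d exceeds pids.max=%d; forks will fail", cur, limit)
	}
	return limit - cur, nil
}
```

On a real system cgroupDir would be the container's cgroup under the pids hierarchy; the files it reads and writes are the kernel's pids.max and pids.current.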