From 2f69e11b1a5a344cdcabbbc146eab41c68192b0a Mon Sep 17 00:00:00 2001 From: Kenfe-Mickael Laventure Date: Mon, 9 May 2016 08:53:43 -0700 Subject: [PATCH 1/2] Vendor in runc d49ece5a83da3dcb820121d6850e2b61bd0a5fbe Signed-off-by: Kenfe-Mickael Laventure --- Dockerfile | 2 +- hack/vendor.sh | 2 +- .../runc/libcontainer/apparmor/apparmor.go | 3 +- .../runc/libcontainer/cgroups/fs/memory.go | 49 +++++++++++++++++-- .../cgroups/systemd/apply_systemd.go | 16 ++---- .../runc/libcontainer/system/sysconfig.go | 4 ++ 6 files changed, 57 insertions(+), 19 deletions(-) diff --git a/Dockerfile b/Dockerfile index 3ac9450..7c172c3 100644 --- a/Dockerfile +++ b/Dockerfile @@ -36,7 +36,7 @@ RUN set -x \ && rm -rf "$SECCOMP_PATH" # Install runc -ENV RUNC_COMMIT 9c89737e6e117a8be5a4980bc9795fe1a2b1028e +ENV RUNC_COMMIT d49ece5a83da3dcb820121d6850e2b61bd0a5fbe RUN set -x \ && export GOPATH="$(mktemp -d)" \ && git clone git://github.com/opencontainers/runc.git "$GOPATH/src/github.com/opencontainers/runc" \ diff --git a/hack/vendor.sh b/hack/vendor.sh index 0aabd0c..4df2035 100755 --- a/hack/vendor.sh +++ b/hack/vendor.sh @@ -14,7 +14,7 @@ clone git github.com/docker/go-units 5d2041e26a699eaca682e2ea41c8f891e1060444 clone git github.com/godbus/dbus e2cf28118e66a6a63db46cf6088a35d2054d3bb0 clone git github.com/golang/glog 23def4e6c14b4da8ac2ed8007337bc5eb5007998 clone git github.com/golang/protobuf 8d92cf5fc15a4382f8964b08e1f42a75c0591aa3 -clone git github.com/opencontainers/runc 89c3c97a8482f3a57cd4bb683df1a7b2c61405d8 +clone git github.com/opencontainers/runc d49ece5a83da3dcb820121d6850e2b61bd0a5fbe clone git github.com/opencontainers/runtime-spec f955d90e70a98ddfb886bd930ffd076da9b67998 clone git github.com/rcrowley/go-metrics eeba7bd0dd01ace6e690fa833b3f22aaec29af43 clone git github.com/satori/go.uuid f9ab0dce87d815821e221626b772e3475a0d2749 diff --git a/vendor/src/github.com/opencontainers/runc/libcontainer/apparmor/apparmor.go b/vendor/src/github.com/opencontainers/runc/libcontainer/apparmor/apparmor.go index 22c17f5..82ed1a6 100644 --- a/vendor/src/github.com/opencontainers/runc/libcontainer/apparmor/apparmor.go +++ b/vendor/src/github.com/opencontainers/runc/libcontainer/apparmor/apparmor.go @@ -7,6 +7,7 @@ package apparmor // #include import "C" import ( + "fmt" "io/ioutil" "os" "unsafe" @@ -32,7 +33,7 @@ func ApplyProfile(name string) error { cName := C.CString(name) defer C.free(unsafe.Pointer(cName)) if _, err := C.aa_change_onexec(cName); err != nil { - return err + return fmt.Errorf("apparmor failed to apply profile: %s", err) } return nil } diff --git a/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/memory.go b/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/memory.go index 6b4a9ea..43a9dda 100644 --- a/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/memory.go +++ b/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/fs/memory.go @@ -5,6 +5,7 @@ package fs import ( "bufio" "fmt" + "math" "os" "path/filepath" "strconv" @@ -12,6 +13,7 @@ import ( "github.com/opencontainers/runc/libcontainer/cgroups" "github.com/opencontainers/runc/libcontainer/configs" + "github.com/opencontainers/runc/libcontainer/system" ) type MemoryGroup struct { @@ -33,7 +35,7 @@ func (s *MemoryGroup) Apply(d *cgroupData) (err error) { } } // We have to set kernel memory here, as we can't change it once - // processes have been attached. + // processes have been attached to the cgroup. if err := s.SetKernelMemory(path, d.config); err != nil { return err } @@ -55,9 +57,44 @@ func (s *MemoryGroup) Apply(d *cgroupData) (err error) { } func (s *MemoryGroup) SetKernelMemory(path string, cgroup *configs.Cgroup) error { - // This has to be done separately because it has special constraints (it - // can't be done after there are processes attached to the cgroup). - if cgroup.Resources.KernelMemory > 0 { + // This has to be done separately because it has special + // constraints (it can only be initialized before setting up a + // hierarchy or adding a task to the cgroups. However, if + // sucessfully initialized, it can be updated anytime afterwards) + if cgroup.Resources.KernelMemory != 0 { + kmemInitialized := false + // Is kmem.limit_in_bytes already set? + kmemValue, err := getCgroupParamUint(path, "memory.kmem.limit_in_bytes") + if err != nil { + return err + } + switch system.GetLongBit() { + case 32: + kmemInitialized = uint32(kmemValue) != uint32(math.MaxUint32) + case 64: + kmemInitialized = kmemValue != uint64(math.MaxUint64) + } + + if !kmemInitialized { + // If hierarchy is set, we can't change the limit + usesHierarchy, err := getCgroupParamUint(path, "memory.use_hierarchy") + if err != nil { + return err + } + if usesHierarchy != 0 { + return fmt.Errorf("cannot initialize kmem.limit_in_bytes if use_hierarchy is already set") + } + + // If there's already tasks in the cgroup, we can't change the limit either + tasks, err := getCgroupParamString(path, "tasks") + if err != nil { + return err + } + if tasks != "" { + return fmt.Errorf("cannot initialize kmem.limit_in_bytes after task have joined this cgroup") + } + } + if err := writeFile(path, "memory.kmem.limit_in_bytes", strconv.FormatInt(cgroup.Resources.KernelMemory, 10)); err != nil { return err } @@ -113,6 +150,10 @@ func (s *MemoryGroup) Set(path string, cgroup *configs.Cgroup) error { return err } + if err := s.SetKernelMemory(path, cgroup); err != nil { + return err + } + if cgroup.Resources.MemoryReservation != 0 { if err := writeFile(path, "memory.soft_limit_in_bytes", strconv.FormatInt(cgroup.Resources.MemoryReservation, 10)); err != nil { return err diff --git a/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/systemd/apply_systemd.go b/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/systemd/apply_systemd.go index 5365bc8..dbf760a 100644 --- a/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/systemd/apply_systemd.go +++ b/vendor/src/github.com/opencontainers/runc/libcontainer/cgroups/systemd/apply_systemd.go @@ -214,11 +214,9 @@ func (m *Manager) Apply(pid int) error { newProp("BlockIOWeight", uint64(c.Resources.BlkioWeight))) } - // We need to set kernel memory before processes join cgroup because - // kmem.limit_in_bytes can only be set when the cgroup is empty. - // And swap memory limit needs to be set after memory limit, only - // memory limit is handled by systemd, so it's kind of ugly here. - if c.Resources.KernelMemory > 0 { + // We have to set kernel memory here, as we can't change it once + // processes have been attached to the cgroup. + if c.Resources.KernelMemory != 0 { if err := setKernelMemory(c); err != nil { return err } @@ -469,11 +467,5 @@ func setKernelMemory(c *configs.Cgroup) error { return err } - if err := os.MkdirAll(path, 0755); err != nil { - return err - } - - // This doesn't get called by manager.Set, so we need to do it here. - s := &fs.MemoryGroup{} - return s.SetKernelMemory(path, c) + return os.MkdirAll(path, 0755) } diff --git a/vendor/src/github.com/opencontainers/runc/libcontainer/system/sysconfig.go b/vendor/src/github.com/opencontainers/runc/libcontainer/system/sysconfig.go index b3a07cb..3e3d7e0 100644 --- a/vendor/src/github.com/opencontainers/runc/libcontainer/system/sysconfig.go +++ b/vendor/src/github.com/opencontainers/runc/libcontainer/system/sysconfig.go @@ -10,3 +10,7 @@ import "C" func GetClockTicks() int { return int(C.sysconf(C._SC_CLK_TCK)) } + +func GetLongBit() int { + return int(C.sysconf(C._SC_LONG_BIT)) +} From 1ebdf69a58f7787320ecf2c4586bc3bd28a712c3 Mon Sep 17 00:00:00 2001 From: Kenfe-Mickael Laventure Date: Mon, 9 May 2016 10:25:52 -0700 Subject: [PATCH 2/2] Use the new runtime update command to process UpdateResources requests Signed-off-by: Kenfe-Mickael Laventure --- runtime/container.go | 48 +++++++++++++++++++++++++++++++------------- 1 file changed, 34 insertions(+), 14 deletions(-) diff --git a/runtime/container.go b/runtime/container.go index 23abe09..5865b76 100644 --- a/runtime/container.go +++ b/runtime/container.go @@ -1,6 +1,7 @@ package runtime import ( + "bytes" "encoding/json" "fmt" "io" @@ -260,23 +261,42 @@ func (c *container) RemoveProcess(pid string) error { return os.RemoveAll(filepath.Join(c.root, c.id, pid)) } +func u64Ptr(i uint64) *uint64 { return &i } + func (c *container) UpdateResources(r *Resource) error { - container, err := c.getLibctContainer() - if err != nil { + sr := ocs.Resources{ + Memory: &ocs.Memory{ + Limit: u64Ptr(uint64(r.Memory)), + Reservation: u64Ptr(uint64(r.MemoryReservation)), + Swap: u64Ptr(uint64(r.MemorySwap)), + Kernel: u64Ptr(uint64(r.KernelMemory)), + }, + CPU: &ocs.CPU{ + Shares: u64Ptr(uint64(r.CPUShares)), + Quota: u64Ptr(uint64(r.CPUQuota)), + Period: u64Ptr(uint64(r.CPUPeriod)), + Cpus: &r.CpusetCpus, + Mems: &r.CpusetMems, + }, + BlockIO: &ocs.BlockIO{ + Weight: &r.BlkioWeight, + }, + } + + srStr := bytes.NewBuffer(nil) + if err := json.NewEncoder(srStr).Encode(&sr); err != nil { return err } - config := container.Config() - config.Cgroups.Resources.CpuShares = r.CPUShares - config.Cgroups.Resources.BlkioWeight = r.BlkioWeight - config.Cgroups.Resources.CpuPeriod = r.CPUPeriod - config.Cgroups.Resources.CpuQuota = r.CPUQuota - config.Cgroups.Resources.CpusetCpus = r.CpusetCpus - config.Cgroups.Resources.CpusetMems = r.CpusetMems - config.Cgroups.Resources.KernelMemory = r.KernelMemory - config.Cgroups.Resources.Memory = r.Memory - config.Cgroups.Resources.MemoryReservation = r.MemoryReservation - config.Cgroups.Resources.MemorySwap = r.MemorySwap - return container.Set(config) + + args := c.runtimeArgs + args = append(args, "update", "-r", "-", c.id) + cmd := exec.Command(c.runtime, args...) + cmd.Stdin = srStr + b, err := cmd.CombinedOutput() + if err != nil { + return fmt.Errorf(string(b)) + } + return nil } func getRootIDs(s *specs.Spec) (int, int, error) {