From 8c0ff7d90439572fdca598b252e7e076715043ae Mon Sep 17 00:00:00 2001
From: Mrunal Patel
Date: Mon, 6 Mar 2017 15:08:46 -0800
Subject: [PATCH] Run conmon under cgroups (systemd)

Signed-off-by: Mrunal Patel
---
 oci/oci.go | 16 +++++++++++++++-
 server/container_create.go | 2 +-
 server/sandbox_run.go | 6 +++---
 3 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/oci/oci.go b/oci/oci.go
index 83f8a72f..b3395236 100644
--- a/oci/oci.go
+++ b/oci/oci.go
@@ -103,7 +103,7 @@ func getOCIVersion(name string, args ...string) (string, error) {
 }
 
 // CreateContainer creates a container.
-func (r *Runtime) CreateContainer(c *Container) error {
+func (r *Runtime) CreateContainer(c *Container, cgroupParent string) error {
 parentPipe, childPipe, err := newPipe()
 if err != nil {
 return fmt.Errorf("error creating socket pair: %v", err)
@@ -143,6 +143,16 @@ func (r *Runtime) CreateContainer(c *Container) error {
 // We don't need childPipe on the parent side
 childPipe.Close()
 
+ // Move conmon to specified cgroup
+ if cgroupParent != "" {
+ if r.cgroupManager == "systemd" {
+ logrus.Infof("Running conmon under slice %s and unitName %s", cgroupParent, createUnitName("ocid", c.name))
+ if err := utils.RunUnderSystemdScope(cmd.Process.Pid, cgroupParent, createUnitName("ocid", c.name)); err != nil {
+ logrus.Warnf("Failed to add conmon to sandbox cgroup: %v", err)
+ }
+ }
+ }
+
 // Wait to get container pid from conmon
 // TODO(mrunalp): Add a timeout here
 var si *syncInfo
@@ -153,6 +163,10 @@ func (r *Runtime) CreateContainer(c *Container) error {
 return nil
 }
 
+func createUnitName(prefix string, name string) string {
+ return fmt.Sprintf("%s-%s.scope", prefix, name)
+}
+
 // StartContainer starts a container.
 func (r *Runtime) StartContainer(c *Container) error {
 c.opLock.Lock()
diff --git a/server/container_create.go b/server/container_create.go
index af31c364..06c172da 100644
--- a/server/container_create.go
+++ b/server/container_create.go
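Review bot: The doc comment on `CreateContainer` in the first oci/oci.go hunk still says only "creates a container" although the method now takes `cgroupParent`. The later hunk shows that an empty string skips the cgroup move and a non-empty one is passed on as the slice, so the contract is worth stating, for example `// CreateContainer creates a container. If cgroupParent is non-empty and the systemd cgroup manager is in use, conmon is moved into a scope under that slice.` The method body continues outside this hunk.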
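Review bot: In the second oci/oci.go hunk a failed `utils.RunUnderSystemdScope` call is only logged with `logrus.Warnf`, so creation carries on with conmon outside the sandbox's cgroup and its resource use would not be accounted to or limited by the pod. If the placement is meant as an isolation guarantee rather than best effort, return the error, e.g. `return fmt.Errorf("moving conmon to cgroup %q: %v", cgroupParent, err)`, together with whatever cleanup of the started process the rest of the function needs; otherwise add a comment saying the move is best effort. The same silent skip happens when `r.cgroupManager` is anything other than "systemd", without even a log line. Because `cmd.Process.Pid` is read from a process that is already running, anything conmon forks before the move presumably stays in the daemon's cgroup; the command start is outside this hunk, so that needs confirming.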
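Review bot: `createUnitName` in the third oci/oci.go hunk formats `name` straight into a systemd unit name without validating or escaping it, and it has no doc comment. systemd accepts only ASCII letters, digits and `:`, `-`, `_`, `.`, `\` in a unit name and caps its length, so a name outside that set would make the scope creation fail, which the caller only logs as a warning. Where `c.name` comes from is not visible here; if it can carry request-supplied text, validate it before use or escape it the way `systemd-escape` does. A comment such as `// createUnitName returns the systemd scope unit name "<prefix>-<name>.scope" for a container.` would also help.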
@@ -111,7 +111,7 @@ func (s *Server) CreateContainer(ctx context.Context, req *pb.CreateContainerReq
 }
 }()
 
- if err = s.runtime.CreateContainer(container); err != nil {
+ if err = s.runtime.CreateContainer(container, sb.cgroupParent); err != nil {
 return nil, err
 }
 
diff --git a/server/sandbox_run.go b/server/sandbox_run.go
index 7a1882b0..234493f4 100644
--- a/server/sandbox_run.go
+++ b/server/sandbox_run.go
@@ -43,8 +43,8 @@ func (s *Server) privilegedSandbox(req *pb.RunPodSandboxRequest) bool {
 return false
 }
 
-func (s *Server) runContainer(container *oci.Container) error {
- if err := s.runtime.CreateContainer(container); err != nil {
+func (s *Server) runContainer(container *oci.Container, cgroupParent string) error {
+ if err := s.runtime.CreateContainer(container, cgroupParent); err != nil {
 return err
 }
 
@@ -389,7 +389,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
 }
 }
 
- if err = s.runContainer(container); err != nil {
+ if err = s.runContainer(container, sb.cgroupParent); err != nil {
 return nil, err
 }
 