author | Fabricio Voznika <fvoznika@google.com> | 2021-10-11 14:27:41 -0700 |
---|---|---|
committer | gVisor bot <gvisor-bot@google.com> | 2021-10-11 14:30:14 -0700 |
commit | b9176535cea01e35f819edf312d0f5e7da3e8ffd (patch) | |
tree | f1329ec66dbe3aff7262fcfbe14de357d152b175 /pkg | |
parent | 125fae59beb2a054061fab4cc300994b753e127a (diff) |
Create subcontainer cgroups for compatibility
Tools (e.g. cAdvisor) watch for changes inside /sys/fs/cgroup to detect
when containers are created and deleted. With gVisor, container cgroups were
not created because the containers are not visible to the host.
This change enables the creation of [empty] subcontainer cgroups that can
be used by tools to detect creation/deletion of subcontainers. This change
required a new annotation to be added so that the shim can communicate the
pod cgroup path to runsc, so pod and container cgroups can be identified.
Fixes #6500
PiperOrigin-RevId: 402392291
Diffstat (limited to 'pkg')
-rw-r--r-- | pkg/shim/service.go | 20 | ||||
-rw-r--r-- | pkg/shim/service_test.go | 20 |
2 files changed, 23 insertions, 17 deletions
diff --git a/pkg/shim/service.go b/pkg/shim/service.go
index 24e3b7a82..0980d964e 100644
--- a/pkg/shim/service.go
+++ b/pkg/shim/service.go
@@ -77,6 +77,8 @@ const (
 // shimAddressPath is the relative path to a file that contains the address
 // to the shim UDS. See service.shimAddress.
 shimAddressPath = "address"
+
+ cgroupParentAnnotation = "dev.gvisor.spec.cgroup-parent"
 )

 // New returns a new shim service that can be used via GRPC.
@@ -952,7 +954,7 @@ func newInit(path, workDir, namespace string, platform stdio.Platform, r *proc.C
 if err != nil {
 return nil, fmt.Errorf("update volume annotations: %w", err)
 }
- updated = updateCgroup(spec) || updated
+ updated = setPodCgroup(spec) || updated

 if updated {
 if err := utils.WriteSpec(r.Bundle, spec); err != nil {
@@ -980,12 +982,13 @@ func newInit(path, workDir, namespace string, platform stdio.Platform, r *proc.C
 return p, nil
 }

-// updateCgroup updates cgroup path for the sandbox to make the sandbox join the
-// pod cgroup and not the pause container cgroup. Returns true if the spec was
-// modified. Ex.:
-// /kubepods/burstable/pod123/abc => kubepods/burstable/pod123
+// setPodCgroup searches for the pod cgroup path inside the container's cgroup
+// path. If found, it's set as an annotation in the spec. This is done so that
+// the sandbox joins the pod cgroup. Otherwise, the sandbox would join the pause
+// container cgroup. Returns true if the spec was modified. Ex.:
+// /kubepods/burstable/pod123/container123 => kubepods/burstable/pod123
 //
-func updateCgroup(spec *specs.Spec) bool {
+func setPodCgroup(spec *specs.Spec) bool {
 if !utils.IsSandbox(spec) {
 return false
 }
@@ -1009,7 +1012,10 @@ func updateCgroup(spec *specs.Spec) bool {
 if spec.Linux.CgroupsPath == path {
 return false
 }
- spec.Linux.CgroupsPath = path
+ if spec.Annotations == nil {
+ spec.Annotations = make(map[string]string)
+ }
+ spec.Annotations[cgroupParentAnnotation] = path
 return true
 }
 }
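Review bot: The new constant `cgroupParentAnnotation` in the first hunk has no comment, while `shimAddressPath` directly above it is documented. Since this key is the contract between the shim and runsc, it deserves one line saying who writes it and who reads it, for example `// cgroupParentAnnotation is the spec annotation the shim sets to pass the pod cgroup path to runsc.` The const block starts and ends outside the hunk.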
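Review bot: In the last hunk, `spec.Annotations[cgroupParentAnnotation] = path` is the only place the key is handled, so a `dev.gvisor.spec.cgroup-parent` value already present in the incoming spec is overwritten here but left untouched on every early `return false` (non-sandbox spec, `CgroupsPath == path`, and presumably the no-pod case outside the hunk). If annotations can reach the spec from outside the shim (not visible in this diff), a caller-chosen cgroup path would be passed on to runsc unchanged. Consider treating the key as shim-owned and clearing any inbound value at the top of setPodCgroup with `delete(spec.Annotations, cgroupParentAnnotation)`, returning true when something was removed so the spec is rewritten. The function signature and the path search are outside this hunk.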
diff --git a/pkg/shim/service_test.go b/pkg/shim/service_test.go
index 2d9f07e02..4b4410a58 100644
--- a/pkg/shim/service_test.go
+++ b/pkg/shim/service_test.go
@@ -40,12 +40,12 @@ func TestCgroupPath(t *testing.T) {
 {
 name: "no-container",
 path: "foo/pod123",
- want: "foo/pod123",
+ want: "",
 },
 {
 name: "no-container-absolute",
 path: "/foo/pod123",
- want: "/foo/pod123",
+ want: "",
 },
 {
 name: "double-pod",
@@ -70,7 +70,7 @@ func TestCgroupPath(t *testing.T) {
 {
 name: "no-pod",
 path: "/foo/nopod123/container",
- want: "/foo/nopod123/container",
+ want: "",
 },
 } {
 t.Run(tc.name, func(t *testing.T) {
@@ -79,12 +79,12 @@ func TestCgroupPath(t *testing.T) {
 CgroupsPath: tc.path,
 },
 }
- updated := updateCgroup(&spec)
- if spec.Linux.CgroupsPath != tc.want {
- t.Errorf("updateCgroup(%q), want: %q, got: %q", tc.path, tc.want, spec.Linux.CgroupsPath)
+ updated := setPodCgroup(&spec)
+ if got := spec.Annotations[cgroupParentAnnotation]; got != tc.want {
+ t.Errorf("setPodCgroup(%q), want: %q, got: %q", tc.path, tc.want, got)
 }
- if shouldUpdate := tc.path != tc.want; shouldUpdate != updated {
- t.Errorf("updateCgroup(%q)=%v, want: %v", tc.path, updated, shouldUpdate)
+ if shouldUpdate := len(tc.want) > 0; shouldUpdate != updated {
+ t.Errorf("setPodCgroup(%q)=%v, want: %v", tc.path, updated, shouldUpdate)
 }
 })
 }
@@ -113,8 +113,8 @@ func TestCgroupNoUpdate(t *testing.T) {
 },
 } {
 t.Run(tc.name, func(t *testing.T) {
- if updated := updateCgroup(tc.spec); updated {
- t.Errorf("updateCgroup(%+v), got: %v, want: false", tc.spec.Linux, updated)
+ if updated := setPodCgroup(tc.spec); updated {
+ t.Errorf("setPodCgroup(%+v), got: %v, want: false", tc.spec.Linux, updated)
 }
 })
 }
 |
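Review bot: The rewritten assertions in the `-79,12` hunk of TestCgroupPath check only the annotation, so nothing pins the other half of the behaviour change: that `spec.Linux.CgroupsPath` is now left exactly as supplied. Add `if spec.Linux.CgroupsPath != tc.path { t.Errorf("setPodCgroup(%q) changed CgroupsPath to %q", tc.path, spec.Linux.CgroupsPath) }` after the call. As far as the hunk shows, each case builds the spec without an `Annotations` map, so only the nil-map branch runs. A case with existing annotations, including a pre-set `dev.gvisor.spec.cgroup-parent`, would cover the non-nil branch and record what happens to an inbound value. The test function and its table begin outside this hunk.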