summaryrefslogtreecommitdiffhomepage
path: root/runsc/cgroup
AgeCommit message (Collapse)Author
2021-03-06[op] Replace syscall package usage with golang.org/x/sys/unix in runsc/.Ayush Ranjan
The syscall package has been deprecated in favor of golang.org/x/sys. Note that syscall is still used in some places because the following don't seem to have an equivalent in unix package: - syscall.SysProcIDMap - syscall.Credential Updates #214 PiperOrigin-RevId: 361381490
2021-02-22Return nicer error message when cgroups v1 isn't availableFabricio Voznika
Updates #3481 Closes #5430 PiperOrigin-RevId: 358923208
2021-02-02Stub out basic `runsc events --stat` CPU functionalityKevin Krakauer
Because we lack gVisor-internal cgroups, we take the CPU usage of the entire pod and divide it proportionally according to sentry-internal usage stats. This fixes `kubectl top pods`, which gets a pod's CPU usage by summing the usage of its containers. Addresses #172. PiperOrigin-RevId: 355229833
2021-01-27Clean cgroupt mountinfo and add more test casesDaniel Dao
Signed-off-by: Daniel Dao <dqminh89@gmail.com>
2021-01-26runsc: check for nested cgroup when generating croup pathsDaniel Dao
in nested container, we see paths from host in /proc/self/cgroup, so we need to re-process that path to get a relative path to be used inside the container. Without it, runsc generates ugly paths that may trip other cgroup watchers that expect clean paths. An example of ugly path is: ``` /sys/fs/cgroup/memory/docker/e383892b29290ae8005d535f2dadc4a583bb354d5bb1ba8c10bf900d92c4db93/docker/e383892b29290ae8005d535f2dadc4a583bb354d5bb1ba8c10bf900d92c4db93/cgroupPath ``` Notice duplication of `docker/e383892b29290ae8005d535f2dadc4a583bb354d5bb1ba8c10bf900d92c4db93` `/proc/1/cgroup` looks like ``` 12:perf_event:/docker/e383892b29290ae8005d535f2dadc4a583bb354d5bb1ba8c10bf900d92c4db93 11:blkio:/docker/e383892b29290ae8005d535f2dadc4a583bb354d5bb1ba8c10bf900d92c4db93 10:freezer:/docker/e383892b29290ae8005d535f2dadc4a583bb354d5bb1ba8c10bf900d92c4db93 9:hugetlb:/docker/e383892b29290ae8005d535f2dadc4a583bb354d5bb1ba8c10bf900d92c4db93 8:devices:/docker/e383892b29290ae8005d535f2dadc4a583bb354d5bb1ba8c10bf900d92c4db93 7:rdma:/ 6:pids:/docker/e383892b29290ae8005d535f2dadc4a583bb354d5bb1ba8c10bf900d92c4db93 5:cpuset:/docker/e383892b29290ae8005d535f2dadc4a583bb354d5bb1ba8c10bf900d92c4db93 4:cpu,cpuacct:/docker/e383892b29290ae8005d535f2dadc4a583bb354d5bb1ba8c10bf900d92c4db93 3:memory:/docker/e383892b29290ae8005d535f2dadc4a583bb354d5bb1ba8c10bf900d92c4db93 2:net_cls,net_prio:/docker/e383892b29290ae8005d535f2dadc4a583bb354d5bb1ba8c10bf900d92c4db93 1:name=systemd:/docker/e383892b29290ae8005d535f2dadc4a583bb354d5bb1ba8c10bf900d92c4db93 0::/system.slice/containerd.service ``` This is not necessary when the parent container was created with cgroup namespace, but that setup is not very common right now. Signed-off-by: Daniel Dao <dqminh89@gmail.com>
2021-01-12Fix simple mistakes identified by goreportcard.Adin Scannell
These are primarily simplification and lint mistakes. However, minor fixes are also included and tests added where appropriate. PiperOrigin-RevId: 351425971
2020-11-18runsc: check whether cgroup exists or not for each controllerAndrei Vagin
We have seen a case when a memory cgroup exists but a perf_event one doesn't. Reported-by: syzbot+f31468b61d1a27e629dc@syzkaller.appspotmail.com Reported-by: syzbot+1f163ec0321768f1497e@syzkaller.appspotmail.com PiperOrigin-RevId: 343200070
2020-10-27Add more cgroup unit testsFabricio Voznika
PiperOrigin-RevId: 339380431
2020-10-19Fixes to cgroupsFabricio Voznika
There were a few problems with cgroups: - cleanup loop what breaking too early - parse of /proc/[pid]/cgroups was skipping "name=systemd" because "name=" was not being removed from name. - When no limits are specified, fillFromAncestor was not being called, causing a failure to set cpuset.mems Updates #4536 PiperOrigin-RevId: 337947356
2020-07-28Merge pull request #3102 from stripe:andrew/cgroup-eintrgVisor bot
PiperOrigin-RevId: 323638518
2020-07-13Merge pull request #2672 from amscanne:shim-integratedgVisor bot
PiperOrigin-RevId: 321053634
2020-07-01cgroup: retry file writes on EINTR errorsAndrew Dunham
2020-06-10Cgroup fixesFabricio Voznika
- Set hugetlb related fields - Add realtime scheduler related fields - Beef up unit tests Updates #2713 PiperOrigin-RevId: 315797979
2020-06-10Skip pids.max if value is zeroFabricio Voznika
LinuxPids.Limit is the only optional cgroup field in OCI that is not a pointer. If value is 0 or negative it should be skipped. PiperOrigin-RevId: 315791909
2020-05-28Move Cleanup to its own packageFabricio Voznika
PiperOrigin-RevId: 313663382
2020-05-20Add hugetlb and rdma cgroups to runscFabricio Voznika
Updates #2713 PiperOrigin-RevId: 312559463
2020-04-24Propagate PID limit from OCI to sandbox cgroupFabricio Voznika
Closes #2489 PiperOrigin-RevId: 308362434
2020-01-27Standardize on tools directory.Adin Scannell
PiperOrigin-RevId: 291745021
2019-12-15Set CPU number to CPU quotaAleksandr Razumov
When application is not cgroups-aware, it can spawn excessive threads which often defaults to CPU number. Introduce a opt-in flag that will set CPU number accordingly to CPU quota (if available). Fixes #1391
2019-09-03Impose order on test scripts.Adin Scannell
The simple test script has gotten out of control. Shard this script into different pieces and attempt to impose order on overall test structure. This change helps lay some of the foundations for future improvements. * The runsc/test directories are moved into just test/. * The runsc/test/testutil package is split into logical pieces. * The scripts/ directory contains new top-level targets. * Each test is now responsible for building targets it requires. * The install functionality is moved into `runsc` itself for simplicity. * The existing kokoro run_tests.sh file now just calls all (can be split). After this change is merged, I will create multiple distinct workflows for Kokoro, one for each of the scripts currently targeted by `run_tests.sh` today, which should dramatically reduce the time-to-run for the Kokoro tests, and provides a better foundation for further improvements to the infrastructure. PiperOrigin-RevId: 267081397
2019-06-13Update canonical repository.Adin Scannell
This can be merged after: https://github.com/google/gvisor-website/pull/77 or https://github.com/google/gvisor-website/pull/78 PiperOrigin-RevId: 253132620
2019-04-29Change copyright notice to "The gVisor Authors"Michael Pratt
Based on the guidelines at https://opensource.google.com/docs/releasing/authors/. 1. $ rg -l "Google LLC" | xargs sed -i 's/Google LLC.*/The gVisor Authors./' 2. Manual fixup of "Google Inc" references. 3. Add AUTHORS file. Authors may request to be added to this file. 4. Point netstack AUTHORS to gVisor AUTHORS. Drop CONTRIBUTORS. Fixes #209 PiperOrigin-RevId: 245823212 Change-Id: I64530b24ad021a7d683137459cafc510f5ee1de9
2019-02-25Fix cgroup when path is relativeFabricio Voznika
This can happen when 'docker run --cgroup-parent=' flag is set. PiperOrigin-RevId: 235645559 Change-Id: Ieea3ae66939abadab621053551bf7d62d412e7ee
2019-01-31Remove license commentsMichael Pratt
Nothing reads them and they can simply get stale. Generated with: $ sed -i "s/licenses(\(.*\)).*/licenses(\1)/" **/BUILD PiperOrigin-RevId: 231818945 Change-Id: Ibc3f9838546b7e94f13f217060d31f4ada9d4bf0
2019-01-18Scrub runsc error messagesFabricio Voznika
Removed "error" and "failed to" prefix that don't add value from messages. Adjusted a few other messages. In particular, when the container fail to start, the message returned is easier for humans to read: $ docker run --rm --runtime=runsc alpine foobar docker: Error response from daemon: OCI runtime start failed: <path> did not terminate sucessfully: starting container: starting root container [foobar]: starting sandbox: searching for executable "foobar", cwd: "/", $PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin": no such file or directory Closes #77 PiperOrigin-RevId: 230022798 Change-Id: I83339017c70dae09e4f9f8e0ea2e554c4d5d5cd1
2019-01-09Restore to original cgroup after sandbox and gofer processes are createdFabricio Voznika
The original code assumed that it was safe to join and not restore cgroup, but Container.Run will not exit after calling start, making cgroup cleanup fail because there were still processes inside the cgroup. PiperOrigin-RevId: 228529199 Change-Id: I12a48d9adab4bbb02f20d71ec99598c336cbfe51
2018-12-28Simplify synchronization between runsc and sandbox processFabricio Voznika
Make 'runsc create' join cgroup before creating sandbox process. This removes the need to synchronize platform creation and ensure that sandbox process is charged to the right cgroup from the start. PiperOrigin-RevId: 227166451 Change-Id: Ieb4b18e6ca0daf7b331dc897699ca419bc5ee3a2
2018-10-26Order feature strings by blockMichael Pratt
PiperOrigin-RevId: 218894181 Change-Id: I97d0c74175f4aa528363f768a0a85d6953ea0bfd
2018-10-25Uninstall() should not fail if a cgroup directory doesn't existAndrei Vagin
It can be occurred if two controllers are mounted together or if Uninstall() is called on a error path. PiperOrigin-RevId: 218723886 Change-Id: I69d7a3c0685a7da38527ea8b7b301dbe96268285
2018-10-23Track paths and provide a rename hook.Adin Scannell
This change also adds extensive testing to the p9 package via mocks. The sanity checks and type checks are moved from the gofer into the core package, where they can be more easily validated. PiperOrigin-RevId: 218296768 Change-Id: I4fc3c326e7bf1e0e140a454cbacbcc6fd617ab55
2018-10-21Updated cleanup code to be more explicit about ignoring errors.Ian Lewis
Errors are shown as being ignored by assigning to the blank identifier. PiperOrigin-RevId: 218103819 Change-Id: I7cc7b9d8ac503a03de5504ebdeb99ed30a531cf2
2018-10-19Use correct company name in copyright headerIan Gudger
PiperOrigin-RevId: 217951017 Change-Id: Ie08bf6987f98467d07457bcf35b5f1ff6e43c035
2018-10-17Make removing cgroups retry up to 5 seconds.Nicolas Lacasse
Sometimes if we try to remove the cgroup directory too soon after killing the sandbox we EBUSY. This CL adds a retry (up to 5 seconds) for removing. Deflakes ChrootTest. PiperOrigin-RevId: 217526909 Change-Id: I749bb172117e2298c9888ecad094072393b94810
2018-10-11Sandbox cgroup testsFabricio Voznika
Verify that cgroup is being properly set. PiperOrigin-RevId: 216736137 Change-Id: I0e27fd604eca67e7dd2e3548dc372ca9cc416309
2018-10-10Add sandbox to cgroupFabricio Voznika
Sandbox creation uses the limits and reservations configured in the OCI spec and set cgroup options accordinly. Then it puts both the sandbox and gofer processes inside the cgroup. It also allows the cgroup to be pre-configured by the caller. If the cgroup already exists, sandbox and gofer processes will join the cgroup but it will not modify the cgroup with spec limits. PiperOrigin-RevId: 216538209 Change-Id: If2c65ffedf55820baab743a0edcfb091b89c1019