
cgroups: add pids controller support #58

Merged (4 commits, Dec 19, 2015)

Commits on Dec 19, 2015

  1. libcontainer: cgroups: add pids controller support

    Add support for the pids cgroup controller to libcontainer, a recent
    feature that is available in Linux 4.3+.
    
    Unfortunately, due to the init process being written in Go, it can spawn
    an unknown number of threads due to blocked syscalls. This results in
    the init process being unable to run properly, and thus small pids.max
    configs won't work properly.
    
    Signed-off-by: Aleksa Sarai <asarai@suse.com>
    cyphar committed Dec 19, 2015 (commit 37789f5)
  2. libcontainer: cgroups: don't Set in Apply

    Apply and Set are two separate operations, and it doesn't make sense to
    group the two together (especially considering that the bootstrap
    process is added to the cgroup as well). The only exception to this is
    the memory cgroup, which requires the configuration to be set before
    processes can join.
    
    Signed-off-by: Aleksa Sarai <asarai@suse.com>
    cyphar committed Dec 19, 2015 (commit 8a740d5)
  3. libcontainer: cgroups: loudly fail with Set

    It is vital to loudly fail when a user attempts to set a cgroup limit
    (rather than using the system default). Otherwise the user will assume
    they have security they do not actually have. This mirrors the original
    Apply() (that would set cgroup configs) semantics.
    
    Signed-off-by: Aleksa Sarai <asarai@suse.com>
    cyphar committed Dec 19, 2015 (commit 88e6d48)
  4. libcontainer: set cgroup config late

    Due to the fact that the init is implemented in Go (which seemingly
    randomly spawns new processes and loves eating memory), most cgroup
    configurations are required to have an arbitrary minimum dictated by the
    init. This confuses users and makes configuration more annoying than it
    should be. An example of this is pids.max, where Go spawns multiple
    processes that then cause init to violate the pids cgroup constraint
    before the container can even start.
    
    Solve this problem by setting the cgroup configurations as late as
    possible, to avoid hitting as many of the resources hogged by the Go
    init as possible. This has to be done before seccomp rules are applied,
    as the parent and child must synchronise in order for the parent to
    correctly set the configurations (and writes might be blocked by seccomp).
    
    Signed-off-by: Aleksa Sarai <asarai@suse.com>
    cyphar committed Dec 19, 2015 (commit 14ed869)
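The four commits above describe a small cgroup v1 "pids" helper with three properties: joining a cgroup (Apply) is separate from writing its limit (Set), the limit is written as late as possible so the Go init's own threads do not trip it, and any failure to write the limit is surfaced rather than silently ignored. The following is an added illustration of that shape; it is not libcontainer's code. It assumes a cgroup v1 layout under `Root` (normally `/sys/fs/cgroup/pids`), and the convention that a limit of zero or less means "unlimited" (written as the kernel's literal `max`) is an assumption of this example. Pointing `Root` at a scratch directory lets the file handling be exercised without a real cgroup hierarchy.

```go
// Added example of the Apply/Set split for the pids controller.
// Not libcontainer's implementation; cgroup v1 layout is assumed.
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// PidsGroup is one cgroup under the pids hierarchy.
type PidsGroup struct {
	Root string // mount point of the pids hierarchy (assumption: cgroup v1)
	Name string // cgroup path relative to Root, e.g. "demo/ctr1"
}

func (g PidsGroup) dir() string { return filepath.Join(g.Root, g.Name) }

// Apply creates the cgroup and moves pid into it. It deliberately does not
// touch pids.max: joining and limiting are separate operations.
func (g PidsGroup) Apply(pid int) error {
	if err := os.MkdirAll(g.dir(), 0o755); err != nil {
		return fmt.Errorf("pids: create cgroup %q: %w", g.Name, err)
	}
	procs := filepath.Join(g.dir(), "cgroup.procs")
	if err := os.WriteFile(procs, []byte(strconv.Itoa(pid)), 0o644); err != nil {
		return fmt.Errorf("pids: add pid %d to %q: %w", pid, g.Name, err)
	}
	return nil
}

// Set writes pids.max. A limit <= 0 is written as the kernel's literal
// "max" (unlimited); this zero-means-unlimited convention is an assumption
// of the example. A write failure is always returned: a limit the caller
// asked for but that is not enforced must never look like success.
func (g PidsGroup) Set(limit int64) error {
	value := "max"
	if limit > 0 {
		value = strconv.FormatInt(limit, 10)
	}
	path := filepath.Join(g.dir(), "pids.max")
	if err := os.WriteFile(path, []byte(value), 0o644); err != nil {
		return fmt.Errorf("pids: set pids.max=%s on %q: %w", value, g.Name, err)
	}
	return nil
}

// Max reads back the effective limit; -1 means unlimited.
func (g PidsGroup) Max() (int64, error) {
	data, err := os.ReadFile(filepath.Join(g.dir(), "pids.max"))
	if err != nil {
		return 0, err
	}
	s := strings.TrimSpace(string(data))
	if s == "max" {
		return -1, nil
	}
	return strconv.ParseInt(s, 10, 64)
}

// Current reads pids.current, the kernel-maintained count of tasks in the
// group. Comparing it with Max shows how much headroom a limit leaves.
func (g PidsGroup) Current() (int64, error) {
	data, err := os.ReadFile(filepath.Join(g.dir(), "pids.current"))
	if err != nil {
		return 0, err
	}
	return strconv.ParseInt(strings.TrimSpace(string(data)), 10, 64)
}

// Configure is the late-set ordering from the last commit: the process joins
// first (so its bootstrap threads are counted), and the limit is written
// only afterwards, before any seccomp filter could block the write.
func (g PidsGroup) Configure(pid int, limit int64) error {
	if err := g.Apply(pid); err != nil {
		return err
	}
	return g.Set(limit)
}

func main() {
	// Assumption: a cgroup v1 pids hierarchy mounted at this path.
	g := PidsGroup{Root: "/sys/fs/cgroup/pids", Name: "pids-example"}
	if err := g.Configure(os.Getpid(), 64); err != nil {
		fmt.Fprintln(os.Stderr, "error:", err) // loud failure, never silent
		os.Exit(1)
	}
	cur, _ := g.Current()
	max, _ := g.Max()
	fmt.Printf("pids.current=%d pids.max=%d\n", cur, max)
}
```

The check a practitioner wants is the last branch of the test below: writing a limit into a group that does not exist must return an error, which is exactly the "loudly fail with Set" behaviour the third commit asks for.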