Akihiro Suda AkihiroSuda NTT Tokyo, Japan https://akihirosuda.github.io/ Moby (former Docker Engine), BuildKit, and containerd maintainer. https://twitter.com/_AkihiroSuda_ ("AkihiroSuda" without underscores is NOT my Twitter)

PR opened moby/buildkit

CONTRIBUTING.md: fix broken link

Signed-off-by: Akihiro Suda akihiro.suda.cz@hco.ntt.co.jp

+2 -2

0 comment

1 changed file

pr created time in a minute

create branch AkihiroSuda/buildkit_poc

branch : contributing-md-fix-link

created branch time in 2 minutes

issue closed moby/buildkit

Docker build fails with volume mount error on Windows host when buildKit is enabled.

Description

docker build command fails with volume mount error output when buildKit is enabled.

Steps to reproduce the issue:

  1. Make sure to have Docker version >= 19.03
  2. Enable BuildKit by setting environment variable - DOCKER_BUILDKIT=1
  3. Create an ASP.NET project with Docker support through Visual Studio (or download the sample repro project).
  4. Run command docker build -f "D:\source\repos\WebApplication4\WebApplication4\Dockerfile" --force-rm -t webapplication4:dev --target base "D:\source\repos\WebApplication4".
  5. Check the output of the build command.

Describe the results you received:

PS C:\Users\prsangli\source\repos\WebApplication4> docker build -f "C:\Users\prsangli\source\repos\WebApplication4\WebApplication4\Dockerfile" --force-rm -t webapplication4:dev --target base  "C:\Users\prsangli\source\repos\WebApplication4"
[+] Building 0.0s (2/2) FINISHED
 => [internal] load build definition from Dockerfile    0.0s
 => => transferring dockerfile: 32B    0.0s
 => [internal] load .dockerignore    0.0s
 => => transferring context: 35B    0.0s
failed to solve with frontend dockerfile.v0: failed to read dockerfile: failed to mount C:\ProgramData\Docker\tmp\buildkit-mount414087051: [{Type:bind Source:C:\ProgramData\Docker\windowsfilter\lsbbs5t6dnt8eqc4ehyv38igy Options:[rbind ro]}]: invalid windows mount type: 'bind'

Describe the results you expected: The project builds successfully.

Additional information you deem important (e.g. issue happens only occasionally):

Output of docker version:

Client: Docker Engine - Community
 Version:           19.03.2
 API version:       1.40
 Go version:        go1.12.8
 Git commit:        6a30dfc
 Built:             Thu Aug 29 05:26:49 2019
 OS/Arch:           windows/amd64
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          19.03.2
  API version:      1.40 (minimum version 1.24)
  Go version:       go1.12.8
  Git commit:       6a30dfc
  Built:            Thu Aug 29 05:39:49 2019
  OS/Arch:          windows/amd64
  Experimental:     true

Output of docker info:

Client:
 Debug Mode: false
 Plugins:
  buildx: Build with BuildKit (Docker Inc., v0.3.0-5-g5b97415-tp-docker)
  app: Docker Application (Docker Inc., v0.8.0)

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 116
 Server Version: 19.03.2
 Storage Driver: windowsfilter (windows) lcow (linux)
  Windows:
  LCOW:
 Logging Driver: json-file
 Plugins:
  Volume: local
  Network: ics l2bridge l2tunnel nat null overlay transparent
  Log: awslogs etwlogs fluentd gcplogs gelf json-file local logentries splunk syslog
 Swarm: inactive
 Default Isolation: hyperv
 Kernel Version: 10.0 18362 (18362.1.amd64fre.19h1_release.190318-1202)
 Operating System: Windows 10 Enterprise Version 1903 (OS Build 18362.418)
 OSType: windows
 Architecture: x86_64
 CPUs: 12
 Total Memory: 31.85GiB
 Name: PRSANGLI-D1
 ID: N5KU:KGSR:E2K5:YXJ5:PXT4:CJ4D:PGLN:UWEE:7EPU:ONVV:VXDY:QT4M
 Docker Root Dir: C:\ProgramData\Docker
 Debug Mode: true
  File Descriptors: -1
  Goroutines: 72
  System Time: 2019-11-12T16:21:17.2515085-08:00
  EventsListeners: 3
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: true
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false
 Product License: Community Engine

Additional environment details (AWS, VirtualBox, physical, etc.): Physical machine. Running docker commands through Containers Tools for Visual Studio.

closed time in 3 hours

pratiksanglikar

issue comment moby/buildkit

Docker build fails with volume mount error on Windows host when buildKit is enabled.

Windows is not supported currently

pratiksanglikar

comment created time in 3 hours

pull request comment moby/buildkit

cache: fix possible concurrent maps write on parent release

LGTM

tonistiigi

comment created time in 3 hours

pull request comment containerd/containerd

support cgroup2

I will update PR when containerd/cgroups reach feature-complete for memory stats

AkihiroSuda

comment created time in 12 hours

Pull request review comment containerd/cgroups

Added OOM notification for Memory controller

 func (c *Manager) freeze(path string, state State) error { 		time.Sleep(1 * time.Millisecond) 	} }++func (c *Manager) OOMEventFD() (uintptr, error) {+	fpath := filepath.Join(c.path, "memory.events")+	fd, err := syscall.InotifyInit()+	if err != nil {+		return 0, fmt.Errorf("Failed to create inotify fd")+	}+	defer syscall.Close(fd)+	wd, err := syscall.InotifyAddWatch(fd, fpath, unix.IN_MODIFY)+	if wd < 0 {+		return 0, fmt.Errorf("Failed to add inotify watch for %q", fpath)+	}+	defer syscall.InotifyRmWatch(fd, uint32(wd))++	return uintptr(fd), nil+}++func (c *Manager) EventChan() (<-chan Event, error) {+	fd, err := c.OOMEventFD()+	if err != nil {+		return nil, fmt.Errorf("Failed to create oom event fd")
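Review bot: `defer syscall.Close(fd)` in OOMEventFD runs when the function returns, so the `uintptr(fd)` handed to the caller is already closed (and `defer syscall.InotifyRmWatch(fd, uint32(wd))` removes the watch the same way); close and remove the watch only on the error paths, and let the caller (or a wrapper type) own the descriptor on success. In the same hunk, `syscall.InotifyAddWatch` reports failure through `err`, not only through `wd < 0`, and both error strings discard `err`; check `err != nil` and wrap it, e.g. `errors.Wrapf(err, "failed to add inotify watch for %q", fpath)`.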

errors.Errorf("failed to...")

Zyqsempai

comment created time in 13 hours

Pull request review comment containerd/cgroups

Added OOM notification for Memory controller

 func (c *Manager) freeze(path string, state State) error { 		time.Sleep(1 * time.Millisecond) 	} }++func (c *Manager) OOMEventFD() (uintptr, error) {+	fpath := filepath.Join(c.path, "memory.events")+	fd, err := syscall.InotifyInit()+	if err != nil {+		return 0, fmt.Errorf("Failed to create inotify fd")+	}+	defer syscall.Close(fd)+	wd, err := syscall.InotifyAddWatch(fd, fpath, unix.IN_MODIFY)+	if wd < 0 {+		return 0, fmt.Errorf("Failed to add inotify watch for %q", fpath)+	}+	defer syscall.InotifyRmWatch(fd, uint32(wd))++	return uintptr(fd), nil+}++func (c *Manager) EventChan() (<-chan Event, error) {+	fd, err := c.OOMEventFD()+	if err != nil {+		return nil, fmt.Errorf("Failed to create oom event fd")+	}+	ec := make(chan Event)+	go c.waitForOOMEvents(int(fd), ec)++	return ec, nil+}++func (c *Manager) waitForOOMEvents(fd int, ec chan<- Event) {+	for {+		buffer := make([]byte, syscall.SizeofInotifyEvent*10)+		bytesRead, err := syscall.Read(fd, buffer)+		if err != nil {+			log.Fatal(err)
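Review bot: `log.Fatal(err)` in waitForOOMEvents exits the whole process from library code on any read error, including EINTR or EBADF once the descriptor is closed; return from the goroutine (closing `ec` so consumers see the end of the stream) or deliver the error instead of calling Fatal. Also `ec := make(chan Event)` is unbuffered, so a consumer that is slow or has stopped receiving blocks the reader goroutine indefinitely on the send; document that the caller must drain the channel or give it a small buffer.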

continue loop on error?

Zyqsempai

comment created time in 13 hours

Pull request review comment containerd/cgroups

Added OOM notification for Memory controller

 func (c *Manager) freeze(path string, state State) error { 		time.Sleep(1 * time.Millisecond) 	} }++func (c *Manager) OOMEventFD() (uintptr, error) {+	fpath := filepath.Join(c.path, "memory.events")+	fd, err := syscall.InotifyInit()+	if err != nil {+		return 0, fmt.Errorf("Failed to create inotify fd")+	}+	defer syscall.Close(fd)+	wd, err := syscall.InotifyAddWatch(fd, fpath, unix.IN_MODIFY)+	if wd < 0 {+		return 0, fmt.Errorf("Failed to add inotify watch for %q", fpath)+	}+	defer syscall.InotifyRmWatch(fd, uint32(wd))++	return uintptr(fd), nil+}++func (c *Manager) EventChan() (<-chan Event, error) {+	fd, err := c.OOMEventFD()+	if err != nil {+		return nil, fmt.Errorf("Failed to create oom event fd")+	}+	ec := make(chan Event)+	go c.waitForOOMEvents(int(fd), ec)++	return ec, nil+}++func (c *Manager) waitForOOMEvents(fd int, ec chan<- Event) {
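Review bot: EventChan starts `go c.waitForOOMEvents(int(fd), ec)` with no way to stop it, so the goroutine and the inotify descriptor outlive the Manager (e.g. after Delete) and accumulate across repeated calls; accept a context or a done channel and close `fd` when it is cancelled so the blocked Read returns and the goroutine exits.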

not specific to OOM

Zyqsempai

comment created time in 13 hours

pull request comment moby/moby

Fix misspellings of "successfully" in error msgs

Please submit PR to https://github.com/containerd/go-runc and then run https://github.com/LK4D4/vndr with updated vendor.conf

dnnr

comment created time in 14 hours

started opencontainers/runc

started time in 15 hours

pull request comment containerd/cgroups

Added OOM notification for Memory controller

Yes, but I agree it is not now

Zyqsempai

comment created time in 17 hours

Pull request review comment containerd/cgroups

Added OOM notification for Memory controller

 func (c *Manager) freeze(path string, state State) error { 		time.Sleep(1 * time.Millisecond) 	} }++func (c *Manager) OOMEventFD(rootPath string) (uintptr, error) {+	fpath := filepath.Join(rootPath, "memory.events")

you can use c.path

Zyqsempai

comment created time in 19 hours

Pull request review comment containerd/cgroups

Added OOM notification for Memory controller

 func (c *Manager) freeze(path string, state State) error { 		time.Sleep(1 * time.Millisecond) 	} }++func (c *Manager) OOMEventFD(rootPath string) (uintptr, error) {

We should also have function like

const (
  EventLow
  EventHigh
  EventMax
  EventOOM
  EventOOMKill
)

func (*Manager) EventChan() (<-chan Event, error)

Zyqsempai

comment created time in 19 hours

pull request comment containerd/cgroups

Added OOM notification for Memory controller

in case we receive an inotify event, create a new separate file for OOMs only, and return that file's fd.

Does kernel have this feature? Seems not https://facebookmicrosites.github.io/cgroup2/docs/memory-controller.html

Zyqsempai

comment created time in 19 hours

Pull request review comment containerd/cgroups

Added OOM notification for Memory controller

 func (c *Manager) freeze(path string, state State) error { 		time.Sleep(1 * time.Millisecond) 	} }++func (c *Manager) OOMEventFD(rootPath string) (uintptr, error) {

This should be called EventsFD, because the FD is not only for OOM

Zyqsempai

comment created time in 19 hours

PR opened moby/buildkit

examples/kubernetes: use Parallel mode for StatefulSet

Parallel mode relaxes the pod creation order constraint.

https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#parallel-pod-management

Signed-off-by: Akihiro Suda akihiro.suda.cz@hco.ntt.co.jp

+3 -1

0 comment

3 changed files

pr created time in 19 hours

create branch AkihiroSuda/buildkit_poc

branch : statefulset-parallel

created branch time in 19 hours

issue opened moby/buildkit

buildctl should support showing on-going builds

created time in 20 hours

pull request comment docker/buildx

new driver: kubernetes

added new (hacky) commit: kubernetes: show Kubernetes Pods as buildx "Nodes" in docker buildx inspect

$ k get pods
NAME                     READY   STATUS    RESTARTS   AGE
kube0-75897b8444-dnfhg   1/1     Running   0          2m
kube0-75897b8444-dsfht   1/1     Running   0          2m
kube0-75897b8444-ghthr   1/1     Running   0          2m

AkihiroSuda

comment created time in 20 hours

push event AkihiroSuda/buildx

Xiang Dai

commit sha 427c19d65c8ce4bbc03b78c75985a271e68993bb

Update README.md Comment that with docker 19.03-, can not use buildx as docker plugin.

Tõnis Tiigi

commit sha 43edd6b77e197b9abb25ed4db2d0a5f5c1299b6d

Merge pull request #162 from daixiang0/patch-1 Update README.md

Sune Keller

commit sha fd44accc79ee5c2d8826da3790b12c87d3568024

Support environment variables in docker-container driver Fixes #169 Signed-off-by: Sune Keller <absukl@almbrand.dk>

Tõnis Tiigi

commit sha 714f181d8134f7ac75404e6422bf20bd18776413

Merge pull request #170 from sirlatrom/169-docker-container-driver-envs Support environment variables in docker-container driver

Tonis Tiigi

commit sha eb1aabe9e343b87b04144e4397a162de78247ddd

imagetools: avoid printing newline on raw mode Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

Tõnis Tiigi

commit sha 6aba19193ab6fe70e77a3ca68528475059fe951c

Merge pull request #182 from tonistiigi/raw-newline imagetools: avoid printing newline on raw mode

Solomon Hykes

commit sha d7adb9ef6e8d89e4f2e4214609acd1859141eb38

Clarify documentation structure

Move a paragraph in README to clarify where it fits in the structure.

- Before the move, the paragraph seems to apply to the `--output=local` section when in fact it applies to the entire `--output` section. This is especially confusing for the sentence "if just the path is specified as a value, `buildx` will use the local exporter with this path as the destination".
- After the move, it is clear that the paragraph applies to `--output`

Tõnis Tiigi

commit sha 8e92bfc8f0485d27c2d10582fb5377599fc621ad

Merge pull request #188 from shykes/patch-1 Clarify documentation structure

Akihiro Suda

commit sha c7e253f10006527bed198149979236bc56bb16e3

new driver: kubernetes

Tested with `kind` and GKE.

Note: "nodes" shown in `docker buildx ls` are unrelated to Kubernetes "nodes". Probably buildx should come up with an alternative term.

Usage:

$ kind create cluster
$ export KUBECONFIG="$(kind get kubeconfig-path --name="kind")"
$ docker buildx create --driver kubernetes --driver-opt replicas=3 --use
$ docker buildx build -t foo --load .

`--load` loads the image into the local Docker.

Driver opts:
- `image=IMAGE` - Sets the container image to be used for running buildkit.
- `namespace=NS` - Sets the Kubernetes namespace. Defaults to the current namespace.
- `replicas=N` - Sets the number of `Pod` replicas. Defaults to 1.
- `rootless=(true|false)` - Run the container as a non-root user without `securityContext.privileged`. Defaults to false.
- `loadbalance=(sticky|random)` - Load-balancing strategy. If set to "sticky", the pod is chosen using the hash of the context path. Defaults to "sticky"

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

Akihiro Suda

commit sha bab60779cf4df24e73b5692e98f61a80555d1537

kubernetes: show Kubernetes Pods as buildx "Nodes" in `docker buildx inspect` Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

push time in 20 hours

issue opened docker/buildx

add `--bootstrap` to `--create`

From the user's point of view, bootstrapping might be considered a part of create rather than inspect.

So docker buildx create should support --bootstrap as well as docker buildx inspect.

created time in 20 hours

pull request comment opencontainers/runc

cgroup2: ebpf: increase RLIM_MEMLOCK to avoid BPF_PROG_LOAD error

@dqminh @hqhq @cyphar @mrunalp PTAL?

AkihiroSuda

comment created time in a day

push event AkihiroSuda/containerd-cgroups

Michael Crosby

commit sha 7209a8dfde2726fa544906fc061605e43e798b1d

Add v2 io support Signed-off-by: Michael Crosby <crosbymichael@gmail.com>

Michael Crosby

commit sha 684eefa15a1bae5f170f96cb7dddfc3c4abf599c

Add mapping to stats struct Signed-off-by: Michael Crosby <crosbymichael@gmail.com>

Phil Estes

commit sha 4baafdb2bf451498eae2a8b3620cff8755b4628c

Merge pull request #112 from crosbymichael/io Add v2 io support

Akihiro Suda

commit sha f067ba87e5b52cb6447c6aa9bb468621eba6def9

.travis.yml: add cgroup v2 Vagrant box Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

push time in 4 days

push event AkihiroSuda/containerd-cgroups

Akihiro Suda

commit sha ce1f241e8fa9ab1ac0f47542ed666de46718f116

.travis.yml: add cgroup v2 Vagrant box Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

push time in 4 days

push event AkihiroSuda/containerd-cgroups

Akihiro Suda

commit sha eea08db2fe2613a7d033f3297b0a6f253f98d14a

.travis.yml: add cgroup v2 Vagrant box Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

push time in 4 days

push event AkihiroSuda/containerd-cgroups

Akihiro Suda

commit sha 2a6ed9833ae261863634200b824884f70309e3bb

.travis.yml: add cgroup v2 Vagrant box Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

push time in 4 days

push event AkihiroSuda/containerd-cgroups

Akihiro Suda

commit sha 42f43d754af927322a6adfbd278204e106f0e32e

.travis.yml: add cgroup v2 Vagrant box Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

push time in 4 days

issue comment ktock/remote-snapshotter

Make unionfs pluggable

that's not my comment

ktock

comment created time in 4 days

issue comment ktock/remote-snapshotter

Make unionfs pluggable

How will btrfs work with this?

ktock

comment created time in 4 days

issue comment containerd/cgroups

cgroup2: check list for v2 controller implementations

Do we need devices controller for CRI and Moby?

AkihiroSuda

comment created time in 4 days

push event AkihiroSuda/containerd-cgroups

Akihiro Suda

commit sha e96a9d934d4d97a70178221ee2c5cd80c862e66b

.travis.yml: add cgroup v2 Vagrant box Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

push time in 5 days

push event AkihiroSuda/containerd-cgroups

Akihiro Suda

commit sha 7d03313ac5d94492401cabab2abaf84783ddf937

.travis.yml: add cgroup v2 Vagrant box Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

push time in 5 days

push event AkihiroSuda/containerd-cgroups

Akihiro Suda

commit sha f083f360455f15fcfca9075bf23282fe48210474

.travis.yml: add cgroup v2 Vagrant box Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

push time in 5 days

push event AkihiroSuda/containerd-cgroups

Akihiro Suda

commit sha 4c8efa071b44897ad9dfaf8632fa21234bf0c20b

.travis.yml: add cgroup v2 Vagrant box Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

push time in 5 days

issue opened containers/crun

`crun --version` should show git commit

created time in 5 days

push event AkihiroSuda/containerd-cgroups

Akihiro Suda

commit sha d843d96767cf2844b9aa85d6eccca8f6d54c31c7

.travis.yml: add cgroup v2 Vagrant box Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

push time in 5 days

push event AkihiroSuda/containerd-cgroups

Akihiro Suda

commit sha 9bd4642b5206fa93d495f4e243933c1c9cb4527e

.travis.yml: add cgroup v2 Vagrant box Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

push time in 5 days

issue opened containers/crun

Clarify how to report vulnerabilities

How to report vulnerabilities should be clarified in the document.

created time in 5 days

push event AkihiroSuda/containerd-cgroups

Akihiro Suda

commit sha dba1d2e89f943a69bb85c7dbca1879b1c3cbb825

.travis.yml: add cgroup v2 Vagrant box Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

push time in 5 days

PR opened containerd/cgroups

.travis.yml: add cgroup v2 Vagrant box

Signed-off-by: Akihiro Suda akihiro.suda.cz@hco.ntt.co.jp

+33 -0

0 comment

3 changed files

pr created time in 5 days

create branch AkihiroSuda/containerd-cgroups

branch : v2-travis

created branch time in 5 days

pull request comment containerd/containerd

Update to Golang 1.13.1

needs rebase

thaJeztah

comment created time in 5 days

Pull request review comment containerd/containerd

ctr: add --runc-binary --runc-systemd-cgroup

 import ( 	"github.com/containerd/containerd/contrib/seccomp" 	"github.com/containerd/containerd/oci" 	"github.com/containerd/containerd/platforms"+	"github.com/containerd/containerd/runtime/v2/runc/options" 	"github.com/opencontainers/runtime-spec/specs-go" 	"github.com/pkg/errors" 	"github.com/urfave/cli" ) -var platformRunFlags []cli.Flag+var platformRunFlags = []cli.Flag{+	cli.StringFlag{+		Name:  "runc-binary",+		Usage: "specify runc-compatible binary",
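Review bot: the Usage string `"specify runc-compatible binary"` for the new `runc-binary` flag does not say which runtime honours it; since the flag is wired through the `runtime/v2/runc/options` package imported in this hunk, state in Usage that it applies to the runc v2 shim so users of other shims do not expect it to take effect.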

So the shim name is "io.containerd.runc.v2"

AkihiroSuda

comment created time in 5 days

Pull request review comment containerd/containerd

ctr: add --runc-binary --runc-systemd-cgroup

 import ( 	"github.com/containerd/containerd/contrib/seccomp" 	"github.com/containerd/containerd/oci" 	"github.com/containerd/containerd/platforms"+	"github.com/containerd/containerd/runtime/v2/runc/options" 	"github.com/opencontainers/runtime-spec/specs-go" 	"github.com/pkg/errors" 	"github.com/urfave/cli" ) -var platformRunFlags []cli.Flag+var platformRunFlags = []cli.Flag{+	cli.StringFlag{+		Name:  "runc-binary",+		Usage: "specify runc-compatible binary",

runc CLI spec is out of OCI

AkihiroSuda

comment created time in 5 days

issue comment opencontainers/runc

cgroup2: does not work with rootless podman

cgroupfs is being fixed in https://github.com/opencontainers/runc/pull/2169

AkihiroSuda

comment created time in 5 days

PR opened containerd/containerd

ctr: add --runc-binary --runc-systemd-cgroup

from https://github.com/containerd/containerd/pull/3799

+31 -2

0 comment

1 changed file

pr created time in 5 days

create branch AkihiroSuda/containerd

branch : ctr-shim2-runc-flags

created branch time in 5 days

pull request comment docker/go-connections

tlsconfig: remove support for tls.VersionSSL30

@alrs Please sign the commit with git commit -s https://github.com/moby/moby/blob/master/docs/contributing/set-up-git.md#task-2-set-your-signature-and-an-upstream-remote

alrs

comment created time in 5 days

pull request comment docker/go-connections

tlsconfig: remove support for tls.VersionSSL30

commit needs sign

alrs

comment created time in 5 days

pull request comment docker/go-connections

tlsconfig: remove support for tls.VersionSSL30

CI failure seems unrelated?

#!/bin/bash -eo pipefail
go get -d github.com/Microsoft/go-winio &&
go build ./...
# golang.org/x/sys/windows
/home/circleci/.go_workspace/src/golang.org/x/sys/windows/dll_windows.go:21:6: missing function body for "syscall_loadlibrary"
/home/circleci/.go_workspace/src/golang.org/x/sys/windows/dll_windows.go:24:6: missing function body for "syscall_getprocaddress"
Exited with code 2

alrs

comment created time in 5 days

Pull request review comment containerd/cgroups

Add v2 io support

 func (c *Manager) Procs(recursive bool) ([]uint64, error) { 	return processes, err } -func (c *Manager) Stat() (map[string]uint64, error) {+var singleValueFiles = []string{+	"pids.current",+	"pids.max",

can be another PR, but we need memory.current and memory.swap.current? https://facebookmicrosites.github.io/cgroup2/docs/memory-controller.html

crosbymichael

comment created time in 5 days

issue comment docker-library/docker

dind-rootless: failed to start up dind rootless in k8s due to max_user_namespaces

Add user.max_user_namespaces=28633 to /etc/sysctl.conf (or /etc/sysctl.d) and run sudo sysctl -p

https://github.com/moby/moby/blob/master/docs/rootless.md#rhelcentos-7

hxin19

comment created time in 6 days

issue comment moby/moby

docker run: support specifying rootfs directory directly

The rootfs path should be specified instead of the image name. Same as podman.

AkihiroSuda

comment created time in 6 days

pull request comment opencontainers/runc

cgroup2: split fs2 from fs

Test script:

#!/bin/sh
x(){
    echo + "$@"
    "$@"
}

for runtime in /usr/local/bin/crun /usr/local/sbin/runc; do
    echo "=== RUNTIME $runtime ==="
    for manager in cgroupfs systemd; do
        echo "= MANAGER $manager ="
        x sudo podman --runtime=$runtime --cgroup-manager=$manager run -d --name tmp -v /:/host --device /dev/sda1 --cgroupns=host --pids-limit=10 alpine top
        x sudo podman exec tmp cat /proc/self/cgroup
        x sudo podman exec tmp sh -c 'echo should be 10; cat /sys/fs/cgroup$(cat /proc/self/cgroup | sed -e s/0:://g)/pids.max'
        x sudo podman exec tmp sh -c 'echo should fail; hexdump -C /host/dev/sda | head -n 1'
        x sudo podman exec tmp sh -c 'echo should succeed; hexdump -C /host/dev/sda1 | head -n 1'
        x sudo podman rm -f tmp
    done
    echo "= MANAGER cgroupfs (rootless) ="
    x podman --runtime=$runtime --cgroup-manager=cgroupfs run --rm --cgroupns=host alpine cat /proc/self/cgroup
    # runc+systemd+rootless is not supported yet (#2163)
done

result (working as expected):

=== RUNTIME /usr/local/bin/crun ===
= MANAGER cgroupfs =
+ sudo podman --runtime=/usr/local/bin/crun --cgroup-manager=cgroupfs run -d --name tmp -v /:/host --device /dev/sda1 --cgroupns=host --pids-limit=10 alpine top
5bd05442b7b72d4dbe16a8ded0c1c8ac1b2a2a22ca1f50363f23d66f2371347e
+ sudo podman exec tmp cat /proc/self/cgroup
0::/libpod_parent/libpod-5bd05442b7b72d4dbe16a8ded0c1c8ac1b2a2a22ca1f50363f23d66f2371347e
+ sudo podman exec tmp sh -c echo should be 10; cat /sys/fs/cgroup$(cat /proc/self/cgroup | sed -e s/0:://g)/pids.max
should be 10
10
+ sudo podman exec tmp sh -c echo should fail; hexdump -C /host/dev/sda | head -n 1
should fail
hexdump: /host/dev/sda: Operation not permitted
hexdump: /host/dev/sda: Bad file descriptor
+ sudo podman exec tmp sh -c echo should succeed; hexdump -C /host/dev/sda1 | head -n 1
should succeed
00000000  eb 58 90 6d 6b 66 73 2e  66 61 74 00 02 08 20 00  |.X.mkfs.fat... .|
+ sudo podman rm -f tmp
5bd05442b7b72d4dbe16a8ded0c1c8ac1b2a2a22ca1f50363f23d66f2371347e
= MANAGER systemd =
+ sudo podman --runtime=/usr/local/bin/crun --cgroup-manager=systemd run -d --name tmp -v /:/host --device /dev/sda1 --cgroupns=host --pids-limit=10 alpine top
b7f24f4c38258791ba7a7cccc2967e4e8bd3141c9043fb9755888d06e13dbee6
+ sudo podman exec tmp cat /proc/self/cgroup
0::/machine.slice/libpod-b7f24f4c38258791ba7a7cccc2967e4e8bd3141c9043fb9755888d06e13dbee6.scope
+ sudo podman exec tmp sh -c echo should be 10; cat /sys/fs/cgroup$(cat /proc/self/cgroup | sed -e s/0:://g)/pids.max
should be 10
10
+ sudo podman exec tmp sh -c echo should fail; hexdump -C /host/dev/sda | head -n 1
should fail
hexdump: /host/dev/sda: Operation not permitted
hexdump: /host/dev/sda: Bad file descriptor
+ sudo podman exec tmp sh -c echo should succeed; hexdump -C /host/dev/sda1 | head -n 1
should succeed
00000000  eb 58 90 6d 6b 66 73 2e  66 61 74 00 02 08 20 00  |.X.mkfs.fat... .|
+ sudo podman rm -f tmp
b7f24f4c38258791ba7a7cccc2967e4e8bd3141c9043fb9755888d06e13dbee6
= MANAGER cgroupfs (rootless) =
+ podman --runtime=/usr/local/bin/crun --cgroup-manager=cgroupfs run --rm --cgroupns=host alpine cat /proc/self/cgroup
0::/user.slice/user-1001.slice/user@1001.service/user.slice/podman-40576.scope
=== RUNTIME /usr/local/sbin/runc ===
= MANAGER cgroupfs =
+ sudo podman --runtime=/usr/local/sbin/runc --cgroup-manager=cgroupfs run -d --name tmp -v /:/host --device /dev/sda1 --cgroupns=host --pids-limit=10 alpine top
d1ca9ac588f32ad168420348734ccf1323d8bdf37d8f1fcee33e0520fea40e28
+ sudo podman exec tmp cat /proc/self/cgroup
0::/libpod_parent/libpod-d1ca9ac588f32ad168420348734ccf1323d8bdf37d8f1fcee33e0520fea40e28
+ sudo podman exec tmp sh -c echo should be 10; cat /sys/fs/cgroup$(cat /proc/self/cgroup | sed -e s/0:://g)/pids.max
should be 10
10
+ sudo podman exec tmp sh -c echo should fail; hexdump -C /host/dev/sda | head -n 1
should fail
hexdump: /host/dev/sda: Operation not permitted
hexdump: /host/dev/sda: Bad file descriptor
+ sudo podman exec tmp sh -c echo should succeed; hexdump -C /host/dev/sda1 | head -n 1
should succeed
00000000  eb 58 90 6d 6b 66 73 2e  66 61 74 00 02 08 20 00  |.X.mkfs.fat... .|
+ sudo podman rm -f tmp
d1ca9ac588f32ad168420348734ccf1323d8bdf37d8f1fcee33e0520fea40e28
= MANAGER systemd =
+ sudo podman --runtime=/usr/local/sbin/runc --cgroup-manager=systemd run -d --name tmp -v /:/host --device /dev/sda1 --cgroupns=host --pids-limit=10 alpine top
e96d5cff6ac7a27cacd13bc24207c167e707b86bbdb42904a3b20659b3910ddf
+ sudo podman exec tmp cat /proc/self/cgroup
0::/machine.slice/libpod-e96d5cff6ac7a27cacd13bc24207c167e707b86bbdb42904a3b20659b3910ddf.scope
+ sudo podman exec tmp sh -c echo should be 10; cat /sys/fs/cgroup$(cat /proc/self/cgroup | sed -e s/0:://g)/pids.max
should be 10
10
+ sudo podman exec tmp sh -c echo should fail; hexdump -C /host/dev/sda | head -n 1
should fail
hexdump: /host/dev/sda: Operation not permitted
hexdump: /host/dev/sda: Bad file descriptor
+ sudo podman exec tmp sh -c echo should succeed; hexdump -C /host/dev/sda1 | head -n 1
should succeed
00000000  eb 58 90 6d 6b 66 73 2e  66 61 74 00 02 08 20 00  |.X.mkfs.fat... .|
+ sudo podman rm -f tmp
e96d5cff6ac7a27cacd13bc24207c167e707b86bbdb42904a3b20659b3910ddf
= MANAGER cgroupfs (rootless) =
+ podman --runtime=/usr/local/sbin/runc --cgroup-manager=cgroupfs run --rm --cgroupns=host alpine cat /proc/self/cgroup
0::/user.slice/user-1001.slice/user@1001.service/user.slice/podman-41213.scope

AkihiroSuda

comment created time in 6 days

PR opened opencontainers/runc

cgroup2: split fs2 from fs

split fs2 package from fs, as mixing up fs and fs2 is very likely to result in unmaintainable code.

Inspired by containerd/cgroups#109

Fix #2157

Signed-off-by: Akihiro Suda akihiro.suda.cz@hco.ntt.co.jp

+949 -897

0 comment

43 changed files

pr created time in 6 days

create branch AkihiroSuda/runc

branch : split-fs

created branch time in 6 days

issue comment docker/for-linux

File permission has a lot question marks

1.13.1 is ancient and unsupported.

liudonghua123

comment created time in 6 days

issue comment moby/moby

docker run: support specifying rootfs directory directly

containerd already has this; only moby needs to be changed

AkihiroSuda

comment created time in 6 days

Pull request review comment containerd/cgroups

v2: restore VerifyGroupPath; v2: fix TestParseCgroupFromReader

 func PidGroupPath(pid int) (string, error) { 	p := fmt.Sprintf("/proc/%d/cgroup", pid) 	return parseCgroupFile(p) }++// VerifyGroupPath verifies the format of group path string g.+// The format is same as the third field in /proc/PID/cgroup.+// e.g. "/user.slice/user-1001.slice/session-1.scope"+//+// g must be a "clean" absolute path starts with "/", and must not contain "/sys/fs/cgroup" prefix.+//+// VerifyGroupPath doesn't verify whether g actually exists on the system.+func VerifyGroupPath(g string) error {+	if !strings.HasPrefix(g, "/") {+		return ErrInvalidGroupPath+	}+	if filepath.Clean(g) != g {+		return ErrInvalidGroupPath+	}+	if strings.HasPrefix(g, "/sys/fs/cgroup") {+		return ErrInvalidGroupPath+	}+	return nil+}
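Review bot: the doc comment on VerifyGroupPath reads `must be a "clean" absolute path starts with "/"`; make it `that starts with "/"`. On the logic, `strings.HasPrefix(g, "/sys/fs/cgroup")` also rejects unrelated paths that merely share the prefix (for example "/sys/fs/cgroupfoo"); if the intent is only to refuse paths rooted at the mountpoint, compare against "/sys/fs/cgroup" and the "/sys/fs/cgroup/" prefix. The `filepath.Clean(g) != g` check is the right guard here, since it rejects ".." components and trailing slashes before the path is joined onto the cgroup root.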

I feel it is less readable

AkihiroSuda

comment created time in 6 days

pull request comment opencontainers/runc

cgroup2: ebpf: increase RLIM_MEMLOCK to avoid BPF_PROG_LOAD error

Anyway rootless cannot use eBPF device controller and the error is ignored

AkihiroSuda

comment created time in 6 days

Pull request review comment opencontainers/runc

Makefile: allow overriding `docker` command

 	    test unittest integration \ 	    cross localcross +DOCKER := docker

WDYT?

AkihiroSuda

comment created time in 6 days

push event AkihiroSuda/runc

Akihiro Suda

commit sha faf1e44ea9d001535f228ce570e56e18d3dece06

cgroup2: ebpf: increase RLIM_MEMLOCK to avoid BPF_PROG_LOAD error Fix #2167 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

push time in 6 days

push event AkihiroSuda/runc

Akihiro Suda

commit sha 3c535eccb63f7cffea86fa544dbcc66afe6dd8a2

cgroup2: ebpf: increase RLIM_MEMLIMIT to avoid BPF_PROG_LOAD error Fix #2167 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

view details

push time in 6 days

issue comment opencontainers/runc

cgroup2: procHooks: failed to load program: operation not permitted

PR https://github.com/opencontainers/runc/pull/2168

AkihiroSuda

comment created time in 6 days

PR opened opencontainers/runc

cgroup2: ebpf: increase RLIM_INFINITY to avoid BPF_PROG_LOAD error

Fix #2167

Signed-off-by: Akihiro Suda akihiro.suda.cz@hco.ntt.co.jp

+7 -0

0 comment

1 changed file

pr created time in 6 days

create branch AkihiroSuda/runc

branch : ebpf-fix-rlimit

created branch time in 6 days

issue comment opencontainers/runc

cgroup2: procHooks: failed to load program: operation not permitted

I found the issue.

systemd decreases ulimit -l from 65536 to 64.

crun doesn't hit this because it increases the value by itself https://github.com/containers/crun/blob/4a46e90445beeb67117dff4999d9bba9994f4233/src/libcrun/ebpf.c#L305-L309

AkihiroSuda

comment created time in 6 days
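The fix the comment points at, as an added Go example (not runc's or crun's own code): raise the process's RLIMIT_MEMLOCK before the BPF_PROG_LOAD call so the 64 KiB limit inherited from systemd no longer turns into EPERM. Assumptions: Linux on x86-64 or arm64, where RLIMIT_MEMLOCK is resource number 8 (package syscall does not export it).

```go
package main

import (
	"fmt"
	"os"
	"syscall"
)

// RLIMIT_MEMLOCK is not exported by package syscall; 8 is its resource
// number on Linux x86-64 and arm64 (assumption, see lead-in).
const rlimitMemlock = 8

// wantMemlock is 64 MiB, the 65536 KiB "ulimit -l" value the comment
// describes as the default before systemd lowers it to 64 KiB.
const wantMemlock uint64 = 64 << 20

// memlockTarget decides what to request from setrlimit(2): the limit to
// apply and whether a call is needed at all.
func memlockTarget(cur syscall.Rlimit, want uint64) (syscall.Rlimit, bool) {
	if cur.Cur >= want {
		// Already large enough, e.g. dockerd started from an interactive shell.
		return cur, false
	}
	next := cur
	next.Cur = want
	if next.Max < want {
		// Raising the hard limit needs CAP_SYS_RESOURCE; a rootless daemon
		// gets EPERM here and must tolerate it (it cannot use the eBPF
		// device controller anyway).
		next.Max = want
	}
	return next, true
}

// ulimitL converts a byte limit into the KiB unit that "ulimit -l" prints.
func ulimitL(bytes uint64) uint64 { return bytes / 1024 }

// ensureMemlock raises RLIMIT_MEMLOCK of the current process to at least
// want bytes. It reports whether the limit was changed.
func ensureMemlock(want uint64) (bool, error) {
	var cur syscall.Rlimit
	if err := syscall.Getrlimit(rlimitMemlock, &cur); err != nil {
		return false, err
	}
	next, raise := memlockTarget(cur, want)
	if !raise {
		return false, nil
	}
	if err := syscall.Setrlimit(rlimitMemlock, &next); err != nil {
		return false, fmt.Errorf("raise RLIMIT_MEMLOCK from %d KiB to %d KiB: %w",
			ulimitL(cur.Cur), ulimitL(want), err)
	}
	return true, nil
}

func main() {
	// Do this before the BPF_PROG_LOAD call, while still privileged.
	changed, err := ensureMemlock(wantMemlock)
	if err != nil {
		// Rootless case: report and continue, the eBPF step is skipped there.
		fmt.Fprintln(os.Stderr, "warning:", err)
		return
	}
	fmt.Println("RLIMIT_MEMLOCK raised:", changed)
}
```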

issue comment opencontainers/runc

cgroup2: procHooks: failed to load program: operation not permitted

Hmm, docker+runc works when I start dockerd manually in a terminal, but fails when it is started via systemd 🤔

$ sudo cat /lib/systemd/system/docker.service 
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target docker.socket firewalld.service
Wants=network-online.target
Requires=docker.socket

[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStart=/usr/local/bin/dockerd -H fd://
ExecReload=/bin/kill -s HUP $MAINPID
LimitNOFILE=1048576
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNPROC=infinity
LimitCORE=infinity
# Uncomment TasksMax if your systemd version supports it.
# Only systemd 226 and above support this version.
#TasksMax=infinity
TimeoutStartSec=0
# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes
# kill only the docker process, not all processes in the cgroup
KillMode=process
# restart the docker process if it exits prematurely
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s

[Install]
WantedBy=multi-user.target

$ systemd --version
systemd 242 (242)
+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=hybrid

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 19.10
Release:        19.10
Codename:       eoan

AkihiroSuda

comment created time in 6 days

pull request comment docker/docker.github.io

Add "Run the Docker daemon as a non-root user (Rootless mode)"

addressed comments, thanks

AkihiroSuda

comment created time in 6 days

push event AkihiroSuda/docker.github.io

Bruno Pasquini Baptista Affonso

commit sha 51c63a7e7eda76503cff428dcd37341f1bfd9f5c

Update README.md Remove Extra Whitespace.

view details

Paulo Gomes

commit sha 04b5f87b2886aeccc21639923fb35a78a8032a2e

Remove socket from blocked syscalls Socket syscalls are no longer blocked on the default profile for a while now. More information: https://github.com/moby/moby/commit/dcf2632945b87acedeea989a5aa36c084a20ae88#diff-0ebf5796a57d68894d5550c407061035

view details

Paulo Gomes

commit sha d32f93ca93262668ae913a1b572e8ff3392a7b83

Remove reference to socket and socketcall

view details

Arko Dasgupta

commit sha c90f67c29577be0c1cbfcc3c7369e874902fceb6

Fix Type for HitlessServiceUpdate

view details

Adrian Plata

commit sha ebbc999a64f0e601cdab000d0b490e3145187d6e

adding read time skip (#9732) Signed-off-by: Adrian Plata <adrian.plata@docker.com>

view details

lena-larionova

commit sha cf588eb2fd5ab2444f38c24d266d9a8ed6338a56

Updating pull/push mirroring screenshots to DTR 2.7 (#9727) * Updating the images to DTR 2.7 and some formatting edits Signed-off-by: Lena Larionova <lena.larionova@docker.com> * Minor phrasing change

view details

lena-larionova

commit sha cc7199585525262f0372e65e9e90548a1975d272

Cancelling or downgrading a subscription (#9733) * added doc for cancelling or downgrading a subscription Signed-off-by: Lena Larionova <lena.larionova@docker.com> * Changes from feedback Signed-off-by: Lena Larionova <lena.larionova@docker.com>

view details

Usha Mandya

commit sha 0823ae8baedbc6e6aaa97137359b7807c3d8bc0e

update Mac FAQs (#9596) update Mac FAQs

view details

Usha Mandya

commit sha ca38a3eacf92f22772bb7155b6fca8dd1fdcbd77

ENGDOCS-231: update the intro statement (#9735) ENGDOCS-231:update the intro statement

view details

Traci Morrison

commit sha 3021e6f870252edde4a85ba44f43d82dc065f47a

Add vSphere Volumes section

view details

Traci Morrison

commit sha 9c2afdb24af63cac162f2affa8ca2ce9520423b6

Add information on Swarm operations roles

view details

lena-larionova

commit sha c0d28a9292e70deb752eea73d02ad1b106e743b9

Removing hrefs from codeblocks (#9750) Signed-off-by: Lena Larionova <lena.larionova@docker.com>

view details

Usha Mandya

commit sha 845c0d52e361dc1cc69c3e6b0a9bde4dd1bfae24

Engdocs-232: add links to EULA and DPA

view details

Traci Morrison

commit sha b096619101738209185448f80eff18b827c70659

Merge pull request #9711 from traci-morrison/use-vsphere-volumes [WIP] Add vSphere Volumes section

view details

Traci Morrison

commit sha e119f68a8725e85312fb1197e7e60f44125cb5d6

Merge pull request #9716 from traci-morrison/swarm-ops-roles [WIP] Add information on Swarm operations roles

view details

Usha Mandya

commit sha 13e226f2ac538ecba80abb85ab0c8435f31d18f2

Merge pull request #9755 from usha-mandya/engdocs-232 DDE: Added links to EULA and DPA

view details

Traci Morrison

commit sha f538fdaa6743db9a71bb387752f7c2e6a40b53d4

Change note on workloads on managers

view details

Traci Morrison

commit sha 069155a205a7707547f865a932e6135caf5b2a46

Add note on DTR node mixed mode

view details

Traci Morrison

commit sha f83911384c261a0e26380aeb5be4931b0e4cdb54

Add the Network option

view details

David Yu

commit sha 5d32d52d35c62784cc3c730ad918cfe59cee994d

Removing IBM Z references Removing IBM Z references

view details

push time in 6 days

pull request comment containerd/cgroups

Simpler v2 cgroup interface

follow-up: https://github.com/containerd/cgroups/pull/110

crosbymichael

comment created time in 6 days

push event AkihiroSuda/containerd-cgroups

Akihiro Suda

commit sha 29ec75e6255b2ae35307600f57feafa0c0563a6f

update go.mod Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

view details

Akihiro Suda

commit sha a4f92d6967edd0fc3b8e7a302e77a9fd3032d2db

.travis.yml: run test for all packages Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

view details

push time in 6 days

push event AkihiroSuda/containerd-cgroups

Akihiro Suda

commit sha eabaeffe3b078f6873c0122d877bf1b6ba70c371

update go.mod Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

view details

Akihiro Suda

commit sha 244e24053d42e26b1c92842a74353fa99d2ee912

.travis.yml: run test for all packages Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

view details

push time in 6 days

PR opened containerd/cgroups

v2: restore VerifyGroupPath; v2: fix TestParseCgroupFromReader

restore VerifyGroupPath removed in https://github.com/containerd/cgroups/pull/109#discussion_r343218221

Also fixes a failing test

    --- FAIL: TestParseCgroupFromReader (0.00s)
        utils_test.go:34: expected
    "/user.slice/user-1001.slice/session-1.scope", got ""
        utils_test.go:37: invalid cgroup entry: "2:cpuset:/foo"

+32 -7

0 comment

4 changed files

pr created time in 6 days

create branch AkihiroSuda/containerd-cgroups

branch : v2-verifypath

created branch time in 6 days

issue comment containers/libpod

slirp4netns socket path can get too long in tmp_path

Maybe we should support abstract sockets and/or FD

duritong

comment created time in 6 days

issue comment moby/moby

Big guys, how do you switch the cpu container to a gpu container? Request help.

you should ask nvidia

zhoulei232

comment created time in 6 days

push event moby/moby

Sam Whited

commit sha 0c9b232bf5263ab896637b394308510c4cfbd45d

Remove unused GlobalFlags Signed-off-by: Sam Whited <sam@samwhited.com>

view details

Akihiro Suda

commit sha 65523469c7e6f100230ba500c1d28516ea6bd384

Merge pull request #40187 from SamWhited/remove_global_args Remove unused GlobalFlags

view details

push time in 6 days

PR merged moby/moby

Remove unused GlobalFlags area/testing kind/refactor status/2-code-review

Remove the daemon's GlobalFlags field which appears to be a leftover from before there were options and is unused.

+7 -8

0 comment

1 changed file

SamWhited

pr closed time in 6 days

pull request comment moby/buildkit

exporter: add canonical and dangling image naming

Could you update README?

tonistiigi

comment created time in 6 days

issue comment moby/moby

Undefined error for `client.NewClientWithOpts` in Go SDK

go get github.com/docker/docker@master

erbesharat

comment created time in 6 days

Pull request review comment containerd/cgroups

Simpler v2 cgroup interface

+/*+   Copyright The containerd Authors.++   Licensed under the Apache License, Version 2.0 (the "License");+   you may not use this file except in compliance with the License.+   You may obtain a copy of the License at++       http://www.apache.org/licenses/LICENSE-2.0++   Unless required by applicable law or agreed to in writing, software+   distributed under the License is distributed on an "AS IS" BASIS,+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.+   See the License for the specific language governing permissions and+   limitations under the License.+*/++package v2++import (+	"bufio"+	"fmt"+	"io/ioutil"+	"os"+	"path/filepath"+	"strconv"+	"strings"+	"time"++	"github.com/pkg/errors"+)++const (+	subtreeControl  = "cgroup.subtree_control"+	controllersFile = "cgroup.controllers"+)++type cgValuer interface {+	Values() []Value+}++// Resources for a cgroups v2 unified hierarchy+type Resources struct {+	CPU    *CPU+	Memory *Memory+	Pids   *Pids+}++// Values returns the raw filenames and values that+// can be written to the unified hierarchy+func (r *Resources) Values() (o []Value) {+	values := []cgValuer{+		r.CPU,+		r.Memory,+		r.Pids,+	}+	for _, v := range values {+		if v == nil {+			continue+		}+		o = append(o, v.Values()...)+	}+	return o+}++// Value of a cgroup setting+type Value struct {+	filename string+	value    interface{}+}++// write the value to the full, absolute path, of a unified hierarchy+func (c *Value) write(path string, perm os.FileMode) error {+	var data []byte+	switch t := c.value.(type) {+	case uint64:+		data = []byte(strconv.FormatUint(t, 10))+	case int64:+		data = []byte(strconv.FormatInt(t, 10))+	case []byte:+		data = t+	case string:+		data = []byte(t)+	default:+		return ErrInvalidFormat+	}+	return ioutil.WriteFile(+		filepath.Join(path, c.filename),+		data,+		perm,+	)+}++func writeValues(path string, values []Value) error {+	for _, o := range values {+		if err := o.write(path, defaultFilePerm); err != nil {+			
return err+		}+	}+	return nil+}++func NewManager(mountpoint string, group string, resources *Resources) (*Manager, error) {+	if group == "" {+		return nil, ErrInvalidGroupPath+	}+	path := filepath.Join(mountpoint, group)+	if err := os.MkdirAll(path, defaultDirPerm); err != nil {+		return nil, err+	}+	if resources != nil {+		if err := writeValues(path, resources.Values()); err != nil {+			// clean up cgroup dir on failure+			os.Remove(path)+			return nil, err+		}+	}+	return &Manager{+		unifiedMountpoint: mountpoint,+		path:              path,+	}, nil+}++func LoadManager(mountpoint string, group string) (*Manager, error) {+	if group == "" {+		return nil, ErrInvalidGroupPath+	}+	path := filepath.Join(mountpoint, group)+	return &Manager{+		unifiedMountpoint: mountpoint,+		path:              path,+	}, nil+}++type Manager struct {+	unifiedMountpoint string+	path              string+}++func (c *Manager) ListControllers() ([]string, error) {+	f, err := os.Open(filepath.Join(c.path, controllersFile))+	if err != nil {+		return nil, err+	}+	defer f.Close()++	var (+		out []string+		s   = bufio.NewScanner(f)+	)+	s.Split(bufio.ScanWords)+	for s.Scan() {+		if err := s.Err(); err != nil {+			return nil, err+		}+		out = append(out, s.Text())+	}+	return out, nil+}++type ControllerToggle int++const (+	Enable ControllerToggle = iota + 1+	Disable+)++func toggleFunc(controllers []string, prefix string) []string {+	out := make([]string, len(controllers))+	for i, c := range controllers {+		out[i] = prefix + c+	}+	return out+}++func (c *Manager) ToggleControllers(controllers []string, t ControllerToggle) error {+	f, err := os.OpenFile(filepath.Join(c.path, subtreeControl), os.O_WRONLY, 0)+	if err != nil {+		return err+	}+	defer f.Close()+	switch t {+	case Enable:+		controllers = toggleFunc(controllers, "+")+	case Disable:+		controllers = toggleFunc(controllers, "-")+	}+	_, err = f.WriteString(strings.Join(controllers, " "))+	return err+}++func (c *Manager) NewChild(name string, resources 
*Resources) (*Manager, error) {+	if strings.HasPrefix(name, "/") {+		return nil, errors.New("name must be relative")+	}+	path := filepath.Join(c.path, name)+	if err := os.MkdirAll(path, defaultDirPerm); err != nil {+		return nil, err+	}+	if err := writeValues(path, resources.Values()); err != nil {+		// clean up cgroup dir on failure+		os.Remove(path)+		return nil, err+	}+	return &Manager{+		unifiedMountpoint: c.unifiedMountpoint,+		path:              path,+	}, nil+}++func (c *Manager) AddProc(pid uint64) error {+	v := Value{+		filename: cgroupProcs,+		value:    pid,+	}+	return writeValues(c.path, []Value{v})+}++func (c *Manager) Delete() error {+	return remove(c.path)+}++func (c *Manager) Procs(recursive bool) ([]uint64, error) {+	var processes []uint64+	err := filepath.Walk(c.path, func(p string, info os.FileInfo, err error) error {+		if err != nil {+			return err+		}+		if !recursive && info.IsDir() {+			if p == c.path {+				return nil+			}+			return filepath.SkipDir+		}+		_, name := filepath.Split(p)+		if name != cgroupProcs {+			return nil+		}+		procs, err := parseCgroupProcsFile(p)+		if err != nil {+			return err+		}+		processes = append(processes, procs...)+		return nil+	})+	return processes, err+}++func (c *Manager) Stat() (map[string]uint64, error) {+	controllers, err := c.ListControllers()+	if err != nil {+		return nil, err+	}+	out := make(map[string]uint64)+	for _, controller := range controllers {+		filename := fmt.Sprintf("%s.stat", controller)
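Review bot: `NewChild` calls `resources.Values()` unconditionally while `NewManager` guards with `if resources != nil`; a nil `*Resources` makes `Values` dereference `r.CPU` and panic, so add the same nil check in `NewChild` (or make `Values` return nil for a nil receiver). Also, `ListControllers` checks `s.Err()` inside the scan loop; `Scanner.Err` only reports anything once `Scan` has returned false, so move the check after the loop.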

Probably we should either add file name to key or return map[string]map[string]interface{}

crosbymichael

comment created time in 6 days

Pull request review comment containerd/cgroups

Simpler v2 cgroup interface

+/*+   Copyright The containerd Authors.++   Licensed under the Apache License, Version 2.0 (the "License");+   you may not use this file except in compliance with the License.+   You may obtain a copy of the License at++       http://www.apache.org/licenses/LICENSE-2.0++   Unless required by applicable law or agreed to in writing, software+   distributed under the License is distributed on an "AS IS" BASIS,+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.+   See the License for the specific language governing permissions and+   limitations under the License.+*/++package v2++import (+	"bufio"+	"fmt"+	"io/ioutil"+	"os"+	"path/filepath"+	"strconv"+	"strings"+	"time"++	"github.com/pkg/errors"+)++const (+	subtreeControl  = "cgroup.subtree_control"+	controllersFile = "cgroup.controllers"+)++type cgValuer interface {+	Values() []Value+}++// Resources for a cgroups v2 unified hierarchy+type Resources struct {+	CPU    *CPU+	Memory *Memory+	Pids   *Pids+}++// Values returns the raw filenames and values that+// can be written to the unified hierarchy+func (r *Resources) Values() (o []Value) {+	values := []cgValuer{+		r.CPU,+		r.Memory,+		r.Pids,+	}+	for _, v := range values {+		if v == nil {+			continue+		}+		o = append(o, v.Values()...)+	}+	return o+}++// Value of a cgroup setting+type Value struct {+	filename string+	value    interface{}+}++// write the value to the full, absolute path, of a unified hierarchy+func (c *Value) write(path string, perm os.FileMode) error {+	var data []byte+	switch t := c.value.(type) {+	case uint64:+		data = []byte(strconv.FormatUint(t, 10))+	case int64:+		data = []byte(strconv.FormatInt(t, 10))+	case []byte:+		data = t+	case string:+		data = []byte(t)+	default:+		return ErrInvalidFormat+	}+	return ioutil.WriteFile(+		filepath.Join(path, c.filename),+		data,+		perm,+	)+}++func writeValues(path string, values []Value) error {+	for _, o := range values {+		if err := o.write(path, defaultFilePerm); err != nil {+			
return err+		}+	}+	return nil+}++func NewManager(mountpoint string, group string, resources *Resources) (*Manager, error) {+	if group == "" {+		return nil, ErrInvalidGroupPath+	}+	path := filepath.Join(mountpoint, group)+	if err := os.MkdirAll(path, defaultDirPerm); err != nil {+		return nil, err+	}+	if resources != nil {+		if err := writeValues(path, resources.Values()); err != nil {+			// clean up cgroup dir on failure+			os.Remove(path)+			return nil, err+		}+	}+	return &Manager{+		unifiedMountpoint: mountpoint,+		path:              path,+	}, nil+}++func LoadManager(mountpoint string, group string) (*Manager, error) {+	if group == "" {+		return nil, ErrInvalidGroupPath+	}+	path := filepath.Join(mountpoint, group)+	return &Manager{+		unifiedMountpoint: mountpoint,+		path:              path,+	}, nil+}++type Manager struct {+	unifiedMountpoint string+	path              string+}++func (c *Manager) ListControllers() ([]string, error) {+	f, err := os.Open(filepath.Join(c.path, controllersFile))+	if err != nil {+		return nil, err+	}+	defer f.Close()++	var (+		out []string+		s   = bufio.NewScanner(f)+	)+	s.Split(bufio.ScanWords)+	for s.Scan() {+		if err := s.Err(); err != nil {+			return nil, err+		}+		out = append(out, s.Text())+	}+	return out, nil+}++type ControllerToggle int++const (+	Enable ControllerToggle = iota + 1+	Disable+)++func toggleFunc(controllers []string, prefix string) []string {+	out := make([]string, len(controllers))+	for i, c := range controllers {+		out[i] = prefix + c+	}+	return out+}++func (c *Manager) ToggleControllers(controllers []string, t ControllerToggle) error {+	f, err := os.OpenFile(filepath.Join(c.path, subtreeControl), os.O_WRONLY, 0)+	if err != nil {+		return err+	}+	defer f.Close()+	switch t {+	case Enable:+		controllers = toggleFunc(controllers, "+")+	case Disable:+		controllers = toggleFunc(controllers, "-")+	}+	_, err = f.WriteString(strings.Join(controllers, " "))+	return err+}++func (c *Manager) NewChild(name string, resources 
*Resources) (*Manager, error) {+	if strings.HasPrefix(name, "/") {+		return nil, errors.New("name must be relative")+	}+	path := filepath.Join(c.path, name)+	if err := os.MkdirAll(path, defaultDirPerm); err != nil {+		return nil, err+	}+	if err := writeValues(path, resources.Values()); err != nil {+		// clean up cgroup dir on failure+		os.Remove(path)+		return nil, err+	}+	return &Manager{+		unifiedMountpoint: c.unifiedMountpoint,+		path:              path,+	}, nil+}++func (c *Manager) AddProc(pid uint64) error {+	v := Value{+		filename: cgroupProcs,+		value:    pid,+	}+	return writeValues(c.path, []Value{v})+}++func (c *Manager) Delete() error {+	return remove(c.path)+}++func (c *Manager) Procs(recursive bool) ([]uint64, error) {+	var processes []uint64+	err := filepath.Walk(c.path, func(p string, info os.FileInfo, err error) error {+		if err != nil {+			return err+		}+		if !recursive && info.IsDir() {+			if p == c.path {+				return nil+			}+			return filepath.SkipDir+		}+		_, name := filepath.Split(p)+		if name != cgroupProcs {+			return nil+		}+		procs, err := parseCgroupProcsFile(p)+		if err != nil {+			return err+		}+		processes = append(processes, procs...)+		return nil+	})+	return processes, err+}++func (c *Manager) Stat() (map[string]uint64, error) {+	controllers, err := c.ListControllers()+	if err != nil {+		return nil, err+	}+	out := make(map[string]uint64)+	for _, controller := range controllers {+		filename := fmt.Sprintf("%s.stat", controller)
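Review bot: in both `NewManager` and `NewChild`, the cleanup after a failed `writeValues` is `os.Remove(path)` following `os.MkdirAll(path, defaultDirPerm)`; that removes only the leaf directory, leaves behind any intermediate directories `MkdirAll` created, and discards the removal error. Consider removing only what this call created, and at least logging a failed `Remove` so a half-created group does not go unnoticed.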

how will it work for other files such as pids.current?

crosbymichael

comment created time in 6 days

Pull request review comment containerd/cgroups

Simpler v2 cgroup interface

+/*+   Copyright The containerd Authors.++   Licensed under the Apache License, Version 2.0 (the "License");+   you may not use this file except in compliance with the License.+   You may obtain a copy of the License at++       http://www.apache.org/licenses/LICENSE-2.0++   Unless required by applicable law or agreed to in writing, software+   distributed under the License is distributed on an "AS IS" BASIS,+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.+   See the License for the specific language governing permissions and+   limitations under the License.+*/++package main++import (+	"fmt"+	"os"++	v2 "github.com/containerd/cgroups/v2"+	"github.com/sirupsen/logrus"+	"github.com/urfave/cli"+)++func main() {+	app := cli.NewApp()+	app.Name = "cgctl"+	app.Version = "1"+	app.Usage = "cgroup v2 management tool"+	app.Flags = []cli.Flag{+		cli.BoolFlag{+			Name:  "debug",+			Usage: "enable debug output in the logs",+		},+		cli.StringFlag{+			Name:  "mountpoint",+			Usage: "cgroup mountpoint",+			Value: "/sys/fs/cgroup",+		},+	}+	app.Commands = []cli.Command{+		newCommand,+		delCommand,+		listCommand,+		statCommand,+	}+	app.Before = func(clix *cli.Context) error {+		if clix.GlobalBool("debug") {+			logrus.SetLevel(logrus.DebugLevel)+		}+		return nil+	}+	if err := app.Run(os.Args); err != nil {+		fmt.Fprintln(os.Stderr, err)+		os.Exit(1)+	}+}++var newCommand = cli.Command{+	Name:  "new",+	Usage: "create a new cgroup",+	Flags: []cli.Flag{+		cli.BoolFlag{+			Name:  "enable",+			Usage: "enable the controllers for the group",+		},+	},+	Action: func(clix *cli.Context) error {+		path := clix.Args().First()+		c, err := v2.NewManager(clix.GlobalString("mountpoint"), path, nil)+		if err != nil {+			return err+		}+		if clix.Bool("enable") {+			controllers, err := c.ListControllers()+			if err != nil {+				return err+			}+			if err := c.ToggleControllers(controllers, v2.Enable); err != nil {
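Review bot: `new --enable` reads `c.ListControllers()` (the new group's own cgroup.controllers) and writes them to the new group's own cgroup.subtree_control; that enables the controllers for the group's future children, not for the group itself, because what a group may use is decided by its parent's cgroup.subtree_control. To make the flag do what its usage string promises, write to the parent's subtree_control (and to every ancestor up to the mountpoint) around the `v2.NewManager` call.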

When you have cpu in the top group /sys/fs/cgroup, cpu is enabled for /sys/fs/cgroup/foo, but not enabled for /sys/fs/cgroup/foo/bar.

root@suda-ws01:/sys/fs/cgroup# cat cgroup.controllers 
cpuset cpu io memory pids rdma
root@suda-ws01:/sys/fs/cgroup# mkdir foo
root@suda-ws01:/sys/fs/cgroup# cat foo/cgroup.controllers 
cpu io memory pids
root@suda-ws01:/sys/fs/cgroup# mkdir foo/bar
root@suda-ws01:/sys/fs/cgroup# cat foo/bar/cgroup.controllers 
root@suda-ws01:/sys/fs/cgroup#

crosbymichael

comment created time in 7 days
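The nesting behaviour shown in that cgroup.controllers listing, as an added Go example that is not the containerd/cgroups code under review: to let a group use a controller, every ancestor's cgroup.subtree_control must enable it, so the function below walks from the mountpoint down to the target's parent and checks each level's cgroup.controllers on the way. The fakeHierarchy helper builds a constructed copy of the /sys/fs/cgroup/foo/bar tree from the listing so the code can run without a real cgroup v2 mount; `hugetlb` is used only as a controller absent from that listing.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

const controllersFile, subtreeControl = "cgroup.controllers", "cgroup.subtree_control"

// availableControllers reads the cgroup.controllers file of one group.
func availableControllers(dir string) (map[string]bool, error) {
	data, err := os.ReadFile(filepath.Join(dir, controllersFile))
	if err != nil {
		return nil, err
	}
	out := map[string]bool{}
	for _, c := range strings.Fields(string(data)) {
		out[c] = true
	}
	return out, nil
}

// enableControllers enables controllers for group (relative to mountpoint,
// e.g. "foo/bar") by writing "+cpu +memory" to cgroup.subtree_control of
// the root, then foo, down to the parent of the target. The target's own
// subtree_control is left alone (it only governs the target's children).
// It returns what was written to which directory.
func enableControllers(mountpoint, group string, controllers []string) (map[string]string, error) {
	group = strings.Trim(filepath.Clean("/"+group), "/")
	if group == "" || len(controllers) == 0 {
		return nil, errors.New("need a non-root group and at least one controller")
	}
	dirs := []string{mountpoint}
	parts := strings.Split(group, "/")
	for _, p := range parts[:len(parts)-1] {
		dirs = append(dirs, filepath.Join(dirs[len(dirs)-1], p))
	}
	line := "+" + strings.Join(controllers, " +")
	written := map[string]string{}
	for _, dir := range dirs {
		avail, err := availableControllers(dir)
		if err != nil {
			return written, err
		}
		for _, c := range controllers {
			// Enabling in the parent makes a controller appear in the child's
			// cgroup.controllers, so a miss here is a real absence.
			if !avail[c] {
				return written, fmt.Errorf("controller %q is not available in %s", c, dir)
			}
		}
		// O_WRONLY without O_TRUNC, as for a real cgroupfs file.
		f, err := os.OpenFile(filepath.Join(dir, subtreeControl), os.O_WRONLY, 0)
		if err != nil {
			return written, err
		}
		_, err = f.WriteString(line)
		f.Close()
		if err != nil {
			return written, err
		}
		written[dir] = line
	}
	return written, nil
}

// fakeHierarchy builds a constructed tree mirroring the listing in the
// review comment (root: cpuset..rdma; foo: only what the root enabled;
// foo/bar: nothing yet), so the code can run without a cgroup2 mount.
func fakeHierarchy(root string) error {
	groups := map[string]string{
		"":        "cpuset cpu io memory pids rdma",
		"foo":     "cpu io memory pids",
		"foo/bar": "",
	}
	for rel, ctrls := range groups {
		dir := filepath.Join(root, rel)
		if err := os.MkdirAll(dir, 0o755); err != nil {
			return err
		}
		if err := os.WriteFile(filepath.Join(dir, controllersFile), []byte(ctrls+"\n"), 0o644); err != nil {
			return err
		}
		if err := os.WriteFile(filepath.Join(dir, subtreeControl), nil, 0o644); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	// Usage against the real hierarchy: cgenable GROUP CONTROLLER... (e.g. foo/bar cpu memory)
	if len(os.Args) < 3 {
		fmt.Fprintln(os.Stderr, "usage: cgenable GROUP CONTROLLER...")
		os.Exit(2)
	}
	fmt.Println(enableControllers("/sys/fs/cgroup", os.Args[1], os.Args[2:]))
}
```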

issue comment moby/moby

docker run: support specifying rootfs directory directly

Yes, please, thanks :+1:

AkihiroSuda

comment created time in 7 days

Pull request review comment containerd/cgroups

Simpler v2 cgroup interface

 package v2 import ( 	"fmt" 	"path/filepath"-	"strings" ) -// GroupPath is a string that appears as the third field in /proc/PID/cgroup.-// e.g. "/user.slice/user-1001.slice/session-1.scope"-//-// GroupPath must not contain "/sys/fs/cgroup" prefix.-// GroupPath must be a absolute path starts with "/".-type GroupPath string- // NestedGroupPath will nest the cgroups based on the calling processes cgroup // placing its child processes inside its own path-func NestedGroupPath(suffix string) (GroupPath, error) {+func NestedGroupPath(suffix string) (string, error) { 	path, err := parseCgroupFile("/proc/self/cgroup") 	if err != nil { 		return "", err 	}-	return GroupPath(filepath.Join(string(path), suffix)), nil+	return filepath.Join(string(path), suffix), nil }  // PidGroupPath will return the correct cgroup paths for an existing process running inside a cgroup // This is commonly used for the Load function to restore an existing container-func PidGroupPath(pid int) (GroupPath, error) {+func PidGroupPath(pid int) (string, error) { 	p := fmt.Sprintf("/proc/%d/cgroup", pid) 	return parseCgroupFile(p) }--// VerifyGroupPath verifies the format of g.-// VerifyGroupPath doesn't verify whether g actually exists on the system.-func VerifyGroupPath(g GroupPath) error {
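Review bot: with `GroupPath` gone and `parseCgroupFile` returning a plain string (see `PidGroupPath`, which returns its result directly), the `string(path)` conversion in `NestedGroupPath` is a no-op; `return filepath.Join(path, suffix), nil` is enough. Deleting the `GroupPath` type also deletes the only description of the expected path format (third field of /proc/PID/cgroup, absolute, no "/sys/fs/cgroup" prefix); if `VerifyGroupPath` is not kept, that description should move to the godoc of `NestedGroupPath` and `PidGroupPath`.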

this function can be kept

crosbymichael

comment created time in 7 days

Pull request review comment containerd/cgroups

Simpler v2 cgroup interface

+/*+   Copyright The containerd Authors.++   Licensed under the Apache License, Version 2.0 (the "License");+   you may not use this file except in compliance with the License.+   You may obtain a copy of the License at++       http://www.apache.org/licenses/LICENSE-2.0++   Unless required by applicable law or agreed to in writing, software+   distributed under the License is distributed on an "AS IS" BASIS,+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.+   See the License for the specific language governing permissions and+   limitations under the License.+*/++package main++import (+	"fmt"+	"os"++	v2 "github.com/containerd/cgroups/v2"+	"github.com/sirupsen/logrus"+	"github.com/urfave/cli"+)++func main() {+	app := cli.NewApp()+	app.Name = "cgctl"+	app.Version = "1"+	app.Usage = "cgroup v2 management tool"+	app.Flags = []cli.Flag{+		cli.BoolFlag{+			Name:  "debug",+			Usage: "enable debug output in the logs",+		},+		cli.StringFlag{+			Name:  "mountpoint",+			Usage: "cgroup mountpoint",+			Value: "/sys/fs/cgroup",+		},+	}+	app.Commands = []cli.Command{+		newCommand,+		delCommand,+		listCommand,+		statCommand,+	}+	app.Before = func(clix *cli.Context) error {+		if clix.GlobalBool("debug") {+			logrus.SetLevel(logrus.DebugLevel)+		}+		return nil+	}+	if err := app.Run(os.Args); err != nil {+		fmt.Fprintln(os.Stderr, err)+		os.Exit(1)+	}+}++var newCommand = cli.Command{+	Name:  "new",+	Usage: "create a new cgroup",+	Flags: []cli.Flag{+		cli.BoolFlag{+			Name:  "enable",+			Usage: "enable the controllers for the group",+		},+	},+	Action: func(clix *cli.Context) error {+		path := clix.Args().First()+		c, err := v2.NewManager(clix.GlobalString("mountpoint"), path, nil)+		if err != nil {+			return err+		}+		if clix.Bool("enable") {+			controllers, err := c.ListControllers()+			if err != nil {+				return err+			}+			if err := c.ToggleControllers(controllers, v2.Enable); err != nil {

This needs to be done for the parent group?

crosbymichael

comment created time in 7 days

Pull request review comment containerd/cgroups

Simpler v2 cgroup interface

 import ( 	"strings" ) -// GroupPath is a string that appears as the third field in /proc/PID/cgroup.-// e.g. "/user.slice/user-1001.slice/session-1.scope"-//-// GroupPath must not contain "/sys/fs/cgroup" prefix.-// GroupPath must be a absolute path starts with "/".-type GroupPath string- // NestedGroupPath will nest the cgroups based on the calling processes cgroup // placing its child processes inside its own path-func NestedGroupPath(suffix string) (GroupPath, error) {+func NestedGroupPath(suffix string) (string, error) { 	path, err := parseCgroupFile("/proc/self/cgroup") 	if err != nil { 		return "", err 	}-	return GroupPath(filepath.Join(string(path), suffix)), nil+	return filepath.Join(string(path), suffix), nil }  // PidGroupPath will return the correct cgroup paths for an existing process running inside a cgroup // This is commonly used for the Load function to restore an existing container-func PidGroupPath(pid int) (GroupPath, error) {+func PidGroupPath(pid int) (string, error) { 	p := fmt.Sprintf("/proc/%d/cgroup", pid) 	return parseCgroupFile(p) }  // VerifyGroupPath verifies the format of g. // VerifyGroupPath doesn't verify whether g actually exists on the system.-func VerifyGroupPath(g GroupPath) error {+func VerifyGroupPath(g string) error { 	s := string(g)
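Review bot: `s := string(g)` at the top of `VerifyGroupPath` is a no-op conversion now that the parameter is `g string`; drop the local and use `g` directly in the checks that follow.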

I meant type casting can be removed. The function should be kept?

crosbymichael

comment created time in 7 days

issue opened opencontainers/runtime-spec

Add systemd cgroup path spec

https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md#cgroups-path

The systemd cgroup path convention implemented in runc/crun should be added to the spec.

This convention is becoming important for cgroup v2, because rootless containers depend on systemd for cgroup delegation in most environments.

created time in 7 days

Pull request review comment containerd/cgroups

Simpler v2 cgroup interface

 import ( 	"strings" ) -// GroupPath is a string that appears as the third field in /proc/PID/cgroup.-// e.g. "/user.slice/user-1001.slice/session-1.scope"-//-// GroupPath must not contain "/sys/fs/cgroup" prefix.-// GroupPath must be a absolute path starts with "/".-type GroupPath string- // NestedGroupPath will nest the cgroups based on the calling processes cgroup // placing its child processes inside its own path-func NestedGroupPath(suffix string) (GroupPath, error) {+func NestedGroupPath(suffix string) (string, error) { 	path, err := parseCgroupFile("/proc/self/cgroup") 	if err != nil { 		return "", err 	}-	return GroupPath(filepath.Join(string(path), suffix)), nil+	return filepath.Join(string(path), suffix), nil }  // PidGroupPath will return the correct cgroup paths for an existing process running inside a cgroup // This is commonly used for the Load function to restore an existing container-func PidGroupPath(pid int) (GroupPath, error) {+func PidGroupPath(pid int) (string, error) { 	p := fmt.Sprintf("/proc/%d/cgroup", pid) 	return parseCgroupFile(p) }  // VerifyGroupPath verifies the format of g. // VerifyGroupPath doesn't verify whether g actually exists on the system.
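Review bot: the surviving godoc "VerifyGroupPath verifies the format of g." no longer says what that format is once the `GroupPath` comment above it is removed; fold the removed sentences into it, including the example "/user.slice/user-1001.slice/session-1.scope", the leading "/" requirement and the "no /sys/fs/cgroup prefix" rule, so callers can tell a mountpoint-relative path from an absolute filesystem path without reading the implementation.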

I still think we need godoc to clarify what the expected format is. Probably we should add an example string like "/user.slice/user-1001.slice/session-1.scope"

crosbymichael

comment created time in 7 days

Pull request review comment containerd/cgroups

Simpler v2 cgroup interface

 import ( 	"strings" ) -// GroupPath is a string that appears as the third field in /proc/PID/cgroup.-// e.g. "/user.slice/user-1001.slice/session-1.scope"-//-// GroupPath must not contain "/sys/fs/cgroup" prefix.-// GroupPath must be a absolute path starts with "/".-type GroupPath string- // NestedGroupPath will nest the cgroups based on the calling processes cgroup // placing its child processes inside its own path-func NestedGroupPath(suffix string) (GroupPath, error) {+func NestedGroupPath(suffix string) (string, error) { 	path, err := parseCgroupFile("/proc/self/cgroup") 	if err != nil { 		return "", err 	}-	return GroupPath(filepath.Join(string(path), suffix)), nil+	return filepath.Join(string(path), suffix), nil }  // PidGroupPath will return the correct cgroup paths for an existing process running inside a cgroup // This is commonly used for the Load function to restore an existing container-func PidGroupPath(pid int) (GroupPath, error) {+func PidGroupPath(pid int) (string, error) { 	p := fmt.Sprintf("/proc/%d/cgroup", pid) 	return parseCgroupFile(p) }  // VerifyGroupPath verifies the format of g. // VerifyGroupPath doesn't verify whether g actually exists on the system.-func VerifyGroupPath(g GroupPath) error {+func VerifyGroupPath(g string) error { 	s := string(g)

can be removed

crosbymichael

comment created time in 7 days

Pull request review comment containerd/cgroups

Simpler v2 cgroup interface

+/*+   Copyright The containerd Authors.++   Licensed under the Apache License, Version 2.0 (the "License");+   you may not use this file except in compliance with the License.+   You may obtain a copy of the License at++       http://www.apache.org/licenses/LICENSE-2.0++   Unless required by applicable law or agreed to in writing, software+   distributed under the License is distributed on an "AS IS" BASIS,+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.+   See the License for the specific language governing permissions and+   limitations under the License.+*/++package v2++import (+	"io/ioutil"+	"os"+	"path/filepath"+	"strconv"+	"strings"+	"time"++	"github.com/pkg/errors"+)++type cgValuer interface {+	Values() []Value+}++// Resources for a cgroups v2 unified hierarchy+type Resources struct {+	CPU    *CPU+	Memory *Memory+	Pids   *Pids+}++// Values returns the raw filenames and values that+// can be written to the unified hierarchy+func (r *Resources) Values() (o []Value) {+	values := []cgValuer{+		r.CPU,+		r.Memory,+		r.Pids,+	}+	for _, v := range values {+		if v == nil {+			continue+		}+		o = append(o, v.Values()...)+	}+	return o+}++// Value of a cgroup setting+type Value struct {+	filename string+	value    interface{}+}++// write the value to the full, absolute path, of a unified hierarchy+func (c *Value) write(path string, perm os.FileMode) error {+	var data []byte+	switch t := c.value.(type) {+	case uint64:+		data = []byte(strconv.FormatUint(t, 10))+	case int64:+		data = []byte(strconv.FormatInt(t, 10))+	case []byte:+		data = t+	case string:+		data = []byte(t)+	default:+		return ErrInvalidFormat+	}+	return ioutil.WriteFile(+		filepath.Join(path, c.filename),+		data,+		perm,+	)+}++func writeValues(path string, values []Value) error {+	for _, o := range values {+		if err := o.write(path, defaultFilePerm); err != nil {+			return err+		}+	}+	return nil+}++func NewManager(mountpoint string, group string, resources *Resources) (*Manager, 
error) {+	if err := VerifyGroupPath(group); err != nil {+		return nil, err+	}++	path := filepath.Join(mountpoint, group)+	if err := os.MkdirAll(path, defaultDirPerm); err != nil {+		return nil, err+	}+	if err := writeValues(path, resources.Values()); err != nil {+		// clean up cgroup dir on failure+		os.Remove(path)+		return nil, err+	}+	return &Manager{+		unifiedMountpoint: mountpoint,+		path:              path,+	}, nil+}++func LoadManager(mountpoint string, group string) (*Manager, error) {+	if err := VerifyGroupPath(group); err != nil {+		return nil, err+	}+	path := filepath.Join(mountpoint, group)+	return &Manager{+		unifiedMountpoint: mountpoint,+		path:              path,+	}, nil+}++type Manager struct {+	unifiedMountpoint string+	path              string+}++func (c *Manager) NewChild(name string, resources *Resources) (*Manager, error) {+	if strings.HasPrefix(name, "/") {+		return nil, errors.New("name must be relative")+	}
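Review bot: NewManager dereferences resources unconditionally through resources.Values(), and Values reads r.CPU on its receiver, so a nil *Resources (the natural way to ask for an unlimited group) panics instead of creating the group; guard it with `if resources != nil` or make Values return nil for a nil receiver. Two smaller points in the same hunk: the failure path `os.Remove(path)` discards its error and only removes the leaf, although MkdirAll may have created intermediate directories that are then left behind; and the visible part of NewChild rejects only names that start with "/", so a name containing ".." still resolves outside c.path through filepath.Join, while NewManager runs its group through VerifyGroupPath; apply the same check to name.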

write cgroup.subtree_control?

crosbymichael

comment created time in 7 days
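The question about cgroup.subtree_control above points at the cgroup v2 delegation rule: a controller only becomes available in a child cgroup (and only then do files such as memory.max appear there) once the parent lists it in its own cgroup.subtree_control, so creating the directory and writing limit files is not enough. The following is an added example, not containerd or cgroups-library code, showing one way to enable controllers along the path from the mountpoint to the group. EnableControllers, enableHere, ReadSubtreeControl and makeFakeTree are names chosen here; the directory tree is a constructed stand-in for a real cgroup2 mount so the code runs unprivileged, and mountpoint/group follow the layout NewManager uses.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// EnableControllers enables controllers for mountpoint/group by writing
// "+ctrl ..." into cgroup.subtree_control of every ancestor, from the root
// down to the group's parent. The leaf itself is never written: its
// subtree_control would only affect its own children.
func EnableControllers(mountpoint, group string, controllers []string) error {
	// Reject escaping names outright; a bare "/" prefix check would still
	// let "a/../../x" write outside the tree.
	for _, el := range strings.Split(group, "/") {
		if el == ".." {
			return fmt.Errorf("group %q escapes the hierarchy", group)
		}
	}
	rel := strings.Trim(filepath.Clean(group), "/")
	if rel == "" || rel == "." {
		return fmt.Errorf("empty group name")
	}
	if len(controllers) == 0 {
		return nil
	}
	cur := mountpoint
	for _, elem := range strings.Split(rel, "/") {
		if err := enableHere(cur, controllers); err != nil {
			return err
		}
		cur = filepath.Join(cur, elem)
		if err := os.MkdirAll(cur, 0755); err != nil {
			return err
		}
	}
	return nil
}

// enableHere checks the request against dir's cgroup.controllers (what the
// kernel offers at this level) and writes all "+ctrl" tokens in one write.
// A "+" write is additive, so controllers already enabled there stay on.
func enableHere(dir string, controllers []string) error {
	avail, err := os.ReadFile(filepath.Join(dir, "cgroup.controllers"))
	if err != nil {
		return fmt.Errorf("%s is not a cgroup2 directory: %w", dir, err)
	}
	have := map[string]bool{}
	for _, c := range strings.Fields(string(avail)) {
		have[c] = true
	}
	req := make([]string, 0, len(controllers))
	for _, c := range controllers {
		if !have[c] {
			return fmt.Errorf("controller %q not available in %s (have: %s)",
				c, dir, strings.TrimSpace(string(avail)))
		}
		req = append(req, "+"+c)
	}
	return os.WriteFile(filepath.Join(dir, "cgroup.subtree_control"),
		[]byte(strings.Join(req, " ")), 0644)
}

// ReadSubtreeControl returns what was written to dir's cgroup.subtree_control,
// or "" if nothing was. A real kernel echoes the enabled set back without the
// '+' signs; the constructed tree below keeps the raw write.
func ReadSubtreeControl(dir string) string {
	b, err := os.ReadFile(filepath.Join(dir, "cgroup.subtree_control"))
	if err != nil {
		return ""
	}
	return strings.TrimSpace(string(b))
}

// makeFakeTree constructs a stand-in for a cgroup2 mount under root so the
// example runs without privileges: only cgroup.controllers is created, the
// file a real kernel populates itself on mkdir.
func makeFakeTree(root, available string, subdirs ...string) error {
	for _, d := range append([]string{"."}, subdirs...) {
		p := filepath.Join(root, d)
		if err := os.MkdirAll(p, 0755); err != nil {
			return err
		}
		if err := os.WriteFile(filepath.Join(p, "cgroup.controllers"), []byte(available+"\n"), 0644); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	root, err := os.MkdirTemp("", "cg2-example")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	if err := makeFakeTree(root, "cpuset cpu io memory pids", "a", "a/b"); err != nil {
		panic(err)
	}
	if err := EnableControllers(root, "a/b", []string{"cpu", "memory", "pids"}); err != nil {
		panic(err)
	}
	fmt.Printf("root: %q  a: %q  a/b: %q\n", ReadSubtreeControl(root),
		ReadSubtreeControl(filepath.Join(root, "a")), ReadSubtreeControl(filepath.Join(root, "a", "b")))
	fmt.Println(EnableControllers(root, "a/../../escape", []string{"cpu"}))
}
```

On a real hierarchy the write also fails with EBUSY when the ancestor already holds processes (the cgroup v2 "no internal processes" rule), which is one more reason to keep processes and their limits in leaf groups and to do this enabling before any process is moved in.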

issue commentopencontainers/runc

cgroup2: procHooks: failed to load program: operation not permitted

caps seem enough 🤔 (bpf(2) says EPERM can happen when CAP_SYS_ADMIN is missing)

diff --git a/libcontainer/process_linux.go b/libcontainer/process_linux.go
index de989b5b..f6b67bad 100644
--- a/libcontainer/process_linux.go
+++ b/libcontainer/process_linux.go
@@ -7,6 +7,7 @@ import (
        "errors"
        "fmt"
        "io"
+       "io/ioutil"
        "os"
        "os/exec"
        "path/filepath"
@@ -410,6 +411,10 @@ func (p *initProcess) start() error {
                        }
                        sentRun = true
                case procHooks:
+                       status, _ := ioutil.ReadFile("/proc/self/status")
+                       os.RemoveAll("/tmp/foo")
+                       ioutil.WriteFile("/tmp/foo", status, 0444)
+
                        // Setup cgroup before prestart hook, so that the prestart hook could apply cgroup permissions.
                        if err := p.manager.Set(p.config.Config); err != nil {
                                return newSystemErrorWithCause(err, "setting cgroup config for procHooks process")
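Review bot: the dump added in the procHooks case ignores the errors from ReadFile and WriteFile and writes to a fixed path, /tmp/foo, from a root process: os.RemoveAll followed by ioutil.WriteFile at a world-writable location follows whatever symlink another user plants there between the two calls, so this is fine as a throwaway diagnostic but must not be merged. For the same result without the fixed path, use ioutil.TempFile("", "runc-status-") or print the status to stderr with fmt, which the file already imports, and drop the io/ioutil import again when the debug lines go.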

$ cat /tmp/foo 
Name:   runc
Umask:  0022
State:  S (sleeping)
Tgid:   49454
Ngid:   0
Pid:    49454
PPid:   49444
TracerPid:      0
Uid:    0       0       0       0
Gid:    0       0       0       0
FDSize: 64
Groups:  
NStgid: 49454
NSpid:  49454
NSpgid: 49444
NSsid:  46708
VmPeak:   556332 kB
VmSize:   556332 kB
VmLck:         0 kB
VmPin:         0 kB
VmHWM:     11884 kB
VmRSS:     11884 kB
RssAnon:            4672 kB
RssFile:            7212 kB
RssShmem:              0 kB
VmData:   151484 kB
VmStk:       132 kB
VmExe:      5088 kB
VmLib:         0 kB
VmPTE:       148 kB
VmSwap:        0 kB
HugetlbPages:          0 kB
CoreDumping:    0
THP_enabled:    1
Threads:        7
SigQ:   0/31498
SigPnd: 0000000000000000
ShdPnd: 0000000000000000
SigBlk: 0000000000000000
SigIgn: 0000000000000000
SigCgt: fffffffffffbfeff
CapInh: 0000000000000000
CapPrm: 0000003fffffffff
CapEff: 0000003fffffffff
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000
NoNewPrivs:     0
Seccomp:        0
Speculation_Store_Bypass:       thread vulnerable
Cpus_allowed:   00000000,00000000,00000000,00000003
Cpus_allowed_list:      0-1
Mems_allowed:   00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001
Mems_allowed_list:      0
voluntary_ctxt_switches:        88
nonvoluntary_ctxt_switches:     46
AkihiroSuda

comment created time in 7 days
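The capability check the comment above reasons about can be done mechanically from the same Cap* lines. The code below is an added example, not runc's own code: it parses the CapInh/CapPrm/CapEff/CapBnd/CapAmb lines of a /proc/<pid>/status dump, tests individual bits, and names the set bits. The function and constant names are chosen here; sampleStatus is the Cap* block copied from the dump above and stands in for reading /proc/self/status.

```go
package main

import (
	"bufio"
	"fmt"
	"math/bits"
	"strconv"
	"strings"
)

// Capability numbers from include/uapi/linux/capability.h. Bits 38..40
// (CAP_PERFMON, CAP_BPF, CAP_CHECKPOINT_RESTORE) were added in Linux 5.8;
// older kernels stop at CAP_AUDIT_READ (37).
var capNames = []string{
	"CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
	"CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
	"CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
	"CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
	"CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
	"CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
	"CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
	"CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
	"CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
	"CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
	"CAP_CHECKPOINT_RESTORE",
}

const (
	CapSysAdmin = 21 // what bpf(2) required before CAP_BPF existed
	CapBPF      = 39
)

// CapSets holds the five masks a /proc/<pid>/status file reports.
type CapSets struct {
	Inh, Prm, Eff, Bnd, Amb uint64
}

// ParseStatusCaps pulls CapInh/CapPrm/CapEff/CapBnd/CapAmb out of status
// text. A missing or malformed line is an error rather than a zero mask,
// because a zero mask would read as "no capabilities at all".
func ParseStatusCaps(status string) (CapSets, error) {
	var cs CapSets
	want := map[string]*uint64{"CapInh": &cs.Inh, "CapPrm": &cs.Prm,
		"CapEff": &cs.Eff, "CapBnd": &cs.Bnd, "CapAmb": &cs.Amb}
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		kv := strings.SplitN(sc.Text(), ":", 2)
		if len(kv) != 2 {
			continue
		}
		key := strings.TrimSpace(kv[0])
		dst, ok := want[key]
		if !ok {
			continue
		}
		v, err := strconv.ParseUint(strings.TrimSpace(kv[1]), 16, 64)
		if err != nil {
			return CapSets{}, fmt.Errorf("%s: %w", key, err)
		}
		*dst = v
		delete(want, key)
	}
	if len(want) != 0 {
		return CapSets{}, fmt.Errorf("%d Cap* lines missing", len(want))
	}
	return cs, nil
}

// HasCap reports whether capability number n is set in mask.
func HasCap(mask uint64, n int) bool {
	return n >= 0 && n < 64 && mask&(1<<uint(n)) != 0
}

// Names lists the capabilities set in mask in bit order; bits beyond the
// table are reported as CAP_<n> so a newer kernel's extras are not dropped.
func Names(mask uint64) []string {
	var out []string
	for n := 0; n < 64; n++ {
		if HasCap(mask, n) && n < len(capNames) {
			out = append(out, capNames[n])
		} else if HasCap(mask, n) {
			out = append(out, "CAP_"+strconv.Itoa(n))
		}
	}
	return out
}

// sampleStatus is the Cap* block copied from the status dump above; it
// stands in for reading /proc/self/status in the runc parent.
const sampleStatus = `Name:   runc
CapInh: 0000000000000000
CapPrm: 0000003fffffffff
CapEff: 0000003fffffffff
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000
NoNewPrivs:     0
Seccomp:        0
`

// Report summarises what matters for a bpf(2) EPERM: is CAP_SYS_ADMIN
// effective, how wide is the bounding set, and does the kernel know CAP_BPF.
func Report(cs CapSets) string {
	return fmt.Sprintf("CAP_SYS_ADMIN effective: %t; bounding set: %d caps; CAP_BPF in bounding set: %t",
		HasCap(cs.Eff, CapSysAdmin), bits.OnesCount64(cs.Bnd), HasCap(cs.Bnd, CapBPF))
}

func main() {
	cs, err := ParseStatusCaps(sampleStatus)
	if err != nil {
		panic(err)
	}
	fmt.Println(Report(cs))
	fmt.Println(strings.Join(Names(cs.Eff), " "))
}
```

On the dump above this reports CAP_SYS_ADMIN effective and a 38-bit bounding set without CAP_BPF, i.e. a full capability set on a kernel older than 5.8, where bpf(2) is gated on CAP_SYS_ADMIN alone. Two caveats when reading such a dump: it describes the process that wrote it, not necessarily the thread that later calls bpf(2); and on kernels before 5.11 BPF program memory is charged against RLIMIT_MEMLOCK, and exceeding that limit also surfaces as EPERM, so a complete capability set does not by itself rule out an "operation not permitted" from program load.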

issue closedmoby/moby

Big guys, how do you switch the cpu container to a gpu container? Request help.


Description


Steps to reproduce the issue: 1. 2. 3.

Describe the results you received:

Describe the results you expected:

Additional information you deem important (e.g. issue happens only occasionally):

Output of docker version:

(paste your output here)

Output of docker info:

(paste your output here)

Additional environment details (AWS, VirtualBox, physical, etc.):

closed time in 7 days

zhoulei232

issue commentmoby/moby

Big guys, how do you switch the cpu container to a gpu container? Request help.

see https://github.com/NVIDIA/nvidia-docker

zhoulei232

comment created time in 7 days

push eventAkihiroSuda/docker

Akihiro Suda

commit sha 576fcfc506eae51a397c5faad2cf3226d7b823b5

cgroup2: enable cgroup namespace by default For cgroup v1, we were unable to change the default because of a compatibility issue. For cgroup v2, we should change the default right now because switching to cgroup v2 is already a breaking change. See also containers/libpod#4363 containers/libpod#4374 Privileged containers also use cgroupns=private by default. https://github.com/containers/libpod/pull/4374#issuecomment-549776387 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

view details

push time in 7 days

issue commentdocker/for-linux

Please provide repo for docker-ce on Fedora 31

PR here: https://github.com/moby/moby/pull/40174

jhford

comment created time in 7 days

push eventAkihiroSuda/docker

Akihiro Suda

commit sha c424f8f7f79890cb8336d1aff576d5b5f12fe9e4

cgroup2: enable cgroup namespace by default For cgroup v1, we were unable to change the default because of a compatibility issue. For cgroup v2, we should change the default right now because switching to cgroup v2 is already a breaking change. See also containers/libpod#4363 containers/libpod#4374 Privileged containers also use cgroupns=private by default. https://github.com/containers/libpod/pull/4374#issuecomment-549776387 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

view details

push time in 7 days

pull request commentcontainers/crun

[WIP] crun: add ps subcommand

thanks, seems fine

giuseppe

comment created time in 7 days
