
push event opencontainers/runc

Akihiro Suda

commit sha faf1e44ea9d001535f228ce570e56e18d3dece06

cgroup2: ebpf: increase RLIM_MEMLOCK to avoid BPF_PROG_LOAD error Fix #2167 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>


Qiang Huang

commit sha 2186cfa3cd52b8e00b1de76db7859cacdf7b1f94

Merge pull request #2168 from AkihiroSuda/ebpf-fix-rlimit cgroup2: ebpf: increase RLIM_MEMLOCK to avoid BPF_PROG_LOAD error


push time in 5 days

issue closed opencontainers/runc

cgroup2: procHooks: failed to load program: operation not permitted

Moby is getting support for cgroup v2: https://github.com/moby/moby/pull/40174 (https://github.com/moby/moby/tree/ee30a1f5ad7c373bd9db3f0b5412b03082f76786)

But it doesn't work with runc b133feaeeb2e69ba94aa95eac3a455a143435ea9 (works with crun v0.10.4)

$ docker run -it --rm hello-world
docker: Error response from daemon: OCI runtime create failed: container_linux.go:346: starting container process caused "process_linux.go:449: container init caused \"process_linux.go:415: setting cgroup config for procHooks process caused \\\"failed to load program: operation not permitted\\\"\"": unknown.

Podman+runc doesn't hit this issue.

closed time in 5 days

AkihiroSuda
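The fix merged above raises RLIMIT_MEMLOCK before loading the cgroup v2 device-filter BPF program. On kernels that charge BPF program memory against RLIMIT_MEMLOCK (that is, before 5.11 moved the accounting to memcg), BPF_PROG_LOAD fails with EPERM, reported here as "failed to load program: operation not permitted", once the locked-memory limit is exhausted, so the default soft limit of a few MiB is not enough for a runtime that loads a program per container. The following is an added example, not runc's code: it reads the current limit, raises only the soft limit (never the hard one, so it also works without CAP_SYS_RESOURCE) and returns the limit in effect afterwards. The constant rlimitMemlock (8) is assumed to equal Linux RLIMIT_MEMLOCK, because the standard-library syscall package does not export it; planMemlock and raiseMemlock are hypothetical names. runc, which runs as root, can simply set both soft and hard limits to RLIM_INFINITY.

```go
package main

import (
	"fmt"
	"syscall"
)

// rlimitMemlock is RLIMIT_MEMLOCK on Linux (resource id 8). The standard
// library's syscall package does not export it; golang.org/x/sys/unix does,
// with the same value.
const rlimitMemlock = 8

// rlimInfinity is RLIM_INFINITY as stored in syscall.Rlimit on Linux.
const rlimInfinity = ^uint64(0)

// planMemlock decides what the new limit should be so that at least `want`
// bytes can be locked. It returns the limit to set and whether a setrlimit
// call is needed at all. It never raises the hard limit above its current
// value: that needs CAP_SYS_RESOURCE, whereas any process may raise its own
// soft limit up to the hard limit.
func planMemlock(cur syscall.Rlimit, want uint64) (syscall.Rlimit, bool) {
	if cur.Cur == rlimInfinity || cur.Cur >= want {
		return cur, false // already enough
	}
	next := cur
	if cur.Max == rlimInfinity || cur.Max >= want {
		next.Cur = want
	} else {
		next.Cur = cur.Max // best we can do without CAP_SYS_RESOURCE
	}
	return next, true
}

// raiseMemlock raises the soft RLIMIT_MEMLOCK so that at least want bytes
// can be locked and returns the soft limit in effect afterwards. If the hard
// limit is below want, the soft limit only reaches the hard limit and the
// caller should expect BPF_PROG_LOAD to keep failing with EPERM for programs
// that need more.
func raiseMemlock(want uint64) (uint64, error) {
	var cur syscall.Rlimit
	if err := syscall.Getrlimit(rlimitMemlock, &cur); err != nil {
		return 0, fmt.Errorf("getrlimit(RLIMIT_MEMLOCK): %w", err)
	}
	next, change := planMemlock(cur, want)
	if !change {
		return cur.Cur, nil
	}
	if err := syscall.Setrlimit(rlimitMemlock, &next); err != nil {
		return cur.Cur, fmt.Errorf("setrlimit(RLIMIT_MEMLOCK): %w", err)
	}
	return next.Cur, nil
}

func main() {
	// Ask for 64 MiB of lockable memory before loading BPF programs.
	eff, err := raiseMemlock(64 << 20)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	if eff == rlimInfinity {
		fmt.Println("RLIMIT_MEMLOCK soft limit: unlimited")
	} else {
		fmt.Printf("RLIMIT_MEMLOCK soft limit: %d bytes\n", eff)
	}
}
```

Call raiseMemlock once in the process that issues BPF_PROG_LOAD, before the first load; rlimits are per process, so raising it in a parent that later execs the loader also works, while raising it after a failed load does nothing for the program already rejected.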

push event opencontainers/runc

Akihiro Suda

commit sha dbd771e4753a6630141ea9d7cde402d9a487f2c3

cgroup2: implement `runc ps` Implemented `runc ps` for cgroup v2 , using a newly added method `m.GetUnifiedPath()`. Unlike the v1 implementation that checks `m.GetPaths()["devices"]`, the v2 implementation does not require the device controller to be available. Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>


Qiang Huang

commit sha e57a774066af2f0adc76ffb6201588091cd872d5

Merge pull request #2149 from AkihiroSuda/cgroup2-ps cgroup2: implement `runc ps`


push time in 21 days

PR merged opencontainers/runc

cgroup2: implement `runc ps`

Implemented runc ps for cgroup v2 , using a newly added method m.GetUnifiedPath(). Unlike the v1 implementation that checks m.GetPaths()["devices"], the v2 implementation does not require the device controller to be available.

+76 -3

3 comments

6 changed files

AkihiroSuda

pr closed time in 21 days
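The point of the PR above is where `runc ps` looks for the container's PIDs: on cgroup v1 every controller is its own hierarchy, so one of them (devices) has to be chosen and its absence breaks the command, while on cgroup v2 the container's single unified cgroup directory is all that is needed. The following is an added example, not runc's code: cgroupProcsPath picks the directory as described, containerPIDs reads cgroup.procs from it, and the paths map and unifiedPath argument stand in for what the page calls m.GetPaths() and m.GetUnifiedPath(); all three function names are hypothetical.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// cgroupProcsPath returns the cgroup.procs file to read for a container.
// paths is the v1 per-controller map (GetPaths() on the page), unifiedPath
// the v2 directory (GetUnifiedPath()). Only the v1 branch depends on a
// particular controller being present.
func cgroupProcsPath(v2 bool, paths map[string]string, unifiedPath string) (string, error) {
	if v2 {
		if unifiedPath == "" {
			return "", fmt.Errorf("cgroup v2: unified path is not set")
		}
		return filepath.Join(unifiedPath, "cgroup.procs"), nil
	}
	dir, ok := paths["devices"]
	if !ok || dir == "" {
		return "", fmt.Errorf("cgroup v1: devices controller path is not available")
	}
	return filepath.Join(dir, "cgroup.procs"), nil
}

// parseProcs parses cgroup.procs content: one PID per line, as written by
// the kernel. Blank lines are ignored, anything non-numeric is an error.
func parseProcs(data string) ([]int, error) {
	var pids []int
	sc := bufio.NewScanner(strings.NewReader(data))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		pid, err := strconv.Atoi(line)
		if err != nil {
			return nil, fmt.Errorf("cgroup.procs: bad line %q: %w", line, err)
		}
		pids = append(pids, pid)
	}
	return pids, sc.Err()
}

// containerPIDs is what a `runc ps` implementation needs: the PIDs of every
// process in the container's cgroup.
func containerPIDs(v2 bool, paths map[string]string, unifiedPath string) ([]int, error) {
	p, err := cgroupProcsPath(v2, paths, unifiedPath)
	if err != nil {
		return nil, err
	}
	data, err := os.ReadFile(p)
	if err != nil {
		return nil, err
	}
	return parseProcs(string(data))
}

func main() {
	// On a cgroup v2 host /proc/self/cgroup has a single "0::/path" line;
	// list the PIDs of this process's own cgroup from the unified hierarchy.
	data, err := os.ReadFile("/proc/self/cgroup")
	if err != nil {
		fmt.Println(err)
		return
	}
	for _, line := range strings.Split(strings.TrimSpace(string(data)), "\n") {
		if strings.HasPrefix(line, "0::") {
			dir := filepath.Join("/sys/fs/cgroup", strings.TrimPrefix(line, "0::"))
			pids, err := containerPIDs(true, nil, dir)
			fmt.Println(dir, pids, err)
		}
	}
}
```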

pull request comment opencontainers/runc

cgroup2: implement `runc ps`

LGTM

AkihiroSuda

comment created time in 21 days

push event opencontainers/runc

Akihiro Suda

commit sha d918e7f40817e4c2e22beade538bab1bd5edcc96

cpuset_v2: skip Apply when no limit is specified Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>


Qiang Huang

commit sha d239ca84254c579a964101b4f8049b860fbfc135

Merge pull request #2148 from AkihiroSuda/cg2-ignore-cpuset-when-no-config cgroup2: cpuset_v2: skip Apply when no limit is specified


push time in 23 days

issue closed opencontainers/runc

cgroup2: v1.0.0-rc.9 doesn't start up without adding +cpuset to /sys/fs/cgroup/cgroup.subtree_control

# /tmp/runc run foo
WARN[0000] signal: killed                               
ERRO[0000] container_linux.go:346: starting container process caused "process_linux.go:297: applying cgroup configuration for process caused \"open /sys/fs/cgroup/foo/cpuset.cpus.effective: no such file or directory\"" 
container_linux.go:346: starting container process caused "process_linux.go:297: applying cgroup configuration for process caused \"open /sys/fs/cgroup/foo/cpuset.cpus.effective: no such file or directory\""

runc: 1.0.0-rc.9
OS: Fedora 31 beta (cgroup2 unified)

echo +cpuset > /sys/fs/cgroup/cgroup.subtree_control solves the issue

closed time in 23 days

AkihiroSuda
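The failure in the issue above comes from the cgroup v2 delegation model: a cgroup only gets cpuset.* files once its parent lists cpuset in cgroup.subtree_control, and the list of controllers a cgroup actually has is readable in its own cgroup.controllers. The merged fix skips the cpuset Apply when the configuration requests no limit, so a container with no cpuset settings no longer depends on that delegation. The following is an added example, not runc's code: applyCpusetV2 implements that skip and, when limits are requested, checks cgroup.controllers first so the error names the remedy instead of the kernel's ENOENT on cpuset.cpus.effective. The names cpusetLimits, cpusetEnabled and applyCpusetV2 are hypothetical.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// cpusetLimits is the part of the cpuset configuration this example cares
// about; an empty string means "no limit requested".
type cpusetLimits struct {
	Cpus string
	Mems string
}

// cpusetEnabled reports whether the cpuset controller is available in the
// cgroup at dir, i.e. whether it is listed in dir/cgroup.controllers. That
// file reflects what the parent enabled through cgroup.subtree_control.
func cpusetEnabled(dir string) (bool, error) {
	data, err := os.ReadFile(filepath.Join(dir, "cgroup.controllers"))
	if err != nil {
		return false, err
	}
	for _, c := range strings.Fields(string(data)) {
		if c == "cpuset" {
			return true, nil
		}
	}
	return false, nil
}

// applyCpusetV2 writes the cpuset limits for the cgroup at dir.
//
// The first branch is the fix from the page: with no cpus/mems configured
// there is nothing to apply, so no cpuset.* file is touched (they do not
// exist unless the controller is enabled for this cgroup). When limits are
// requested and the controller is missing, fail with an actionable message.
func applyCpusetV2(dir string, lim cpusetLimits) error {
	if lim.Cpus == "" && lim.Mems == "" {
		return nil
	}
	ok, err := cpusetEnabled(dir)
	if err != nil {
		return err
	}
	if !ok {
		return fmt.Errorf("cpuset limits requested but the cpuset controller is not enabled for %s (write +cpuset to the parent's cgroup.subtree_control)", dir)
	}
	if lim.Cpus != "" {
		if err := os.WriteFile(filepath.Join(dir, "cpuset.cpus"), []byte(lim.Cpus), 0o644); err != nil {
			return err
		}
	}
	if lim.Mems != "" {
		if err := os.WriteFile(filepath.Join(dir, "cpuset.mems"), []byte(lim.Mems), 0o644); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	// Hypothetical container cgroup, as in the issue.
	const dir = "/sys/fs/cgroup/foo"
	// No limits configured: succeeds whether or not cpuset is delegated.
	fmt.Println("no limits:", applyCpusetV2(dir, cpusetLimits{}))
	// Limits configured: either applied, or a message naming the fix.
	fmt.Println("cpus=0-1:", applyCpusetV2(dir, cpusetLimits{Cpus: "0-1"}))
}
```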

pull request comment opencontainers/runc

VERSION: update to 1.0.0-rc9

LGTM

cyphar

comment created time in 2 months

pull request comment opencontainers/runc

Recursively thaw freezer subcgroups during SIGKILL

LGTM

percontation

comment created time in 2 months

Pull request review comment opencontainers/runc

Recursively thaw freezer subcgroups during SIGKILL

 func (m *Manager) Freeze(state configs.FreezerState) error { 	return nil } +// ThawAll unfreezes the container's freezer cgroup, and all subcgroups+// recursively.+func (m *Manager) ThawAll() error {+	err := m.Freeze(configs.Thawed)+	if err != nil {+		return err+	}+	paths := m.GetPaths()+	freezer, err := subsystemsLegacy.Get("freezer")+	if err != nil {+		return err+	}+	return freezer.(*FreezerGroup).RecursiveThaw(paths["freezer"])
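Review bot: `paths["freezer"]` is read without checking that the key is present, so when the freezer subsystem is not mounted or not configured for this container, `RecursiveThaw` is handed an empty path instead of the caller getting a clear result; add `path, ok := paths["freezer"]` and return early (nil, or an error, whichever the callers of ThawAll expect) when `ok` is false, before the `subsystemsLegacy.Get` call. The `freezer.(*FreezerGroup)` assertion is also unchecked and would panic rather than return an error if the set ever holds another type under "freezer"; a `RecursiveThaw` method on the subsystem interface, as suggested further down in this thread, removes the cast entirely.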

Right, my mistake. We could have a RecursiveSet method for the subsystem, but we can do that when we see more need.

percontation

comment created time in 2 months

Pull request review comment opencontainers/runc

Recursively thaw freezer subcgroups during SIGKILL

 var unifiedSubsystems = subsystemSet{ 	&fs.PidsGroupV2{}, } +func (m *UnifiedManager) ThawAll() error {+	err := m.Freeze(configs.Thawed)+	if err != nil {+		return err+	}+	path, err := getSubsystemPath(m.Cgroups, "freezer")+	if err != nil {+		return err+	}+	freezer, err := unifiedSubsystems.Get("freezer")+	if err != nil {+		return err+	}+	return freezer.(*fs.FreezerGroupV2).RecursiveThaw(path)
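Review bot: the body of `UnifiedManager.ThawAll` is identical to the `LegacyManager.ThawAll` in the next hunk apart from the subsystem set and the concrete type in the assertion, and both assertions are unchecked, so `freezer.(*fs.FreezerGroupV2)` panics instead of returning an error if the entry registered under "freezer" is a different type. Declaring `RecursiveThaw(path string) error` on the subsystem interface lets both managers end in `return freezer.RecursiveThaw(path)` with no cast and no duplicated lookup logic; failing that, use the two-value assertion and return an error on mismatch.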

Same here.

percontation

comment created time in 2 months

Pull request review comment opencontainers/runc

Recursively thaw freezer subcgroups during SIGKILL

 func (m *LegacyManager) Freeze(state configs.FreezerState) error { 	return nil } +func (m *LegacyManager) ThawAll() error {+	err := m.Freeze(configs.Thawed)+	if err != nil {+		return err+	}+	path, err := getSubsystemPath(m.Cgroups, "freezer")+	if err != nil {+		return err+	}+	freezer, err := legacySubsystems.Get("freezer")+	if err != nil {+		return err+	}+	return freezer.(*fs.FreezerGroup).RecursiveThaw(path)

You can call freezer.RecursiveThaw directly.

percontation

comment created time in 2 months

Pull request review comment opencontainers/runc

Recursively thaw freezer subcgroups during SIGKILL

 func (m *Manager) Freeze(state configs.FreezerState) error { 	return nil } +// ThawAll unfreezes the container's freezer cgroup, and all subcgroups+// recursively.+func (m *Manager) ThawAll() error {+	err := m.Freeze(configs.Thawed)+	if err != nil {+		return err+	}+	paths := m.GetPaths()+	freezer, err := subsystemsLegacy.Get("freezer")+	if err != nil {+		return err+	}+	return freezer.(*FreezerGroup).RecursiveThaw(paths["freezer"])

As now you have RecursiveThaw for cgroupv2, you can use

freezer, err := m.getSubsystems().Get("freezer")
if err != nil {
    return err
}
return freezer.RecursiveThaw(paths["freezer"])
percontation

comment created time in 2 months

Pull request review comment opencontainers/runc

Recursively thaw freezer subcgroups during SIGKILL

 func (m *LegacyManager) Freeze(state configs.FreezerState) error { 	return nil } +func (m *LegacyManager) ThawAll() error {+	err := m.Freeze(configs.Thawed)+	if err != nil {+		return err+	}+	path, err := getSubsystemPath(m.Cgroups, "freezer")+	if err != nil {+		return err+	}+	freezer, err := legacySubsystems.Get("freezer")+	if err != nil {+		return err+	}+	return freezer.(*fs.FreezerGroup).RecursiveThaw(path)

And you don't need cast here.

percontation

comment created time in 2 months

Pull request review comment opencontainers/runc

Recursively thaw freezer subcgroups during SIGKILL

 var unifiedSubsystems = subsystemSet{ 	&fs.PidsGroupV2{}, } +func (m *UnifiedManager) ThawAll() error {+	err := m.Freeze(configs.Thawed)+	if err != nil {+		return err+	}+	path, err := getSubsystemPath(m.Cgroups, "freezer")+	if err != nil {+		return err+	}+	freezer, err := unifiedSubsystems.Get("freezer")+	if err != nil {+		return err+	}+	return freezer.(*fs.FreezerGroup).RecursiveThaw(path)
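Review bot: `unifiedSubsystems` is built from the v2 types (the context line shows `&fs.PidsGroupV2{}`), yet this revision asserts `freezer.(*fs.FreezerGroup)`, the v1 type, where the earlier revision of the same function asserted `*fs.FreezerGroupV2`; if the entry registered under "freezer" in `unifiedSubsystems` is a `*fs.FreezerGroupV2`, this unchecked assertion panics on the first `ThawAll` on a cgroup v2 host. Either keep the V2 type here, or drop the cast by putting `RecursiveThaw` on the subsystem interface; a unit test that calls `ThawAll` on a `UnifiedManager` would catch the mismatch before merge.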

That's correct.

percontation

comment created time in 2 months

Pull request review comment opencontainers/runc

Recursively thaw freezer subcgroups during SIGKILL

 var unifiedSubsystems = subsystemSet{ 	&fs.PidsGroupV2{}, } +func (m *UnifiedManager) ThawAll() error {+	err := m.Freeze(configs.Thawed)+	if err != nil {+		return err+	}+	path, err := getSubsystemPath(m.Cgroups, "freezer")+	if err != nil {+		return err+	}+	freezer, err := unifiedSubsystems.Get("freezer")+	if err != nil {+		return err+	}+	return freezer.(*fs.FreezerGroup).RecursiveThaw(path)

Yes, you can use the fs cgroup method in cgroupv2, even with systemd cgroups; it'll work, but that'll be a dependency, and it'll be broken if one day we remove legacy cgroup support (though that most likely won't happen).

percontation

comment created time in 2 months
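The review thread above is about a ThawAll that thaws the container's freezer cgroup and then every subcgroup under it, so that a SIGKILL can take effect: in the v1 freezer a task that is frozen does not act on the signal until it is thawed, and a child cgroup stays frozen while any ancestor is frozen, which is why a nested container's frozen cgroup could otherwise block the parent container's exit. The following is an added example, not the PR's code: it walks the cgroup directory tree parent first and writes the thaw value into each freezer control file, and it takes the v1/v2 choice the reviewers discuss as a parameter (freezer.state with THAWED on v1, cgroup.freeze with 0 on v2) rather than through a subsystem type. The names freezerFile, thawOne and recursiveThaw are hypothetical.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// freezerFile returns the control file and the value that thaws a cgroup.
// cgroup v1 uses freezer.state with the states FROZEN/FREEZING/THAWED;
// cgroup v2 uses cgroup.freeze, where 1 freezes and 0 thaws.
func freezerFile(v2 bool) (name, thawed string) {
	if v2 {
		return "cgroup.freeze", "0"
	}
	return "freezer.state", "THAWED"
}

// thawOne writes the thaw value into dir's freezer control file and reports
// whether it did. A directory without that file (a cgroup the freezer is not
// attached to) is skipped rather than treated as an error.
func thawOne(dir string, v2 bool) (bool, error) {
	name, val := freezerFile(v2)
	p := filepath.Join(dir, name)
	if _, err := os.Stat(p); err != nil {
		if os.IsNotExist(err) {
			return false, nil
		}
		return false, err
	}
	if err := os.WriteFile(p, []byte(val), 0o644); err != nil {
		return false, err
	}
	return true, nil
}

// recursiveThaw thaws root and every cgroup directory below it, parent first,
// and returns how many cgroups it thawed. Parent-first matters on v1, where
// a child cannot become THAWED while an ancestor is still frozen;
// filepath.Walk visits a directory before its contents, which gives that order.
func recursiveThaw(root string, v2 bool) (int, error) {
	n := 0
	err := filepath.Walk(root, func(p string, info os.FileInfo, err error) error {
		if err != nil {
			return err
		}
		if !info.IsDir() {
			return nil
		}
		did, err := thawOne(p, v2)
		if did {
			n++
		}
		return err
	})
	return n, err
}

func main() {
	// Hypothetical container cgroup on a cgroup v1 freezer hierarchy.
	n, err := recursiveThaw("/sys/fs/cgroup/freezer/foo", false)
	fmt.Println("thawed:", n, "err:", err)
}
```

Thaw before sending SIGKILL to the container's processes, not after: the signal is queued but only acted on once the tasks leave the frozen state, so the kill of a container with a still-frozen nested cgroup would otherwise wait forever.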

push event opencontainers/runtime-spec

Giuseppe Scrivano

commit sha d1ef109cd0b39239ff82c267df314f7ed2da576b

config-linux: support seccomp flags. Allow specifying what flags must be passed to seccomp(2) when installing the filter. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>


Qiang Huang

commit sha 52e2591aa9f7211d64c49c4fed8691a183189284

Merge pull request #1018 from giuseppe/seccomp-flags config-linux: support seccomp flags


push time in 2 months

PR merged opencontainers/runtime-spec

config-linux: support seccomp flags

Allow specifying what flags must be passed to seccomp(2) when installing the filter.

Signed-off-by: Giuseppe Scrivano gscrivan@redhat.com

+26 -0

4 comments

4 changed files

giuseppe

pr closed time in 2 months

pull request comment opencontainers/runtime-spec

config-linux: support seccomp flags

LGTM

giuseppe

comment created time in 2 months

pull request comment opencontainers/runc

Recursively thaw freezer subcgroups during SIGKILL

LGTM

@mrunalp @crosbymichael Is it OK that we only add functionality for the legacy cgroup now?

percontation

comment created time in 2 months

pull request comment opencontainers/runc

Make sure signalAllProcesses is invoked in the function of destroy when container shares pid namespace

I agree we should kill all processes when the container exits while it's sharing a pidns with another container. But why isn't it handled in https://github.com/opencontainers/runc/blob/v1.0.0-rc8/signals.go#L99 ? We did call signalAllProcesses in the wait method of initProcess: https://github.com/opencontainers/runc/blob/v1.0.0-rc8/libcontainer/process_linux.go#L454

keloyang

comment created time in 2 months

pull request comment opencontainers/runc

Recursively thaw freezer subcgroups during SIGKILL

@percontation @mruck Current change looks good to me, just needs rebase, thanks.

percontation

comment created time in 2 months

pull request comment opencontainers/runc

Recursively thaw freezer subcgroups during SIGKILL

I don't think runc is quite robust for nested containers, but for this fix, the idea looks good to me: a child container should not block the exit of its parent container.

percontation

comment created time in 2 months

push event opencontainers/runc

Sebastiaan van Stijn

commit sha 4be3c48e054d3eb299245b3e5c94651e7b83dfd1

Reformat vendor.conf and pin all deps by git-sha to make it more readable, and to encourage pinning by sha, but align to a tagged release. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>


Sebastiaan van Stijn

commit sha de24d733509bbb39105a9241397da62ff0f19fac

bump github.com/pkg/errors 0.8.1 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>


Sebastiaan van Stijn

commit sha 414a39dedbdadd401037197a1a561539957554c7

bump containerd/console 0650fd9eeb50bab4fc99dceb9f2e14cf58f36e7f relevant changes: - containerd/console#27 console_linux: Fix race: lock Cond before Signal Signed-off-by: Sebastiaan van Stijn <github@gone.nl>


Sebastiaan van Stijn

commit sha 0fc0662338e0734de88a4829c55ab1331ddc1d9a

bump cyphar/filepath-securejoin v0.2.2 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>


Sebastiaan van Stijn

commit sha 8e4f645fcaf5ef2f1d67525066a6082edb979f56

bump docker/go-units v0.3.3 relevant changes: - docker/go-units#8 Enhance FromHumanSize to parse float64 string - docker/go-units#20 Add `HumanSizeWithPrecision` function Signed-off-by: Sebastiaan van Stijn <github@gone.nl>


Sebastiaan van Stijn

commit sha 1150ce9c6efc7271dad2de6c3942858dba400bbd

bump urfave/cli v1.20.0 previous version was somewhere between v1.18 and v1.19 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>


Sebastiaan van Stijn

commit sha eb86f6037ec7b90497a447b3f91e5a69e66442c7

bump syndtr/gocapability d98352740cb2c55f81556b63d4a1ec64c5a319c2 relevant changes: - syndtr/gocapability#14 capability: Deprecate NewPid and NewFile for NewPid2 and NewFile2 - syndtr/gocapability#16 Fix capHeader.pid type Signed-off-by: Sebastiaan van Stijn <github@gone.nl>


Sebastiaan van Stijn

commit sha 21498b8e5458e15c08a945b567a4e67a94e1f914

bump mrunalp/fileutils 7d4729fb36185a7c1719923406c9d40e54fb93c7 no significant changes, other than some linting fixes Signed-off-by: Sebastiaan van Stijn <github@gone.nl>


Sebastiaan van Stijn

commit sha 85c02f3f308074c240b1da7c14299a34a2bb27f8

bump coreos/go-systemd v19, godbus/dbus v5.0.1 - https://github.com/coreos/go-systemd/compare/v14..v19 - coreos/go-systemd#248 dbus: add SetPropertiesSubscriber method - coreos/go-systemd#251 activation: add support for listeners with names - coreos/go-systemd#296 dbus: Fix API break from godbus - https://github.com/godbus/dbus/compare/v3..v5.0.1 - godbus/dbus#89 introduce MakeVariantWithSignature Signed-off-by: Sebastiaan van Stijn <github@gone.nl>


Sebastiaan van Stijn

commit sha 115d4b9e57af68946f110b76e9af968576e15f49

bump golang/protobuf v1.0.0 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>


Qiang Huang

commit sha a6606a7ae9d9e00bf0a8721ee1d4eb095fcc4ad6

Merge pull request #2029 from thaJeztah/bump_dependencies Update dependencies


push time in 3 months

PR merged opencontainers/runc

Update dependencies

Thought I'd do a round of updating dependencies, and where possible use tagged versions

Also formatting the vendor.conf file, and pinning all deps by git-sha, to make it more readable, and to encourage pinning by sha, but align to a tagged release.

  • https://github.com/pkg/errors/compare/v0.8.0...v0.8.1
  • https://github.com/containerd/console/compare/2748ece16665b45a47f884001d5831ec79703880...0650fd9eeb50bab4fc99dceb9f2e14cf58f36e7f
    • containerd/console#27 console_linux: Fix race: lock Cond before Signal
  • https://github.com/docker/go-units/compare/v0.2.0...v0.3.3
    • docker/go-units#8 Enhance FromHumanSize to parse float64 string
    • docker/go-units#20 Add HumanSizeWithPrecision function
  • https://github.com/urfave/cli/compare/d53eb991652b1d438abdd34ce4bfa3ef1539108e...v1.20.0
    • previous version was somewhere between v1.18 and v1.19
  • https://github.com/syndtr/gocapability/compare/db04d3cc01c8b54962a58ec7e491717d06cfcc16...d98352740cb2c55f81556b63d4a1ec64c5a319c2
    • syndtr/gocapability#14 capability: Deprecate NewPid and NewFile for NewPid2 and NewFile2
    • syndtr/gocapability#16 Fix capHeader.pid type
  • https://github.com/mrunalp/fileutils/compare/ed869b029674c0e9ce4c0dfa781405c2d9946d08...7d4729fb36185a7c1719923406c9d40e54fb93c7
    • no significant changes, other than some linting fixes
  • https://github.com/coreos/go-systemd/compare/v14..v19
    • coreos/go-systemd#248 dbus: add SetPropertiesSubscriber method
    • coreos/go-systemd#251 activation: add support for listeners with names
    • coreos/go-systemd#296 dbus: Fix API break from godbus
  • https://github.com/godbus/dbus/compare/v3..v5.0.1
    • godbus/dbus#89 introduce MakeVariantWithSignature
  • https://github.com/golang/protobuf/compare/18c9bb3261723cd5401db4d0c9fbc5c3b6c70fe8...v1.0.0
    • picking the first tagged release (newer versions exist, but I have bad experiences with bumping, lol)
+3422 -937

16 comments

79 changed files

thaJeztah

pr closed time in 3 months
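The supply-chain point of the PR above is that every dependency is pinned by a full git commit id, with the tag only noted in a comment: a tag or branch is a mutable reference that the upstream repository owner (or whoever compromises it) can repoint, while a commit id names exact content. A check that enforces this for a vendor.conf, as an added example that is not runc's tooling: it assumes the vndr file format (one entry per line as import path, revision and optional repository URL, with '#' starting a comment), the sample file and its commit ids are constructed for the example, and parseVendorConf and unpinned are hypothetical names.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// fullSHA matches a full 40-hex git commit id; anything else (tag, branch,
// abbreviated sha) is treated as not pinned.
var fullSHA = regexp.MustCompile(`^[0-9a-f]{40}$`)

// dep is one vendor.conf entry in the vndr format (assumed here):
// import path, revision and an optional repository URL.
type dep struct {
	Path string
	Rev  string
	Repo string
	Line int
}

// parseVendorConf parses vendor.conf text into entries, dropping comments
// and blank lines and rejecting lines that do not have two or three fields.
func parseVendorConf(text string) ([]dep, error) {
	var deps []dep
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		if i := strings.Index(line, "#"); i >= 0 {
			line = line[:i]
		}
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue
		}
		if len(fields) < 2 || len(fields) > 3 {
			return nil, fmt.Errorf("line %d: expected 'path revision [repo]', got %q", n, sc.Text())
		}
		d := dep{Path: fields[0], Rev: fields[1], Line: n}
		if len(fields) == 3 {
			d.Repo = fields[2]
		}
		deps = append(deps, d)
	}
	return deps, sc.Err()
}

// unpinned returns the entries whose revision is not a full commit id.
func unpinned(deps []dep) []dep {
	var out []dep
	for _, d := range deps {
		if !fullSHA.MatchString(d.Rev) {
			out = append(out, d)
		}
	}
	return out
}

// sampleVendorConf is a constructed file, not runc's real vendor.conf;
// the commit ids are made up. Line 3 is pinned to a tag on purpose.
const sampleVendorConf = `# runtime dependencies
github.com/pkg/errors 0123456789abcdef0123456789abcdef01234567 # v0.8.1
github.com/docker/go-units v0.3.3
github.com/godbus/dbus fedcba9876543210fedcba9876543210fedcba98 # v5.0.1
golang.org/x/sys 00112233445566778899aabbccddeeff00112233 https://github.com/golang/sys
`

func main() {
	deps, err := parseVendorConf(sampleVendorConf)
	if err != nil {
		fmt.Println(err)
		return
	}
	for _, d := range unpinned(deps) {
		fmt.Printf("line %d: %s is at %q, not a full commit id\n", d.Line, d.Path, d.Rev)
	}
}
```

Run this in CI against the real vendor.conf and fail the build when unpinned returns anything; the comment after the sha keeps the tag visible for humans without making it what the build resolves.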

pull request comment opencontainers/runc

Update dependencies

LGTM

thaJeztah

comment created time in 3 months

push event opencontainers/runtime-tools

Odin Ugedal

commit sha 5a98426296e4234cb5dd8b15ce6c597811bb2332

Fix cgroup hugetlb size prefix for kB

The hugetlb cgroup control files (introduced here in 2012: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=abb8206cb0773) use "KB" and not "kB" (https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/mm/hugetlb_cgroup.c?h=v5.0#n349).

The behavior in the kernel has not changed since the introduction, and the current code using "kB" will therefore fail on devices with small amounts of ram (see kubernetes/kubernetes#77169) running a kernel with config flag CONFIG_HUGETLBFS=y

As seen from the code in "mem_fmt" inside hugetlb_cgroup.c, only "KB", "MB" and "GB" are used, so the others may be removed as well.

Here is a real world example of the files inside the "/sys/kernel/mm/hugepages/" directory:

  • "hugepages-64kB"
  • "hugepages-2048kB"
  • "hugepages-32768kB"
  • "hugepages-1048576kB"

And the corresponding cgroup files:

  • "hugetlb.64KB._____"
  • "hugetlb.2MB._____"
  • "hugetlb.32MB._____"
  • "hugetlb.1GB._____"

Signed-off-by: Odin Ugedal <odin@ugedal.com>


Odin Ugedal

commit sha be9f6f1dd1c2de7ce0059226513fa73a4ea98ee0

Update hugetlb tests to be more portable Not all arches/setups support all page sizes. Should only use the ones supported on the current platform Signed-off-by: Odin Ugedal <odin@ugedal.com>


Qiang Huang

commit sha fdf411e43a18749a197ae2046d2a5415e6a2164f

Merge pull request #696 from odinuge/hugetlb-fix Fix cgroup hugetlb size prefix for kB


push time in 3 months

PR merged opencontainers/runtime-tools

Fix cgroup hugetlb size prefix for kB

This is ~a cherry-pick of https://github.com/opencontainers/runc/pull/2065.

The hugetlb cgroup control files (introduced here in 2012: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=abb8206cb0773) use "KB" and not "kB" (https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/mm/hugetlb_cgroup.c?h=v5.0#n349).

The behavior in the kernel has not changed since the introduction, and the current code using "kB" will therefore fail on devices with small amounts of ram (see kubernetes/kubernetes#77169) running a kernel with config flag CONFIG_HUGETLBFS=y

As seen from the code in "mem_fmt" inside hugetlb_cgroup.c, only "KB", "MB" and "GB" are used, so the others may be removed as well.

Here is a real world example of the files inside the "/sys/kernel/mm/hugepages/" directory:

  • "hugepages-64kB"
  • "hugepages-2048kB"
  • "hugepages-32768kB"
  • "hugepages-1048576kB"

And the corresponding cgroup files:

  • "hugetlb.64KB._____"
  • "hugetlb.2MB._____"
  • "hugetlb.32MB._____"
  • "hugetlb.1GB._____"
+68 -52

4 comments

3 changed files

odinuge

pr closed time in 3 months
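The mismatch fixed above is between two kernel interfaces: sysfs names page sizes in lowercase kB ("hugepages-2048kB"), while the hugetlb cgroup files use mem_fmt(), which picks GB, MB or KB (uppercase) as the largest unit that fits. The lowercase "kB" only ever appears in a cgroup file name for page sizes below 1 MiB, such as the 64kB pages on some arm64 systems, which is why the bug surfaced on small devices rather than on the common 2 MiB / 1 GiB x86 sizes. The following is an added example, not runtime-tools' code: hugetlbCgroupSize mirrors mem_fmt's unit choice, hugepagesDirToBytes parses the sysfs name, and hugetlbFile builds the cgroup file name from the two; all three names are hypothetical.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// hugetlbCgroupSize converts a page size in bytes into the unit string used
// in hugetlb cgroup file names, following mem_fmt() in mm/hugetlb_cgroup.c:
// GB if the size is at least 1 GiB, else MB if at least 1 MiB, else KB.
func hugetlbCgroupSize(bytes uint64) string {
	switch {
	case bytes >= 1<<30:
		return strconv.FormatUint(bytes>>30, 10) + "GB"
	case bytes >= 1<<20:
		return strconv.FormatUint(bytes>>20, 10) + "MB"
	default:
		return strconv.FormatUint(bytes>>10, 10) + "KB"
	}
}

// hugepagesDirToBytes parses a /sys/kernel/mm/hugepages entry such as
// "hugepages-2048kB" (sysfs always uses lowercase kB) into a byte count.
func hugepagesDirToBytes(name string) (uint64, error) {
	const prefix, suffix = "hugepages-", "kB"
	if !strings.HasPrefix(name, prefix) || !strings.HasSuffix(name, suffix) {
		return 0, fmt.Errorf("not a hugepages entry: %q", name)
	}
	kb, err := strconv.ParseUint(name[len(prefix):len(name)-len(suffix)], 10, 64)
	if err != nil {
		return 0, fmt.Errorf("bad size in %q: %w", name, err)
	}
	return kb * 1024, nil
}

// hugetlbFile builds the cgroup control file name for a sysfs page-size entry
// and an attribute, e.g. ("hugepages-2048kB", "limit_in_bytes") gives
// "hugetlb.2MB.limit_in_bytes".
func hugetlbFile(hugepagesDir, attr string) (string, error) {
	b, err := hugepagesDirToBytes(hugepagesDir)
	if err != nil {
		return "", err
	}
	return "hugetlb." + hugetlbCgroupSize(b) + "." + attr, nil
}

func main() {
	// The four sysfs entries listed in the PR description.
	for _, d := range []string{"hugepages-64kB", "hugepages-2048kB", "hugepages-32768kB", "hugepages-1048576kB"} {
		f, err := hugetlbFile(d, "limit_in_bytes")
		fmt.Println(d, "->", f, err)
	}
}
```

To build the list of supported sizes portably, as the second commit in the PR does for the tests, read the directory names under /sys/kernel/mm/hugepages/ at run time and pass each through hugetlbFile instead of hard-coding 2MB and 1GB.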

pull request comment opencontainers/runtime-tools

Fix cgroup hugetlb size prefix for kB

LGTM

odinuge

comment created time in 3 months
