daemon: move check for CPU-realtime daemon options

Perform the validation when the daemon starts instead of performing these
validations for each individual container, so that we can fail early.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Sebastiaan van Stijn 2022-01-06 22:20:15 +01:00
parent 36ec581e5c
commit 5263bea70f
No known key found for this signature in database
GPG key ID: 76698F39D527CE8C
6 changed files with 37 additions and 13 deletions


@ -57,8 +57,8 @@ func installConfigFlags(conf *config.Config, flags *pflag.FlagSet) error {
flags.IntVar(&conf.OOMScoreAdjust, "oom-score-adjust", 0, "Set the oom_score_adj for the daemon") flags.IntVar(&conf.OOMScoreAdjust, "oom-score-adjust", 0, "Set the oom_score_adj for the daemon")
flags.BoolVar(&conf.Init, "init", false, "Run an init in the container to forward signals and reap processes") flags.BoolVar(&conf.Init, "init", false, "Run an init in the container to forward signals and reap processes")
flags.StringVar(&conf.InitPath, "init-path", "", "Path to the docker-init binary") flags.StringVar(&conf.InitPath, "init-path", "", "Path to the docker-init binary")
flags.Int64Var(&conf.CPURealtimePeriod, "cpu-rt-period", 0, "Limit the CPU real-time period in microseconds for the parent cgroup for all containers") flags.Int64Var(&conf.CPURealtimePeriod, "cpu-rt-period", 0, "Limit the CPU real-time period in microseconds for the parent cgroup for all containers (not supported with cgroups v2)")
flags.Int64Var(&conf.CPURealtimeRuntime, "cpu-rt-runtime", 0, "Limit the CPU real-time runtime in microseconds for the parent cgroup for all containers") flags.Int64Var(&conf.CPURealtimeRuntime, "cpu-rt-runtime", 0, "Limit the CPU real-time runtime in microseconds for the parent cgroup for all containers (not supported with cgroups v2)")
flags.StringVar(&conf.SeccompProfile, "seccomp-profile", config.SeccompProfileDefault, `Path to seccomp profile. Use "unconfined" to disable the default seccomp profile`) flags.StringVar(&conf.SeccompProfile, "seccomp-profile", config.SeccompProfileDefault, `Path to seccomp profile. Use "unconfined" to disable the default seccomp profile`)
flags.Var(&conf.ShmSize, "default-shm-size", "Default shm size for containers") flags.Var(&conf.ShmSize, "default-shm-size", "Default shm size for containers")
flags.BoolVar(&conf.NoNewPrivileges, "no-new-privileges", false, "Set no-new-privileges by default for new containers") flags.BoolVar(&conf.NoNewPrivileges, "no-new-privileges", false, "Set no-new-privileges by default for new containers")


@ -463,6 +463,11 @@ func loadDaemonCliConfig(opts *daemonOptions) (*config.Config, error) {
conf.TLSVerify = conf.TLS conf.TLSVerify = conf.TLS
} }
err = validateCPURealtimeOptions(conf)
if err != nil {
return nil, err
}
return conf, nil return conf, nil
} }
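Review bot: The new call assigns into the function-wide `err` and then tests it on a separate line, where the tightly-scoped initializer form is the usual Go idiom and keeps `err` from leaking past the check: `if err := validateCPURealtimeOptions(conf); err != nil { return nil, err }`. This is a style point only; the early-return behaviour is the same. loadDaemonCliConfig begins outside the hunk, so I cannot see whether the outer `err` is still read after this point.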


@ -1,5 +1,7 @@
package main package main
import "github.com/docker/docker/daemon/config"
// preNotifyReady sends a message to the host when the API is active, but before the daemon is // preNotifyReady sends a message to the host when the API is active, but before the daemon is
func preNotifyReady() { func preNotifyReady() {
} }
@ -11,3 +13,7 @@ func notifyReady() {
// notifyStopping sends a message to the host when the server is shutting down // notifyStopping sends a message to the host when the server is shutting down
func notifyStopping() { func notifyStopping() {
} }
func validateCPURealtimeOptions(_ *config.Config) error {
return nil
}
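Review bot: The new validateCPURealtimeOptions stub carries no comment explaining why it unconditionally returns nil, and the same is true of the full implementation and the second stub added in the later file sections of this commit. Suggest `// validateCPURealtimeOptions is a no-op on this platform; daemon-scoped cpu-rt-period and cpu-rt-runtime are only checked where cgroups are available.` above each stub, and a one-line comment on the implementation stating that it rejects the options under cgroup v2 and on kernels without CPU real-time support. Which platform this file is built for is not visible in the hunk, so adjust the wording if it is not the non-Linux build I am inferring from the imports.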


@ -1,6 +1,12 @@
package main package main
import systemdDaemon "github.com/coreos/go-systemd/v22/daemon" import (
cdcgroups "github.com/containerd/cgroups"
systemdDaemon "github.com/coreos/go-systemd/v22/daemon"
"github.com/docker/docker/daemon/config"
"github.com/docker/docker/pkg/sysinfo"
"github.com/pkg/errors"
)
// preNotifyReady sends a message to the host when the API is active, but before the daemon is // preNotifyReady sends a message to the host when the API is active, but before the daemon is
func preNotifyReady() { func preNotifyReady() {
@ -16,3 +22,16 @@ func notifyReady() {
func notifyStopping() { func notifyStopping() {
go systemdDaemon.SdNotify(false, systemdDaemon.SdNotifyStopping) go systemdDaemon.SdNotify(false, systemdDaemon.SdNotifyStopping)
} }
func validateCPURealtimeOptions(config *config.Config) error {
if config.CPURealtimePeriod == 0 && config.CPURealtimeRuntime == 0 {
return nil
}
if cdcgroups.Mode() == cdcgroups.Unified {
return errors.New("daemon-scoped cpu-rt-period and cpu-rt-runtime are not implemented for cgroup v2")
}
if !sysinfo.New().CPURealtime {
return errors.New("daemon-scoped cpu-rt-period and cpu-rt-runtime are not supported by the kernel")
}
return nil
}
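Review bot: The parameter of the new validateCPURealtimeOptions is named `config`, which shadows the imported `config` package for the whole function body and reads as a package reference in the field accesses. Renaming it matches the `conf` name the caller in loadDaemonCliConfig already uses: `func validateCPURealtimeOptions(conf *config.Config) error {` and `if conf.CPURealtimePeriod == 0 && conf.CPURealtimeRuntime == 0 {`. The `sysinfo.New()` call that replaces the removed daemon.RawSysInfo() now runs at most once at startup, so the old FIXME about its cost no longer applies; a short comment noting that this is deliberate would stop a later reader from re-raising it.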


@ -97,3 +97,7 @@ func (cli *DaemonCli) initContainerD(_ context.Context) (func(time.Duration) err
system.InitContainerdRuntime(cli.Config.ContainerdAddr) system.InitContainerdRuntime(cli.Config.ContainerdAddr)
return nil, nil return nil, nil
} }
func validateCPURealtimeOptions(_ *config.Config) error {
return nil
}


@ -818,16 +818,6 @@ func WithCgroups(daemon *Daemon, c *container.Container) coci.SpecOpts {
return nil return nil
} }
if cdcgroups.Mode() == cdcgroups.Unified {
return errors.New("daemon-scoped cpu-rt-period and cpu-rt-runtime are not implemented for cgroup v2")
}
// FIXME this is very expensive way to check if cpu rt is supported
sysInfo := daemon.RawSysInfo()
if !sysInfo.CPURealtime {
return errors.New("daemon-scoped cpu-rt-period and cpu-rt-runtime are not supported by the kernel")
}
p := cgroupsPath p := cgroupsPath
if useSystemd { if useSystemd {
initPath, err := cgroups.GetInitCgroup("cpu") initPath, err := cgroups.GetInitCgroup("cpu")