Merge pull request #40486 from AkihiroSuda/rootless-cgroup2-systemd

rootless: support `--exec-opt native.cgroupdriver=systemd`
This commit is contained in:
Brian Goff 2020-03-02 16:11:21 -08:00 committed by GitHub
commit 76e3a49933
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 74 additions and 18 deletions

View file

@ -599,15 +599,13 @@ func verifyPlatformContainerResources(resources *containertypes.Resources, sysIn
} }
func (daemon *Daemon) getCgroupDriver() string { func (daemon *Daemon) getCgroupDriver() string {
if UsingSystemd(daemon.configStore) {
return cgroupSystemdDriver
}
if daemon.Rootless() { if daemon.Rootless() {
return cgroupNoneDriver return cgroupNoneDriver
} }
cgroupDriver := cgroupFsDriver return cgroupFsDriver
if UsingSystemd(daemon.configStore) {
cgroupDriver = cgroupSystemdDriver
}
return cgroupDriver
} }
// getCD gets the raw value of the native.cgroupdriver option, if set. // getCD gets the raw value of the native.cgroupdriver option, if set.

View file

@ -4,6 +4,7 @@ import (
"context" "context"
"fmt" "fmt"
"io" "io"
"io/ioutil"
"os" "os"
"os/exec" "os/exec"
"path/filepath" "path/filepath"
@ -84,8 +85,26 @@ func WithLibnetwork(daemon *Daemon, c *container.Container) coci.SpecOpts {
} }
// WithRootless sets the spec to the rootless configuration // WithRootless sets the spec to the rootless configuration
func WithRootless(ctx context.Context, _ coci.Client, _ *containers.Container, s *coci.Spec) error { func WithRootless(daemon *Daemon) coci.SpecOpts {
return specconv.ToRootless(s) return func(_ context.Context, _ coci.Client, _ *containers.Container, s *coci.Spec) error {
var v2Controllers []string
if daemon.getCgroupDriver() == cgroupSystemdDriver {
if !cgroups.IsCgroup2UnifiedMode() {
return errors.New("rootless systemd driver doesn't support cgroup v1")
}
rootlesskitParentEUID := os.Getenv("ROOTLESSKIT_PARENT_EUID")
if rootlesskitParentEUID == "" {
return errors.New("$ROOTLESSKIT_PARENT_EUID is not set (requires RootlessKit v0.8.0)")
}
controllersPath := fmt.Sprintf("/sys/fs/cgroup/user.slice/user-%s.slice/cgroup.controllers", rootlesskitParentEUID)
controllersFile, err := ioutil.ReadFile(controllersPath)
if err != nil {
return err
}
v2Controllers = strings.Fields(string(controllersFile))
}
return specconv.ToRootless(s, v2Controllers)
}
} }
// WithOOMScore sets the oom score // WithOOMScore sets the oom score
@ -760,6 +779,9 @@ func WithCgroups(daemon *Daemon, c *container.Container) coci.SpecOpts {
useSystemd := UsingSystemd(daemon.configStore) useSystemd := UsingSystemd(daemon.configStore)
if useSystemd { if useSystemd {
parent = "system.slice" parent = "system.slice"
if daemon.configStore.Rootless {
parent = "user.slice"
}
} }
if c.HostConfig.CgroupParent != "" { if c.HostConfig.CgroupParent != "" {
@ -985,7 +1007,7 @@ func (daemon *Daemon) createSpec(c *container.Container) (retSpec *specs.Spec, e
opts = append(opts, coci.WithReadonlyPaths(c.HostConfig.ReadonlyPaths)) opts = append(opts, coci.WithReadonlyPaths(c.HostConfig.ReadonlyPaths))
} }
if daemon.configStore.Rootless { if daemon.configStore.Rootless {
opts = append(opts, WithRootless) opts = append(opts, WithRootless(daemon))
} }
return &s, coci.ApplyOpts(context.Background(), nil, &containers.Container{ return &s, coci.ApplyOpts(context.Background(), nil, &containers.Container{
ID: c.ID, ID: c.ID,

View file

@ -1,7 +1,7 @@
#!/bin/sh #!/bin/sh
# v0.7.1 # v0.8.0
: ${ROOTLESSKIT_COMMIT:=76c4e26750da3986fa0e741464fbf0fcd55bea71} : ${ROOTLESSKIT_COMMIT:=ce88a431e6a7cf891ebb68b10bfc6a5724b9ae72}
install_rootlesskit() { install_rootlesskit() {
case "$1" in case "$1" in

View file

@ -8,10 +8,12 @@ import (
) )
// ToRootless converts spec to be compatible with "rootless" runc. // ToRootless converts spec to be compatible with "rootless" runc.
// * Remove cgroups (will be supported in separate PR when delegation permission is configured) // * Remove non-supported cgroups
// * Fix up OOMScoreAdj // * Fix up OOMScoreAdj
func ToRootless(spec *specs.Spec) error { //
return toRootless(spec, getCurrentOOMScoreAdj()) // v2Controllers should be non-nil only if running with v2 and systemd.
func ToRootless(spec *specs.Spec, v2Controllers []string) error {
return toRootless(spec, v2Controllers, getCurrentOOMScoreAdj())
} }
func getCurrentOOMScoreAdj() int { func getCurrentOOMScoreAdj() int {
@ -26,10 +28,44 @@ func getCurrentOOMScoreAdj() int {
return i return i
} }
func toRootless(spec *specs.Spec, currentOOMScoreAdj int) error { func toRootless(spec *specs.Spec, v2Controllers []string, currentOOMScoreAdj int) error {
// Remove cgroup settings. if len(v2Controllers) == 0 {
spec.Linux.Resources = nil // Remove cgroup settings.
spec.Linux.CgroupsPath = "" spec.Linux.Resources = nil
spec.Linux.CgroupsPath = ""
} else {
if spec.Linux.Resources != nil {
m := make(map[string]struct{})
for _, s := range v2Controllers {
m[s] = struct{}{}
}
// Remove devices: https://github.com/containers/crun/issues/255
spec.Linux.Resources.Devices = nil
if _, ok := m["memory"]; !ok {
spec.Linux.Resources.Memory = nil
}
if _, ok := m["cpu"]; !ok {
spec.Linux.Resources.CPU = nil
}
if _, ok := m["cpuset"]; !ok {
if spec.Linux.Resources.CPU != nil {
spec.Linux.Resources.CPU.Cpus = ""
spec.Linux.Resources.CPU.Mems = ""
}
}
if _, ok := m["pids"]; !ok {
spec.Linux.Resources.Pids = nil
}
if _, ok := m["io"]; !ok {
spec.Linux.Resources.BlockIO = nil
}
if _, ok := m["rdma"]; !ok {
spec.Linux.Resources.Rdma = nil
}
spec.Linux.Resources.HugepageLimits = nil
spec.Linux.Resources.Network = nil
}
}
if spec.Process.OOMScoreAdj != nil && *spec.Process.OOMScoreAdj < currentOOMScoreAdj { if spec.Process.OOMScoreAdj != nil && *spec.Process.OOMScoreAdj < currentOOMScoreAdj {
*spec.Process.OOMScoreAdj = currentOOMScoreAdj *spec.Process.OOMScoreAdj = currentOOMScoreAdj