[CRIU] Devices nested cgroup problem
Cyrill Gorcunov
gorcunov at gmail.com
Tue Aug 30 09:25:55 PDT 2016
Hi Tycho! You know, I've been playing with our vz7 containers
and found pretty interesting issue. If you create nested
cgroups in device controller for container then restore will
fail, because you write 'a' first but there are "parent" cgroup
present.
Here is an example.
vzctl start 100
vzctl exec 100 mkdir -p /sys/fs/cgroup/devices/one/two
(this creates nested cgroups "one", "two" inside container)
vzctl suspend
vzctl resume
...
The restore log was saved in /vz/private/100/dump/Dump/restore.log
Failed to restore the Container
---
(00.969979) cg: Restoring cgroup property value [a] to [devices//machine.slice/100/one/devices.deny]
(00.969994) Error (criu/cgroup.c:1209): cg: Failed writing a to devices//machine.slice/100/one/devices.deny: Invalid argument
(01.007631) Error (criu/cr-restore.c:1021): 157997 killed by signal 9: Killed
(01.007746) Error (criu/cr-restore.c:1912): Restoring FAILED.
The above happens because we're writting 'a' into 'deny' in children, which is
not allowed in kernel.
Actually I think we should not write 'a' in nested cgroups, only
write on toplevel should be done, since the children get propagated
from the parent.
For vz7 I did a workaround:
- don't save the list of devices at all
- our libvzctl tool setup permissions by self on container
startup/resume, but on vanilla containers it might be a
problem.
Mind to take a look? Or we could get rid of devices.list
completely and rely on container's manager to prepare the
proper list :)
Cyrill
More information about the CRIU
mailing list