[CRIU] Devices nested cgroup problem

Tycho Andersen tycho.andersen at canonical.com
Wed Aug 31 11:48:27 PDT 2016


Hi Cyrill

[Sorry for the delay, I'm on vacation through Tuesday of next week]

On Tue, Aug 30, 2016 at 07:25:55PM +0300, Cyrill Gorcunov wrote:
> Hi Tycho! You know, I've been playing with our vz7 containers
> and found a pretty interesting issue. If you create nested
> cgroups in the devices controller for a container then restore will
> fail, because you write 'a' first but there is a "parent" cgroup
> present.
> 
> Here is an example.
> vzctl start 100
> vzctl exec 100 mkdir -p /sys/fs/cgroup/devices/one/two
> (this creates nested cgroups "one", "two" inside container)
> vzctl suspend
> vzctl resume
> ...
> The restore log was saved in /vz/private/100/dump/Dump/restore.log
> Failed to restore the Container
> ---
> (00.969979) cg: Restoring cgroup property value [a] to [devices//machine.slice/100/one/devices.deny]
> (00.969994) Error (criu/cgroup.c:1209): cg: Failed writing a to devices//machine.slice/100/one/devices.deny: Invalid argument
> (01.007631) Error (criu/cr-restore.c:1021): 157997 killed by signal 9: Killed
> (01.007746) Error (criu/cr-restore.c:1912): Restoring FAILED.
> 
> The above happens because we're writing 'a' into 'deny' in children, which is
> not allowed in the kernel.
> 
> Actually I think we should not write 'a' in nested cgroups, only
> write on toplevel should be done, since the children get propagated
> from the parent.

Oh, whoops. I think just making these "special" like we have with some
of the memory properties should be enough; that way we can still
support checkpoint and restore of these. The attached patch should fix
it (it does for the new test, at least). Does that work?

Tycho

> For vz7 I did a workaround:
> 
>  - don't save the list of devices at all
>  - our libvzctl tool sets up permissions by itself on container
>    startup/resume, but on vanilla containers it might be a
>    problem.
> 
> Mind to take a look? Or we could get rid of devices.list
> completely and rely on container's manager to prepare the
> proper list :)
> 
> 	Cyrill
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-cgroup-treat-devices-as-special-properties.patch
Type: text/x-diff
Size: 5314 bytes
Desc: not available
URL: <http://lists.openvz.org/pipermail/criu/attachments/20160831/613cb8c9/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-tests-add-a-test-for-memory-devices-specialness.patch
Type: text/x-diff
Size: 1359 bytes
Desc: not available
URL: <http://lists.openvz.org/pipermail/criu/attachments/20160831/613cb8c9/attachment-0003.bin>

