[Devel] [PATCH RH7 2/2] proc/cpuset: do not show cpuset in CT

Pavel Tikhomirov ptikhomirov at virtuozzo.com
Thu May 19 08:32:01 PDT 2016 

After commit da53619c5d49 ("ve/cpuset: revert changes allowing to
attach to empty cpusets") one can not create non-empty cpuset
cgroup in CT. And docker which tries to create cgroup for every
visible controller creates cpuset cgroup for docker-ct and fails
to add processes to it.

Cgroup files cpuset.cpus are by design not valid to use
in our CTs as they pin processes in cgroup to defined range of
processors, but we don't want processes in container to be able
to pin itself to cpus they want. We have other mechanism to restric
CT's cpus usage - cpu.nr_cpus cgroup file, which allows balansing
containers between cpus. So we faked cpuset.cpus in CT so one can
not realy pin processes in CT. But that makes all cpuset cgroups
non-initialized and we also can't attach processes to cgroups. Same
is valid for cpuset.mems exept we do not have ~nr_mems.

We can just hide cpuset cgroup from /proc/self/cgroup and /proc/cgroups
to protect it from being used in CT(and also do not mount it in
libvzctl, which seem to automaticly happen). Docker not seeing
cpuset will almost silently skip it and work as usual.

*Over option is to make fake cpuset.{cpus,mems} to be semi-fake copying
values from root cgroup on write. But that can lock us changing
these files on host root cgroup as they are hierarchical.

https://jira.sw.ru/browse/PSBM-47280

Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
 kernel/cgroup.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index 5afeb59b..0a284f2 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -4953,6 +4953,11 @@ int proc_cgroup_show(struct seq_file *m, void *v)
 		struct cgroup *cgrp;
 		int count = 0;
 
+		if (!ve_is_super(get_exec_env()) &&
+		    (root->subsys_mask & (1UL << cpuset_subsys_id)))
+			/* do not show cpuset in CT */
+			continue;
+
 		seq_printf(m, "%d:", root->hierarchy_id);
 		for_each_subsys(root, ss)
 			seq_printf(m, "%s%s", count++ ? "," : "", ss->name);
@@ -4997,6 +5002,10 @@ static int proc_cgroupstats_show(struct seq_file *m, void *v)
 
 		if (ss == NULL)
 			continue;
+		if (!ve_is_super(get_exec_env()) &&
+		    (ss->root->subsys_mask & (1UL << cpuset_subsys_id)))
+			/* do not show cpuset in CT */
+			continue;
 		num = _cg_virtualized(ss->root->number_of_cgroups);
 		seq_printf(m, "%s\t%d\t%d\t%d\n",
 			   ss->name, ss->root->hierarchy_id,
-- 
2.5.5

More information about the Devel mailing list