[Devel] [PATCH v2 RH7 2/3] proc/cpuset: do not show cpuset in CT

Pavel Tikhomirov ptikhomirov at virtuozzo.com
Mon May 23 03:25:33 PDT 2016


After commit da53619c5d49 ("ve/cpuset: revert changes allowing to
attach to empty cpusets") one can not create non-empty cpuset
cgroup in CT. And docker which tries to create cgroup for every
visible controller creates cpuset cgroup for docker-ct and fails
to add processes to it.

Cgroup files cpuset.cpus are by design not valid to use
in our CTs as they pin processes in cgroup to defined range of
processors, but we don't want processes in container to be able
to pin themselves to cpus they want. We have other mechanism to restrict
CT's cpus usage - cpu.nr_cpus cgroup file, which allows balancing
containers between cpus. So we faked cpuset.cpus in CT so one can
not really pin processes in CT. But that makes all cpuset cgroups
non-initialized and we also can't attach processes to cgroups. Same
is valid for cpuset.mems except we do not have ~nr_mems.

We can just hide cpuset cgroup from /proc/self/cgroup and /proc/cgroups
to protect it from being used in CT (and also do not mount it in
libvzctl, which seems to automatically happen). Docker not seeing
cpuset will almost silently skip it and work as usual.

v2: add ve_hide_cgroups

https://jira.sw.ru/browse/PSBM-47280

Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
 kernel/cgroup.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index 5afeb59b..5c012f6 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -4912,6 +4912,13 @@ static int __init cgroup_wq_init(void)
 }
 core_initcall(cgroup_wq_init);
 
+static int ve_hide_cgroups(struct cgroupfs_root *root)
+{
+	/* Hide cpuset cgroup in CT for docker */
+	return !ve_is_super(get_exec_env())
+	       && (root->subsys_mask & (1UL << cpuset_subsys_id));
+}
+
 /*
  * proc_cgroup_show()
  *  - Print task's cgroup paths into seq_file, one line for each hierarchy
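Review bot: ve_hide_cgroups() is a yes/no predicate, yet it returns int and its name reads like an action that performs the hiding. Returning bool and naming it as a test would make the two call sites read more clearly. The comment "Hide cpuset cgroup in CT for docker" also gives no reason; a line noting that cpuset cgroups cannot be populated inside a CT (as the commit message explains) would help the next reader, as would a note that the decision is based on get_exec_env(), the environment of the calling task.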
@@ -4953,6 +4960,8 @@ int proc_cgroup_show(struct seq_file *m, void *v)
 		struct cgroup *cgrp;
 		int count = 0;
 
+		if (ve_hide_cgroups(root))
+			continue;
 		seq_printf(m, "%d:", root->hierarchy_id);
 		for_each_subsys(root, ss)
 			seq_printf(m, "%s%s", count++ ? "," : "", ss->name);
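Review bot: the new check at the top of the loop body in proc_cgroup_show() depends on the reader, not on the task being shown, because ve_hide_cgroups() calls get_exec_env(). The same task's cgroup file will therefore list the cpuset hierarchy when read from the host and omit it when read from inside a CT. If that is intended, a short comment above "if (ve_hide_cgroups(root))" saying so would prevent confusion when the two views are compared during debugging. A blank line between the "continue;" and the seq_printf() call would also match the spacing of the surrounding code.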
@@ -4997,6 +5006,8 @@ static int proc_cgroupstats_show(struct seq_file *m, void *v)
 
 		if (ss == NULL)
 			continue;
+		if (ve_hide_cgroups(ss->root))
+			continue;
 		num = _cg_virtualized(ss->root->number_of_cgroups);
 		seq_printf(m, "%s\t%d\t%d\t%d\n",
 			   ss->name, ss->root->hierarchy_id,
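Review bot: in proc_cgroupstats_show() the loop is per subsystem, but the added test "if (ve_hide_cgroups(ss->root))" is per hierarchy, so every controller mounted together with cpuset on the same root is dropped from /proc/cgroups inside a CT, not only cpuset. If only cpuset should disappear from this listing, test the subsystem itself here rather than its root; if hiding the whole co-mounted hierarchy is deliberate (it matches what proc_cgroup_show() does with the full line), say so in the helper's comment. Note also that both call sites only affect what is printed: nothing in this patch stops a CT from mounting cpuset, which the commit message leaves to libvzctl.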
-- 
2.5.5


