The commit is pushed to "branch-rh7-3.10.0-327.18.2.vz7.14.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-327.18.2.vz7.14.6
------>
commit 80829af44db1aa18b7076ffa2074bc9f948dae3a
Author: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Date: Mon May 23 16:13:26 2016 +0400
ve/proc/cpuset: do not show cpuset in CT
After commit da53619c5d49 ("ve/cpuset: revert changes allowing to
attach to empty cpusets") one can not create non-empty cpuset
cgroup in CT. And docker which tries to create cgroup for every
visible controller creates cpuset cgroup for docker-ct and fails
to add processes to it.
Cgroup files cpuset.cpus are by design not valid to use
in our CTs as they pin processes in cgroup to defined range of
processors, but we don't want processes in container to be able
to pin itself to cpus they want. We have other mechanism to restric
CT's cpus usage - cpu.nr_cpus cgroup file, which allows balansing
containers between cpus. So we faked cpuset.cpus in CT so one can
not realy pin processes in CT. But that makes all cpuset cgroups
non-initialized and we also can't attach processes to cgroups. Same
is valid for cpuset.mems exept we do not have ~nr_mems.
We can just hide cpuset cgroup from /proc/self/cgroup and /proc/cgroups
to protect it from being used in CT(and also do not mount it in
libvzctl, which seem to automaticly happen). Docker not seeing
cpuset will almost silently skip it and work as usual.
v2: add ve_hide_cgroups
https://jira.sw.ru/browse/PSBM-47280
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Reviewed-by: Vladimir Davydov <vdavydov at virtuozzo.com>
---
kernel/cgroup.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index 5afeb59b..5c012f6 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -4912,6 +4912,13 @@ static int __init cgroup_wq_init(void)
}
core_initcall(cgroup_wq_init);
+static int ve_hide_cgroups(struct cgroupfs_root *root)
+{
+ /* Hide cpuset cgroup in CT for docker */
+ return !ve_is_super(get_exec_env())
+ && (root->subsys_mask & (1UL << cpuset_subsys_id));
+}
+
/*
* proc_cgroup_show()
* - Print task's cgroup paths into seq_file, one line for each hierarchy
@@ -4953,6 +4960,8 @@ int proc_cgroup_show(struct seq_file *m, void *v)
struct cgroup *cgrp;
int count = 0;
+ if (ve_hide_cgroups(root))
+ continue;
seq_printf(m, "%d:", root->hierarchy_id);
for_each_subsys(root, ss)
seq_printf(m, "%s%s", count++ ? "," : "", ss->name);
@@ -4997,6 +5006,8 @@ static int proc_cgroupstats_show(struct seq_file *m, void *v)
if (ss == NULL)
continue;
+ if (ve_hide_cgroups(ss->root))
+ continue;
num = _cg_virtualized(ss->root->number_of_cgroups);
seq_printf(m, "%s\t%d\t%d\t%d\n",
ss->name, ss->root->hierarchy_id,