[Devel] [PATCH] cgroup/cpuset: emulate cgroup in container

Wed Dec 13 15:43:33 MSK 2017

Personally I don't like these as we still have no unswer to "If cpusets 
are optional for docker, why k8s can't work without them?" it seem there 
is not enough explanation in VZAP-31.

We also need to revert the patch below to show cpuset in CT:
commit 5160bd34c9bd ("ve/proc/cpuset: do not show cpuset in CT")

It seem I can still attach a process to a nested cgroup in CT with these 
patch:

CT-6ecd9be1 /# cat /proc/cgroups | grep cpuset
cpuset	16	1	1
CT-6ecd9be1 /# ls /sys/fs/cgroup/cpuset/cpuset.cpus
/sys/fs/cgroup/cpuset/cpuset.cpus
CT-6ecd9be1 /# mkdir /sys/fs/cgroup/cpuset/test
CT-6ecd9be1 /# sleep 1000 &
[1] 678
CT-6ecd9be1 /# echo  678 > /sys/fs/cgroup/cpuset/test/tasks
CT-6ecd9be1 /# cat /sys/fs/cgroup/cpuset/test/tasks
678

On 12/13/2017 01:37 PM, Stanislav Kinsburskiy wrote:
> Any changes to this cgroup are skipped in container, but success code is
> returned.
> The idea is to fool Docker/Kubernetes.
> 
> https://jira.sw.ru/browse/PSBM-58423
> 
> This patch obsoletes "ve/proc/cpuset: do not show cpuset in CT"
> 
> Signed-off-by: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
> ---
>   kernel/cpuset.c |    9 +++++++++
>   1 file changed, 9 insertions(+)
> 
> diff --git a/kernel/cpuset.c b/kernel/cpuset.c
> index 26d88eb..dfac505 100644
> --- a/kernel/cpuset.c
> +++ b/kernel/cpuset.c
> @@ -1441,6 +1441,9 @@ static int cpuset_can_attach(struct cgroup *cgrp, struct cgroup_taskset *tset)
>   	struct task_struct *task;
>   	int ret;
>   
> +	if (!ve_is_super(get_exec_env()))
> +		return 0;
> +
>   	mutex_lock(&cpuset_mutex);
>   
>   	ret = -ENOSPC;
> @@ -1470,6 +1473,9 @@ static int cpuset_can_attach(struct cgroup *cgrp, struct cgroup_taskset *tset)
>   static void cpuset_cancel_attach(struct cgroup *cgrp,
>   				 struct cgroup_taskset *tset)
>   {
> +	if (!ve_is_super(get_exec_env()))
> +		return;
> +
>   	mutex_lock(&cpuset_mutex);
>   	cgroup_cs(cgrp)->attach_in_progress--;
>   	mutex_unlock(&cpuset_mutex);
> @@ -1494,6 +1500,9 @@ static void cpuset_attach(struct cgroup *cgrp, struct cgroup_taskset *tset)
>   	struct cpuset *cs = cgroup_cs(cgrp);
>   	struct cpuset *oldcs = cgroup_cs(oldcgrp);
>   
> +	if (!ve_is_super(get_exec_env()))
> +		return;
> +
>   	mutex_lock(&cpuset_mutex);
>   
>   	/* prepare for attach */
> 

-- 
Best regards, Tikhomirov Pavel
Software Developer, Virtuozzo.