[Devel] [PATCH RHEL8 COMMIT] ve/cgroup: Hide ve cgroup in Containers

Konstantin Khorenko khorenko at virtuozzo.com
Fri Apr 30 14:46:06 MSK 2021


The commit is pushed to "branch-rh8-4.18.0-240.1.1.vz8.5.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh8-4.18.0-240.1.1.vz8.5.24
------>
commit b4afc85b81fe8fc6aced05760cbbdae511921c9b
Author: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Date:   Fri Apr 30 14:46:06 2021 +0300

    ve/cgroup: Hide ve cgroup in Containers
    
    Reasons:
    1) We don't need to show this cgroup in CT, it's vz specific,
    and nobody should use it inside.
    2) Docker from v17.11 checks that all cgroups are mounted, but we
    don't mount ve cgroup, thus docker fails.
    
    Still show ve for pseudosuper, so that this change does not
    influence criu. I checked that with this patch c/r of container works
    fine and values in ve cgroup files persist.
    
    Docker ct starts fine after this change.
    
    https://jira.sw.ru/browse/PSBM-80421
    
    Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
    Reviewed-by: Cyrill Gorcunov <gorcunov at openvz.org>
    
    Rebased to vz8:
     - Made ve_hide_cgroups non-static and added declaration to linux/cgroup.h
    because it is used in proc_cgroupstats_show which now belongs to cgroup-v1.c
     - Deleted beancounter
     - Added #ifdef CONFIG_VE
    
    (cherry picked from vz7 commit d1580bf6a02a ("ve/cgroup: hide ve and ub cgroups
    in CT"))
    Signed-off-by: Andrey Zhadchenko <andrey.zhadchenko at virtuozzo.com>
    Reviewed-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
 include/linux/cgroup.h    |  4 ++++
 kernel/cgroup/cgroup-v1.c |  8 +++++++-
 kernel/cgroup/cgroup.c    | 20 ++++++++++++++++++++
 3 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/include/linux/cgroup.h b/include/linux/cgroup.h
index 42ce2ece14f8..45da7bedc29d 100644
--- a/include/linux/cgroup.h
+++ b/include/linux/cgroup.h
@@ -962,4 +962,8 @@ static inline void cgroup_bpf_put(struct cgroup *cgrp) {}
 
 #endif /* CONFIG_CGROUP_BPF */
 
+#ifdef CONFIG_VE
+int ve_hide_cgroups(struct cgroup_root *root);
+#endif
+
 #endif /* _LINUX_CGROUP_H */
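
Review bot: the prototype at the end of include/linux/cgroup.h exists only under CONFIG_VE, with no stub for the other case, so every caller has to carry its own #ifdef CONFIG_VE block. An #else branch with `static inline int ve_hide_cgroups(struct cgroup_root *root) { return 0; }` would let the call sites in cgroup-v1.c and cgroup.c drop their guards. A one-line comment saying that a nonzero return means "skip this hierarchy for the current reader" would also help, since the header is where other callers will look.
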
diff --git a/kernel/cgroup/cgroup-v1.c b/kernel/cgroup/cgroup-v1.c
index f6ef1f45383f..84c26532f67d 100644
--- a/kernel/cgroup/cgroup-v1.c
+++ b/kernel/cgroup/cgroup-v1.c
@@ -745,11 +745,17 @@ int proc_cgroupstats_show(struct seq_file *m, void *v)
 	 */
 	mutex_lock(&cgroup_mutex);
 
-	for_each_subsys(ss, i)
+	for_each_subsys(ss, i) {
+#ifdef CONFIG_VE
+		if (ve_hide_cgroups(ss->root))
+			continue;
+#endif
+
 		seq_printf(m, "%s\t%d\t%d\t%d\n",
 			   ss->legacy_name, ss->root->hierarchy_id,
 			   _cg_virtualized(atomic_read(&ss->root->nr_cgrps)),
 			   cgroup_ssid_enabled(i));
+	}
 
 	mutex_unlock(&cgroup_mutex);
 	return 0;
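
Review bot: in the for_each_subsys() loop the filter is applied to ss->root, but /proc/cgroups prints one line per subsystem, so any controller that shares a hierarchy with ve is dropped from the listing together with it, because ve_hide_cgroups() matches on root->subsys_mask. If only the ve line is meant to disappear, a per-subsystem test such as `i == ve_cgrp_id` combined with the super/pseudosuper condition would be more precise. The blank line left after #endif inside the loop body can go as well.
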
diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
index 96f7f0b1e913..5ccc3edb7007 100644
--- a/kernel/cgroup/cgroup.c
+++ b/kernel/cgroup/cgroup.c
@@ -6009,6 +6009,21 @@ void cgroup_path_from_kernfs_id(const union kernfs_node_id *id,
 	kernfs_put(kn);
 }
 
+#ifdef CONFIG_VE
+int ve_hide_cgroups(struct cgroup_root *root)
+{
+	struct ve_struct *ve = get_exec_env();
+	unsigned long hidden_mask = (1UL << ve_cgrp_id);
+
+	/*
+	 * Hide ve cgroup in CT for docker,
+	 * still showing it to pseudosuper (criu)
+	 */
+	return !ve_is_super(ve) && !ve->is_pseudosuper
+		&& (root->subsys_mask & hidden_mask);
+}
+#endif
+
 /*
  * proc_cgroup_show()
  *  - Print task's cgroup paths into seq_file, one line for each hierarchy
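
Review bot: ve_hide_cgroups() takes its decision from get_exec_env(), that is from the task reading the proc file, and the comment does not say so; it names docker and criu but not the rule. Please state that the root is hidden unless the reader's ve passes ve_is_super() or has is_pseudosuper set, and that the match is on the whole root's subsys_mask. The function is a predicate, so returning bool would read better than int, and hidden_mask can be const.
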
@@ -6037,6 +6052,11 @@ int proc_cgroup_show(struct seq_file *m, struct pid_namespace *ns,
 		if (root == &cgrp_dfl_root && !cgrp_dfl_visible)
 			continue;
 
+#ifdef CONFIG_VE
+		if (ve_hide_cgroups(root))
+			continue;
+#endif
+
 		seq_printf(m, "%d:", root->hierarchy_id);
 		if (root != &cgrp_dfl_root)
 			for_each_subsys(ss, ssid)
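
Review bot: the new check in proc_cgroup_show() runs for every root, including &cgrp_dfl_root tested by the line just above it, so if the ve bit is ever set in the default root's subsys_mask the whole hierarchy line for that root disappears for container readers. Either skip the call when `root == &cgrp_dfl_root` or document that ve is expected to be bound to its own v1 hierarchy.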

