[Devel] [PATCH RH9 21/22] ve/cgroup: Hide ve cgroup in Containers

Andrey Zhadchenko andrey.zhadchenko at virtuozzo.com
Thu Oct 7 13:57:45 MSK 2021


From: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>

Reasons:
1) We don't need to show this cgroup in CT, it's vz specific,
and nobody should use it inside.
2) Docker from v17.11 checks that all cgroups are mounted, but we
don't mount ve cgroup, thus docker fails.

Still show ve for pseudosuper, so that this change does not
influence criu. I checked that with this patch c/r of container works
fine and values in ve cgroup files persist.

Docker ct starts fine after this change.

https://jira.sw.ru/browse/PSBM-80421

Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Reviewed-by: Cyrill Gorcunov <gorcunov at openvz.org>

Rebased to vz8:
 - Made ve_hide_cgroups non-static and added declaration to linux/cgroup.h
because it is used in proc_cgroupstats_show which now belongs to cgroup-v1.c
 - Deleted beancounter
 - Added #ifdef CONFIG_VE

(cherry picked from vz7 commit d1580bf6a02a ("ve/cgroup: hide ve and ub cgroups
in CT"))
Signed-off-by: Andrey Zhadchenko <andrey.zhadchenko at virtuozzo.com>
Reviewed-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>

(cherry picked from vz8 commit 63a6cbc3c305599166d98edaf9f81b609cf561c4)
Signed-off-by: Andrey Zhadchenko <andrey.zhadchenko at virtuozzo.com>
---
 include/linux/cgroup.h    |  4 ++++
 kernel/cgroup/cgroup-v1.c |  8 +++++++-
 kernel/cgroup/cgroup.c    | 20 ++++++++++++++++++++
 3 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/include/linux/cgroup.h b/include/linux/cgroup.h
index fc798aa..6e9aca2 100644
--- a/include/linux/cgroup.h
+++ b/include/linux/cgroup.h
@@ -958,4 +958,8 @@ static inline void cgroup_bpf_put(struct cgroup *cgrp) {}
 
 #endif /* CONFIG_CGROUP_BPF */
 
+#ifdef CONFIG_VE
+int ve_hide_cgroups(struct cgroup_root *root);
+#endif
+
 #endif /* _LINUX_CGROUP_H */
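
Review bot: the ve_hide_cgroups() declaration has no !CONFIG_VE counterpart, which is why both callers in this patch have to wrap the call in their own #ifdef CONFIG_VE. A static inline stub returning 0 in an #else branch here would let proc_cgroupstats_show() and proc_cgroup_show() call it unconditionally and keep the preprocessor out of the loop bodies. The function is used purely as a predicate, so bool would describe the return type better than int.
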
diff --git a/kernel/cgroup/cgroup-v1.c b/kernel/cgroup/cgroup-v1.c
index 4233856..494b4bd 100644
--- a/kernel/cgroup/cgroup-v1.c
+++ b/kernel/cgroup/cgroup-v1.c
@@ -690,11 +690,17 @@ int proc_cgroupstats_show(struct seq_file *m, void *v)
 	 */
 	mutex_lock(&cgroup_mutex);
 
-	for_each_subsys(ss, i)
+	for_each_subsys(ss, i) {
+#ifdef CONFIG_VE
+		if (ve_hide_cgroups(ss->root))
+			continue;
+#endif
+
 		seq_printf(m, "%s\t%d\t%d\t%d\n",
 			   ss->legacy_name, ss->root->hierarchy_id,
 			   _cg_virtualized(atomic_read(&ss->root->nr_cgrps)),
 			   cgroup_ssid_enabled(i));
+	}
 
 	mutex_unlock(&cgroup_mutex);
 	return 0;
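
Review bot: the check inside for_each_subsys() is made on ss->root, so the filter is per hierarchy rather than per subsystem: any controller that shares a hierarchy with ve would lose its /proc/cgroups row inside a container too. If only the ve row is meant to disappear, compare the subsystem index i against ve_cgrp_id at this point; if hiding the whole hierarchy is intended, say so in the commit message. The blank line left after the #endif inside the new braces can go as well.
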
diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
index 74d0b50..2178468 100644
--- a/kernel/cgroup/cgroup.c
+++ b/kernel/cgroup/cgroup.c
@@ -6004,6 +6004,21 @@ void cgroup_path_from_kernfs_id(u64 id, char *buf, size_t buflen)
 	kernfs_put(kn);
 }
 
+#ifdef CONFIG_VE
+int ve_hide_cgroups(struct cgroup_root *root)
+{
+	struct ve_struct *ve = get_exec_env();
+	unsigned long hidden_mask = (1UL << ve_cgrp_id);
+
+	/*
+	 * Hide ve cgroup in CT for docker,
+	 * still showing it to pseudosuper (criu)
+	 */
+	return !ve_is_super(ve) && !ve->is_pseudosuper
+		&& (root->subsys_mask & hidden_mask);
+}
+#endif
+
 /*
  * cgroup_get_from_id : get the cgroup associated with cgroup id
  * @id: cgroup id
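
Review bot: the comment above the return in ve_hide_cgroups() should say that this only filters what the proc listings print and is not an access check; in this patch the function is called from the two proc show paths only, yet it is now non-static and declared in linux/cgroup.h, so later callers may read more into the name than it provides. The name is plural while hidden_mask carries a single bit (1UL << ve_cgrp_id), so either rename it or note that the mask is where further controllers would be added. Style: kernel convention keeps the && at the end of the previous line rather than at the start of the continuation.
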
@@ -6057,6 +6072,11 @@ int proc_cgroup_show(struct seq_file *m, struct pid_namespace *ns,
 		if (root == &cgrp_dfl_root && !cgrp_dfl_visible)
 			continue;
 
+#ifdef CONFIG_VE
+		if (ve_hide_cgroups(root))
+			continue;
+#endif
+
 		seq_printf(m, "%d:", root->hierarchy_id);
 		if (root != &cgrp_dfl_root)
 			for_each_subsys(ss, ssid)
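
Review bot: the new check in proc_cgroup_show() depends on who is reading, not on the task whose cgroup file is being shown, because ve_hide_cgroups() takes the VE from get_exec_env() and receives only the root. That matches the commit message (pseudosuper still sees ve for criu), but it means the same /proc/<pid>/cgroup yields different contents for different readers, which deserves a short comment at this call site. The result also cannot change across loop iterations apart from the root mask test, so the reader-side part could be evaluated once before the loop.
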
-- 
1.8.3.1


