don't fail when subsystem not mounted #476
Conversation
| @@ -10,7 +10,7 @@ type DevicesGroup struct { | |||
|
|
|||
| func (s *DevicesGroup) Apply(d *data) error { | |||
| dir, err := d.join("devices") | |||
| if err != nil { | |||
| if err != nil && !cgroups.IsNotFound(err) { | |||
There was a problem hiding this comment.
We really cannot do this because devices is a hard requirement. Without the devices cgroup it is a security issue because a container will have unrestricted access to device nodes.
|
@hqhq what cgroups does your systems not have mounted? |
|
@crosbymichael some of our clients don't mount all cgroup subsystems, maybe just mount cpuset and memory cgroup. It's OK if Docker take device cgroup as hard requirement, but I think that can be done on Docker side, because that's what Docker needed, and we can show specific message, libcontainer should be more common, what do you think? |
|
@hqhq I think cgroups are a fundamental aspect for creating containers and support should be required. There is little overhead for mounting these and joining them as monitoring via cgroups is very important to understand the performance of your containerized apps. I feel like containers are the sum of namespaces, cgroups, caps, and rootfs jails (chroot). Each are equally important and should be required. @vmarmol how do you feel about making these mounts required or not? |
|
I see @hqhq's point about libcontainer maybe not being the place where we enforce this, but I do see the value in having a setup we know and test frequently. We already assume cgroups are mounted in various places and it'll be brittle for those that don't. I'm conflicted but I side with @crosbymichael about having a good experience for the 99% usecases. |
|
@crosbymichael @vmarmol I don't think we should take all cgroup subsystems as hard requirement, devices cgroup has a good reason but not all of others. I added some check on Docker side moby/moby#11882, and we can take devices cgroup as hard requirement in libcontaier. |
hqhq
force-pushed
the
hq_dont_fail_subsystem
branch
from
3e65a95 to
2d6ee23
Compare
|
I updated devices part, WDYT? |
|
@hqhq ok, i think that maybe a good approach to take. |
| // Normally dir should not be empty, one case is that cgroup subsystem | ||
| // is not mounted, we will get empty dir, and we want it fail here. | ||
| if dir == "" { | ||
| return fmt.Errorf("No such directory for %s.", file) |
There was a problem hiding this comment.
nit: lowercase "No" for Go errors to start with lowercase.
|
Sounds reasonable to me. |
hqhq
force-pushed
the
hq_dont_fail_subsystem
branch
from
2d6ee23 to
1bcb6f3
Compare
|
Updated. |
|
@hqhq Do we need any changes on the systemd side? |
hqhq
force-pushed
the
hq_dont_fail_subsystem
branch
from
1bcb6f3 to
e10bc4b
Compare
|
@mrunalp Yes we need indeed, updated, thanks. |
hqhq
force-pushed
the
hq_dont_fail_subsystem
branch
from
e10bc4b to
a824f09
Compare
|
Rebased, ping. |
|
ping. |
| if path == "" { | ||
| return nil | ||
| } | ||
|
|
There was a problem hiding this comment.
should this check be moved into cpusetGroup.ApplyDir ?
|
This still doesn't satisfy the use case where no cgroups are mounted right? |
We do this aim two goals: - don't fail when some subsystems are not mounted (devices cgroup is an exception because it will cause secirity issues). - fail hard instead of ignoring the error when a user specifies an option and we are unable to fulfill the request. Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
|
@vishh No, for now devices cgroup is hard requirement for security. |
hqhq
force-pushed
the
hq_dont_fail_subsystem
branch
from
a824f09 to
27d3dd3
Compare
|
LGTM |
| @@ -48,6 +48,11 @@ func (s *CpusetGroup) GetStats(path string, stats *cgroups.Stats) error { | |||
| } | |||
|
|
|||
| func (s *CpusetGroup) ApplyDir(dir string, cgroup *configs.Cgroup, pid int) error { | |||
There was a problem hiding this comment.
Shouldn't we not even make the call to apply for this subsystem if it doesn't exist?
There was a problem hiding this comment.
I was outside, just moved in as @dqminh suggested.
If outside, we should do that on both fs and systemd side, but I don't think that's a big deal. Just want make sure which way you prefer.
There was a problem hiding this comment.
Yeah, checking this outside would duplicate this logic, I like it here better too 👍
|
code LGTM. |
|
ping. |
|
LGTM |
1 similar comment
|
LGTM |
don't fail when subsystem not mounted
We do this aim two goals:
an option and we are unable to fulfill the request.
Signed-off-by: Qiang Huang h.huangqiang@huawei.com