-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Decouple setting cgroup device rules from cgroup manager #3452
Conversation
c08172a
to
9833a73
Compare
@AkihiroSuda PTAL 🙏🏻 (if you like this more or less than #3421). It is not finished, but it is more or less clear where this is going. Personally I think this is better than the build tag, because we can use the same library with and without device management (i.e. a runtime switch is better than the compile time) |
bb32a4f
to
aeb5433
Compare
8be7ccc
to
acab16a
Compare
// DeviceFilter returns eBPF device filter program and its license string | ||
func DeviceFilter(rules []*devices.Rule) (asm.Instructions, string, error) { | ||
// deviceFilter returns eBPF device filter program and its license string. | ||
func deviceFilter(rules []*devices.Rule) (asm.Instructions, string, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Probably no need to unexpose DeviceFilter
, Emulator
, etc.
Or this could be another PR.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's a separate commit so I can just drop it.
Or, if moving everything in a single package is not that good (let's see what @cyphar says), this can be undone, too.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Moving it to a single package is fine. Honestly I probably should've kept it in this package in the first place (I wish Go had project-level internal symbols that didn't require you to restructure everything to use internal/
).
@cyphar PTAL |
@kolyshkin is there any movement on this? |
@cyphar @opencontainers/runc-maintainers PTAL |
acab16a
to
5889f32
Compare
5889f32
to
d2afe8f
Compare
@kolyshkin @AkihiroSuda @cyphar is there any chance of getting this merged this week so work on containers/common#936 can resume? |
Being the author of this, I can not really influence its acceptance (although I am a maintainer here, I can not accept my own PRs, and so I rely on other maintainers for this, the same way they rely on me). You can still work on that using my repo fork; I guess that until a tagged runc release is made, you can't include this anyway so the fork is as good as the unreleased version. |
ff8e9f6
to
7a6f3fe
Compare
OK, I have simplified the code a bit, removed all the new methods from cgroup managers, replacing those with 3 functions variables added to cgroups package, and added |
This moves the functionality related to devices, SkipDevices, and SkipFreezeOnSet to a separate file, in preparation for the next commit. No code changes. Signed-off-by: Kir Kolyshkin <[email protected]>
This commit separates the functionality of setting cgroup device rules out of libct/cgroups to libct/cgroups/devices package. This package, if imported, sets the function variables in libct/cgroups and libct/cgroups/systemd, so that a cgroup manager can use those to manage devices. If those function variables are nil (when libct/cgroups/devices are not imported), a cgroup manager returns the ErrDevicesUnsupported in case any device rules are set in Resources. It also consolidates the code from libct/cgroups/ebpf and libct/cgroups/ebpf/devicefilter into libct/cgroups/devices. Moved some tests in libct/cg/sd that require device management to libct/sd/devices. Signed-off-by: Kir Kolyshkin <[email protected]>
These are only used from inside the package, and we don't want them to be public. The only two methods left are Enable and Disable. While at it, fix or suppress found lint-extra warnings. Signed-off-by: Kir Kolyshkin <[email protected]>
7a6f3fe
to
47e0997
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM.
switch c/common to use runc cgroup creation so that we can use resource limits This entails importing the newly refactored runc code to manage reading from and writing to cgroup. vendoring in directly an unreleased runc commit from opencontainers/runc#3452 Signed-off-by: cdoern <[email protected]>
switch c/common to use runc cgroup creation so that we can use resource limits This entails importing the newly refactored runc code to manage reading from and writing to cgroup. vendoring in directly an unreleased runc commit from opencontainers/runc#3452 Signed-off-by: cdoern <[email protected]>
switch c/common to use runc cgroup creation so that we can use resource limits This entails importing the newly refactored runc code to manage reading from and writing to cgroup. vendoring in directly an unreleased runc commit from opencontainers/runc#3452 Signed-off-by: cdoern <[email protected]>
switch c/common to use runc cgroup creation so that we can use resource limits This entails importing the newly refactored runc code to manage reading from and writing to cgroup. vendoring in directly an unreleased runc commit from opencontainers/runc#3452 Signed-off-by: cdoern <[email protected]>
switch c/common to use runc cgroup creation so that we can use resource limits This entails importing the newly refactored runc code to manage reading from and writing to cgroup. vendoring in directly an unreleased runc commit from opencontainers/runc#3452 Signed-off-by: cdoern <[email protected]>
switch c/common to use runc cgroup creation so that we can use resource limits This entails importing the newly refactored runc code to manage reading from and writing to cgroup. vendoring in directly an unreleased runc commit from opencontainers/runc#3452 Signed-off-by: cdoern <[email protected]>
switch c/common to use runc cgroup creation so that we can use resource limits This entails importing the newly refactored runc code to manage reading from and writing to cgroup. vendoring in directly an unreleased runc commit from opencontainers/runc#3452 Signed-off-by: cdoern <[email protected]>
switch c/common to use runc cgroup creation so that we can use resource limits This entails importing the newly refactored runc code to manage reading from and writing to cgroup. vendoring in directly an unreleased runc commit from opencontainers/runc#3452 Signed-off-by: cdoern <[email protected]>
switch c/common to use runc cgroup creation so that we can use resource limits This entails importing the newly refactored runc code to manage reading from and writing to cgroup. vendoring in directly an unreleased runc commit from opencontainers/runc#3452 Signed-off-by: cdoern <[email protected]>
switch c/common to use runc cgroup creation so that we can use resource limits This entails importing the newly refactored runc code to manage reading from and writing to cgroup. vendoring in directly an unreleased runc commit from opencontainers/runc#3452 Signed-off-by: cdoern <[email protected]>
switch c/common to use runc cgroup creation so that we can use resource limits This entails importing the newly refactored runc code to manage reading from and writing to cgroup. vendoring in directly an unreleased runc commit from opencontainers/runc#3452 Signed-off-by: cdoern <[email protected]>
This is an alternative to #3421, which tries to remove the functionality of setting cgroup device access rules from the cgroup managers.
Motivation
This should help runc/libct/cg users who are
SkipDevices
andfor such users, and with this codeSkipFreezeOnSet
SkipDevices
can be omitted entirely in case the sources do not includejackfan.us.kg/opencontainers/runc/libcontainer/cgroups/devices
package.Implementation
This
libct/cg/devices
. Those aresetV1
andsetV2
. Same for generating systemd cgroup device properties (systemdProperties
).As a result:
+import _ "github.com/opencontainers/runc/libcontainer/cgroups/devices"
Caveats
SkipFreezeOnSet
for systemd v1 cgroup manager since it can manage an existing systemd unit which has some device rules set, and any update of such unit results in rules being reloaded, so we have to freeze it before set.