Adds CgroupPath to the runcJailer

This commit adds the CgroupPath to the runc jailer allowing for
customization of where the cgroup path should exist.

Signed-off-by: xibz <[email protected]>

Author: xibz

runtime/jailer.go

@@ -102,6 +102,7 @@ func newJailer(
 		GID:            request.JailerConfig.GID,
 		CPUs:           request.JailerConfig.CPUs,
 		Mems:           request.JailerConfig.Mems,
+		CgroupPath:     request.JailerConfig.CgroupPath,
 	}
 	return newRuncJailer(ctx, l, service.vmID, config)
 }

runtime/jailer_test.go

@@ -17,6 +17,7 @@ import (
 	"context"
 	"io/ioutil"
 	"os"
+	"os/exec"
 	"path/filepath"
 	"syscall"
 	"testing"
@@ -25,6 +26,8 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
+	"github.com/firecracker-microvm/firecracker-containerd/config"
+	"github.com/firecracker-microvm/firecracker-containerd/internal/vm"
 	"github.com/firecracker-microvm/firecracker-containerd/proto"
 )
 
@@ -57,6 +60,7 @@ func createSparseFile(path string, size int) error {
 
 	return nil
 }
+
 func TestCopyFile_sparse(t *testing.T) {
 	dir, err := ioutil.TempDir("", t.Name())
 	require.NoError(t, err)
@@ -96,3 +100,43 @@ func TestJailer_invalidUIDGID(t *testing.T) {
 	_, err := newJailer(context.Background(), logrus.NewEntry(logrus.New()), "/foo", &service{}, &req)
 	assert.Error(t, err, "expected invalid uid and gid error, but received none")
 }
+
+func TestNewJailer_Isolated(t *testing.T) {
+	prepareIntegTest(t)
+
+	ociBundlePath, err := ioutil.TempDir("", t.Name())
+	require.NoError(t, err)
+	defer os.RemoveAll(ociBundlePath)
+	b, err := exec.Command(
+		"cp",
+		"firecracker-runc-config.json.example",
+		filepath.Join(ociBundlePath, "config.json"),
+	).CombinedOutput()
+	require.NoErrorf(t, err, "copy runc config failed with: %s", string(b))
+
+	ctx := context.Background()
+	logger := logrus.NewEntry(logrus.New())
+	s := &service{
+		vmID:    "id",
+		shimDir: vm.Dir("/path/to/shim"),
+		config: &config.Config{
+			JailerConfig: config.JailerConfig{
+				RuncBinaryPath: "/path/to/runc_bin_path",
+				RuncConfigPath: filepath.Join(ociBundlePath, "config.json"),
+			},
+		},
+	}
+	req := &proto.CreateVMRequest{
+		JailerConfig: &proto.JailerConfig{
+			UID:        123,
+			GID:        456,
+			CgroupPath: "/my/cgroup_path",
+		},
+	}
+
+	j, err := newJailer(ctx, logger, ociBundlePath, s, req)
+	require.NoError(t, err)
+	runc, ok := j.(*runcJailer)
+	require.True(t, ok)
+	assert.Equal(t, filepath.Join(req.JailerConfig.CgroupPath, s.vmID), runc.CgroupPath())
+}

runtime/runc_jailer.go

@@ -60,6 +60,7 @@ type runcJailerConfig struct {
 	GID            uint32
 	CPUs           string
 	Mems           string
+	CgroupPath     string
 }
 
 func newRuncJailer(ctx context.Context, logger *logrus.Entry, vmID string, cfg runcJailerConfig) (*runcJailer, error) {
@@ -429,7 +430,12 @@ func (j *runcJailer) overwriteConfig(cfg *config.Config, machineConfig *firecrac
 }
 
 func (j runcJailer) CgroupPath() string {
-	return filepath.Join("/firecracker-containerd", j.vmID)
+	basePath := "/firecracker-containerd"
+	if j.Config.CgroupPath != "" {
+		basePath = j.Config.CgroupPath
+	}
+
+	return filepath.Join(basePath, j.vmID)
 }
 
 // setDefaultConfigValues will process the spec file provided and allow any

runtime/service_integ_test.go

@@ -273,6 +273,15 @@ func TestMultipleVMs_Isolated(t *testing.T) {
 				NetNS: netns.Path(),
 			},
 		},
+		{
+			MaxContainers: 3,
+			JailerConfig: &proto.JailerConfig{
+				UID:        300000,
+				GID:        300000,
+				NetNS:      netns.Path(),
+				CgroupPath: "/mycgroup",
+			},
+		},
 	}
 
 	testTimeout := 600 * time.Second
@@ -471,7 +480,7 @@ func testMultipleExecs(
 		require.NoError(t, err, "failed to stat root path of jailer")
 		_, err = os.Stat(filepath.Join("/sys/fs/cgroup/cpu", cgroupPath))
 		require.NoError(t, err, "failed to stat cgroup path of jailer")
-		assert.Equal(t, filepath.Join("/firecracker-containerd", vmIDStr), cgroupPath)
+		assert.Regexp(t, fmt.Sprintf(".+/%s", vmIDStr), cgroupPath)
 	}
 
 	// Verify each exec had the same stdout and use that value as the mount namespace that will be compared