Merge pull request #418 from xibz/cgroup

xibz · web-flow · commit ca88e0fd3ef9 · 2020-05-12T15:35:20.000-07:00
Adding Cgroup customization via CreateVM
diff --git a/proto/firecracker.pb.go b/proto/firecracker.pb.go
diff --git a/proto/firecracker.proto b/proto/firecracker.proto
@@ -102,5 +102,11 @@ message JailerConfig {
     string Mems = 3;
     uint32 UID = 4;
     uint32 GID = 5;
+	// CgroupPath is used to dictate where the cgroup should be located
+	// relative to the cgroup directory which is
+	// /sys/fs/cgroup/cpu/<CgroupPath>/<vmID>
+	// if no value was provided, then /firecracker-containerd will be used as
+	// the default value
+    string CgroupPath = 6;
 }
 
diff --git a/runtime/jailer.go b/runtime/jailer.go
@@ -102,6 +102,7 @@ func newJailer(
 		GID:            request.JailerConfig.GID,
 		CPUs:           request.JailerConfig.CPUs,
 		Mems:           request.JailerConfig.Mems,
+		CgroupPath:     request.JailerConfig.CgroupPath,
 	}
 	return newRuncJailer(ctx, l, service.vmID, config)
 }
diff --git a/runtime/jailer_test.go b/runtime/jailer_test.go
@@ -17,6 +17,7 @@ import (
 	"context"
 	"io/ioutil"
 	"os"
+	"os/exec"
 	"path/filepath"
 	"syscall"
 	"testing"
@@ -25,6 +26,8 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
+	"github.com/firecracker-microvm/firecracker-containerd/config"
+	"github.com/firecracker-microvm/firecracker-containerd/internal/vm"
 	"github.com/firecracker-microvm/firecracker-containerd/proto"
 )
 
@@ -57,6 +60,7 @@ func createSparseFile(path string, size int) error {
 
 	return nil
 }
+
 func TestCopyFile_sparse(t *testing.T) {
 	dir, err := ioutil.TempDir("", t.Name())
 	require.NoError(t, err)
@@ -96,3 +100,43 @@ func TestJailer_invalidUIDGID(t *testing.T) {
 	_, err := newJailer(context.Background(), logrus.NewEntry(logrus.New()), "/foo", &service{}, &req)
 	assert.Error(t, err, "expected invalid uid and gid error, but received none")
 }
+
+func TestNewJailer_Isolated(t *testing.T) {
+	prepareIntegTest(t)
+
+	ociBundlePath, err := ioutil.TempDir("", t.Name())
+	require.NoError(t, err)
+	defer os.RemoveAll(ociBundlePath)
+	b, err := exec.Command(
+		"cp",
+		"firecracker-runc-config.json.example",
+		filepath.Join(ociBundlePath, "config.json"),
+	).CombinedOutput()
+	require.NoErrorf(t, err, "copy runc config failed with: %s", string(b))
+
+	ctx := context.Background()
+	logger := logrus.NewEntry(logrus.New())
+	s := &service{
+		vmID:    "id",
+		shimDir: vm.Dir("/path/to/shim"),
+		config: &config.Config{
+			JailerConfig: config.JailerConfig{
+				RuncBinaryPath: "/path/to/runc_bin_path",
+				RuncConfigPath: filepath.Join(ociBundlePath, "config.json"),
+			},
+		},
+	}
+	req := &proto.CreateVMRequest{
+		JailerConfig: &proto.JailerConfig{
+			UID:        123,
+			GID:        456,
+			CgroupPath: "/my/cgroup_path",
+		},
+	}
+
+	j, err := newJailer(ctx, logger, ociBundlePath, s, req)
+	require.NoError(t, err)
+	runc, ok := j.(*runcJailer)
+	require.True(t, ok)
+	assert.Equal(t, filepath.Join(req.JailerConfig.CgroupPath, s.vmID), runc.CgroupPath())
+}
diff --git a/runtime/runc_jailer.go b/runtime/runc_jailer.go
@@ -60,6 +60,7 @@ type runcJailerConfig struct {
 	GID            uint32
 	CPUs           string
 	Mems           string
+	CgroupPath     string
 }
 
 func newRuncJailer(ctx context.Context, logger *logrus.Entry, vmID string, cfg runcJailerConfig) (*runcJailer, error) {
@@ -429,7 +430,12 @@ func (j *runcJailer) overwriteConfig(cfg *config.Config, machineConfig *firecrac
 }
 
 func (j runcJailer) CgroupPath() string {
-	return filepath.Join("/firecracker-containerd", j.vmID)
+	basePath := "/firecracker-containerd"
+	if j.Config.CgroupPath != "" {
+		basePath = j.Config.CgroupPath
+	}
+
+	return filepath.Join(basePath, j.vmID)
 }
 
 // setDefaultConfigValues will process the spec file provided and allow any
diff --git a/runtime/service_integ_test.go b/runtime/service_integ_test.go
@@ -273,6 +273,15 @@ func TestMultipleVMs_Isolated(t *testing.T) {
 				NetNS: netns.Path(),
 			},
 		},
+		{
+			MaxContainers: 3,
+			JailerConfig: &proto.JailerConfig{
+				UID:        300000,
+				GID:        300000,
+				NetNS:      netns.Path(),
+				CgroupPath: "/mycgroup",
+			},
+		},
 	}
 
 	testTimeout := 600 * time.Second
@@ -471,7 +480,7 @@ func testMultipleExecs(
 		require.NoError(t, err, "failed to stat root path of jailer")
 		_, err = os.Stat(filepath.Join("/sys/fs/cgroup/cpu", cgroupPath))
 		require.NoError(t, err, "failed to stat cgroup path of jailer")
-		assert.Equal(t, filepath.Join("/firecracker-containerd", vmIDStr), cgroupPath)
+		assert.Regexp(t, fmt.Sprintf(".+/%s", vmIDStr), cgroupPath)
 	}
 
 	// Verify each exec had the same stdout and use that value as the mount namespace that will be compared

Original file line number	Diff line number	Diff line change
`@@ -102,6 +102,7 @@ func newJailer(`
`102`	`102`	`GID: request.JailerConfig.GID,`
`103`	`103`	`CPUs: request.JailerConfig.CPUs,`
`104`	`104`	`Mems: request.JailerConfig.Mems,`
	`105`	`+ CgroupPath: request.JailerConfig.CgroupPath,`
`105`	`106`	`}`
`106`	`107`	`return newRuncJailer(ctx, l, service.vmID, config)`
`107`	`108`	`}`
Original file line number	Diff line number	Diff line change
`@@ -60,6 +60,7 @@ type runcJailerConfig struct {`
`60`	`60`	`GID uint32`
`61`	`61`	`CPUs string`
`62`	`62`	`Mems string`
	`63`	`+ CgroupPath string`
`63`	`64`	`}`
`64`	`65`
`65`	`66`	`func newRuncJailer(ctx context.Context, logger logrus.Entry, vmID string, cfg runcJailerConfig) (runcJailer, error) {`
`@@ -429,7 +430,12 @@ func (j runcJailer) overwriteConfig(cfg config.Config, machineConfig *firecrac`
`429`	`430`	`}`
`430`	`431`
`431`	`432`	`func (j runcJailer) CgroupPath() string {`
`432`		`- return filepath.Join("/firecracker-containerd", j.vmID)`
	`433`	`+ basePath := "/firecracker-containerd"`
	`434`	`+ if j.Config.CgroupPath != "" {`
	`435`	`+ basePath = j.Config.CgroupPath`
	`436`	`+ }`
	`437`	`+`
	`438`	`+ return filepath.Join(basePath, j.vmID)`
`433`	`439`	`}`
`434`	`440`
`435`	`441`	`// setDefaultConfigValues will process the spec file provided and allow any`