Ian Downes created MESOS-1282:
---------------------------------

             Summary: Support unprivileged access to cgroups
                 Key: MESOS-1282
                 URL: https://issues.apache.org/jira/browse/MESOS-1282
             Project: Mesos
          Issue Type: Improvement
    Affects Versions: 0.19.0
            Reporter: Ian Downes
            Priority: Minor
             Fix For: 0.19.0

Supporting this would allow running tests with cgroup isolators on CI machines where sudo access is unavailable.

This could be achieved by having the subsystems mounted and the mesos (or mesos_test) cgroup created and owned by the unprivileged user.

{noformat}
[vagrant@mesos cpu]$ cat /proc/mounts | grep cgroup
tmpfs /sys/fs/cgroup tmpfs rw,relatime 0 0
cgroup /sys/fs/cgroup/cpuset cgroup rw,relatime,cpuset,clone_children 0 0
cgroup /sys/fs/cgroup/cpu cgroup rw,relatime,cpu,clone_children 0 0
cgroup /sys/fs/cgroup/cpuacct cgroup rw,relatime,cpuacct,clone_children 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,relatime,memory,clone_children 0 0
cgroup /sys/fs/cgroup/devices cgroup rw,relatime,devices,clone_children 0 0
cgroup /sys/fs/cgroup/freezer cgroup rw,relatime,freezer,clone_children 0 0
cgroup /sys/fs/cgroup/net_cls cgroup rw,relatime,net_cls,clone_children 0 0
cgroup /sys/fs/cgroup/blkio cgroup rw,relatime,blkio,clone_children 0 0
[vagrant@mesos cpu]$ pwd
/sys/fs/cgroup/cpu
[vagrant@mesos cpu]$ ls -la
total 0
drwxr-xr-x  2 root root   0 May  1 22:11 .
drwxrwxrwt 10 root root 200 Apr 30 23:09 ..
-rw-r--r--  1 root root   0 Apr 30 23:14 cgroup.clone_children
--w--w--w-  1 root root   0 Apr 30 23:09 cgroup.event_control
-rw-r--r--  1 root root   0 Apr 30 23:09 cgroup.procs
-rw-r--r--  1 root root   0 Apr 30 23:09 cpu.cfs_period_us
-rw-r--r--  1 root root   0 Apr 30 23:09 cpu.cfs_quota_us
-rw-r--r--  1 root root   0 Apr 30 23:09 cpu.rt_period_us
-rw-r--r--  1 root root   0 Apr 30 23:09 cpu.rt_runtime_us
-rw-r--r--  1 root root   0 Apr 30 23:09 cpu.shares
-r--r--r--  1 root root   0 Apr 30 23:09 cpu.stat
-rw-r--r--  1 root root   0 Apr 30 23:09 notify_on_release
-rw-r--r--  1 root root   0 Apr 30 23:09 release_agent
-rw-r--r--  1 root root   0 Apr 30 23:09 tasks
{noformat}

User is unprivileged:

{noformat}
[vagrant@mesos cpu]$ id
uid=500(vagrant) gid=500(vagrant) groups=500(vagrant),10(wheel)
[vagrant@mesos cpu]$ mkdir mesos
mkdir: cannot create directory `mesos': Permission denied
{noformat}

Create a cgroup and chown to the unprivileged user.

{noformat}
[vagrant@mesos cpu]$ sudo mkdir mesos && sudo chown -R vagrant:vagrant mesos
[vagrant@mesos cpu]$ ls -la
total 0
drwxr-xr-x  3 root    root      0 May  1 22:11 .
drwxrwxrwt 10 root    root    200 Apr 30 23:09 ..
-rw-r--r--  1 root    root      0 Apr 30 23:14 cgroup.clone_children
--w--w--w-  1 root    root      0 Apr 30 23:09 cgroup.event_control
-rw-r--r--  1 root    root      0 Apr 30 23:09 cgroup.procs
-rw-r--r--  1 root    root      0 Apr 30 23:09 cpu.cfs_period_us
-rw-r--r--  1 root    root      0 Apr 30 23:09 cpu.cfs_quota_us
-rw-r--r--  1 root    root      0 Apr 30 23:09 cpu.rt_period_us
-rw-r--r--  1 root    root      0 Apr 30 23:09 cpu.rt_runtime_us
-rw-r--r--  1 root    root      0 Apr 30 23:09 cpu.shares
-r--r--r--  1 root    root      0 Apr 30 23:09 cpu.stat
drwxr-xr-x  2 vagrant vagrant   0 May  1 22:12 mesos
-rw-r--r--  1 root    root      0 Apr 30 23:09 notify_on_release
-rw-r--r--  1 root    root      0 Apr 30 23:09 release_agent
-rw-r--r--  1 root    root      0 Apr 30 23:09 tasks
{noformat}

The unprivileged user can now create nested cgroups and move processes into/out of cgroups it owns.

{noformat}
[vagrant@mesos cpu]$ echo $$
2877
[vagrant@mesos cpu]$ echo $$ > mesos/cgroup.procs
[vagrant@mesos cpu]$ cat mesos/cgroup.procs
2877
2957
[vagrant@mesos cpu]$ mkdir mesos/test
[vagrant@mesos cpu]$ echo $$ > mesos/test/cgroup.procs
[vagrant@mesos cpu]$ cat mesos/test/cgroup.procs
2877
2960
[vagrant@mesos cpu]$ echo $$ > mesos/cgroup.procs
[vagrant@mesos cpu]$ cat mesos/cgroup.procs
2877
2977
{noformat}
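
A pre-flight check for the setup described above, as an added example that is not part of the original report or of the Mesos code base: it reads cgroup mounts from a /proc/mounts-format file and reports, per hierarchy, whether the delegated cgroup exists, is owned by the calling user, and has a writable cgroup.procs. The function names and the three readiness criteria are assumptions made for this example.

```shell
#!/bin/sh
# Added example: verify that a delegated cgroup (e.g. "mesos" or
# "mesos_test") is usable by the current unprivileged user in every
# mounted cgroup hierarchy. Names and criteria here are assumptions.

# Print cgroup mount points from a /proc/mounts-format file.
# Field order: device mountpoint fstype options dump pass
cgroup_mounts() {
    awk '$3 == "cgroup" { print $2 }' "${1:-/proc/mounts}"
}

# Check one hierarchy. Prints a status word and returns non-zero unless
# <mount>/<name> exists, is owned by the caller, and the caller can both
# create nested cgroups in it and write to its cgroup.procs.
check_delegated() {
    dir="$1/$2"
    [ -d "$dir" ] || { echo "missing"; return 1; }
    [ -O "$dir" ] || { echo "not-owner"; return 1; }
    if [ -w "$dir" ] && [ -w "$dir/cgroup.procs" ]; then
        echo "ok"
    else
        echo "not-writable"
        return 1
    fi
}

# Report every hierarchy; return non-zero if any of them is unusable,
# so a CI job can decide up front whether cgroup tests can run.
check_all() {
    mounts_file="$1"
    name="$2"
    rc=0
    for m in $(cgroup_mounts "$mounts_file"); do
        status=$(check_delegated "$m" "$name") || rc=1
        echo "$m/$name: $status"
    done
    return $rc
}

# Usage: sh check_cgroups.sh mesos_test
if [ "$#" -ge 1 ]; then
    check_all /proc/mounts "$1"
fi
```

In the session above only /sys/fs/cgroup/cpu/mesos was created, so running this with the name mesos on that machine would report the other hierarchies as missing.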