After commit da53619c5d49 ("ve/cpuset: revert changes allowing to attach to empty cpusets") one cannot create a non-empty cpuset cgroup in CT. And docker, which tries to create a cgroup for every visible controller, creates a cpuset cgroup for docker-ct and fails to add processes to it.
Cgroup files cpuset.cpus are by design not valid to use in our CTs as they pin processes in a cgroup to a defined range of processors, but we don't want processes in a container to be able to pin themselves to the cpus they want. We have another mechanism to restrict CT's cpus usage - the cpu.nr_cpus cgroup file, which allows balancing containers between cpus. So we faked cpuset.cpus in CT so one cannot really pin processes in CT. But that makes all cpuset cgroups non-initialized and we also can't attach processes to cgroups. The same is valid for cpuset.mems except we do not have ~nr_mems.

We can just hide the cpuset cgroup from /proc/self/cgroup and /proc/cgroups to protect it from being used in CT (and also do not mount it in libvzctl, which seems to happen automatically). Docker not seeing cpuset will almost silently skip it and work as usual.

v2: add ve_hide_cgroups

https://jira.sw.ru/browse/PSBM-47280

Signed-off-by: Pavel Tikhomirov <ptikhomi...@virtuozzo.com>

--- kernel/cgroup.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/kernel/cgroup.c b/kernel/cgroup.c index 5afeb59b..5c012f6 100644 --- a/kernel/cgroup.c +++ b/kernel/cgroup.c @@ -4912,6 +4912,13 @@ static int __init cgroup_wq_init(void) } core_initcall(cgroup_wq_init); +static int ve_hide_cgroups(struct cgroupfs_root *root) +{ + /* Hide cpuset cgroup in CT for docker */ + return !ve_is_super(get_exec_env()) + && (root->subsys_mask & (1UL << cpuset_subsys_id)); +} + /* * proc_cgroup_show() * - Print task's cgroup paths into seq_file, one line for each hierarchy @@ -4953,6 +4960,8 @@ int proc_cgroup_show(struct seq_file *m, void *v) struct cgroup *cgrp; int count = 0; + if (ve_hide_cgroups(root)) + continue; seq_printf(m, "%d:", root->hierarchy_id); for_each_subsys(root, ss) seq_printf(m, "%s%s", count++ ? "," : "", ss->name); 
@@ -4997,6 +5006,8 @@ static int proc_cgroupstats_show(struct seq_file *m, void *v) if (ss == NULL) continue; + if (ve_hide_cgroups(ss->root)) + continue; num = _cg_virtualized(ss->root->number_of_cgroups); seq_printf(m, "%s\t%d\t%d\t%d\n", ss->name, ss->root->hierarchy_id, -- 2.5.5
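
Review bot: ve_hide_cgroups() in the first hunk (@@ -4912) returns int for what is a yes/no predicate, and its comment says only "for docker" without giving the reason. Declare it bool, move the && to the end of the previous line as kernel style expects, and have the comment state that cpuset is hidden because it is not usable inside a CT, so the next reader does not take this for a docker-only workaround.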
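
Review bot: the skip added to proc_cgroup_show() (@@ -4953) only removes the hierarchy from the /proc/self/cgroup listing; nothing in the visible hunks refuses a mount of, or an attach to, the cpuset hierarchy from inside a CT. The commit message relies on libvzctl not mounting it, so either say in a comment that this is presentation only, or add the matching check on the mount path, since a CT process that does not consult /proc is not affected by this change.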
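
Review bot: in proc_cgroupstats_show() (@@ -4997) the loop is per subsystem but the test is on ss->root, so if cpuset is mounted together with other controllers on one hierarchy, every controller on that root drops out of /proc/cgroups in a CT, not just cpuset. The same whole-root skip applies to the line omitted in proc_cgroup_show(). If only cpuset should disappear, test the subsystem itself here, or document that cpuset is expected to sit on its own hierarchy.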