feat: set resources on inner container (#8)

sreya · web-flow · commit a64e758dccd8 · 2023-03-20T13:06:51.000-05:00
diff --git a/cli/docker.go b/cli/docker.go
@@ -58,6 +58,8 @@ const (
 	OuterTUNPath = "/tmp/coder-tun"
 	InnerTUNPath = "/dev/net/tun"
 
+	InnerContainerName = "workspace_cvm"
+
 	// Required for userns mapping.
 	// This is the ID of the user we apply in `envbox/Dockerfile`.
 	//
@@ -85,6 +87,8 @@ var (
 	EnvAgentToken = "CODER_AGENT_TOKEN"
 	EnvBootstrap  = "CODER_BOOTSTRAP_SCRIPT"
 	EnvMounts     = "CODER_MOUNTS"
+	EnvCPUs       = "CODER_CPUS"
+	EnvMemory     = "CODER_MEMORY"
 )
 
 var envboxPrivateMounts = map[string]struct{}{
@@ -261,6 +265,8 @@ func dockerCmd() *cobra.Command {
 	cliflag.StringVarP(cmd.Flags(), &flag.ethlink, "ethlink", "", "", defaultNetLink, "The ethernet link to query for the MTU that is passed to docerd. Used for tests.")
 	cliflag.BoolVarP(cmd.Flags(), &flag.addTUN, "add-tun", "", EnvAddTun, false, "Add a TUN device to the inner container.")
 	cliflag.BoolVarP(cmd.Flags(), &flag.addFUSE, "add-fuse", "", EnvAddFuse, false, "Add a FUSE device to the inner container.")
+	cliflag.IntVarP(cmd.Flags(), &flag.cpus, "cpus", "", EnvCPUs, 0, "Number of CPUs to allocate inner container. e.g. 2")
+	cliflag.IntVarP(cmd.Flags(), &flag.memory, "memory", "", EnvMemory, 0, "Max memory to allocate to the inner container in bytes.")
 
 	return cmd
 }
@@ -282,6 +288,8 @@ type flags struct {
 	boostrapScript    string
 	ethlink           string
 	containerMounts   string
+	cpus              int
+	memory            int
 }
 
 func runDockerCVM(ctx context.Context, log slog.Logger, client dockerutil.DockerClient, flags flags) error {
@@ -471,15 +479,16 @@ func runDockerCVM(ctx context.Context, log slog.Logger, client dockerutil.Docker
 
 	// Create the inner container.
 	containerID, err := dockerutil.CreateContainer(ctx, client, &dockerutil.ContainerConfig{
-		Log:        log,
-		Mounts:     mounts,
-		Devices:    devices,
-		Envs:       envs,
-		Name:       "workspace_cvm",
-		WorkingDir: flags.innerWorkDir,
-		HasInit:    imgMeta.HasInit,
-		Image:      flags.innerImage,
-		// TODO set CPUQuota,MemoryLimit
+		Log:         log,
+		Mounts:      mounts,
+		Devices:     devices,
+		Envs:        envs,
+		Name:        InnerContainerName,
+		WorkingDir:  flags.innerWorkDir,
+		HasInit:     imgMeta.HasInit,
+		Image:       flags.innerImage,
+		CPUs:        int64(flags.cpus),
+		MemoryLimit: int64(flags.memory),
 	})
 	if err != nil {
 		return xerrors.Errorf("create container: %w", err)
diff --git a/cli/docker_test.go b/cli/docker_test.go
@@ -23,6 +23,7 @@ import (
 
 	"github.com/coder/envbox/cli"
 	"github.com/coder/envbox/cli/clitest"
+	"github.com/coder/envbox/dockerutil"
 	"github.com/coder/envbox/xunix"
 	"github.com/coder/envbox/xunix/xunixfake"
 )
@@ -164,7 +165,7 @@ func TestDocker(t *testing.T) {
 		client := clitest.DockerClient(t, ctx)
 		var called bool
 		client.ContainerCreateFn = func(_ context.Context, config *container.Config, hostConfig *container.HostConfig, networkingConfig *network.NetworkingConfig, _ *v1.Platform, containerName string) (container.ContainerCreateCreatedBody, error) {
-			if containerName == "workspace_cvm" {
+			if containerName == cli.InnerContainerName {
 				called = true
 				require.Equal(t, expectedEnvs, config.Env)
 			}
@@ -217,7 +218,7 @@ func TestDocker(t *testing.T) {
 
 		var called bool
 		client.ContainerCreateFn = func(_ context.Context, config *container.Config, hostConfig *container.HostConfig, networkingConfig *network.NetworkingConfig, _ *v1.Platform, containerName string) (container.ContainerCreateCreatedBody, error) {
-			if containerName == "workspace_cvm" {
+			if containerName == cli.InnerContainerName {
 				called = true
 				require.Equal(t, expectedMounts, hostConfig.Binds)
 			}
@@ -301,7 +302,7 @@ func TestDocker(t *testing.T) {
 
 		var called bool
 		client.ContainerCreateFn = func(_ context.Context, config *container.Config, hostConfig *container.HostConfig, networkingConfig *network.NetworkingConfig, _ *v1.Platform, containerName string) (container.ContainerCreateCreatedBody, error) {
-			if containerName == "workspace_cvm" {
+			if containerName == cli.InnerContainerName {
 				called = true
 				require.Equal(t, expectedDevices, hostConfig.Devices)
 			}
@@ -368,7 +369,7 @@ func TestDocker(t *testing.T) {
 
 		var called bool
 		client.ContainerCreateFn = func(_ context.Context, config *container.Config, hostConfig *container.HostConfig, networkingConfig *network.NetworkingConfig, _ *v1.Platform, containerName string) (container.ContainerCreateCreatedBody, error) {
-			if containerName == "workspace_cvm" {
+			if containerName == cli.InnerContainerName {
 				called = true
 				require.Equal(t, []string{"sleep", "infinity"}, []string(config.Entrypoint))
 			}
@@ -406,6 +407,42 @@ func TestDocker(t *testing.T) {
 		err := cmd.ExecuteContext(ctx)
 		require.NoError(t, err)
 	})
+
+	t.Run("SetsResources", func(t *testing.T) {
+		t.Parallel()
+
+		const (
+			// 4GB.
+			memory = 4 << 30
+			cpus   = 6
+		)
+		name := namesgenerator.GetRandomName(1)
+		ctx, cmd := clitest.New(t, "docker",
+			"--image=ubuntu",
+			"--username=root",
+			fmt.Sprintf("--container-name=%s", name),
+			"--agent-token=hi",
+			fmt.Sprintf("--cpus=%d", cpus),
+			fmt.Sprintf("--memory=%d", memory),
+		)
+
+		var called bool
+		client := clitest.DockerClient(t, ctx)
+		client.ContainerCreateFn = func(_ context.Context, config *container.Config, hostConfig *container.HostConfig, networkingConfig *network.NetworkingConfig, _ *v1.Platform, containerName string) (container.ContainerCreateCreatedBody, error) {
+			if containerName == cli.InnerContainerName {
+				called = true
+				require.Equal(t, int64(memory), hostConfig.Memory)
+				require.Equal(t, int64(cpus*dockerutil.DefaultCPUPeriod), hostConfig.CPUQuota)
+				require.Equal(t, int64(dockerutil.DefaultCPUPeriod), hostConfig.CPUPeriod)
+			}
+
+			return container.ContainerCreateCreatedBody{}, nil
+		}
+
+		err := cmd.ExecuteContext(ctx)
+		require.NoError(t, err)
+		require.True(t, called, "create function was not called for inner container")
+	})
 }
 
 // rawDockerAuth is sample input for a kubernetes secret to a gcr.io private
diff --git a/dockerutil/container.go b/dockerutil/container.go
@@ -21,7 +21,7 @@ import (
 const (
 	runtime = "sysbox-runc"
 	// Default CPU period for containers.
-	defaultCPUPeriod uint64 = 1e5
+	DefaultCPUPeriod uint64 = 1e5
 )
 
 type DockerClient interface {
@@ -42,7 +42,7 @@ type ContainerConfig struct {
 	// HasInit dictates whether the entrypoint of the container is /sbin/init
 	// or 'sleep infinity'.
 	HasInit     bool
-	CPUQuota    int64
+	CPUs        int64
 	MemoryLimit int64
 }
 
@@ -59,8 +59,8 @@ func CreateContainer(ctx context.Context, client DockerClient, conf *ContainerCo
 			// TODO: Sysbox does not copy cpu.cfs_{period,quota}_us into syscont-cgroup-root cgroup.
 			// These will not be visible inside the child container.
 			// See: https://github.com/nestybox/sysbox/issues/582
-			CPUPeriod: int64(defaultCPUPeriod),
-			CPUQuota:  conf.CPUQuota,
+			CPUPeriod: int64(DefaultCPUPeriod),
+			CPUQuota:  conf.CPUs * int64(DefaultCPUPeriod),
 			Memory:    conf.MemoryLimit,
 		},
 		ExtraHosts: []string{"host.docker.internal:host-gateway"},
