fix(envbox): work with cgroupv2 (#34)

johnstcn · web-flow · commit b0b58d660378 · 2023-05-11T17:10:23.000+01:00
* Envbox now warns instead of failing when trying to copy outer container quota to inner
* Adds logic for cgroupv2 
* Adds more unit tests around all of the above for both cgroupv1 and cgroupv2
diff --git a/cli/clitest/fs.go b/cli/clitest/fs.go
@@ -16,9 +16,9 @@ func FakeSysboxManagerReady(t *testing.T, fs afero.Fs) {
 }
 
 func FakeCPUGroups(t *testing.T, fs afero.Fs, quota, period string) {
-	err := afero.WriteFile(fs, xunix.CPUPeriodPath, []byte(period), 0o600)
+	err := afero.WriteFile(fs, xunix.CPUPeriodPathCGroupV1, []byte(period), 0o600)
 	require.NoError(t, err)
 
-	err = afero.WriteFile(fs, xunix.CPUQuotaPath, []byte(quota), 0o600)
+	err = afero.WriteFile(fs, xunix.CPUQuotaPathCGroupV1, []byte(quota), 0o600)
 	require.NoError(t, err)
 }
diff --git a/cli/docker.go b/cli/docker.go
@@ -637,21 +637,22 @@ func runDockerCVM(ctx context.Context, log slog.Logger, client dockerutil.Docker
 		return xerrors.Errorf("make bootstrap dir: %w", err)
 	}
 
-	cpuQuota, err := xunix.ReadCPUQuota(ctx)
+	cpuQuota, err := xunix.ReadCPUQuota(ctx, log)
 	if err != nil {
-		return xerrors.Errorf("read CPU quota: %w", err)
-	}
-
-	log.Debug(ctx, "setting CPU quota",
-		slog.F("quota", cpuQuota.Quota),
-		slog.F("period", cpuQuota.Period),
-	)
+		blog.Infof("Unable to read CPU quota: %s", err.Error())
+	} else {
+		log.Debug(ctx, "setting CPU quota",
+			slog.F("quota", cpuQuota.Quota),
+			slog.F("period", cpuQuota.Period),
+			slog.F("cgroup", cpuQuota.CGroup.String()),
+		)
 
-	// We want the inner container to have the same limits as the outer container
-	// so that processes inside the container know what they're working with.
-	err = dockerutil.SetContainerCPUQuota(ctx, containerID, cpuQuota.Quota, cpuQuota.Period)
-	if err != nil {
-		return xerrors.Errorf("set inner container CPU quota: %w", err)
+		// We want the inner container to have the same limits as the outer container
+		// so that processes inside the container know what they're working with.
+		if err := dockerutil.SetContainerQuota(ctx, containerID, cpuQuota); err != nil {
+			blog.Infof("Unable to set quota for inner container: %s", err.Error())
+			blog.Info("This is not a fatal error, but it may cause cgroup-aware applications to misbehave.")
+		}
 	}
 
 	blog.Info("Envbox startup complete!")
diff --git a/dockerutil/container.go b/dockerutil/container.go
@@ -137,26 +137,61 @@ func BootstrapContainer(ctx context.Context, client DockerClient, conf Bootstrap
 	return nil
 }
 
-// copyCPUQuotaToInnerCGroup writes the contents of the following files to
-// their corresponding locations under cgroupBase:
-// - /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_period_us
-// - /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us
+// SetContainerQuota writes a quota to its correct location for the inner container.
+// HACK: until https://github.com/nestybox/sysbox/issues/582 is resolved, we need to copy
+// the CPU quota and period from the outer container to the inner container to ensure
+// that applications inside the container know how much CPU they have to work with.
 //
-// HACK: until https://github.com/nestybox/sysbox/issues/582 is resolved, we need to set cfs_quota_us
-// and cfs_period_us inside the container to ensure that applications inside the container know how much
-// CPU they have to work with.
-func SetContainerCPUQuota(ctx context.Context, containerID string, quota, period int) error {
+// For cgroupv2:
+// - /sys/fs/cgroup/<subpath>/init.scope/cpu.max
+//
+// For cgroupv1:
+// - /sys/fs/cgroup/cpu,cpuacct/<subpath>/syscont-cgroup-root/cpu.cfs_quota_us
+// - /sys/fs/cgroup/cpu,cpuacct/<subpath>/syscont-cgroup-root/cpu.cfs_period_us
+func SetContainerQuota(ctx context.Context, containerID string, quota xunix.CPUQuota) error {
+	switch quota.CGroup {
+	case xunix.CGroupV2:
+		return setContainerQuotaCGroupV2(ctx, containerID, quota)
+	case xunix.CGroupV1:
+		return setContainerQuotaCGroupV1(ctx, containerID, quota)
+	default:
+		return xerrors.Errorf("Unknown cgroup %d", quota.CGroup)
+	}
+}
+
+func setContainerQuotaCGroupV2(ctx context.Context, containerID string, quota xunix.CPUQuota) error {
+	var (
+		fs         = xunix.GetFS(ctx)
+		cgroupBase = fmt.Sprintf("/sys/fs/cgroup/docker/%s/init.scope/", containerID)
+	)
+
+	var content string
+	if quota.Quota < 0 {
+		content = fmt.Sprintf("max %d\n", quota.Period)
+	} else {
+		content = fmt.Sprintf("%d %d\n", quota.Quota, quota.Period)
+	}
+
+	err := afero.WriteFile(fs, filepath.Join(cgroupBase, "cpu.max"), []byte(content), 0o644)
+	if err != nil {
+		return xerrors.Errorf("write cpu.max to inner container cgroup: %w", err)
+	}
+
+	return nil
+}
+
+func setContainerQuotaCGroupV1(ctx context.Context, containerID string, quota xunix.CPUQuota) error {
 	var (
 		fs         = xunix.GetFS(ctx)
 		cgroupBase = fmt.Sprintf("/sys/fs/cgroup/cpu,cpuacct/docker/%s/syscont-cgroup-root/", containerID)
 	)
 
-	err := afero.WriteFile(fs, filepath.Join(cgroupBase, "cpu.cfs_period_us"), []byte(strconv.Itoa(period)), 0o644)
+	err := afero.WriteFile(fs, filepath.Join(cgroupBase, "cpu.cfs_period_us"), []byte(strconv.Itoa(quota.Period)), 0o644)
 	if err != nil {
 		return xerrors.Errorf("write cpu.cfs_period_us to inner container cgroup: %w", err)
 	}
 
-	err = afero.WriteFile(fs, filepath.Join(cgroupBase, "cpu.cfs_quota_us"), []byte(strconv.Itoa(quota)), 0o644)
+	err = afero.WriteFile(fs, filepath.Join(cgroupBase, "cpu.cfs_quota_us"), []byte(strconv.Itoa(quota.Quota)), 0o644)
 	if err != nil {
 		return xerrors.Errorf("write cpu.cfs_quota_us to inner container cgroup: %w", err)
 	}
diff --git a/dockerutil/container_test.go b/dockerutil/container_test.go
@@ -0,0 +1,82 @@
+package dockerutil_test
+
+import (
+	"bytes"
+	"context"
+	"testing"
+
+	"github.com/spf13/afero"
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/envbox/dockerutil"
+	"github.com/coder/envbox/xunix"
+	"github.com/coder/envbox/xunix/xunixfake"
+)
+
+func TestSetContainerQuota(t *testing.T) {
+	t.Parallel()
+
+	for _, tc := range []struct {
+		Name        string
+		Quota       xunix.CPUQuota
+		ContainerID string
+		ExpectedFS  map[string]string
+		Error       string
+	}{
+		{
+			Name: "CGroupV1",
+			Quota: xunix.CPUQuota{
+				Quota:  150000,
+				Period: 100000,
+				CGroup: xunix.CGroupV1,
+			},
+			ContainerID: "dummy",
+			ExpectedFS: map[string]string{
+				"/sys/fs/cgroup/cpu,cpuacct/docker/dummy/syscont-cgroup-root/cpu.cfs_quota_us":  "150000",
+				"/sys/fs/cgroup/cpu,cpuacct/docker/dummy/syscont-cgroup-root/cpu.cfs_period_us": "100000",
+			},
+		},
+		{
+			Name: "CGroupV2",
+			Quota: xunix.CPUQuota{
+				Quota:  150000,
+				Period: 100000,
+				CGroup: xunix.CGroupV2,
+			},
+			ContainerID: "dummy",
+			ExpectedFS: map[string]string{
+				"/sys/fs/cgroup/docker/dummy/init.scope/cpu.max": "150000 100000",
+			},
+		},
+		{
+			Name: "CGroupV2Max",
+			Quota: xunix.CPUQuota{
+				Quota:  -1,
+				Period: 100000,
+				CGroup: xunix.CGroupV2,
+			},
+			ContainerID: "dummy",
+			ExpectedFS: map[string]string{
+				"/sys/fs/cgroup/docker/dummy/init.scope/cpu.max": "max 100000",
+			},
+		},
+	} {
+		tc := tc
+		t.Run(tc.Name, func(t *testing.T) {
+			t.Parallel()
+			tmpfs := &xunixfake.MemFS{MemMapFs: &afero.MemMapFs{}}
+			ctx := xunix.WithFS(context.Background(), tmpfs)
+			err := dockerutil.SetContainerQuota(ctx, tc.ContainerID, tc.Quota)
+			if tc.Error == "" {
+				require.NoError(t, err)
+			} else {
+				require.ErrorContains(t, err, tc.Error)
+			}
+			for path, content := range tc.ExpectedFS {
+				actualContent, err := afero.ReadFile(tmpfs, path)
+				require.NoError(t, err)
+				require.Equal(t, content, string(bytes.TrimSpace(actualContent)))
+			}
+		})
+	}
+}
diff --git a/xunix/sys.go b/xunix/sys.go
@@ -3,40 +3,116 @@ package xunix
 import (
 	"bytes"
 	"context"
+	"path/filepath"
 	"strconv"
+	"strings"
 
 	"github.com/spf13/afero"
 	"golang.org/x/xerrors"
+
+	"cdr.dev/slog"
 )
 
 type CPUQuota struct {
 	Quota  int
 	Period int
+	CGroup CGroup
+}
+
+const (
+	CPUPeriodPathCGroupV1 = "/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_period_us"
+	CPUQuotaPathCGroupV1  = "/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us"
+)
+
+type CGroup int
+
+func (c CGroup) String() string {
+	return [...]string{"cgroupv1", "cgroupv2"}[c]
 }
 
 const (
-	CPUPeriodPath = "/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_period_us"
-	CPUQuotaPath  = "/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us"
+	CGroupV1 CGroup = iota
+	CGroupV2
 )
 
-func ReadCPUQuota(ctx context.Context) (CPUQuota, error) {
+// ReadCPUQuota attempts to read the CFS CPU quota and period from the current
+// container context. It first attempts to read the paths relevant to cgroupv2
+// and falls back to reading the paths relevant go cgroupv1
+//
+// Relevant paths for cgroupv2:
+// - /proc/self/cgroup
+// - /sys/fs/cgroup/<self>/cpu.max
+//
+// Relevant paths for cgroupv1:
+// - /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us
+// - /sys/fs/cgroup/cpu,cpuacct/cpu.cfs_period_us
+func ReadCPUQuota(ctx context.Context, log slog.Logger) (CPUQuota, error) {
+	quota, err := readCPUQuotaCGroupV2(ctx)
+	if err == nil {
+		return quota, nil
+	}
+
+	log.Info(ctx, "Unable to read cgroupv2 quota, falling back to cgroupv1", slog.Error(err))
+	return readCPUQuotaCGroupV1(ctx)
+}
+
+func readCPUQuotaCGroupV2(ctx context.Context) (CPUQuota, error) {
+	fs := GetFS(ctx)
+	self, err := ReadCGroupSelf(ctx)
+	if err != nil {
+		return CPUQuota{}, xerrors.Errorf("determine own cgroup: %w", err)
+	}
+
+	maxStr, err := afero.ReadFile(fs, filepath.Join("/sys/fs/cgroup/", self, "cpu.max"))
+	if err != nil {
+		return CPUQuota{}, xerrors.Errorf("read cpu.max outside container: %w", err)
+	}
+
+	list := strings.Split(string(bytes.TrimSpace(maxStr)), " ")
+	if len(list) != 2 {
+		return CPUQuota{}, xerrors.Errorf("expected cpu.max to have exactly two entries, got: %s", string(maxStr))
+	}
+
+	var quota int
+	var period int
+
+	if list[0] == "max" {
+		quota = -1
+	} else {
+		quota, err = strconv.Atoi(list[0])
+		if err != nil {
+			return CPUQuota{}, xerrors.Errorf("quota %s not an int: %w", list[0], err)
+		}
+	}
+
+	period, err = strconv.Atoi(list[1])
+	if err != nil {
+		return CPUQuota{}, xerrors.Errorf("period %s not an int: %w", list[1], err)
+	}
+
+	return CPUQuota{Quota: quota, Period: period, CGroup: CGroupV2}, nil
+}
+
+func readCPUQuotaCGroupV1(ctx context.Context) (CPUQuota, error) {
 	fs := GetFS(ctx)
-	periodStr, err := afero.ReadFile(fs, "/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_period_us")
+	periodRaw, err := afero.ReadFile(fs, CPUPeriodPathCGroupV1)
 	if err != nil {
 		return CPUQuota{}, xerrors.Errorf("read cpu.cfs_period_us outside container: %w", err)
 	}
 
-	quotaStr, err := afero.ReadFile(fs, "/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us")
+	quotaRaw, err := afero.ReadFile(fs, CPUQuotaPathCGroupV1)
 	if err != nil {
 		return CPUQuota{}, xerrors.Errorf("read cpu.cfs_quota_us outside container: %w", err)
 	}
 
-	period, err := strconv.Atoi(string(bytes.TrimSpace(periodStr)))
+	periodStr := string(bytes.TrimSpace(periodRaw))
+	period, err := strconv.Atoi(periodStr)
 	if err != nil {
 		return CPUQuota{}, xerrors.Errorf("period %s not an int: %w", periodStr, err)
 	}
 
-	quota, err := strconv.Atoi(string(bytes.TrimSpace(quotaStr)))
+	quotaStr := string(bytes.TrimSpace(quotaRaw))
+	quota, err := strconv.Atoi(quotaStr)
 	if err != nil {
 		return CPUQuota{}, xerrors.Errorf("quota %s not an int: %w", quotaStr, err)
 	}
@@ -46,3 +122,28 @@ func ReadCPUQuota(ctx context.Context) (CPUQuota, error) {
 		Period: period,
 	}, nil
 }
+
+// readCGroup attempts to determine the cgroup for the container by
+// reading the fields of /proc/self/cgroup (third field)
+// We currently only check the first line of /proc/self/cgroup.
+func ReadCGroupSelf(ctx context.Context) (string, error) {
+	fs := GetFS(ctx)
+	raw, err := afero.ReadFile(fs, "/proc/self/cgroup")
+	if err != nil {
+		return "", xerrors.Errorf("read /proc/self/cgroup: %w", err)
+	}
+
+	lines := bytes.Split(raw, []byte("\n"))
+	if len(lines) == 0 {
+		return "", xerrors.Errorf("unexpected content of /proc/self/cgroup: %s", string(raw))
+	}
+
+	// Just pick the first line.
+	line := lines[0]
+	fields := bytes.Split(line, []byte(":"))
+	if len(fields) != 3 {
+		return "", xerrors.Errorf("expected 3 fields in last line of /proc/self/cgroup: %s", string(raw))
+	}
+
+	return string(fields[2]), nil
+}
diff --git a/xunix/sys_test.go b/xunix/sys_test.go

Original file line number	Diff line number	Diff line change
`@@ -16,9 +16,9 @@ func FakeSysboxManagerReady(t *testing.T, fs afero.Fs) {`
`16`	`16`	`}`
`17`	`17`
`18`	`18`	`func FakeCPUGroups(t *testing.T, fs afero.Fs, quota, period string) {`
`19`		`- err := afero.WriteFile(fs, xunix.CPUPeriodPath, []byte(period), 0o600)`
	`19`	`+ err := afero.WriteFile(fs, xunix.CPUPeriodPathCGroupV1, []byte(period), 0o600)`
`20`	`20`	`require.NoError(t, err)`
`21`	`21`
`22`		`- err = afero.WriteFile(fs, xunix.CPUQuotaPath, []byte(quota), 0o600)`
	`22`	`+ err = afero.WriteFile(fs, xunix.CPUQuotaPathCGroupV1, []byte(quota), 0o600)`
`23`	`23`	`require.NoError(t, err)`
`24`	`24`	`}`