Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix jailer --parent-cgroup parameter when no cgroups specified #4309

Merged
merged 5 commits into from
Dec 14, 2023
Merged

Fix jailer --parent-cgroup parameter when no cgroups specified #4309

merged 5 commits into from
Dec 14, 2023

Conversation

pb8o
Copy link
Contributor

@pb8o pb8o commented Dec 11, 2023
edited
Loading

Changes

If we specify --parent-cgroup without any --cgroup option, the jailer doesn't do anything, though a user specifying it could reasonably expect it to move the process under that cgroup.

We could just error in that situation, and expect something else to launch the jailer process in a cgroup, but we risk breaking anybody that is already using it that way.

Instead, we move the process to the --parent-cgroup since it's the most intuitive, although the specified --parent-cgroup is not a parent in that case.

Closes: #4287

Reason

...

License Acceptance

By submitting this pull request, I confirm that my contribution is made under
the terms of the Apache 2.0 license. For more information on following
Developer Certificate of Origin and signing off your commits, please check
CONTRIBUTING.md.

PR Checklist

  • If a specific issue led to this PR, this PR closes the issue.
  • The description of changes is clear and encompassing.
  • Any required documentation changes (code and docs) are included in this PR.
  • API changes follow the Runbook for Firecracker API changes.
  • User-facing changes are mentioned in CHANGELOG.md.
  • All added/changed functionality is tested.
  • New TODOs link to an issue.
  • Commits meet contribution quality standards.
  • This functionality cannot be added in rust-vmm.

@pb8o pb8o force-pushed the fix-jailer-parent-cgroup branch from 4d8a195 to 3e8b4eb Compare December 11, 2023 10:45
@pb8o pb8o self-assigned this Dec 11, 2023
@pb8o pb8o added Type: Bug Indicates an unexpected problem or unintended behavior Type: Fix Indicates a fix to existing code Status: Awaiting author Indicates that an issue or pull request requires author action labels Dec 11, 2023
@codecov Codecov
Copy link

codecov bot commented Dec 11, 2023
edited
Loading

Codecov Report

Attention: 14 lines in your changes are missing coverage. Please review.

Comparison is base (98235b7) 81.59% compared to head (5153b20) 81.55%.

Files Patch % Lines
src/jailer/src/cgroup.rs 0.00% 7 Missing ⚠️
src/jailer/src/env.rs 53.33% 7 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #4309      +/-   ##
==========================================
- Coverage   81.59%   81.55%   -0.04%     
==========================================
  Files         240      240              
  Lines       29347    29367      +20     
==========================================
+ Hits        23945    23951       +6     
- Misses       5402     5416      +14
Flag Coverage Δ
4.14-c7g.metal 76.96% <36.36%> (-0.04%) ⬇️
4.14-m5d.metal 78.85% <36.36%> (-0.05%) ⬇️
4.14-m6a.metal 77.97% <36.36%> (-0.04%) ⬇️
4.14-m6g.metal 76.96% <36.36%> (-0.04%) ⬇️
4.14-m6i.metal 78.84% <36.36%> (-0.04%) ⬇️
5.10-c7g.metal 79.85% <36.36%> (-0.05%) ⬇️
5.10-m5d.metal 81.51% <36.36%> (-0.04%) ⬇️
5.10-m6a.metal 80.73% <36.36%> (-0.04%) ⬇️
5.10-m6g.metal 79.85% <36.36%> (-0.05%) ⬇️
5.10-m6i.metal 81.51% <36.36%> (-0.04%) ⬇️
6.1-c7g.metal 79.85% <36.36%> (-0.05%) ⬇️
6.1-m5d.metal 81.52% <36.36%> (-0.03%) ⬇️
6.1-m6a.metal 80.73% <36.36%> (-0.04%) ⬇️
6.1-m6g.metal 79.85% <36.36%> (-0.05%) ⬇️
6.1-m6i.metal 81.51% <36.36%> (-0.04%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@pb8o pb8o force-pushed the fix-jailer-parent-cgroup branch 3 times, most recently from 3209131 to c778d9d Compare December 11, 2023 15:28
@pb8o pb8o added Status: Awaiting review Indicates that a pull request is ready to be reviewed and removed Status: Awaiting author Indicates that an issue or pull request requires author action labels Dec 11, 2023
@pb8o
Copy link
Contributor Author

pb8o commented Dec 12, 2023

I realized I should also amend the jailer.md documentation

@pb8o pb8o force-pushed the fix-jailer-parent-cgroup branch from c778d9d to eb88d9a Compare December 12, 2023 12:16
pb8o added 2 commits December 13, 2023 12:05
@pb8o
chore(test): clean up the cgroupsv2 checks
3d71ed8 
This is to bring clarity while developing a new test.

Signed-off-by: Pablo Barbáchano <[email protected]>
@pb8o
test: add a cgroups_info fixture
783f821 
The fixture has information like the cgroups version available on the
system and where it is mounted.

In addition it has helper functions to create cgroups and move a PID
into a cgroup.

Signed-off-by: Pablo Barbáchano <[email protected]>
@pb8o pb8o force-pushed the fix-jailer-parent-cgroup branch from eb88d9a to adc5138 Compare December 13, 2023 11:05
xmarcalx
xmarcalx reviewed Dec 13, 2023
View reviewed changes
@pb8o pb8o added Priority: High Indicates than an issue or pull request should be resolved ahead of issues or pull requests labelled Type: Enhancement Indicates new feature requests and removed Type: Bug Indicates an unexpected problem or unintended behavior Type: Fix Indicates a fix to existing code labels Dec 14, 2023
pb8o added 2 commits December 14, 2023 11:18
@pb8o
feat(jailer): honor solitary --parent-cgroup option on cgroupsv2
27a19fe 
If we specify `--parent-cgroup` without any `--cgroup` option, the
jailer doesn't do anything, though a user specifying it could reasonably
expect it to move the process under that cgroup.

We could just error in that situation, and expect something else to
launch the jailer process in a cgroup, but we risk breaking anybody that
is already using it that way.

Instead, we move the process to the `--parent-cgroup` since it's the
most intuitive, although the specified `--parent-cgroup` is not a parent
in that case.

Link: firecracker-microvm#4287

Signed-off-by: Pablo Barbáchano <[email protected]>
@pb8o
test(jailer): add test to check solitary --parent-cgroup
2fd20e4 
Tests that --parent-cgroup without any cgroups moves Firecracker to the
cgroup (cgroupsv2 only).

Signed-off-by: Pablo Barbáchano <[email protected]>
@pb8o pb8o force-pushed the fix-jailer-parent-cgroup branch from adc5138 to 2fd20e4 Compare December 14, 2023 10:19
@pb8o pb8o merged commit 036d990 into firecracker-microvm:main Dec 14, 2023
@pb8o pb8o deleted the fix-jailer-parent-cgroup branch December 14, 2023 11:24
roypat added a commit to roypat/firecracker that referenced this pull request Feb 5, 2024
@roypat
fix: Remove outdated caveat entry in jailer.md
3d422e2 
The described issue was fixed by firecracker-microvm#4309.

Signed-off-by: Patrick Roy <[email protected]>
roypat added a commit to roypat/firecracker that referenced this pull request Feb 5, 2024
@roypat
fix: Remove outdated caveat entry in jailer.md
d2c5b24 
The described issue was fixed by firecracker-microvm#4309.

Signed-off-by: Patrick Roy <[email protected]>
roypat added a commit to roypat/firecracker that referenced this pull request Feb 6, 2024
@roypat
fix: Remove outdated caveat entry in jailer.md
7c95988 
The described issue was fixed by firecracker-microvm#4309.

Signed-off-by: Patrick Roy <[email protected]>
pb8o pushed a commit that referenced this pull request Feb 12, 2024
@roypat @pb8o
fix: Remove outdated caveat entry in jailer.md
0486725 
The described issue was fixed by #4309.

Signed-off-by: Patrick Roy <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@xmarcalx xmarcalx xmarcalx left review comments

@kalyazin kalyazin kalyazin approved these changes

@JonathanWoollett-Light JonathanWoollett-Light JonathanWoollett-Light approved these changes

@wearyzen wearyzen Awaiting requested review from wearyzen

Assignees

@pb8o pb8o

Labels
Priority: High Indicates than an issue or pull request should be resolved ahead of issues or pull requests labelled Status: Awaiting review Indicates that a pull request is ready to be reviewed Type: Enhancement Indicates new feature requests
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Bug] parent-cgroup does not work as expected
4 participants
@pb8o @kalyazin @JonathanWoollett-Light @xmarcalx