Bug 1268059

Summary: docker exec setting the wrong cgroups
Product: Red Hat Enterprise Linux 7
Component: docker
Version: 7.1
Status: CLOSED ERRATA
Severity: urgent
Priority: unspecified
Reporter: Daniel Riek <riek>
Assignee: Mrunal Patel <mpatel>
QA Contact: atomic-bugs <atomic-bugs>
CC: ajia, dwalsh, lsm5, lsu, mpatel
Target Milestone: rc
Keywords: Extras
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Type: Bug
Last Closed: 2016-05-12 15:16:45 UTC
Bug Blocks: 1303656

Description Daniel Riek 2015-10-01 17:22:21 UTC
When running "docker exec bash" into a container, cgroups can be set wrong.

Running a systemd-based container built from: 
https://github.com/riekrh/Fedora-Dockerfiles/tree/master/systemd/apache-atomic

The Dockerfile has:
CMD ["/usr/sbin/init"]

Ignore the LABELS. 

Starting via:
# docker run --rm -p 80:80 -v /sys/fs/cgroup:/sys/fs/cgroup --init=systemd --name my-httpd-atomic llunved/httpd-atomic

Then:
# docker exec CONTAINERID bash
[ ENTERING CONTAINER ] 
bash-4.3# cat /proc/1/cgroup 
10:hugetlb:/
9:perf_event:/
8:blkio:/system.slice/docker-8a632f02f168fed20f7ff7c56c060cfba3f8c5f081297d4e60360cbeaa4c53e3.scope
7:net_cls:/
6:freezer:/system.slice/docker-8a632f02f168fed20f7ff7c56c060cfba3f8c5f081297d4e60360cbeaa4c53e3.scope
5:devices:/system.slice/docker-8a632f02f168fed20f7ff7c56c060cfba3f8c5f081297d4e60360cbeaa4c53e3.scope
4:memory:/system.slice/docker-8a632f02f168fed20f7ff7c56c060cfba3f8c5f081297d4e60360cbeaa4c53e3.scope
3:cpuacct,cpu:/system.slice/docker-8a632f02f168fed20f7ff7c56c060cfba3f8c5f081297d4e60360cbeaa4c53e3.scope
2:cpuset:/system.slice/docker-8a632f02f168fed20f7ff7c56c060cfba3f8c5f081297d4e60360cbeaa4c53e3.scope
1:name=systemd:/system.slice/docker-8a632f02f168fed20f7ff7c56c060cfba3f8c5f081297d4e60360cbeaa4c53e3.scope

bash-4.3# cat /proc/self/cgroup 
10:hugetlb:/
9:perf_event:/
8:blkio:/system.slice/docker-8a632f02f168fed20f7ff7c56c060cfba3f8c5f081297d4e60360cbeaa4c53e3.scope
7:net_cls:/
6:freezer:/system.slice/docker-8a632f02f168fed20f7ff7c56c060cfba3f8c5f081297d4e60360cbeaa4c53e3.scope
5:devices:/system.slice/docker-8a632f02f168fed20f7ff7c56c060cfba3f8c5f081297d4e60360cbeaa4c53e3.scope
4:memory:/system.slice/docker-8a632f02f168fed20f7ff7c56c060cfba3f8c5f081297d4e60360cbeaa4c53e3.scope
3:cpuacct,cpu:/system.slice/docker-8a632f02f168fed20f7ff7c56c060cfba3f8c5f081297d4e60360cbeaa4c53e3.scope
2:cpuset:/system.slice/docker-8a632f02f168fed20f7ff7c56c060cfba3f8c5f081297d4e60360cbeaa4c53e3.scope
1:name=systemd:/system.slice/docker.service

* So the cgroups are different between systemd in the container and the instance of bash (self) created by docker exec.

Not sure if this affects non-systemd containers.

A possible effect of this is that "# systemctl restart httpd" does not work in the example container.

Comment 2 Daniel Walsh 2015-10-01 20:54:54 UTC
Mrunal, can you take a look at this?

docker exec should be putting the process inside of the pid 1 cgroup.
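
Added example, not part of the bug report or of docker/runc: a small Python check that parses two /proc/<pid>/cgroup dumps and lists the hierarchies where an exec'd process is not in the same cgroup as pid 1. The sample inputs are constructed from three of the lines shown in the description; the function names are hypothetical.

```python
"""Compare two /proc/<pid>/cgroup dumps (format: hierarchy-ID:controllers:path)."""

# Container scope path as it appears in the report's output.
SCOPE = "/system.slice/docker-8a632f02f168fed20f7ff7c56c060cfba3f8c5f081297d4e60360cbeaa4c53e3.scope"

# Constructed samples mirroring three of the lines the report shows.
PID1 = f"10:hugetlb:/\n4:memory:{SCOPE}\n1:name=systemd:{SCOPE}\n"
SELF = f"10:hugetlb:/\n4:memory:{SCOPE}\n1:name=systemd:/system.slice/docker.service\n"


def parse_cgroup(text):
    """Map each controller list (e.g. 'cpuacct,cpu') to its cgroup path."""
    table = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        # Split on the first two colons only: the path may itself contain ':'.
        parts = line.strip().split(":", 2)
        if len(parts) != 3:
            raise ValueError(f"malformed cgroup line: {line!r}")
        _hier_id, controllers, path = parts
        table[controllers] = path
    return table


def cgroup_mismatches(reference, candidate):
    """Return sorted (controllers, reference_path, candidate_path) tuples that differ.

    A hierarchy present on only one side is reported with None for the other.
    """
    ref, cand = parse_cgroup(reference), parse_cgroup(candidate)
    return [(c, ref.get(c), cand.get(c))
            for c in sorted(set(ref) | set(cand))
            if ref.get(c) != cand.get(c)]


if __name__ == "__main__":
    for controllers, want, got in cgroup_mismatches(PID1, SELF):
        print(f"{controllers}: pid 1 is in {want}, exec'd process is in {got}")
```

Inside a container the same comparison can be run on the contents of /proc/1/cgroup and /proc/self/cgroup; an empty result means the exec'd process shares every hierarchy with pid 1.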

Comment 3 Mrunal Patel 2015-10-01 23:51:31 UTC
Found the issue. Not all paths are set correctly during exec.
I am working on a fix.

Comment 4 Mrunal Patel 2015-10-05 19:30:09 UTC
https://github.com/opencontainers/runc/pull/315 opened to correct the systemd name cgroup.

Comment 5 Daniel Walsh 2015-10-05 20:46:10 UTC
Leave assigned until it gets merged and we can identify a docker rpm that the fix will be in.

Comment 6 Mrunal Patel 2015-10-05 22:19:06 UTC
https://github.com/opencontainers/runc/pull/315 has been merged. Next step will be to get it into docker as part of runc update.

Comment 7 Daniel Walsh 2015-10-06 13:08:10 UTC
Fixed in docker-1.9

Comment 9 Alex Jia 2016-02-03 10:31:59 UTC
(In reply to Daniel Riek from comment #0)

> Starting via:
> # docker run --rm -p 80:80 -v /sys/fs/cgroup:/sys/fs/cgroup --init=systemd
> --name my-httpd-atomic llunved/httpd-atomic

There is no '--init' option in docker-1.9.1-16.el7.x86_64.

# docker run --rm -p 80:80 -v /sys/fs/cgroup:/sys/fs/cgroup --init=systemd --name my-httpd-atomic llunved/httpd-atomic
flag provided but not defined: --init
See 'docker run --help'.

Comment 10 Daniel Walsh 2016-02-03 11:45:17 UTC
Correct, we have dropped --init from docker-1.9 and future.  We will have a new way of doing this in docker-1.10 that is less onerous to upstream.

Comment 11 Mrunal Patel 2016-03-21 16:38:56 UTC
Taking out the needinfo as Dan Walsh provided the information.

Comment 14 Luwen Su 2016-05-02 09:06:21 UTC
Since the docker client lacks an implementation of --init, I'd like to verify this ONLY by checking whether those patches are in the current git branch (top git commit).

In docker-1.9.1-38.el7.x86_64, move to verified

Comment 16 errata-xmlrpc 2016-05-12 15:16:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-1034.html