Bug 1320302

Summary: --cgroup-parent doesn't work correctly in docker 1.9
Product: Red Hat Enterprise Linux 7 Reporter: Lokesh Mandvekar <lsm5>
Component: dockerAssignee: Mrunal Patel <mpatel>
Status: CLOSED ERRATA QA Contact: atomic-bugs <atomic-bugs>
Severity: unspecified Docs Contact: Yoana Ruseva <yruseva>
Priority: unspecified    
Version: 7.2CC: adimania, admiller, ajia, amurdaca, dwalsh, extras-qa, ichavero, jcajka, jchaloup, jhonce, lsm5, lsu, marianne, miminar, mpatel, vbatts
Target Milestone: rcKeywords: Extras
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: docker-1.9.1-25.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1320275 Environment:
Last Closed: 2016-03-31 23:24:20 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Lokesh Mandvekar 2016-03-22 19:25:37 UTC 
+++ This bug was initially created as a clone of Bug #1320275 +++

Description of problem:
--cgroup-parent doesn't work as expected. It just changes the name of the scope.
For e.g. /system.slice/specifiedparent.slice-<docker_uuid>.scope

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
Use the --cgroup-parent option with the systemd cgroup driver

Actual results:
/specifiedparent.slice/docker-<uuid>.scope

Expected results:


Additional info:
Comment 4 Alex Jia 2016-03-24 04:58:29 UTC 
I can reproduce this w/ docker-1.9.1-19.el7.x86_64, when I ran 2 containers w/ --cgroup-parent=limits.slice option, the cgroup limitation can't be applied to each container.

For docker-1.9.1-25.el7.x86_64, docker {run, create} has --cgroup-parent, but also no --cgroup-parent option in docker daemon, is it an expected result? in addition, just an confirmation, is enough the following testing for you?


1. w/o running 2 containers

# find /sys/fs/cgroup/ -name "*docker*"
/sys/fs/cgroup/systemd/system.slice/docker.service
/sys/fs/cgroup/systemd/system.slice/var-lib-docker.mount

<ignore docker-registry related directories/>


2. using docker run 2 containers 

2.1 using default value of cgroup parent

# docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
361a8a9e68b1        ubuntu              "bash"              17 seconds ago      Up 16 seconds                           tiny_fermat
2bf33268c8d0        busybox             "sh"                51 seconds ago      Up 50 seconds                           nostalgic_heisenberg

# systemd-cgls | grep -A4 -i '[S|s]ystem.slice'
└─system.slice
  ├─docker-361a8a9e68b19171a95a8ac59b0dba5e9b456d64d900892cb6257e16ed168e2a.scope
  │ └─111814 bash
  ├─docker-2bf33268c8d06149013ea573a5fe2830d22a149a7e103747105d160a13b57a5e.scope
  │ └─111745 sh


NOTE: for each container, a docker-containerID.scope is created under /sys/fs/cgroup/subsystem/system.slice, actual cgroup directories as follows.


# find /sys/fs/cgroup/ -name "*docker*"
/sys/fs/cgroup/hugetlb/system.slice/docker-361a8a9e68b19171a95a8ac59b0dba5e9b456d64d900892cb6257e16ed168e2a.scope
/sys/fs/cgroup/hugetlb/system.slice/docker-2bf33268c8d06149013ea573a5fe2830d22a149a7e103747105d160a13b57a5e.scope
/sys/fs/cgroup/perf_event/system.slice/docker-361a8a9e68b19171a95a8ac59b0dba5e9b456d64d900892cb6257e16ed168e2a.scope
/sys/fs/cgroup/perf_event/system.slice/docker-2bf33268c8d06149013ea573a5fe2830d22a149a7e103747105d160a13b57a5e.scope
/sys/fs/cgroup/blkio/system.slice/docker-361a8a9e68b19171a95a8ac59b0dba5e9b456d64d900892cb6257e16ed168e2a.scope
/sys/fs/cgroup/blkio/system.slice/var-lib-docker.mount
/sys/fs/cgroup/blkio/system.slice/docker-2bf33268c8d06149013ea573a5fe2830d22a149a7e103747105d160a13b57a5e.scope
/sys/fs/cgroup/net_cls/system.slice/docker-361a8a9e68b19171a95a8ac59b0dba5e9b456d64d900892cb6257e16ed168e2a.scope
/sys/fs/cgroup/net_cls/system.slice/docker-2bf33268c8d06149013ea573a5fe2830d22a149a7e103747105d160a13b57a5e.scope
/sys/fs/cgroup/freezer/system.slice/docker-361a8a9e68b19171a95a8ac59b0dba5e9b456d64d900892cb6257e16ed168e2a.scope
/sys/fs/cgroup/freezer/system.slice/docker-2bf33268c8d06149013ea573a5fe2830d22a149a7e103747105d160a13b57a5e.scope
/sys/fs/cgroup/devices/system.slice/docker-361a8a9e68b19171a95a8ac59b0dba5e9b456d64d900892cb6257e16ed168e2a.scope
/sys/fs/cgroup/devices/system.slice/var-lib-docker.mount
/sys/fs/cgroup/devices/system.slice/docker.service
/sys/fs/cgroup/devices/system.slice/docker-2bf33268c8d06149013ea573a5fe2830d22a149a7e103747105d160a13b57a5e.scope
/sys/fs/cgroup/memory/system.slice/docker-361a8a9e68b19171a95a8ac59b0dba5e9b456d64d900892cb6257e16ed168e2a.scope
/sys/fs/cgroup/memory/system.slice/var-lib-docker.mount
/sys/fs/cgroup/memory/system.slice/docker.service
/sys/fs/cgroup/memory/system.slice/docker-2bf33268c8d06149013ea573a5fe2830d22a149a7e103747105d160a13b57a5e.scope
/sys/fs/cgroup/cpu,cpuacct/system.slice/docker-361a8a9e68b19171a95a8ac59b0dba5e9b456d64d900892cb6257e16ed168e2a.scope
/sys/fs/cgroup/cpu,cpuacct/system.slice/var-lib-docker.mount
/sys/fs/cgroup/cpu,cpuacct/system.slice/docker.service
/sys/fs/cgroup/cpu,cpuacct/system.slice/docker-2bf33268c8d06149013ea573a5fe2830d22a149a7e103747105d160a13b57a5e.scope
/sys/fs/cgroup/cpuset/system.slice/docker-361a8a9e68b19171a95a8ac59b0dba5e9b456d64d900892cb6257e16ed168e2a.scope
/sys/fs/cgroup/cpuset/system.slice/docker-2bf33268c8d06149013ea573a5fe2830d22a149a7e103747105d160a13b57a5e.scope
/sys/fs/cgroup/systemd/system.slice/docker-361a8a9e68b19171a95a8ac59b0dba5e9b456d64d900892cb6257e16ed168e2a.scope
/sys/fs/cgroup/systemd/system.slice/docker-2bf33268c8d06149013ea573a5fe2830d22a149a7e103747105d160a13b57a5e.scope
/sys/fs/cgroup/systemd/system.slice/docker.service
/sys/fs/cgroup/systemd/system.slice/var-lib-docker.mount

<ignore docker-registry related directories/>


2.2 setting --cgroup-parent=limits.slice

# docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
97cc26429866        ubuntu              "bash"              7 minutes ago       Up 7 minutes                            tender_dijkstra
9fe76d65b556        busybox             "sh"                7 minutes ago       Up 7 minutes                            adoring_babbage

# systemd-cgls | grep -A4 limits.slice
├─limits.slice
│ ├─docker-97cc264298667d60cf845dd2791a8752bb8d07847b5bda0afacb9cdb27dfeb11.scope
│ │ └─111569 bash
│ └─docker-9fe76d65b556761803f7dfdac242607aac4fc4ea687db61fa4e0c08462c7e80f.scope
│   └─111513 sh
--
│   │ └─111520 docker run -it --cgroup-parent=limits.slice ubuntu bash
│   ├─session-4484.scope
│   │ ├─107842 sshd: root@pts/2
│   │ ├─107846 -bash
│   │ ├─111626 systemd-cgls
│   │ └─111626 systemd-cgls
│   └─session-4477.scope
│     ├─106071 sshd: root@pts/0
│     ├─106076 -bash
│     └─111465 docker run -it --cgroup-parent=limits.slice busybox sh
└─system.slice
  ├─docker.service
  │ ├─111346 /bin/sh -c /usr/bin/docker daemon $OPTIONS            $DOCKER_ST...
  │ ├─111347 /usr/bin/docker daemon --selinux-enabled --add-registry registry...


NOTE: the limits.slice is in the same hierarchical level as system.slice, for each container, a docker-containerID.scope is created under /sys/fs/cgroup/subsystem/<cgroup-parent>, actual cgroup directories as follows.


# find /sys/fs/cgroup/ -name "*docker*"
/sys/fs/cgroup/hugetlb/limits.slice/docker-97cc264298667d60cf845dd2791a8752bb8d07847b5bda0afacb9cdb27dfeb11.scope
/sys/fs/cgroup/hugetlb/limits.slice/docker-9fe76d65b556761803f7dfdac242607aac4fc4ea687db61fa4e0c08462c7e80f.scope
/sys/fs/cgroup/perf_event/limits.slice/docker-97cc264298667d60cf845dd2791a8752bb8d07847b5bda0afacb9cdb27dfeb11.scope
/sys/fs/cgroup/perf_event/limits.slice/docker-9fe76d65b556761803f7dfdac242607aac4fc4ea687db61fa4e0c08462c7e80f.scope
/sys/fs/cgroup/blkio/limits.slice/docker-97cc264298667d60cf845dd2791a8752bb8d07847b5bda0afacb9cdb27dfeb11.scope
/sys/fs/cgroup/blkio/limits.slice/docker-9fe76d65b556761803f7dfdac242607aac4fc4ea687db61fa4e0c08462c7e80f.scope
/sys/fs/cgroup/net_cls/limits.slice/docker-97cc264298667d60cf845dd2791a8752bb8d07847b5bda0afacb9cdb27dfeb11.scope
/sys/fs/cgroup/net_cls/limits.slice/docker-9fe76d65b556761803f7dfdac242607aac4fc4ea687db61fa4e0c08462c7e80f.scope
/sys/fs/cgroup/freezer/limits.slice/docker-97cc264298667d60cf845dd2791a8752bb8d07847b5bda0afacb9cdb27dfeb11.scope
/sys/fs/cgroup/freezer/limits.slice/docker-9fe76d65b556761803f7dfdac242607aac4fc4ea687db61fa4e0c08462c7e80f.scope
/sys/fs/cgroup/devices/limits.slice/docker-97cc264298667d60cf845dd2791a8752bb8d07847b5bda0afacb9cdb27dfeb11.scope
/sys/fs/cgroup/devices/limits.slice/docker-9fe76d65b556761803f7dfdac242607aac4fc4ea687db61fa4e0c08462c7e80f.scope
/sys/fs/cgroup/memory/limits.slice/docker-97cc264298667d60cf845dd2791a8752bb8d07847b5bda0afacb9cdb27dfeb11.scope
/sys/fs/cgroup/memory/limits.slice/docker-9fe76d65b556761803f7dfdac242607aac4fc4ea687db61fa4e0c08462c7e80f.scope
/sys/fs/cgroup/cpu,cpuacct/limits.slice/docker-97cc264298667d60cf845dd2791a8752bb8d07847b5bda0afacb9cdb27dfeb11.scope
/sys/fs/cgroup/cpu,cpuacct/limits.slice/docker-9fe76d65b556761803f7dfdac242607aac4fc4ea687db61fa4e0c08462c7e80f.scope
/sys/fs/cgroup/cpuset/limits.slice/docker-97cc264298667d60cf845dd2791a8752bb8d07847b5bda0afacb9cdb27dfeb11.scope
/sys/fs/cgroup/cpuset/limits.slice/docker-9fe76d65b556761803f7dfdac242607aac4fc4ea687db61fa4e0c08462c7e80f.scope
/sys/fs/cgroup/systemd/limits.slice/docker-97cc264298667d60cf845dd2791a8752bb8d07847b5bda0afacb9cdb27dfeb11.scope
/sys/fs/cgroup/systemd/limits.slice/docker-9fe76d65b556761803f7dfdac242607aac4fc4ea687db61fa4e0c08462c7e80f.scope
/sys/fs/cgroup/systemd/system.slice/docker.service
/sys/fs/cgroup/systemd/system.slice/var-lib-docker.mount

<ignore docker-registry related directories/>


2.3 invalid slice name

# docker run -it --cgroup-parent=/foobar busybox sh
Error response from daemon: Cannot start container ebc7f21047658970b7a504bd1844df104a3d49176acaca44261fe27a7d5c8d1e: [8] System error: Invalid slice name /foobar


3. using docker create 2 containers and start them

The docker create w/ --cgroup-parent also does work well like docker run, the details as follows.

# docker create -it --cgroup-parent=user.slice busybox sh
1192ac424255df08bc24f412b38b6a783bdca2496b853b5bbe84d3c0cbd20776
# docker create -it --cgroup-parent=user.slice ubuntu bash
483a94987e534c5f05bcfdc232c4fd76fb314c15943bd906d9b3a66d8d2a5d2a

# docker start -ai 1192ac4
/ #

# docker start -ai 483a949
root@483a94987e53:/# 

# docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
483a94987e53        ubuntu              "bash"              25 seconds ago      Up 3 seconds                            gloomy_dijkstra
1192ac424255        busybox             "sh"                7 minutes ago       Up 15 seconds                           awesome_swartz

# systemd-cgls | grep -A4 -i '[U|u]ser.slice'
├─user.slice
│ ├─docker-483a94987e534c5f05bcfdc232c4fd76fb314c15943bd906d9b3a66d8d2a5d2a.scope
│ │ └─113518 bash
│ ├─docker-1192ac424255df08bc24f412b38b6a783bdca2496b853b5bbe84d3c0cbd20776.scope
│ │ └─113470 sh

NOTE: the user.slice is in the same hierarchical level as system.slice, for each container, a docker-containerID.scope is created under /sys/fs/cgroup/subsystem/<cgroup-parent>, the actual cgroup directories also look good.
Comment 5 Luwen Su 2016-03-24 07:25:04 UTC 
Per comment#4, move to verified
Comment 6 Lokesh Mandvekar 2016-03-24 14:11:20 UTC 
VERIFIED, doesn't block atomic7.2.3 anymore.
Comment 8 errata-xmlrpc 2016-03-31 23:24:20 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0536.html