Bug 1320302

Summary:	--cgroup-parent doesn't work correctly in docker 1.9
Product:	Red Hat Enterprise Linux 7	Reporter:	Lokesh Mandvekar <lsm5>
Component:	docker	Assignee:	Mrunal Patel <mpatel>
Status:	CLOSED ERRATA	QA Contact:	atomic-bugs <atomic-bugs>
Severity:	unspecified	Docs Contact:	Yoana Ruseva <yruseva>
Priority:	unspecified
Version:	7.2	CC:	adimania, admiller, ajia, amurdaca, dwalsh, extras-qa, ichavero, jcajka, jchaloup, jhonce, lsm5, lsu, marianne, miminar, mpatel, vbatts
Target Milestone:	rc	Keywords:	Extras
Target Release:	---
Hardware:	Unspecified
OS:	Linux
Whiteboard:
Fixed In Version:	docker-1.9.1-25.el7	Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:	1320275	Environment:
Last Closed:	2016-03-31 23:24:20 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:

Description Lokesh Mandvekar 2016-03-22 19:25:37 UTC

+++ This bug was initially created as a clone of Bug #1320275 +++

Description of problem:
--cgroup-parent doesn't work as expected. It just changes the name of the scope.
For e.g. /system.slice/specifiedparent.slice-<docker_uuid>.scope

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
Use the --cgroup-parent option with the systemd cgroup driver

Actual results:
/specifiedparent.slice/docker-<uuid>.scope

Expected results:


Additional info:

Comment 4 Alex Jia 2016-03-24 04:58:29 UTC

I can reproduce this w/ docker-1.9.1-19.el7.x86_64, when I ran 2 containers w/ --cgroup-parent=limits.slice option, the cgroup limitation can't be applied to each container.

For docker-1.9.1-25.el7.x86_64, docker {run, create} has --cgroup-parent, but also no --cgroup-parent option in docker daemon, is it an expected result? in addition, just an confirmation, is enough the following testing for you?


1. w/o running 2 containers

# find /sys/fs/cgroup/ -name "*docker*"
/sys/fs/cgroup/systemd/system.slice/docker.service
/sys/fs/cgroup/systemd/system.slice/var-lib-docker.mount

<ignore docker-registry related directories/>


2. using docker run 2 containers 

2.1 using default value of cgroup parent

# docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
361a8a9e68b1        ubuntu              "bash"              17 seconds ago      Up 16 seconds                           tiny_fermat
2bf33268c8d0        busybox             "sh"                51 seconds ago      Up 50 seconds                           nostalgic_heisenberg

# systemd-cgls | grep -A4 -i '[S|s]ystem.slice'
└─system.slice
  ├─docker-361a8a9e68b19171a95a8ac59b0dba5e9b456d64d900892cb6257e16ed168e2a.scope
  │ └─111814 bash
  ├─docker-2bf33268c8d06149013ea573a5fe2830d22a149a7e103747105d160a13b57a5e.scope
  │ └─111745 sh


NOTE: for each container, a docker-containerID.scope is created under /sys/fs/cgroup/subsystem/system.slice, actual cgroup directories as follows.


# find /sys/fs/cgroup/ -name "*docker*"
/sys/fs/cgroup/hugetlb/system.slice/docker-361a8a9e68b19171a95a8ac59b0dba5e9b456d64d900892cb6257e16ed168e2a.scope
/sys/fs/cgroup/hugetlb/system.slice/docker-2bf33268c8d06149013ea573a5fe2830d22a149a7e103747105d160a13b57a5e.scope
/sys/fs/cgroup/perf_event/system.slice/docker-361a8a9e68b19171a95a8ac59b0dba5e9b456d64d900892cb6257e16ed168e2a.scope
/sys/fs/cgroup/perf_event/system.slice/docker-2bf33268c8d06149013ea573a5fe2830d22a149a7e103747105d160a13b57a5e.scope
/sys/fs/cgroup/blkio/system.slice/docker-361a8a9e68b19171a95a8ac59b0dba5e9b456d64d900892cb6257e16ed168e2a.scope
/sys/fs/cgroup/blkio/system.slice/var-lib-docker.mount
/sys/fs/cgroup/blkio/system.slice/docker-2bf33268c8d06149013ea573a5fe2830d22a149a7e103747105d160a13b57a5e.scope
/sys/fs/cgroup/net_cls/system.slice/docker-361a8a9e68b19171a95a8ac59b0dba5e9b456d64d900892cb6257e16ed168e2a.scope
/sys/fs/cgroup/net_cls/system.slice/docker-2bf33268c8d06149013ea573a5fe2830d22a149a7e103747105d160a13b57a5e.scope
/sys/fs/cgroup/freezer/system.slice/docker-361a8a9e68b19171a95a8ac59b0dba5e9b456d64d900892cb6257e16ed168e2a.scope
/sys/fs/cgroup/freezer/system.slice/docker-2bf33268c8d06149013ea573a5fe2830d22a149a7e103747105d160a13b57a5e.scope
/sys/fs/cgroup/devices/system.slice/docker-361a8a9e68b19171a95a8ac59b0dba5e9b456d64d900892cb6257e16ed168e2a.scope
/sys/fs/cgroup/devices/system.slice/var-lib-docker.mount
/sys/fs/cgroup/devices/system.slice/docker.service
/sys/fs/cgroup/devices/system.slice/docker-2bf33268c8d06149013ea573a5fe2830d22a149a7e103747105d160a13b57a5e.scope
/sys/fs/cgroup/memory/system.slice/docker-361a8a9e68b19171a95a8ac59b0dba5e9b456d64d900892cb6257e16ed168e2a.scope
/sys/fs/cgroup/memory/system.slice/var-lib-docker.mount
/sys/fs/cgroup/memory/system.slice/docker.service
/sys/fs/cgroup/memory/system.slice/docker-2bf33268c8d06149013ea573a5fe2830d22a149a7e103747105d160a13b57a5e.scope
/sys/fs/cgroup/cpu,cpuacct/system.slice/docker-361a8a9e68b19171a95a8ac59b0dba5e9b456d64d900892cb6257e16ed168e2a.scope
/sys/fs/cgroup/cpu,cpuacct/system.slice/var-lib-docker.mount
/sys/fs/cgroup/cpu,cpuacct/system.slice/docker.service
/sys/fs/cgroup/cpu,cpuacct/system.slice/docker-2bf33268c8d06149013ea573a5fe2830d22a149a7e103747105d160a13b57a5e.scope
/sys/fs/cgroup/cpuset/system.slice/docker-361a8a9e68b19171a95a8ac59b0dba5e9b456d64d900892cb6257e16ed168e2a.scope
/sys/fs/cgroup/cpuset/system.slice/docker-2bf33268c8d06149013ea573a5fe2830d22a149a7e103747105d160a13b57a5e.scope
/sys/fs/cgroup/systemd/system.slice/docker-361a8a9e68b19171a95a8ac59b0dba5e9b456d64d900892cb6257e16ed168e2a.scope
/sys/fs/cgroup/systemd/system.slice/docker-2bf33268c8d06149013ea573a5fe2830d22a149a7e103747105d160a13b57a5e.scope
/sys/fs/cgroup/systemd/system.slice/docker.service
/sys/fs/cgroup/systemd/system.slice/var-lib-docker.mount

<ignore docker-registry related directories/>


2.2 setting --cgroup-parent=limits.slice

# docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
97cc26429866        ubuntu              "bash"              7 minutes ago       Up 7 minutes                            tender_dijkstra
9fe76d65b556        busybox             "sh"                7 minutes ago       Up 7 minutes                            adoring_babbage

# systemd-cgls | grep -A4 limits.slice
├─limits.slice
│ ├─docker-97cc264298667d60cf845dd2791a8752bb8d07847b5bda0afacb9cdb27dfeb11.scope
│ │ └─111569 bash
│ └─docker-9fe76d65b556761803f7dfdac242607aac4fc4ea687db61fa4e0c08462c7e80f.scope
│   └─111513 sh
--
│   │ └─111520 docker run -it --cgroup-parent=limits.slice ubuntu bash
│   ├─session-4484.scope
│   │ ├─107842 sshd: root@pts/2
│   │ ├─107846 -bash
│   │ ├─111626 systemd-cgls
│   │ └─111626 systemd-cgls
│   └─session-4477.scope
│     ├─106071 sshd: root@pts/0
│     ├─106076 -bash
│     └─111465 docker run -it --cgroup-parent=limits.slice busybox sh
└─system.slice
  ├─docker.service
  │ ├─111346 /bin/sh -c /usr/bin/docker daemon $OPTIONS            $DOCKER_ST...
  │ ├─111347 /usr/bin/docker daemon --selinux-enabled --add-registry registry...


NOTE: the limits.slice is in the same hierarchical level as system.slice, for each container, a docker-containerID.scope is created under /sys/fs/cgroup/subsystem/<cgroup-parent>, actual cgroup directories as follows.


# find /sys/fs/cgroup/ -name "*docker*"
/sys/fs/cgroup/hugetlb/limits.slice/docker-97cc264298667d60cf845dd2791a8752bb8d07847b5bda0afacb9cdb27dfeb11.scope
/sys/fs/cgroup/hugetlb/limits.slice/docker-9fe76d65b556761803f7dfdac242607aac4fc4ea687db61fa4e0c08462c7e80f.scope
/sys/fs/cgroup/perf_event/limits.slice/docker-97cc264298667d60cf845dd2791a8752bb8d07847b5bda0afacb9cdb27dfeb11.scope
/sys/fs/cgroup/perf_event/limits.slice/docker-9fe76d65b556761803f7dfdac242607aac4fc4ea687db61fa4e0c08462c7e80f.scope
/sys/fs/cgroup/blkio/limits.slice/docker-97cc264298667d60cf845dd2791a8752bb8d07847b5bda0afacb9cdb27dfeb11.scope
/sys/fs/cgroup/blkio/limits.slice/docker-9fe76d65b556761803f7dfdac242607aac4fc4ea687db61fa4e0c08462c7e80f.scope
/sys/fs/cgroup/net_cls/limits.slice/docker-97cc264298667d60cf845dd2791a8752bb8d07847b5bda0afacb9cdb27dfeb11.scope
/sys/fs/cgroup/net_cls/limits.slice/docker-9fe76d65b556761803f7dfdac242607aac4fc4ea687db61fa4e0c08462c7e80f.scope
/sys/fs/cgroup/freezer/limits.slice/docker-97cc264298667d60cf845dd2791a8752bb8d07847b5bda0afacb9cdb27dfeb11.scope
/sys/fs/cgroup/freezer/limits.slice/docker-9fe76d65b556761803f7dfdac242607aac4fc4ea687db61fa4e0c08462c7e80f.scope
/sys/fs/cgroup/devices/limits.slice/docker-97cc264298667d60cf845dd2791a8752bb8d07847b5bda0afacb9cdb27dfeb11.scope
/sys/fs/cgroup/devices/limits.slice/docker-9fe76d65b556761803f7dfdac242607aac4fc4ea687db61fa4e0c08462c7e80f.scope
/sys/fs/cgroup/memory/limits.slice/docker-97cc264298667d60cf845dd2791a8752bb8d07847b5bda0afacb9cdb27dfeb11.scope
/sys/fs/cgroup/memory/limits.slice/docker-9fe76d65b556761803f7dfdac242607aac4fc4ea687db61fa4e0c08462c7e80f.scope
/sys/fs/cgroup/cpu,cpuacct/limits.slice/docker-97cc264298667d60cf845dd2791a8752bb8d07847b5bda0afacb9cdb27dfeb11.scope
/sys/fs/cgroup/cpu,cpuacct/limits.slice/docker-9fe76d65b556761803f7dfdac242607aac4fc4ea687db61fa4e0c08462c7e80f.scope
/sys/fs/cgroup/cpuset/limits.slice/docker-97cc264298667d60cf845dd2791a8752bb8d07847b5bda0afacb9cdb27dfeb11.scope
/sys/fs/cgroup/cpuset/limits.slice/docker-9fe76d65b556761803f7dfdac242607aac4fc4ea687db61fa4e0c08462c7e80f.scope
/sys/fs/cgroup/systemd/limits.slice/docker-97cc264298667d60cf845dd2791a8752bb8d07847b5bda0afacb9cdb27dfeb11.scope
/sys/fs/cgroup/systemd/limits.slice/docker-9fe76d65b556761803f7dfdac242607aac4fc4ea687db61fa4e0c08462c7e80f.scope
/sys/fs/cgroup/systemd/system.slice/docker.service
/sys/fs/cgroup/systemd/system.slice/var-lib-docker.mount

<ignore docker-registry related directories/>


2.3 invalid slice name

# docker run -it --cgroup-parent=/foobar busybox sh
Error response from daemon: Cannot start container ebc7f21047658970b7a504bd1844df104a3d49176acaca44261fe27a7d5c8d1e: [8] System error: Invalid slice name /foobar


3. using docker create 2 containers and start them

The docker create w/ --cgroup-parent also does work well like docker run, the details as follows.

# docker create -it --cgroup-parent=user.slice busybox sh
1192ac424255df08bc24f412b38b6a783bdca2496b853b5bbe84d3c0cbd20776
# docker create -it --cgroup-parent=user.slice ubuntu bash
483a94987e534c5f05bcfdc232c4fd76fb314c15943bd906d9b3a66d8d2a5d2a

# docker start -ai 1192ac4
/ #

# docker start -ai 483a949
root@483a94987e53:/# 

# docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
483a94987e53        ubuntu              "bash"              25 seconds ago      Up 3 seconds                            gloomy_dijkstra
1192ac424255        busybox             "sh"                7 minutes ago       Up 15 seconds                           awesome_swartz

# systemd-cgls | grep -A4 -i '[U|u]ser.slice'
├─user.slice
│ ├─docker-483a94987e534c5f05bcfdc232c4fd76fb314c15943bd906d9b3a66d8d2a5d2a.scope
│ │ └─113518 bash
│ ├─docker-1192ac424255df08bc24f412b38b6a783bdca2496b853b5bbe84d3c0cbd20776.scope
│ │ └─113470 sh

NOTE: the user.slice is in the same hierarchical level as system.slice, for each container, a docker-containerID.scope is created under /sys/fs/cgroup/subsystem/<cgroup-parent>, the actual cgroup directories also look good.

Comment 5 Luwen Su 2016-03-24 07:25:04 UTC

Per comment#4, move to verified

Comment 6 Lokesh Mandvekar 2016-03-24 14:11:20 UTC

VERIFIED, doesn't block atomic7.2.3 anymore.

Comment 8 errata-xmlrpc 2016-03-31 23:24:20 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0536.html