Bug 1320302
Summary: | --cgroup-parent doesn't work correctly in docker 1.9 | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Lokesh Mandvekar <lsm5> |
Component: | docker | Assignee: | Mrunal Patel <mpatel> |
Status: | CLOSED ERRATA | QA Contact: | atomic-bugs <atomic-bugs> |
Severity: | unspecified | Docs Contact: | Yoana Ruseva <yruseva> |
Priority: | unspecified | ||
Version: | 7.2 | CC: | adimania, admiller, ajia, amurdaca, dwalsh, extras-qa, ichavero, jcajka, jchaloup, jhonce, lsm5, lsu, marianne, miminar, mpatel, vbatts |
Target Milestone: | rc | Keywords: | Extras |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | docker-1.9.1-25.el7 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | 1320275 | Environment: | |
Last Closed: | 2016-03-31 23:24:20 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Lokesh Mandvekar
2016-03-22 19:25:37 UTC
I can reproduce this w/ docker-1.9.1-19.el7.x86_64, when I ran 2 containers w/ --cgroup-parent=limits.slice option, the cgroup limitation can't be applied to each container. For docker-1.9.1-25.el7.x86_64, docker {run, create} has --cgroup-parent, but also no --cgroup-parent option in docker daemon, is it an expected result? in addition, just an confirmation, is enough the following testing for you? 1. w/o running 2 containers # find /sys/fs/cgroup/ -name "*docker*" /sys/fs/cgroup/systemd/system.slice/docker.service /sys/fs/cgroup/systemd/system.slice/var-lib-docker.mount <ignore docker-registry related directories/> 2. using docker run 2 containers 2.1 using default value of cgroup parent # docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 361a8a9e68b1 ubuntu "bash" 17 seconds ago Up 16 seconds tiny_fermat 2bf33268c8d0 busybox "sh" 51 seconds ago Up 50 seconds nostalgic_heisenberg # systemd-cgls | grep -A4 -i '[S|s]ystem.slice' └─system.slice ├─docker-361a8a9e68b19171a95a8ac59b0dba5e9b456d64d900892cb6257e16ed168e2a.scope │ └─111814 bash ├─docker-2bf33268c8d06149013ea573a5fe2830d22a149a7e103747105d160a13b57a5e.scope │ └─111745 sh NOTE: for each container, a docker-containerID.scope is created under /sys/fs/cgroup/subsystem/system.slice, actual cgroup directories as follows. # find /sys/fs/cgroup/ -name "*docker*" /sys/fs/cgroup/hugetlb/system.slice/docker-361a8a9e68b19171a95a8ac59b0dba5e9b456d64d900892cb6257e16ed168e2a.scope /sys/fs/cgroup/hugetlb/system.slice/docker-2bf33268c8d06149013ea573a5fe2830d22a149a7e103747105d160a13b57a5e.scope /sys/fs/cgroup/perf_event/system.slice/docker-361a8a9e68b19171a95a8ac59b0dba5e9b456d64d900892cb6257e16ed168e2a.scope /sys/fs/cgroup/perf_event/system.slice/docker-2bf33268c8d06149013ea573a5fe2830d22a149a7e103747105d160a13b57a5e.scope /sys/fs/cgroup/blkio/system.slice/docker-361a8a9e68b19171a95a8ac59b0dba5e9b456d64d900892cb6257e16ed168e2a.scope /sys/fs/cgroup/blkio/system.slice/var-lib-docker.mount /sys/fs/cgroup/blkio/system.slice/docker-2bf33268c8d06149013ea573a5fe2830d22a149a7e103747105d160a13b57a5e.scope /sys/fs/cgroup/net_cls/system.slice/docker-361a8a9e68b19171a95a8ac59b0dba5e9b456d64d900892cb6257e16ed168e2a.scope /sys/fs/cgroup/net_cls/system.slice/docker-2bf33268c8d06149013ea573a5fe2830d22a149a7e103747105d160a13b57a5e.scope /sys/fs/cgroup/freezer/system.slice/docker-361a8a9e68b19171a95a8ac59b0dba5e9b456d64d900892cb6257e16ed168e2a.scope /sys/fs/cgroup/freezer/system.slice/docker-2bf33268c8d06149013ea573a5fe2830d22a149a7e103747105d160a13b57a5e.scope /sys/fs/cgroup/devices/system.slice/docker-361a8a9e68b19171a95a8ac59b0dba5e9b456d64d900892cb6257e16ed168e2a.scope /sys/fs/cgroup/devices/system.slice/var-lib-docker.mount /sys/fs/cgroup/devices/system.slice/docker.service /sys/fs/cgroup/devices/system.slice/docker-2bf33268c8d06149013ea573a5fe2830d22a149a7e103747105d160a13b57a5e.scope /sys/fs/cgroup/memory/system.slice/docker-361a8a9e68b19171a95a8ac59b0dba5e9b456d64d900892cb6257e16ed168e2a.scope /sys/fs/cgroup/memory/system.slice/var-lib-docker.mount /sys/fs/cgroup/memory/system.slice/docker.service /sys/fs/cgroup/memory/system.slice/docker-2bf33268c8d06149013ea573a5fe2830d22a149a7e103747105d160a13b57a5e.scope /sys/fs/cgroup/cpu,cpuacct/system.slice/docker-361a8a9e68b19171a95a8ac59b0dba5e9b456d64d900892cb6257e16ed168e2a.scope /sys/fs/cgroup/cpu,cpuacct/system.slice/var-lib-docker.mount /sys/fs/cgroup/cpu,cpuacct/system.slice/docker.service /sys/fs/cgroup/cpu,cpuacct/system.slice/docker-2bf33268c8d06149013ea573a5fe2830d22a149a7e103747105d160a13b57a5e.scope /sys/fs/cgroup/cpuset/system.slice/docker-361a8a9e68b19171a95a8ac59b0dba5e9b456d64d900892cb6257e16ed168e2a.scope /sys/fs/cgroup/cpuset/system.slice/docker-2bf33268c8d06149013ea573a5fe2830d22a149a7e103747105d160a13b57a5e.scope /sys/fs/cgroup/systemd/system.slice/docker-361a8a9e68b19171a95a8ac59b0dba5e9b456d64d900892cb6257e16ed168e2a.scope /sys/fs/cgroup/systemd/system.slice/docker-2bf33268c8d06149013ea573a5fe2830d22a149a7e103747105d160a13b57a5e.scope /sys/fs/cgroup/systemd/system.slice/docker.service /sys/fs/cgroup/systemd/system.slice/var-lib-docker.mount <ignore docker-registry related directories/> 2.2 setting --cgroup-parent=limits.slice # docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 97cc26429866 ubuntu "bash" 7 minutes ago Up 7 minutes tender_dijkstra 9fe76d65b556 busybox "sh" 7 minutes ago Up 7 minutes adoring_babbage # systemd-cgls | grep -A4 limits.slice ├─limits.slice │ ├─docker-97cc264298667d60cf845dd2791a8752bb8d07847b5bda0afacb9cdb27dfeb11.scope │ │ └─111569 bash │ └─docker-9fe76d65b556761803f7dfdac242607aac4fc4ea687db61fa4e0c08462c7e80f.scope │ └─111513 sh -- │ │ └─111520 docker run -it --cgroup-parent=limits.slice ubuntu bash │ ├─session-4484.scope │ │ ├─107842 sshd: root@pts/2 │ │ ├─107846 -bash │ │ ├─111626 systemd-cgls │ │ └─111626 systemd-cgls │ └─session-4477.scope │ ├─106071 sshd: root@pts/0 │ ├─106076 -bash │ └─111465 docker run -it --cgroup-parent=limits.slice busybox sh └─system.slice ├─docker.service │ ├─111346 /bin/sh -c /usr/bin/docker daemon $OPTIONS $DOCKER_ST... │ ├─111347 /usr/bin/docker daemon --selinux-enabled --add-registry registry... NOTE: the limits.slice is in the same hierarchical level as system.slice, for each container, a docker-containerID.scope is created under /sys/fs/cgroup/subsystem/<cgroup-parent>, actual cgroup directories as follows. # find /sys/fs/cgroup/ -name "*docker*" /sys/fs/cgroup/hugetlb/limits.slice/docker-97cc264298667d60cf845dd2791a8752bb8d07847b5bda0afacb9cdb27dfeb11.scope /sys/fs/cgroup/hugetlb/limits.slice/docker-9fe76d65b556761803f7dfdac242607aac4fc4ea687db61fa4e0c08462c7e80f.scope /sys/fs/cgroup/perf_event/limits.slice/docker-97cc264298667d60cf845dd2791a8752bb8d07847b5bda0afacb9cdb27dfeb11.scope /sys/fs/cgroup/perf_event/limits.slice/docker-9fe76d65b556761803f7dfdac242607aac4fc4ea687db61fa4e0c08462c7e80f.scope /sys/fs/cgroup/blkio/limits.slice/docker-97cc264298667d60cf845dd2791a8752bb8d07847b5bda0afacb9cdb27dfeb11.scope /sys/fs/cgroup/blkio/limits.slice/docker-9fe76d65b556761803f7dfdac242607aac4fc4ea687db61fa4e0c08462c7e80f.scope /sys/fs/cgroup/net_cls/limits.slice/docker-97cc264298667d60cf845dd2791a8752bb8d07847b5bda0afacb9cdb27dfeb11.scope /sys/fs/cgroup/net_cls/limits.slice/docker-9fe76d65b556761803f7dfdac242607aac4fc4ea687db61fa4e0c08462c7e80f.scope /sys/fs/cgroup/freezer/limits.slice/docker-97cc264298667d60cf845dd2791a8752bb8d07847b5bda0afacb9cdb27dfeb11.scope /sys/fs/cgroup/freezer/limits.slice/docker-9fe76d65b556761803f7dfdac242607aac4fc4ea687db61fa4e0c08462c7e80f.scope /sys/fs/cgroup/devices/limits.slice/docker-97cc264298667d60cf845dd2791a8752bb8d07847b5bda0afacb9cdb27dfeb11.scope /sys/fs/cgroup/devices/limits.slice/docker-9fe76d65b556761803f7dfdac242607aac4fc4ea687db61fa4e0c08462c7e80f.scope /sys/fs/cgroup/memory/limits.slice/docker-97cc264298667d60cf845dd2791a8752bb8d07847b5bda0afacb9cdb27dfeb11.scope /sys/fs/cgroup/memory/limits.slice/docker-9fe76d65b556761803f7dfdac242607aac4fc4ea687db61fa4e0c08462c7e80f.scope /sys/fs/cgroup/cpu,cpuacct/limits.slice/docker-97cc264298667d60cf845dd2791a8752bb8d07847b5bda0afacb9cdb27dfeb11.scope /sys/fs/cgroup/cpu,cpuacct/limits.slice/docker-9fe76d65b556761803f7dfdac242607aac4fc4ea687db61fa4e0c08462c7e80f.scope /sys/fs/cgroup/cpuset/limits.slice/docker-97cc264298667d60cf845dd2791a8752bb8d07847b5bda0afacb9cdb27dfeb11.scope /sys/fs/cgroup/cpuset/limits.slice/docker-9fe76d65b556761803f7dfdac242607aac4fc4ea687db61fa4e0c08462c7e80f.scope /sys/fs/cgroup/systemd/limits.slice/docker-97cc264298667d60cf845dd2791a8752bb8d07847b5bda0afacb9cdb27dfeb11.scope /sys/fs/cgroup/systemd/limits.slice/docker-9fe76d65b556761803f7dfdac242607aac4fc4ea687db61fa4e0c08462c7e80f.scope /sys/fs/cgroup/systemd/system.slice/docker.service /sys/fs/cgroup/systemd/system.slice/var-lib-docker.mount <ignore docker-registry related directories/> 2.3 invalid slice name # docker run -it --cgroup-parent=/foobar busybox sh Error response from daemon: Cannot start container ebc7f21047658970b7a504bd1844df104a3d49176acaca44261fe27a7d5c8d1e: [8] System error: Invalid slice name /foobar 3. using docker create 2 containers and start them The docker create w/ --cgroup-parent also does work well like docker run, the details as follows. # docker create -it --cgroup-parent=user.slice busybox sh 1192ac424255df08bc24f412b38b6a783bdca2496b853b5bbe84d3c0cbd20776 # docker create -it --cgroup-parent=user.slice ubuntu bash 483a94987e534c5f05bcfdc232c4fd76fb314c15943bd906d9b3a66d8d2a5d2a # docker start -ai 1192ac4 / # # docker start -ai 483a949 root@483a94987e53:/# # docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 483a94987e53 ubuntu "bash" 25 seconds ago Up 3 seconds gloomy_dijkstra 1192ac424255 busybox "sh" 7 minutes ago Up 15 seconds awesome_swartz # systemd-cgls | grep -A4 -i '[U|u]ser.slice' ├─user.slice │ ├─docker-483a94987e534c5f05bcfdc232c4fd76fb314c15943bd906d9b3a66d8d2a5d2a.scope │ │ └─113518 bash │ ├─docker-1192ac424255df08bc24f412b38b6a783bdca2496b853b5bbe84d3c0cbd20776.scope │ │ └─113470 sh NOTE: the user.slice is in the same hierarchical level as system.slice, for each container, a docker-containerID.scope is created under /sys/fs/cgroup/subsystem/<cgroup-parent>, the actual cgroup directories also look good. VERIFIED, doesn't block atomic7.2.3 anymore. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-0536.html |