RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1320302 - --cgroup-parent doesn't work correctly in docker 1.9
Summary: --cgroup-parent doesn't work correctly in docker 1.9
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: docker
Version: 7.2
Hardware: Unspecified
OS: Linux
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Mrunal Patel
QA Contact: atomic-bugs@redhat.com
Yoana Ruseva
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-03-22 19:25 UTC by Lokesh Mandvekar
Modified: 2019-03-06 01:52 UTC (History)
16 users (show)

Fixed In Version: docker-1.9.1-25.el7
Doc Type: Bug Fix
Doc Text:
Clone Of: 1320275
Environment:
Last Closed: 2016-03-31 23:24:20 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:0536 0 normal SHIPPED_LIVE docker bug fix and enhancement update 2016-04-01 03:19:56 UTC

Description Lokesh Mandvekar 2016-03-22 19:25:37 UTC
+++ This bug was initially created as a clone of Bug #1320275 +++

Description of problem:
--cgroup-parent doesn't work as expected. It just changes the name of the scope.
For e.g. /system.slice/specifiedparent.slice-<docker_uuid>.scope

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
Use the --cgroup-parent option with the systemd cgroup driver

Actual results:
/specifiedparent.slice/docker-<uuid>.scope

Expected results:


Additional info:

Comment 4 Alex Jia 2016-03-24 04:58:29 UTC
I can reproduce this w/ docker-1.9.1-19.el7.x86_64, when I ran 2 containers w/ --cgroup-parent=limits.slice option, the cgroup limitation can't be applied to each container.

For docker-1.9.1-25.el7.x86_64, docker {run, create} has --cgroup-parent, but also no --cgroup-parent option in docker daemon, is it an expected result? in addition, just an confirmation, is enough the following testing for you?


1. w/o running 2 containers

# find /sys/fs/cgroup/ -name "*docker*"
/sys/fs/cgroup/systemd/system.slice/docker.service
/sys/fs/cgroup/systemd/system.slice/var-lib-docker.mount

<ignore docker-registry related directories/>


2. using docker run 2 containers 

2.1 using default value of cgroup parent

# docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
361a8a9e68b1        ubuntu              "bash"              17 seconds ago      Up 16 seconds                           tiny_fermat
2bf33268c8d0        busybox             "sh"                51 seconds ago      Up 50 seconds                           nostalgic_heisenberg

# systemd-cgls | grep -A4 -i '[S|s]ystem.slice'
└─system.slice
  ├─docker-361a8a9e68b19171a95a8ac59b0dba5e9b456d64d900892cb6257e16ed168e2a.scope
  │ └─111814 bash
  ├─docker-2bf33268c8d06149013ea573a5fe2830d22a149a7e103747105d160a13b57a5e.scope
  │ └─111745 sh


NOTE: for each container, a docker-containerID.scope is created under /sys/fs/cgroup/subsystem/system.slice, actual cgroup directories as follows.


# find /sys/fs/cgroup/ -name "*docker*"
/sys/fs/cgroup/hugetlb/system.slice/docker-361a8a9e68b19171a95a8ac59b0dba5e9b456d64d900892cb6257e16ed168e2a.scope
/sys/fs/cgroup/hugetlb/system.slice/docker-2bf33268c8d06149013ea573a5fe2830d22a149a7e103747105d160a13b57a5e.scope
/sys/fs/cgroup/perf_event/system.slice/docker-361a8a9e68b19171a95a8ac59b0dba5e9b456d64d900892cb6257e16ed168e2a.scope
/sys/fs/cgroup/perf_event/system.slice/docker-2bf33268c8d06149013ea573a5fe2830d22a149a7e103747105d160a13b57a5e.scope
/sys/fs/cgroup/blkio/system.slice/docker-361a8a9e68b19171a95a8ac59b0dba5e9b456d64d900892cb6257e16ed168e2a.scope
/sys/fs/cgroup/blkio/system.slice/var-lib-docker.mount
/sys/fs/cgroup/blkio/system.slice/docker-2bf33268c8d06149013ea573a5fe2830d22a149a7e103747105d160a13b57a5e.scope
/sys/fs/cgroup/net_cls/system.slice/docker-361a8a9e68b19171a95a8ac59b0dba5e9b456d64d900892cb6257e16ed168e2a.scope
/sys/fs/cgroup/net_cls/system.slice/docker-2bf33268c8d06149013ea573a5fe2830d22a149a7e103747105d160a13b57a5e.scope
/sys/fs/cgroup/freezer/system.slice/docker-361a8a9e68b19171a95a8ac59b0dba5e9b456d64d900892cb6257e16ed168e2a.scope
/sys/fs/cgroup/freezer/system.slice/docker-2bf33268c8d06149013ea573a5fe2830d22a149a7e103747105d160a13b57a5e.scope
/sys/fs/cgroup/devices/system.slice/docker-361a8a9e68b19171a95a8ac59b0dba5e9b456d64d900892cb6257e16ed168e2a.scope
/sys/fs/cgroup/devices/system.slice/var-lib-docker.mount
/sys/fs/cgroup/devices/system.slice/docker.service
/sys/fs/cgroup/devices/system.slice/docker-2bf33268c8d06149013ea573a5fe2830d22a149a7e103747105d160a13b57a5e.scope
/sys/fs/cgroup/memory/system.slice/docker-361a8a9e68b19171a95a8ac59b0dba5e9b456d64d900892cb6257e16ed168e2a.scope
/sys/fs/cgroup/memory/system.slice/var-lib-docker.mount
/sys/fs/cgroup/memory/system.slice/docker.service
/sys/fs/cgroup/memory/system.slice/docker-2bf33268c8d06149013ea573a5fe2830d22a149a7e103747105d160a13b57a5e.scope
/sys/fs/cgroup/cpu,cpuacct/system.slice/docker-361a8a9e68b19171a95a8ac59b0dba5e9b456d64d900892cb6257e16ed168e2a.scope
/sys/fs/cgroup/cpu,cpuacct/system.slice/var-lib-docker.mount
/sys/fs/cgroup/cpu,cpuacct/system.slice/docker.service
/sys/fs/cgroup/cpu,cpuacct/system.slice/docker-2bf33268c8d06149013ea573a5fe2830d22a149a7e103747105d160a13b57a5e.scope
/sys/fs/cgroup/cpuset/system.slice/docker-361a8a9e68b19171a95a8ac59b0dba5e9b456d64d900892cb6257e16ed168e2a.scope
/sys/fs/cgroup/cpuset/system.slice/docker-2bf33268c8d06149013ea573a5fe2830d22a149a7e103747105d160a13b57a5e.scope
/sys/fs/cgroup/systemd/system.slice/docker-361a8a9e68b19171a95a8ac59b0dba5e9b456d64d900892cb6257e16ed168e2a.scope
/sys/fs/cgroup/systemd/system.slice/docker-2bf33268c8d06149013ea573a5fe2830d22a149a7e103747105d160a13b57a5e.scope
/sys/fs/cgroup/systemd/system.slice/docker.service
/sys/fs/cgroup/systemd/system.slice/var-lib-docker.mount

<ignore docker-registry related directories/>


2.2 setting --cgroup-parent=limits.slice

# docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
97cc26429866        ubuntu              "bash"              7 minutes ago       Up 7 minutes                            tender_dijkstra
9fe76d65b556        busybox             "sh"                7 minutes ago       Up 7 minutes                            adoring_babbage

# systemd-cgls | grep -A4 limits.slice
├─limits.slice
│ ├─docker-97cc264298667d60cf845dd2791a8752bb8d07847b5bda0afacb9cdb27dfeb11.scope
│ │ └─111569 bash
│ └─docker-9fe76d65b556761803f7dfdac242607aac4fc4ea687db61fa4e0c08462c7e80f.scope
│   └─111513 sh
--
│   │ └─111520 docker run -it --cgroup-parent=limits.slice ubuntu bash
│   ├─session-4484.scope
│   │ ├─107842 sshd: root@pts/2
│   │ ├─107846 -bash
│   │ ├─111626 systemd-cgls
│   │ └─111626 systemd-cgls
│   └─session-4477.scope
│     ├─106071 sshd: root@pts/0
│     ├─106076 -bash
│     └─111465 docker run -it --cgroup-parent=limits.slice busybox sh
└─system.slice
  ├─docker.service
  │ ├─111346 /bin/sh -c /usr/bin/docker daemon $OPTIONS            $DOCKER_ST...
  │ ├─111347 /usr/bin/docker daemon --selinux-enabled --add-registry registry...


NOTE: the limits.slice is in the same hierarchical level as system.slice, for each container, a docker-containerID.scope is created under /sys/fs/cgroup/subsystem/<cgroup-parent>, actual cgroup directories as follows.


# find /sys/fs/cgroup/ -name "*docker*"
/sys/fs/cgroup/hugetlb/limits.slice/docker-97cc264298667d60cf845dd2791a8752bb8d07847b5bda0afacb9cdb27dfeb11.scope
/sys/fs/cgroup/hugetlb/limits.slice/docker-9fe76d65b556761803f7dfdac242607aac4fc4ea687db61fa4e0c08462c7e80f.scope
/sys/fs/cgroup/perf_event/limits.slice/docker-97cc264298667d60cf845dd2791a8752bb8d07847b5bda0afacb9cdb27dfeb11.scope
/sys/fs/cgroup/perf_event/limits.slice/docker-9fe76d65b556761803f7dfdac242607aac4fc4ea687db61fa4e0c08462c7e80f.scope
/sys/fs/cgroup/blkio/limits.slice/docker-97cc264298667d60cf845dd2791a8752bb8d07847b5bda0afacb9cdb27dfeb11.scope
/sys/fs/cgroup/blkio/limits.slice/docker-9fe76d65b556761803f7dfdac242607aac4fc4ea687db61fa4e0c08462c7e80f.scope
/sys/fs/cgroup/net_cls/limits.slice/docker-97cc264298667d60cf845dd2791a8752bb8d07847b5bda0afacb9cdb27dfeb11.scope
/sys/fs/cgroup/net_cls/limits.slice/docker-9fe76d65b556761803f7dfdac242607aac4fc4ea687db61fa4e0c08462c7e80f.scope
/sys/fs/cgroup/freezer/limits.slice/docker-97cc264298667d60cf845dd2791a8752bb8d07847b5bda0afacb9cdb27dfeb11.scope
/sys/fs/cgroup/freezer/limits.slice/docker-9fe76d65b556761803f7dfdac242607aac4fc4ea687db61fa4e0c08462c7e80f.scope
/sys/fs/cgroup/devices/limits.slice/docker-97cc264298667d60cf845dd2791a8752bb8d07847b5bda0afacb9cdb27dfeb11.scope
/sys/fs/cgroup/devices/limits.slice/docker-9fe76d65b556761803f7dfdac242607aac4fc4ea687db61fa4e0c08462c7e80f.scope
/sys/fs/cgroup/memory/limits.slice/docker-97cc264298667d60cf845dd2791a8752bb8d07847b5bda0afacb9cdb27dfeb11.scope
/sys/fs/cgroup/memory/limits.slice/docker-9fe76d65b556761803f7dfdac242607aac4fc4ea687db61fa4e0c08462c7e80f.scope
/sys/fs/cgroup/cpu,cpuacct/limits.slice/docker-97cc264298667d60cf845dd2791a8752bb8d07847b5bda0afacb9cdb27dfeb11.scope
/sys/fs/cgroup/cpu,cpuacct/limits.slice/docker-9fe76d65b556761803f7dfdac242607aac4fc4ea687db61fa4e0c08462c7e80f.scope
/sys/fs/cgroup/cpuset/limits.slice/docker-97cc264298667d60cf845dd2791a8752bb8d07847b5bda0afacb9cdb27dfeb11.scope
/sys/fs/cgroup/cpuset/limits.slice/docker-9fe76d65b556761803f7dfdac242607aac4fc4ea687db61fa4e0c08462c7e80f.scope
/sys/fs/cgroup/systemd/limits.slice/docker-97cc264298667d60cf845dd2791a8752bb8d07847b5bda0afacb9cdb27dfeb11.scope
/sys/fs/cgroup/systemd/limits.slice/docker-9fe76d65b556761803f7dfdac242607aac4fc4ea687db61fa4e0c08462c7e80f.scope
/sys/fs/cgroup/systemd/system.slice/docker.service
/sys/fs/cgroup/systemd/system.slice/var-lib-docker.mount

<ignore docker-registry related directories/>


2.3 invalid slice name

# docker run -it --cgroup-parent=/foobar busybox sh
Error response from daemon: Cannot start container ebc7f21047658970b7a504bd1844df104a3d49176acaca44261fe27a7d5c8d1e: [8] System error: Invalid slice name /foobar


3. using docker create 2 containers and start them

The docker create w/ --cgroup-parent also does work well like docker run, the details as follows.

# docker create -it --cgroup-parent=user.slice busybox sh
1192ac424255df08bc24f412b38b6a783bdca2496b853b5bbe84d3c0cbd20776
# docker create -it --cgroup-parent=user.slice ubuntu bash
483a94987e534c5f05bcfdc232c4fd76fb314c15943bd906d9b3a66d8d2a5d2a

# docker start -ai 1192ac4
/ #

# docker start -ai 483a949
root@483a94987e53:/# 

# docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
483a94987e53        ubuntu              "bash"              25 seconds ago      Up 3 seconds                            gloomy_dijkstra
1192ac424255        busybox             "sh"                7 minutes ago       Up 15 seconds                           awesome_swartz

# systemd-cgls | grep -A4 -i '[U|u]ser.slice'
├─user.slice
│ ├─docker-483a94987e534c5f05bcfdc232c4fd76fb314c15943bd906d9b3a66d8d2a5d2a.scope
│ │ └─113518 bash
│ ├─docker-1192ac424255df08bc24f412b38b6a783bdca2496b853b5bbe84d3c0cbd20776.scope
│ │ └─113470 sh

NOTE: the user.slice is in the same hierarchical level as system.slice, for each container, a docker-containerID.scope is created under /sys/fs/cgroup/subsystem/<cgroup-parent>, the actual cgroup directories also look good.

Comment 5 Luwen Su 2016-03-24 07:25:04 UTC
Per comment#4, move to verified

Comment 6 Lokesh Mandvekar 2016-03-24 14:11:20 UTC
VERIFIED, doesn't block atomic7.2.3 anymore.

Comment 8 errata-xmlrpc 2016-03-31 23:24:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0536.html


Note You need to log in before you can comment on or make changes to this bug.