Bug 1471803 - oci-kvm-hook Doesn't work on RHEL7 docker
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: docker
Version: 7.4
Assigned To: Frantisek Kluknavsky
atomic-bugs@redhat.com
Blocks: 1472848
Reported: 2017-07-17 09:20 EDT by Daniel Walsh
Modified: 2017-08-01 20:13 EDT
Clones: 1472815 1472848
Last Closed: 2017-08-01 20:13:50 EDT
Type: Bug
Description Daniel Walsh 2017-07-17 09:20:37 EDT
This issue was reported here by Stef Walter.
https://github.com/stefwalter/oci-kvm-hook/issues/3

Need three backports for docker-runc to make this work correctly.
Comment 2 Daniel Walsh 2017-07-17 09:23:19 EDT
Alright, I figured this out. Turns out we needed to backport a patch to make it possible for prestart hooks to edit cgroup stuff. Patches for 1.12.6, 1.13.1 and 1.13.1-rhel are here:

projectatomic/runc@79c3939
projectatomic/runc@d90fcb7
projectatomic/runc@79db05f

Original patch: opencontainers/runc#1239

https://github.com/projectatomic/runc/commit/79c3939053c870fbb4de5484d98640d5ba028ef4

https://github.com/projectatomic/runc/commit/d90fcb78c3886d01d48829a11fb481af5db08372

https://github.com/projectatomic/runc/commit/79db05ff0192bae1d0e505b93c5ac28818beb441
Comment 5 Luwen Su 2017-07-25 00:27:22 EDT
For now
# docker run -it timesu/test-kvm /bin/bash

//docker-1.12.6-48.git0fdc778.el7.x86_64

# ls -l /sys/fs/cgroup/devices/system.slice/docker-45da3109bf49026fa288603c1c1d9c762150de9fc9fce34a89eb60ff4f70bc23.scope/
total 0
-rw-r--r--. 1 root root 0 Jul 25 12:18 cgroup.clone_children
--w--w--w-. 1 root root 0 Jul 25 12:18 cgroup.event_control
-rw-r--r--. 1 root root 0 Jul 25 12:18 cgroup.procs
--w-------. 1 root root 0 Jul 25 12:18 devices.allow
--w-------. 1 root root 0 Jul 25 12:18 devices.deny
-r--r--r--. 1 root root 0 Jul 25 12:18 devices.list
-rw-r--r--. 1 root root 0 Jul 25 12:18 notify_on_release
-rw-r--r--. 1 root root 0 Jul 25 12:18 tasks

compared with before
https://github.com/stefwalter/oci-kvm-hook/issues/3
-rw-r--r--. 1 root root 0 Jul 14 14:09 cgroup.clone_children
-rw-r--r--. 1 root root 0 Jul 14 14:09 cgroup.procs
--w-------. 1 root root 0 Jul 14 14:09 devices.allow
--w-------. 1 root root 0 Jul 14 14:09 devices.deny
-r--r--r--. 1 root root 0 Jul 14 14:09 devices.list
-rw-r--r--. 1 root root 0 Jul 14 14:09 notify_on_release
-rw-r--r--. 1 root root 0 Jul 14 14:09 tasks
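
Added example (not part of the bug report, and not code from docker, runc or oci-kvm-hook): the listings in Comment 5 show which files exist in the container's devices cgroup, while the rules a prestart hook managed to add are visible in devices.list. The script below checks cgroup v1 devices.list entries for a rule covering a given device. It assumes /dev/kvm is character device 10:232; the helper name device_allowed and the sample lists are constructed for illustration.

```shell
#!/bin/sh
# Added example. device_allowed TYPE MAJOR MINOR ACCESS  (hypothetical helper)
# Reads cgroup v1 devices.list entries ("c 10:232 rwm") on stdin and returns 0
# when one entry covers the requested device and every requested access letter.
device_allowed() {
    want_type=$1 want_major=$2 want_minor=$3 want_access=$4
    # "|| [ -n ... ]" keeps a final line that lacks a trailing newline.
    while read -r type majmin access || [ -n "$type" ]; do
        [ -n "$type" ] || continue              # skip blank lines
        major=${majmin%%:*}
        minor=${majmin##*:}
        # Entry type "a" covers both block and character devices.
        [ "$type" = a ] || [ "$type" = "$want_type" ] || continue
        [ "$major" = '*' ] || [ "$major" = "$want_major" ] || continue
        [ "$minor" = '*' ] || [ "$minor" = "$want_minor" ] || continue
        covered=1
        for letter in r w m; do                 # read, write, mknod
            case $want_access in
                *"$letter"*)
                    case $access in *"$letter"*) ;; *) covered=0 ;; esac ;;
            esac
        done
        if [ "$covered" = 1 ]; then return 0; fi
    done
    return 1
}

# Constructed sample contents, not taken from the bug report.
BEFORE_HOOK='c 1:3 rwm
c 1:5 rwm
c 5:0 rwm
c *:* m
b *:* m'
AFTER_HOOK="$BEFORE_HOOK
c 10:232 rwm"

# Assumption: /dev/kvm is character device 10:232.
for name in BEFORE_HOOK AFTER_HOOK; do
    eval "list=\$$name"
    if printf '%s\n' "$list" | device_allowed c 10 232 rw; then
        echo "$name: rw access to /dev/kvm allowed"
    else
        echo "$name: rw access to /dev/kvm not in the whitelist"
    fi
done
```

Against a running container, redirect the scope's devices.list (in the directory listed in Comment 5) into device_allowed c 10 232 rw instead of the sample text.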
Comment 7 errata-xmlrpc 2017-08-01 20:13:50 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2344
