Setup cgroups for all subsystems

Fixes #5117 Fixes #5118 Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2022-11-09 12:21:53 -05:00 · 2014-04-09 11:43:19 +00:00 · 2014-04-09 11:43:19 +00:00 · 031fcb31d3
commit 031fcb31d3
parent 931f065560
2 changed files with 45 additions and 19 deletions
--- a/integration-cli/docker_cli_top_test.go
+++ b/integration-cli/docker_cli_top_test.go
@ -7,7 +7,7 @@ import (
 	"testing"
 )

-func TestTop(t *testing.T) {
+func TestTopNonPrivileged(t *testing.T) {
 	runCmd := exec.Command(dockerBinary, "run", "-i", "-d", "busybox", "sleep", "20")
 	out, _, err := runCommandWithOutput(runCmd)
 	errorOut(err, t, fmt.Sprintf("failed to start the container: %v", err))
@ -28,5 +28,29 @@ func TestTop(t *testing.T) {
 		t.Fatal("top should've listed sleep 20 in the process list")
 	}

-	logDone("top - sleep process should be listed")
+	logDone("top - sleep process should be listed in non privileged mode")
+}
+
+func TestTopPrivileged(t *testing.T) {
+	runCmd := exec.Command(dockerBinary, "run", "--privileged", "-i", "-d", "busybox", "sleep", "20")
+	out, _, err := runCommandWithOutput(runCmd)
+	errorOut(err, t, fmt.Sprintf("failed to start the container: %v", err))
+
+	cleanedContainerID := stripTrailingCharacters(out)
+
+	topCmd := exec.Command(dockerBinary, "top", cleanedContainerID)
+	out, _, err = runCommandWithOutput(topCmd)
+	errorOut(err, t, fmt.Sprintf("failed to run top: %v %v", out, err))
+
+	killCmd := exec.Command(dockerBinary, "kill", cleanedContainerID)
+	_, err = runCommand(killCmd)
+	errorOut(err, t, fmt.Sprintf("failed to kill container: %v", err))
+
+	deleteContainer(cleanedContainerID)
+
+	if !strings.Contains(out, "sleep 20") {
+		t.Fatal("top should've listed sleep 20 in the process list")
+	}
+
+	logDone("top - sleep process should be listed in privileged mode")
 }
--- a/pkg/cgroups/apply_raw.go
+++ b/pkg/cgroups/apply_raw.go
@ -78,17 +78,17 @@ func (raw *rawCgroup) join(subsystem string, pid int) (string, error) {
 }

 func (raw *rawCgroup) setupDevices(c *Cgroup, pid int) (err error) {
-	if !c.DeviceAccess {
-		dir, err := raw.join("devices", pid)
+	dir, err := raw.join("devices", pid)
+	if err != nil {
+		return err
+	}
+	defer func() {
 		if err != nil {
-			return err
+			os.RemoveAll(dir)
 		}
+	}()

-		defer func() {
-			if err != nil {
-				os.RemoveAll(dir)
-			}
-		}()
+	if !c.DeviceAccess {

 		if err := writeFile(dir, "devices.deny", "a"); err != nil {
 			return err
@ -132,16 +132,17 @@ func (raw *rawCgroup) setupDevices(c *Cgroup, pid int) (err error) {
 }

 func (raw *rawCgroup) setupMemory(c *Cgroup, pid int) (err error) {
-	if c.Memory != 0 || c.MemorySwap != 0 {
-		dir, err := raw.join("memory", pid)
+	dir, err := raw.join("memory", pid)
+	if err != nil && (c.Memory != 0 || c.MemorySwap != 0) {
+		return err
+	}
+	defer func() {
 		if err != nil {
-			return err
+			os.RemoveAll(dir)
 		}
-		defer func() {
-			if err != nil {
-				os.RemoveAll(dir)
-			}
-		}()
+	}()
+
+	if c.Memory != 0 || c.MemorySwap != 0 {

 		if c.Memory != 0 {
 			if err := writeFile(dir, "memory.limit_in_bytes", strconv.FormatInt(c.Memory, 10)); err != nil {
@ -178,9 +179,10 @@ func (raw *rawCgroup) setupCpu(c *Cgroup, pid int) (err error) {
 }

 func (raw *rawCgroup) setupCpuset(c *Cgroup, pid int) (err error) {
+	// we don't want to join this cgroup unless it is specified
 	if c.CpusetCpus != "" {
 		dir, err := raw.join("cpuset", pid)
-		if err != nil {
+		if err != nil && c.CpusetCpus != "" {
 			return err
 		}
 		defer func() {