gvisor/test/root/cgroup_test.go

// Copyright 2018 The gVisor Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package root

import (
	"bufio"
	"context"
	"fmt"
	"io/ioutil"
	"os"
	"os/exec"
	"path/filepath"
	"strconv"
	"strings"
	"testing"
	"time"

	"gvisor.dev/gvisor/pkg/test/dockerutil"
	"gvisor.dev/gvisor/pkg/test/testutil"
	"gvisor.dev/gvisor/runsc/cgroup"
)

func verifyPid(pid int, path string) error {
	f, err := os.Open(path)
	if err != nil {
		return err
	}
	defer f.Close()

	var gots []int
	scanner := bufio.NewScanner(f)
	for scanner.Scan() {
		got, err := strconv.Atoi(scanner.Text())
		if err != nil {
			return err
		}
		if got == pid {
			return nil
		}
		gots = append(gots, got)
	}
	if scanner.Err() != nil {
		return scanner.Err()
	}
	return fmt.Errorf("got: %v, want: %d", gots, pid)
}

func TestMemCgroup(t *testing.T) {
	ctx := context.Background()
	d := dockerutil.MakeContainer(ctx, t)
	defer d.CleanUp(ctx)

	// Start a new container and allocate the specified about of memory.
	allocMemSize := 128 << 20
	allocMemLimit := 2 * allocMemSize

	if err := d.Spawn(ctx, dockerutil.RunOpts{
		Image:  "basic/ubuntu",
		Memory: allocMemLimit, // Must be in bytes.
	}, "python3", "-c", fmt.Sprintf("import time; s = 'a' * %d; time.sleep(100)", allocMemSize)); err != nil {
		t.Fatalf("docker run failed: %v", err)
	}

	// Extract the ID to lookup the cgroup.
	gid := d.ID()
	t.Logf("cgroup ID: %s", gid)

	// Wait when the container will allocate memory.
	memUsage := 0
	start := time.Now()
	for time.Since(start) < 30*time.Second {
		// Sleep for a brief period of time after spawning the
		// container (so that Docker can create the cgroup etc.
		// or after looping below (so the application can start).
		time.Sleep(100 * time.Millisecond)

		var path string

		// Read the cgroup memory limit.
		if cgroup.IsOnlyV2() {
			path = filepath.Join("/sys/fs/cgroup/docker", gid, "memory.max")
		} else {
			path = filepath.Join("/sys/fs/cgroup/memory/docker", gid, "memory.limit_in_bytes")
		}
		// Read the cgroup memory limit.
		outRaw, err := ioutil.ReadFile(path)
		if err != nil {
			// It's possible that the container does not exist yet.
			continue
		}
		out := strings.TrimSpace(string(outRaw))
		memLimit, err := strconv.Atoi(out)
		if err != nil {
			t.Fatalf("Atoi(%v): %v", out, err)
		}
		if memLimit != allocMemLimit {
			// The group may not have had the correct limit set yet.
			continue
		}

		if cgroup.IsOnlyV2() {
			// v2 does not have max_usage_in_bytes equivalent, so memory.current is the
			// next best thing that we can use
			path = filepath.Join("/sys/fs/cgroup/docker", gid, "memory.current")
		} else {
			path = filepath.Join("/sys/fs/cgroup/memory/docker", gid, "memory.max_usage_in_bytes")
		}
		// Read the cgroup memory usage.
		outRaw, err = ioutil.ReadFile(path)
		if err != nil {
			t.Fatalf("error reading usage: %v", err)
		}
		out = strings.TrimSpace(string(outRaw))
		memUsage, err = strconv.Atoi(out)
		if err != nil {
			t.Fatalf("Atoi(%v): %v", out, err)
		}
		t.Logf("read usage: %v, wanted: %v", memUsage, allocMemSize)

		// Are we done?
		if memUsage >= allocMemSize {
			return
		}
	}

	t.Fatalf("%vMB is less than %vMB", memUsage>>20, allocMemSize>>20)
}

// TestCgroup sets cgroup options and checks that cgroup was properly configured.
func TestCgroupV1(t *testing.T) {
	if cgroup.IsOnlyV2() {
		t.Skip("skipping cgroupv1 attribute testing in cgroupv2 setup")
	}
	ctx := context.Background()
	d := dockerutil.MakeContainer(ctx, t)
	defer d.CleanUp(ctx)

	// This is not a comprehensive list of attributes.
	//
	// Note that we are specifically missing cpusets, which fail if specified.
	// In any case, it's unclear if cpusets can be reliably tested here: these
	// are often run on a single core virtual machine, and there is only a single
	// CPU available in our current set, and every container's set.
	attrs := []struct {
		field          string
		value          int64
		ctrl           string
		file           string
		want           string
		skipIfNotFound bool
	}{
		{
			field: "cpu-shares",
			value: 1000,
			ctrl:  "cpu",
			file:  "cpu.shares",
			want:  "1000",
		},
		{
			field: "cpu-period",
			value: 2000,
			ctrl:  "cpu",
			file:  "cpu.cfs_period_us",
			want:  "2000",
		},
		{
			field: "cpu-quota",
			value: 3000,
			ctrl:  "cpu",
			file:  "cpu.cfs_quota_us",
			want:  "3000",
		},
		{
			field: "kernel-memory",
			value: 100 << 20,
			ctrl:  "memory",
			file:  "memory.kmem.limit_in_bytes",
			want:  "104857600",
		},
		{
			field: "memory",
			value: 1 << 30,
			ctrl:  "memory",
			file:  "memory.limit_in_bytes",
			want:  "1073741824",
		},
		{
			field: "memory-reservation",
			value: 500 << 20,
			ctrl:  "memory",
			file:  "memory.soft_limit_in_bytes",
			want:  "524288000",
		},
		{
			field:          "memory-swap",
			value:          2 << 30,
			ctrl:           "memory",
			file:           "memory.memsw.limit_in_bytes",
			want:           "2147483648",
			skipIfNotFound: true, // swap may be disabled on the machine.
		},
		{
			field: "memory-swappiness",
			value: 5,
			ctrl:  "memory",
			file:  "memory.swappiness",
			want:  "5",
		},
		{
			field:          "blkio-weight",
			value:          750,
			ctrl:           "blkio",
			file:           "blkio.weight",
			want:           "750",
			skipIfNotFound: true, // blkio groups may not be available.
		},
		{
			field: "pids-limit",
			value: 1000,
			ctrl:  "pids",
			file:  "pids.max",
			want:  "1000",
		},
	}

	// Make configs.
	conf, hostconf, _ := d.ConfigsFrom(dockerutil.RunOpts{
		Image: "basic/alpine",
	}, "sleep", "10000")

	// Add Cgroup arguments to configs.
	for _, attr := range attrs {
		switch attr.field {
		case "cpu-shares":
			hostconf.Resources.CPUShares = attr.value
		case "cpu-period":
			hostconf.Resources.CPUPeriod = attr.value
		case "cpu-quota":
			hostconf.Resources.CPUQuota = attr.value
		case "kernel-memory":
			hostconf.Resources.KernelMemory = attr.value
		case "memory":
			hostconf.Resources.Memory = attr.value
		case "memory-reservation":
			hostconf.Resources.MemoryReservation = attr.value
		case "memory-swap":
			hostconf.Resources.MemorySwap = attr.value
		case "memory-swappiness":
			val := attr.value
			hostconf.Resources.MemorySwappiness = &val
		case "blkio-weight":
			hostconf.Resources.BlkioWeight = uint16(attr.value)
		case "pids-limit":
			val := attr.value
			hostconf.Resources.PidsLimit = &val
		}
	}

	// Create container.
	if err := d.CreateFrom(ctx, "basic/alpine", conf, hostconf, nil); err != nil {
		t.Fatalf("create failed with: %v", err)
	}

	// Start container.
	if err := d.Start(ctx); err != nil {
		t.Fatalf("start failed with: %v", err)
	}

	// Lookup the relevant cgroup ID.
	gid := d.ID()
	t.Logf("cgroup ID: %s", gid)

	// Check list of attributes defined above.
	for _, attr := range attrs {
		path := filepath.Join("/sys/fs/cgroup", attr.ctrl, "docker", gid, attr.file)
		out, err := ioutil.ReadFile(path)
		if err != nil {
			if os.IsNotExist(err) && attr.skipIfNotFound {
				t.Logf("skipped %s/%s", attr.ctrl, attr.file)
				continue
			}
			t.Fatalf("failed to read %q: %v", path, err)
		}
		if got := strings.TrimSpace(string(out)); got != attr.want {
			t.Errorf("field: %q, cgroup attribute %s/%s, got: %q, want: %q", attr.field, attr.ctrl, attr.file, got, attr.want)
		}
	}

	// Check that sandbox is inside cgroup.
	controllers := []string{
		"blkio",
		"cpu",
		"cpuset",
		"memory",
		"net_cls",
		"net_prio",
		"devices",
		"freezer",
		"perf_event",
		"pids",
		"systemd",
	}
	pid, err := d.SandboxPid(ctx)
	if err != nil {
		t.Fatalf("SandboxPid: %v", err)
	}
	for _, ctrl := range controllers {
		path := filepath.Join("/sys/fs/cgroup", ctrl, "docker", gid, "cgroup.procs")
		if err := verifyPid(pid, path); err != nil {
			t.Errorf("cgroup control %q processes: %v", ctrl, err)
		}
	}
}

// TestCgroupV2 sets cgroup options and checks that cgroup was properly configured with
// cgroupv2 setup
func TestCgroupV2(t *testing.T) {
	if !cgroup.IsOnlyV2() {
		t.Skip("skipping cgroupv2 attribute testing in cgroupv1 setup")
	}
	ctx := context.Background()
	d := dockerutil.MakeContainer(ctx, t)
	defer d.CleanUp(ctx)

	// This is not a comprehensive list of attributes.
	//
	// Note that we are specifically missing cpusets, which fail if specified.
	// In any case, it's unclear if cpusets can be reliably tested here: these
	// are often run on a single core virtual machine, and there is only a single
	// CPU available in our current set, and every container's set.
	attrs := []struct {
		field          string
		value          int64
		file           string
		want           string
		skipIfNotFound bool
	}{
		{
			field: "cpu-shares",
			value: 3333,
			file:  "cpu.weight",
			want:  "128",
		},
		{
			field: "cpu-period",
			value: 2000,
			file:  "cpu.max",
			want:  "max 2000",
		},
		{
			field: "memory",
			value: 1 << 30,
			file:  "memory.max",
			want:  "1073741824",
		},
		{
			field: "memory-reservation",
			value: 500 << 20,
			file:  "memory.low",
			want:  "524288000",
		},
		{
			field: "memory-swap",
			value: 1 << 31,
			file:  "memory.swap.max",
			// memory.swap.max is only the swap value, unlike cgroupv1
			want:           fmt.Sprintf("%d", 1<<31-1<<30),
			skipIfNotFound: true, // swap may be disabled on the machine.
		},
		{
			field:          "blkio-weight",
			value:          750,
			file:           "io.bfq.weight",
			want:           fmt.Sprintf("default %d", 750),
			skipIfNotFound: true, // blkio groups may not be available.
		},
		{
			field: "pids-limit",
			value: 1000,
			file:  "pids.max",
			want:  "1000",
		},
	}

	// Make configs.
	conf, hostconf, _ := d.ConfigsFrom(dockerutil.RunOpts{
		Image: "basic/alpine",
	}, "sleep", "10000")

	// Add Cgroup arguments to configs.
	for _, attr := range attrs {
		switch attr.field {
		case "cpu-shares":
			hostconf.Resources.CPUShares = attr.value
		case "cpu-period":
			hostconf.Resources.CPUPeriod = attr.value
		case "cpu-quota":
			hostconf.Resources.CPUQuota = attr.value
		case "kernel-memory":
			hostconf.Resources.KernelMemory = attr.value
		case "memory":
			hostconf.Resources.Memory = attr.value
		case "memory-reservation":
			hostconf.Resources.MemoryReservation = attr.value
		case "memory-swap":
			hostconf.Resources.MemorySwap = attr.value
		case "memory-swappiness":
			val := attr.value
			hostconf.Resources.MemorySwappiness = &val
		case "blkio-weight":
			// detect existence of io.bfq.weight as this is not always loaded
			_, err := ioutil.ReadFile(filepath.Join("/sys/fs/cgroup/docker", attr.file))
			if err == nil || !attr.skipIfNotFound {
				hostconf.Resources.BlkioWeight = uint16(attr.value)
			}
		case "pids-limit":
			val := attr.value
			hostconf.Resources.PidsLimit = &val
		}
	}

	// Create container.
	if err := d.CreateFrom(ctx, "basic/alpine", conf, hostconf, nil); err != nil {
		t.Fatalf("create failed with: %v", err)
	}

	// Start container.
	if err := d.Start(ctx); err != nil {
		t.Fatalf("start failed with: %v", err)
	}

	// Lookup the relevant cgroup ID.
	gid := d.ID()
	t.Logf("cgroup ID: %s", gid)

	// Check list of attributes defined above.
	for _, attr := range attrs {
		path := filepath.Join("/sys/fs/cgroup/docker", gid, attr.file)
		out, err := ioutil.ReadFile(path)
		if err != nil {
			if os.IsNotExist(err) && attr.skipIfNotFound {
				t.Logf("skipped %s", attr.file)
				continue
			}
			t.Fatalf("failed to read %q: %v", path, err)
		}
		if got := strings.TrimSpace(string(out)); got != attr.want {
			t.Errorf("field: %q, cgroup attribute %s, got: %q, want: %q", attr.field, attr.file, got, attr.want)
		}
	}

	// Check that sandbox is inside cgroup.
	pid, err := d.SandboxPid(ctx)
	if err != nil {
		t.Fatalf("SandboxPid: %v", err)
	}
	path := filepath.Join("/sys/fs/cgroup/docker", gid, "cgroup.procs")
	if err := verifyPid(pid, path); err != nil {
		t.Errorf("cgroup control processes: %v", err)
	}
}

// TestCgroupParent sets the "CgroupParent" option and checks that the child and
// parent's cgroups are created correctly relative to each other.
func TestCgroupParent(t *testing.T) {
	ctx := context.Background()
	d := dockerutil.MakeContainer(ctx, t)
	defer d.CleanUp(ctx)

	// Construct a known cgroup name.
	parent := testutil.RandomID("runsc-")
	conf, hostconf, _ := d.ConfigsFrom(dockerutil.RunOpts{
		Image: "basic/alpine",
	}, "sleep", "10000")
	hostconf.Resources.CgroupParent = parent

	if err := d.CreateFrom(ctx, "basic/alpine", conf, hostconf, nil); err != nil {
		t.Fatalf("create failed with: %v", err)
	}

	if err := d.Start(ctx); err != nil {
		t.Fatalf("start failed with: %v", err)
	}

	// Extract the ID to look up the cgroup.
	gid := d.ID()
	t.Logf("cgroup ID: %s", gid)

	// Check that sandbox is inside cgroup.
	pid, err := d.SandboxPid(ctx)
	if err != nil {
		t.Fatalf("SandboxPid: %v", err)
	}

	// Finds cgroup for the sandbox's parent process to check that cgroup is
	// created in the right location relative to the parent.
	cmd := fmt.Sprintf("grep PPid: /proc/%d/status | sed 's/PPid:\\s//'", pid)
	ppidStr, err := exec.Command("bash", "-c", cmd).CombinedOutput()
	if err != nil {
		t.Fatalf("Executing %q: %v", cmd, err)
	}
	ppid, err := strconv.Atoi(strings.TrimSpace(string(ppidStr)))
	if err != nil {
		t.Fatalf("invalid PID (%s): %v", ppidStr, err)
	}
	cgroups, err := cgroup.NewFromPid(ppid)
	if err != nil {
		t.Fatalf("cgroup.NewFromPid(%d): %v", ppid, err)
	}
	path := filepath.Join(cgroups.MakePath("cpuacct"), parent, gid, "cgroup.procs")
	if err := verifyPid(pid, path); err != nil {
		t.Errorf("cgroup control %q processes: %v", "memory", err)
	}
}