From c48ac77840f1aa22a76428e2451ca1ae9cf85a48 Mon Sep 17 00:00:00 2001 From: Jessica Frazelle Date: Fri, 21 Aug 2015 11:13:33 -0700 Subject: [PATCH] update hack/dind for 1.8 mounting of cgroups Signed-off-by: Jessica Frazelle --- hack/dind | 138 ++++++++++++++++++++++++++++-------------------------- 1 file changed, 71 insertions(+), 67 deletions(-) diff --git a/hack/dind b/hack/dind index 9289ba6556..1c564922c3 100755 --- a/hack/dind +++ b/hack/dind 
@@ -13,16 +13,79 @@ set -e # apparmor sucks and Docker needs to know that it's in a container (c) @tianon export container=docker -# First, make sure that cgroups are mounted correctly. -CGROUP=/cgroup +# as of docker 1.8, cgroups will be mounted in the container +if ! mountpoint -q /sys/fs/cgroup; then -mkdir -p "$CGROUP" + # First, make sure that cgroups are mounted correctly. + CGROUP=/cgroup -if ! mountpoint -q "$CGROUP"; then - mount -n -t tmpfs -o uid=0,gid=0,mode=0755 cgroup $CGROUP || { - echo >&2 'Could not make a tmpfs mount. Did you use --privileged?' - exit 1 - } + mkdir -p "$CGROUP" + + if ! mountpoint -q "$CGROUP"; then + mount -n -t tmpfs -o uid=0,gid=0,mode=0755 cgroup $CGROUP || { + echo >&2 'Could not make a tmpfs mount. Did you use --privileged?' + exit 1 + } + fi + + # Mount the cgroup hierarchies exactly as they are in the parent system. + for HIER in $(cut -d: -f2 /proc/1/cgroup); do + + # The following sections address a bug which manifests itself + # by a cryptic "lxc-start: no ns_cgroup option specified" when + # trying to start containers within a container. + # The bug seems to appear when the cgroup hierarchies are not + # mounted on the exact same directories in the host, and in the + # container. + + SUBSYSTEMS="${HIER%name=*}" + + # If cgroup hierarchy is named(mounted with "-o name=foo") we + # need to mount it in $CGROUP/foo to create exect same + # directoryes as on host. Else we need to mount it as is e.g. + # "subsys1,subsys2" if it has two subsystems + + # Named, control-less cgroups are mounted with "-o name=foo" + # (and appear as such under /proc//cgroup) but are usually + # mounted on a directory named "foo" (without the "name=" prefix). + # Systemd and OpenRC (and possibly others) both create such a + # cgroup. So just mount them on directory $CGROUP/foo. + + OHIER=$HIER + HIER="${HIER#*name=}" + + mkdir -p "$CGROUP/$HIER" + + if ! 
mountpoint -q "$CGROUP/$HIER"; then + mount -n -t cgroup -o "$OHIER" cgroup "$CGROUP/$HIER" + fi + + # Likewise, on at least one system, it has been reported that + # systemd would mount the CPU and CPU accounting controllers + # (respectively "cpu" and "cpuacct") with "-o cpuacct,cpu" + # but on a directory called "cpu,cpuacct" (note the inversion + # in the order of the groups). This tries to work around it. + + if [ "$HIER" = 'cpuacct,cpu' ]; then + ln -s "$HIER" "$CGROUP/cpu,cpuacct" + fi + + # If hierarchy has multiple subsystems, in /proc//cgroup + # we will see ":subsys1,subsys2,subsys3,name=foo:" substring, + # we need to mount it to "$CGROUP/foo" and if there were no + # name to "$CGROUP/subsys1,subsys2,subsys3", so we must create + # symlinks for docker daemon to find these subsystems: + # ln -s $CGROUP/foo $CGROUP/subsys1 + # ln -s $CGROUP/subsys1,subsys2,subsys3 $CGROUP/subsys1 + + if [ "$SUBSYSTEMS" != "${SUBSYSTEMS//,/ }" ]; then + SUBSYSTEMS="${SUBSYSTEMS//,/ }" + for SUBSYS in $SUBSYSTEMS + do + ln -s "$CGROUP/$HIER" "$CGROUP/$SUBSYS" + done + fi + done fi if [ -d /sys/kernel/security ] && ! mountpoint -q /sys/kernel/security; then 
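Review bot: The new outer guard `if ! mountpoint -q /sys/fs/cgroup; then` only establishes that something is mounted at /sys/fs/cgroup, not that the controller hierarchies exist beneath it or are writable. When the guard is false, the whole setup is skipped silently, including the 'Did you use --privileged?' diagnostic. I would state the assumption above the guard, e.g. `# docker >= 1.8 mounts the cgroup hierarchies for us; only the mount point is checked, not its contents or write access`, or print a line to stderr when the branch is skipped so an unprivileged run is easier to diagnose. Inside the re-indented block, the tmpfs `mount` call still passes `$CGROUP` unquoted while every other use is quoted; `cgroup "$CGROUP" || {` would be consistent. The two `ln -s` calls look like they would fail under the `set -e` shown in the context if the links already exist from an earlier run against a populated /cgroup, so `ln -sfn` or an existence test before linking would make the block re-runnable.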
@@ -32,65 +95,6 @@ if [ -d /sys/kernel/security ] && ! mountpoint -q /sys/kernel/security; then } fi -# Mount the cgroup hierarchies exactly as they are in the parent system. -for HIER in $(cut -d: -f2 /proc/1/cgroup); do - - # The following sections address a bug which manifests itself - # by a cryptic "lxc-start: no ns_cgroup option specified" when - # trying to start containers within a container. - # The bug seems to appear when the cgroup hierarchies are not - # mounted on the exact same directories in the host, and in the - # container. - - SUBSYSTEMS="${HIER%name=*}" - - # If cgroup hierarchy is named(mounted with "-o name=foo") we - # need to mount it in $CGROUP/foo to create exect same - # directoryes as on host. Else we need to mount it as is e.g. - # "subsys1,subsys2" if it has two subsystems - - # Named, control-less cgroups are mounted with "-o name=foo" - # (and appear as such under /proc//cgroup) but are usually - # mounted on a directory named "foo" (without the "name=" prefix). - # Systemd and OpenRC (and possibly others) both create such a - # cgroup. So just mount them on directory $CGROUP/foo. - - OHIER=$HIER - HIER="${HIER#*name=}" - - mkdir -p "$CGROUP/$HIER" - - if ! mountpoint -q "$CGROUP/$HIER"; then - mount -n -t cgroup -o "$OHIER" cgroup "$CGROUP/$HIER" - fi - - # Likewise, on at least one system, it has been reported that - # systemd would mount the CPU and CPU accounting controllers - # (respectively "cpu" and "cpuacct") with "-o cpuacct,cpu" - # but on a directory called "cpu,cpuacct" (note the inversion - # in the order of the groups). This tries to work around it. 
- - if [ "$HIER" = 'cpuacct,cpu' ]; then - ln -s "$HIER" "$CGROUP/cpu,cpuacct" - fi - - # If hierarchy has multiple subsystems, in /proc//cgroup - # we will see ":subsys1,subsys2,subsys3,name=foo:" substring, - # we need to mount it to "$CGROUP/foo" and if there were no - # name to "$CGROUP/subsys1,subsys2,subsys3", so we must create - # symlinks for docker daemon to find these subsystems: - # ln -s $CGROUP/foo $CGROUP/subsys1 - # ln -s $CGROUP/subsys1,subsys2,subsys3 $CGROUP/subsys1 - - if [ "$SUBSYSTEMS" != "${SUBSYSTEMS//,/ }" ]; then - SUBSYSTEMS="${SUBSYSTEMS//,/ }" - for SUBSYS in $SUBSYSTEMS - do - ln -s "$CGROUP/$HIER" "$CGROUP/$SUBSYS" - done - fi -done - # Note: as I write those lines, the LXC userland tools cannot setup # a "sub-container" properly if the "devices" cgroup is not in its # own hierarchy. Let's detect this and issue a warning.