Added unified cgroupv2 setting to updateContainerResources

[PannagaRao]

Added unified cgroupv2 settings to updateContainerResources

Signed-off-by: Pannaga Rao Bhoja Ramamanohara

What type of PR is this?

/kind bug

What this PR does / why we need it:

Which issue(s) this PR fixes:

Fixes # #9816

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Fixed UpdateContainerResources to apply cgroupv2 unified settings

Summary by CodeRabbit

• New Features

  • Extended resource handling to preserve and apply Linux cgroup v2 unified entries when updating container resources.

• Tests

  • Added unit and integration tests verifying dynamic updates of unified cgroup v2 entries on running containers.
  • Introduced a small test helper executable to drive unified-resource update scenarios and a new integration test exercising update flows.

• Chores

  • Added build/clean rules and CI artifact inclusion for the new test binary; added a test binary path variable.

[openshift-ci]

Hi @PannagaRao. Thanks for your PR.

I'm waiting for a cri-o member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Tip

We noticed you've done this a few times! Consider joining the org to skip this step and gain /lgtm and other bot rights. We recommend asking approvers on your previous PRs to sponsor you.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds propagation of cgroup v2 "unified" resource entries into OCI/Linux resource structures during resource translation and container spec updates; introduces a CLI test binary and integration test to exercise dynamic updates of unified cgroup v2 settings.

Changes

Cohort / File(s)	Summary
Server: resource translation server/container_update_resources.go	Import maps; in toOCIResources allocate update.Unified and copy all entries from r.GetUnified() when present (handle cgroup v2 unified fields).
Internal: apply resources to container spec internal/lib/container_server.go	Import maps; when updating container spec, initialize updatedSpec.Linux.Resources.Unified if nil and copy entries from resources.Unified using maps.Copy when non-empty.
Tests: server unit test server/container_update_resources_test.go	Add unit test "should succeed with unified cgroup v2 resources" (skips if no cgroup v2); verifies Unified entries are applied to container spec after update.
Tests: integration harness & CLI test/updateunified/updateunified.go, test/cgroups.bats, test/common.sh, Makefile, .github/workflows/integration.yml	Add updateunified test binary and build rule; CLI binary that connects to CRI socket and calls UpdateContainerResources with provided unified key=values; add bats test to exercise dynamic unified updates; wire binary into CI artifacts and test harness variables.

Sequence Diagram(s)

sequenceDiagram
  participant CLI as "updateunified (CLI)"
  participant CRI as "CRI gRPC (unix socket)"
  participant Server as "container server"
  participant OCI as "OCI runtime / cgroup v2"

  CLI->>CRI: Connect + UpdateContainerResources(containerID, Linux.Unified map)
  CRI->>Server: Forward UpdateContainerResources request
  Server->>Server: toOCIResources -> allocate update.Unified and maps.Copy entries
  Server->>OCI: Apply updated spec (including Unified entries)
  OCI->>Server: Ack / updated cgroup v2 files
  Server->>CRI: RPC response OK
  CRI->>CLI: Print "OK"

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I nibble maps and copy with care,
unified keys tumble through the air,
memory.min and memory.high align,
specs get patched, the cgroup vines entwine,
hop—update done, a snack and a twine.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The pull request title directly describes the main change: adding unified cgroup v2 settings to the updateContainerResources function, which aligns with the core modifications across all modified files.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

❌ Patch coverage is 70.00000% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 67.46%. Comparing base (819d0dd) to head (456e2e7).
⚠️ Report is 12 commits behind head on main.

Additional details and impacted files

@@             Coverage Diff             @@
##             main    #9820       +/-   ##
===========================================
+ Coverage   46.49%   67.46%   +20.96%     
===========================================
  Files         180      212       +32     
  Lines       26670    29697     +3027     
===========================================
+ Hits        12401    20035     +7634     
+ Misses      13070     7953     -5117     
- Partials     1199     1709      +510     

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@server/container_update_resources_test.go`:
- Around line 85-118: The test "should succeed with unified cgroup v2 resources"
assumes unified resources are applied only on cgroup v2 hosts; update the test
to detect the host cgroup mode and skip the test when running on cgroup v1:
before calling sut.UpdateContainerResources, add a guard that checks cgroup
version (e.g., via a helper like isCgroup2() or by probing /sys/fs/cgroup for
cgroup.controllers) and call Skip or t.Skip when not cgroup v2 so the assertions
on c.Spec().Linux.Resources.Unified only run on cgroup v2 systems; ensure you
reference the same test identifiers (sut.UpdateContainerResources,
types.UpdateContainerResourcesRequest, testContainer) when adding the guard.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: cc3a8093-03d6-4057-bcdc-30f200c17772

📥 Commits

Reviewing files that changed from the base of the PR and between ad6220d and 1efe6bc.

📒 Files selected for processing (3)

• internal/lib/container_server.go
• server/container_update_resources.go
• server/container_update_resources_test.go

[sohankunkerkar]

/ok-to-test

[PannagaRao]

/retest

[PannagaRao]

/retest

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

test/updateunified/updateunified.go (1)

37-44: Minor: Error message is slightly misleading.

grpc.NewClient creates a client but doesn't establish a connection until the first RPC call. The error at line 42 relates to client creation failure (e.g., invalid target string), not a connection failure. Consider adjusting the message for clarity.

Suggested fix

 	conn, err := grpc.NewClient(
 		"unix://"+socket,
 		grpc.WithTransportCredentials(insecure.NewCredentials()),
 	)
 	if err != nil {
-		fmt.Fprintf(os.Stderr, "failed to connect: %v\n", err)
+		fmt.Fprintf(os.Stderr, "failed to create client: %v\n", err)
 		os.Exit(1)
 	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/updateunified/updateunified.go` around lines 37 - 44, The error message
incorrectly says "failed to connect" though grpc.NewClient only creates a
client; update the fmt.Fprintf call to reflect client-creation failure (e.g.,
"failed to create gRPC client: %v") where grpc.NewClient is invoked and err is
checked, so the log accurately describes the failure before exiting (adjust the
message involving conn and err accordingly).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@test/cgroups.bats`:
- Around line 221-224: The assertion for memory.min is too loose: change the
substring check on the variable output (from the crictl exec call that reads
/sys/fs/cgroup/memory.min) to an exact/anchored comparison so it only passes
when the file equals "0" (e.g., use an exact string equality or numeric compare
after trimming whitespace on output) instead of the current wildcard pattern;
keep the memory.high check as-is.

---

Nitpick comments:
In `@test/updateunified/updateunified.go`:
- Around line 37-44: The error message incorrectly says "failed to connect"
though grpc.NewClient only creates a client; update the fmt.Fprintf call to
reflect client-creation failure (e.g., "failed to create gRPC client: %v") where
grpc.NewClient is invoked and err is checked, so the log accurately describes
the failure before exiting (adjust the message involving conn and err
accordingly).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: cbb5a709-78a4-418b-962a-d28829dc2129

📥 Commits

Reviewing files that changed from the base of the PR and between cd2b28f and 6221fb1.

📒 Files selected for processing (4)

• Makefile
• test/cgroups.bats
• test/common.sh
• test/updateunified/updateunified.go

[PannagaRao]

/retest

[PannagaRao]

/retest

[sohankunkerkar]

Overall, it looks good!
Could you add a unit test to check if toOCIResources persists the spec?

[PannagaRao]

Overall, it looks good! Could you add a unit test to check if toOCIResources persists the spec?

I have already added a test to see if the spec is persisted in server/container_update_resources_test.go. Could you please elaborate on where else it should be checked?

[bitoku]

lgtm overall, will wait for the tests to pass.

[bitoku]

I'd want to implement it in cri-tools and use it, but it'll take some time.

[bitoku]

/retest

[bitoku]

/retest

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: PannagaRao, sohankunkerkar

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [sohankunkerkar]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[sohankunkerkar]

@bitoku I will leave the final lgtm to you.

[bitoku]

/lgtm

[PannagaRao]

/retest