Add PIDs cgroup support to Docker

[cyphar]

@jfrazelle gave me the honour of opening this on her behalf 😸.

The PIDs cgroup is vital to allowing the limiting of the number of processes with high granularity (on the level of containers). The other main options are simply not fit for the task:

• LIMIT_NPROC has no granularity.
• kmemcg just simply doesn't work.
• ulimit operates on a user basis, so docker run -u someone will cause issues.

opencontainers/runc#446 has been merged. We're waiting on 1.10 to be released (as well as some issues in runc to be resolved).

[cyphar]

I'd like to point out to reviewers that the tests passing doesn't actually indicate if the code works, since the QA test beds don't support the PIDs cgroup. Please try the tests on your own machine (with a 4.3+ kernel with CONFIG_CGROUP_PIDS=y). OpenSUSE Tumbleweed, Arch Linux and a few other distros have CONFIG_CGROUP_PIDS=y by default.

[cpuguy83]

What is the meaning of 0 for pids limit?

[jessfraz]

does nothing

[cpuguy83]

So is 0 and -1 the same?

[cyphar]

-1 means "explicitly set the limit to be unlimited, and error out if the cgroup doesn't exist"
0 means "use the default" which results in it being unlimited.
We're trying to iron out this interface in opencontainers/runtime-spec#233.

[jessfraz]

also thinking it would be nice if there was a sane default for all containers set by the daemon something like 512 (more than enough, but not unlimited)

[jessfraz]

@cyphar agreed,

@diogomonica I ran several programs and tested various containers and I think 512 is a good number... it will be applied to the cgroup parent which means not every container gets 512, they get a portion, java uses quite a lot so we are trying to provide security while not having people just change it to unlimited

[jessfraz]

I have been running this patch on several of our servers including prod ones to collect stats I'd be willing to show you the results

[diogomonica]

Absolutely. Would love to see the results.

[jessfraz]

ill save you the time, they say 512 is the magic number :P

I can make a gist later it's pretty interesting even redis spawns multiple

[diogomonica]

Ha! Problem solved.

[cpuguy83]

Looks like the libcontainer vendor is out of date.

[jessfraz]

ya its waiting on a pr ;)

[jessfraz]

now rebased on #18788, made it a diff PR, so we dont hold up w this PR design discussion since gccgo needs it

[thaJeztah]

Looks like there were some issues in RunC opencontainers/runc#58 (comment) and the PR was temporarily reverted until those are solved opencontainers/runc#445

[jessfraz]

:tear:

On Dec 19, 2015, 10:54 -0800, Sebastiaan van Stijnnotifications@github.com, wrote:

Looks like there were some issues in RunCopencontainers/runc#58 (comment)(opencontainers/runc#58 (comment) the PR was temporarily reverted until those are solvedopencontainers/runc#445(opencontainers/runc#445)

—
Reply to this email directly orview it on GitHub(#18697 (comment)).

[jessfraz]

we are greeennnnnn

[thaJeztah]

I think this is now blocked on opencontainers/runc#446?

[cyphar]

@thaJeztah Yup, that is correct.

[cyphar]

Yay! 🎉

[tonistiigi]

Where is this being set? I think we need something like this: 103cc23#diff-234033fe3b8730c35e53ce0d8dbda485R119

[jessfraz]

I can't find that same function on master the stats one in daemon?

On Tuesday, March 8, 2016, Tõnis Tiigi notifications@github.com wrote:

In api/client/stats_helpers.go
#18697 (comment):

@@ -24,6 +24,7 @@ type containerStats struct {
NetworkTx float64
BlockRead float64
BlockWrite float64

• PidsCurrent uint64

Where is this being set? I think we need something like this: 103cc23
#diff-234033fe3b8730c35e53ce0d8dbda485R119
103cc23#diff-234033fe3b8730c35e53ce0d8dbda485R119

—
Reply to this email directly or view it on GitHub
https://github.com/docker/docker/pull/18697/files#r55461314.

Jessie Frazelle
4096R / D4C4 DD60 0D66 F65A 8EFC 511E 18F3 685C 0022 BFF3
pgp.mit.edu http://pgp.mit.edu/pks/lookup?op=get&search=0x18F3685C0022BFF3

[tonistiigi]

I only meant that setting of this value before pritning seems to be missing on the client side. My commit is based on the containerd branch so the daemon side is different there.

[jessfraz]

Maybe something got lost in a rebase because I have used it and it works

On Tuesday, March 8, 2016, Tõnis Tiigi notifications@github.com wrote:

In api/client/stats_helpers.go
#18697 (comment):

@@ -24,6 +24,7 @@ type containerStats struct {
NetworkTx float64
BlockRead float64
BlockWrite float64

• PidsCurrent uint64

I only meant that setting of this value before pritning seems to be
missing on the client side. My commit is based on the containerd branch so
the daemon side is different there.

—
Reply to this email directly or view it on GitHub
https://github.com/docker/docker/pull/18697/files#r55464136.

Jessie Frazelle
4096R / D4C4 DD60 0D66 F65A 8EFC 511E 18F3 685C 0022 BFF3
pgp.mit.edu http://pgp.mit.edu/pks/lookup?op=get&search=0x18F3685C0022BFF3

[jessfraz]

It's right here :)
https://github.com/docker/docker/pull/18697/files#diff-77f23598eb03c37b3f275940922fe494R65

On Tuesday, March 8, 2016, Jessica Frazelle me@jessfraz.com wrote:

Maybe something got lost in a rebase because I have used it and it works

On Tuesday, March 8, 2016, Tõnis Tiigi <notifications@github.com
javascript:_e(%7B%7D,'cvml','notifications@github.com');> wrote:

In api/client/stats_helpers.go
#18697 (comment):

@@ -24,6 +24,7 @@ type containerStats struct {
NetworkTx float64
BlockRead float64
BlockWrite float64

• PidsCurrent uint64

I only meant that setting of this value before pritning seems to be
missing on the client side. My commit is based on the containerd branch so
the daemon side is different there.

—
Reply to this email directly or view it on GitHub
https://github.com/docker/docker/pull/18697/files#r55464136.

Jessie Frazelle
4096R / D4C4 DD60 0D66 F65A 8EFC 511E 18F3 685C 0022 BFF3
pgp.mit.edu
http://pgp.mit.edu/pks/lookup?op=get&search=0x18F3685C0022BFF3

Jessie Frazelle
4096R / D4C4 DD60 0D66 F65A 8EFC 511E 18F3 685C 0022 BFF3
pgp.mit.edu http://pgp.mit.edu/pks/lookup?op=get&search=0x18F3685C0022BFF3

[jessfraz]

Oh I see yeah that was definitely lost in a rebase :(

On Tuesday, March 8, 2016, Tõnis Tiigi notifications@github.com wrote:

In api/client/stats_helpers.go
#18697 (comment):

@@ -24,6 +24,7 @@ type containerStats struct {
NetworkTx float64
BlockRead float64
BlockWrite float64

• PidsCurrent uint64

That's setting cgroup value to the api type on daemon side. PidsCurrent
is client side value used for printing.

—
Reply to this email directly or view it on GitHub
https://github.com/docker/docker/pull/18697/files#r55465554.

Jessie Frazelle
4096R / D4C4 DD60 0D66 F65A 8EFC 511E 18F3 685C 0022 BFF3
pgp.mit.edu http://pgp.mit.edu/pks/lookup?op=get&search=0x18F3685C0022BFF3

[cyphar]

I can fix this if you like.

[jessfraz]

Thanks!

On Tuesday, March 8, 2016, Aleksa Sarai notifications@github.com wrote:

In api/client/stats_helpers.go
#18697 (comment):

@@ -24,6 +24,7 @@ type containerStats struct {
NetworkTx float64
BlockRead float64
BlockWrite float64

• PidsCurrent uint64

I can fix this if you like.

—
Reply to this email directly or view it on GitHub
https://github.com/docker/docker/pull/18697/files#r55476919.

Jessie Frazelle
4096R / D4C4 DD60 0D66 F65A 8EFC 511E 18F3 685C 0022 BFF3
pgp.mit.edu http://pgp.mit.edu/pks/lookup?op=get&search=0x18F3685C0022BFF3

[cyphar]

I'm also planning on adding PidsLimit to the stats as well so we can get the cool current / limit stuff all the other cgroups do. Obviously that'll take a while (libcontainer + engine-api + docker).

[cyphar]

I've made a PR fixing this (#21150).

/cc @jfrazelle @calavera @tonistiigi

[ghost]

Was this feature not included in the 1.11 released on 13th april?

[cyphar]

@mkonakan Yes, this is in Docker 1.11.

[thaJeztah]

@mkonakan it requires kernel 4.3 or up though, so may not be available if you're using an older version

[ghost]

Cool. Thank you. I am currently on 1.10 only. I could not find this feature is included in the 1.11 release information. So, posted the question here. Will update and check on it. Thank you guys :)

[cpuguy83]

@innocentme1 There is no default, it's just what you set per container.
PIDs cgroup controller docs: https://www.kernel.org/doc/Documentation/cgroup-v1/pids.txt

[innocentme1]

Re-posting as my previous comment seems to be scrambled

@cpuguy83 @cyphar I am currently not on kernel > 4.3 so I could not test things and I also could not find them in any docs. So, expecting your help for below ques

1- Is this PIDs limit enabled by default in Docker? How do I verify it?
2. How do I disable this setting if its default?
3. Whats the process limit count when this setting will detect & prevent?
4. Can I change the default limit for detection? If yes - how?
5. Where can I see the details regarding this on docker docs? or any command etc?

[innocentme1]

@cpuguy83 I would appreciate if I can get answers for each one of the one's I requested so that I can get clear idea on everything. So, if its per container level

• Do I have to set everytime I launch a container?
• If I do not specify each time , whats the default value it takes ? (Assuming it has feature enabled by default)

[cpuguy83]

@innocentme1 Please read the docs.
This setting is no different than any other setting that docker provides to containers.

[cpuguy83]

p.s., if you would like to discuss further #docker on IRC or forums.docker.com is far more appropriate and easier to help out than a closed GH PR.

[innocentme1]

@cpuguy83 sure. Thank you 👍

[matheuss]

Any reason on why this wasn't added to docker update as well?

[cyphar]

Not really @matheuss, it should be fairly trivial to add to docker update as well.

[cpuguy83]

@matheuss Here's the PR for it: #32519