Skip to content

docs: Clarify jailer's behavior when --parent-cgroup provided but --cgroup not provided #5431

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 10 commits into from
Sep 10, 2025
Merged

docs: Clarify jailer's behavior when --parent-cgroup provided but --cgroup not provided #5431

merged 10 commits into from
Sep 10, 2025
+153 −83

Conversation

zulinx86
Copy link
Contributor

@zulinx86 zulinx86 commented Sep 8, 2025
edited
Loading

Changes

  • Tiny cleanups of jailer doc
  • Clarify the jailer's behavior when --parent-cgroup provided but --cgroup not provided
  • Add integration tests for all the cases when --parent-cgroup provided but --cgroup not provided.

Reason

The behavior of --parent-cgroup parameter on cgroup v2 is a bit complicated:

  • If any --cgroup parameters passed, jailer creates a new cgroup under the specified cgroup
  • If no --cgroup parameters not passed,
    • If the specified cgroup exists, jailer moves the process to the cgroup instead of creating a new cgroup under it.
    • If the specified cgroup does not exist, jailer doesn't do anything and proceeds without error.

License Acceptance

By submitting this pull request, I confirm that my contribution is made under
the terms of the Apache 2.0 license. For more information on following Developer
Certificate of Origin and signing off your commits, please check
CONTRIBUTING.md.

PR Checklist

  • I have read and understand CONTRIBUTING.md.
  • I have run tools/devtool checkbuild --all to verify that the PR passes
    build checks on all supported architectures.
  • I have run tools/devtool checkstyle to verify that the PR passes the
    automated style checks.
  • I have described what is done in these changes, why they are needed, and
    how they are solving the problem in a clear and encompassing way.
  • I have updated any relevant documentation (both in code and in the docs)
    in the PR.
  • [ ] I have mentioned all user-facing changes in CHANGELOG.md.
  • [ ] If a specific issue led to this PR, this PR closes the issue.
  • [ ] When making API changes, I have followed the
    Runbook for Firecracker API changes.
  • I have tested all new and changed functionalities in unit tests and/or
    integration tests.
  • [ ] I have linked an issue to every new TODO.
  • This functionality cannot be added in rust-vmm.

@zulinx86 zulinx86 force-pushed the jailer_parent_cgroup branch 4 times, most recently from 5137349 to 608246a Compare September 8, 2025 13:06
@zulinx86 zulinx86 changed the title Jailer parent cgroup docs: Clarify behavior of --parent-cgroup if --cgroup not provided Sep 8, 2025
@zulinx86 zulinx86 changed the title docs: Clarify behavior of --parent-cgroup if --cgroup not provided docs: Clarify jailer's behavior when --parent-cgroup provided but --cgroup not provided Sep 8, 2025
@codecov Codecov
Copy link

codecov bot commented Sep 8, 2025
edited
Loading

Codecov Report

❌ Patch coverage is 0% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 82.68%. Comparing base (8208ee8) to head (ae32fb1).
⚠️ Report is 10 commits behind head on main.

Files with missing lines Patch % Lines
src/jailer/src/env.rs 0.00% 1 Missing ⚠️
Additional details and impacted files 
@@           Coverage Diff           @@
##             main    #5431   +/-   ##
=======================================
  Coverage   82.68%   82.68%           
=======================================
  Files         263      263           
  Lines       27473    27473           
=======================================
  Hits        22717    22717           
  Misses       4756     4756
Flag Coverage Δ
5.10-m5n.metal 82.84% <0.00%> (ø)
5.10-m6a.metal 82.10% <0.00%> (+<0.01%) ⬆️
5.10-m6g.metal 79.47% <0.00%> (ø)
5.10-m6i.metal 82.84% <0.00%> (-0.01%) ⬇️
5.10-m7a.metal-48xl 82.08% <0.00%> (-0.01%) ⬇️
5.10-m7g.metal 79.47% <0.00%> (ø)
5.10-m7i.metal-24xl 82.81% <0.00%> (-0.01%) ⬇️
5.10-m7i.metal-48xl 82.81% <0.00%> (ø)
5.10-m8g.metal-24xl 79.47% <0.00%> (ø)
5.10-m8g.metal-48xl 79.47% <0.00%> (+<0.01%) ⬆️
6.1-m5n.metal 82.88% <0.00%> (-0.01%) ⬇️
6.1-m6a.metal 82.14% <0.00%> (+<0.01%) ⬆️
6.1-m6g.metal 79.47% <0.00%> (ø)
6.1-m6i.metal 82.88% <0.00%> (ø)
6.1-m7a.metal-48xl 82.13% <0.00%> (+<0.01%) ⬆️
6.1-m7g.metal 79.47% <0.00%> (ø)
6.1-m7i.metal-24xl 82.89% <0.00%> (ø)
6.1-m7i.metal-48xl 82.89% <0.00%> (+<0.01%) ⬆️
6.1-m8g.metal-24xl 79.47% <0.00%> (ø)
6.1-m8g.metal-48xl 79.47% <0.00%> (-0.01%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@zulinx86 zulinx86 force-pushed the jailer_parent_cgroup branch from 608246a to 027fd24 Compare September 8, 2025 13:17
@zulinx86 zulinx86 added the Status: Awaiting review Indicates that a pull request is ready to be reviewed label Sep 8, 2025
Manciukic
Manciukic reviewed Sep 8, 2025
View reviewed changes
@Manciukic Manciukic enabled auto-merge (rebase) September 8, 2025 17:30
@zulinx86
docs(jailer): Fix jailer CLI usage formatting with missing backslashes
42a5667 
The jailer CLI usage was missing trailing backslashes on several lines.

Signed-off-by: Takahiro Itazuri <[email protected]>
@zulinx86
docs(jailer): Use underscore for placeholder
f782f24 
The jailer CLI usage uses underscore for placeholders of all the
parameters other than --cgroup-version

Signed-off-by: Takahiro Itazuri <[email protected]>
@zulinx86
docs(jailer): Fix unclosed parenthesis
7d79445 
The parenthesis was not closed.

Signed-off-by: Takahiro Itazuri <[email protected]>
@zulinx86
docs(jailer): Remove description for non-existing parameter
30ffa48 
Since we removed the --node parameter in v1.0, we should not have
description for the parameter.

Fixes: b4d51ac ("jailer: remove --node parameter")
Signed-off-by: Takahiro Itazuri <[email protected]>
@zulinx86 zulinx86 force-pushed the jailer_parent_cgroup branch 2 times, most recently from ec4c031 to b8ed66e Compare September 9, 2025 07:53
Manciukic
Manciukic previously approved these changes Sep 9, 2025
View reviewed changes
@zulinx86
docs(jailer): Distinguish parameter names and values
5de4ed3 
- Added `--` prefix when referring to the CLI option itself.
- Wrapped placeholders for parameter values with angle brackets.

Signed-off-by: Takahiro Itazuri <[email protected]>
@zulinx86
docs(jailer): Reorder cgroup-related parameters
11eac42 
Since the behavior of --parent-cgroup depends on whether --cgroup is
provided or not and wether --cgroup-version is 1 or 2, explain the
dependencies first and then --parent-cgroup.

Signed-off-by: Takahiro Itazuri <[email protected]>
@zulinx86
docs(jailer): Clarify behavior of --parent-cgroup
8a7214c 
Reorganized the description of --parent-cgroup into bullet points to
make clear that its behavior depends on the combination of parameters.

Signed-off-by: Takahiro Itazuri <[email protected]>
@zulinx86
jailer: Better error message for failure of moving to cgroup
fd71e38 
If no --cgroup parameters are specified and --cgroup-version=2 is
passed, the jailer moves the process to the cgroup specified with
--parent-cgroup rather than creating a cgroup under it, contrary to its
name. This move fails if the destination cgroup has domain controllers
(e.g. memory) enabled in cgroup.subtree_control, which is called "no
internal process constraint [1].

[1]: https://docs.kernel.org/admin-guide/cgroup-v2.html#no-internal-process-constraint
Signed-off-by: Takahiro Itazuri <[email protected]>
@zulinx86
test(jailer): Test --parent-cgroup specified but no --cgroup provided
5d39eb9 
The jailer's behavior when --parent-cgroup specified but no --cgroup
provided varies depending on the existence and subtree_control
configuration of the specified cgroup. Test all the cases for such a
combination of parameters.

Signed-off-by: Takahiro Itazuri <[email protected]>
@zulinx86
docs(jailer): Remove requirement for exec file name
ae32fb1 
We removed the requirement for jailer where the file name of
`--exec-file` needs to contain `firecracker`.

Fixes: aedee56 ("feat(jailer): remove requirement for an executable name")
Signed-off-by: Takahiro Itazuri <[email protected]>
@zulinx86 zulinx86 force-pushed the jailer_parent_cgroup branch from b8ed66e to ae32fb1 Compare September 9, 2025 08:33
@zulinx86 zulinx86 requested review from pb8o and xmarcalx September 9, 2025 08:38
xmarcalx
xmarcalx approved these changes Sep 10, 2025
View reviewed changes
Copy link
Contributor

@xmarcalx xmarcalx left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@Manciukic Manciukic merged commit 3eab936 into firecracker-microvm:main Sep 10, 2025
6 of 7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Manciukic Manciukic Manciukic approved these changes

@xmarcalx xmarcalx xmarcalx approved these changes

@pb8o pb8o Awaiting requested review from pb8o

Assignees
No one assigned
Labels
Status: Awaiting review Indicates that a pull request is ready to be reviewed
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@zulinx86 @Manciukic @xmarcalx