This hook requires the nvidia-container-cli tool provided by libnvidia-container:
https://github.com/nvidia/libnvidia-container
For containers that do not have CUDA_VERSION or NVIDIA_VISIBLE_DEVICES
set in the environment, the hook will be a no-op.
To enable in the configuration file:
lxc.hook.mount = /usr/local/share/lxc/hooks/nvidia
Signed-off-by: Felix Abecassis <fabecassis@nvidia.com>
This is based on raw_clone in systemd but adapted to our needs. The main reason
is that we need an implementation of fork()/clone() that does guarantee us that
no pthread_atfork() handlers are run. While clone() in glibc currently doesn't
run pthread_atfork() handlers we should be fine but there's no guarantee that
this won't be the case in the future. So let's do the syscall directly - or as
direct as we can. An additional nice feature is that we get fork() behavior,
i.e. lxc_raw_clone() returns 0 in the child and the child pid in the parent.
Our implementation tries to make sure that we cover all cases according to
kernel sources. Note that we are not interested in any arguments that could be
passed after the stack.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
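
Added example, not code from LXC or systemd: the difference the commit message above describes, with glibc's fork() running a registered pthread_atfork() handler and a direct clone syscall skipping it while still returning 0 in the child and the child pid in the parent. The names demo_raw_clone and handlers_run_during are hypothetical; the code assumes Linux with glibc, handles only the s390 argument order as a special case, and passes nothing after the stack.

```c
#define _GNU_SOURCE
#include <pthread.h>
#include <signal.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef CLONE_VM
#define CLONE_VM 0x00000100 /* value from the kernel's uapi headers */
#endif

static int prepare_calls, installed; /* prepare-handler runs; handler registered? */
static void on_prepare(void) { prepare_calls++; }

/* Hypothetical helper: fork()-like return values, no libc fork machinery. */
static pid_t demo_raw_clone(unsigned long flags)
{
	if (flags & CLONE_VM) /* no new stack is passed, so refuse to share memory */
		return -1;
#if defined(__s390x__) || defined(__s390__)
	return (pid_t)syscall(SYS_clone, NULL, flags | SIGCHLD); /* stack comes first */
#else
	return (pid_t)syscall(SYS_clone, flags | SIGCHLD, NULL);
#endif
}

/* Spawn one child; return how often the prepare handler ran, -1 on error. */
static int handlers_run_during(int use_raw)
{
	int before, status;
	pid_t pid;
	if (!installed && pthread_atfork(on_prepare, NULL, NULL) != 0)
		return -1;
	installed = 1;
	before = prepare_calls;
	pid = use_raw ? demo_raw_clone(0) : fork();
	if (pid < 0)
		return -1;
	if (pid == 0)
		_exit(0); /* child: exit at once, libc's cached state is stale here */
	if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
		return -1;
	return prepare_calls - before;
}

int main(void)
{
	printf("fork: %d, raw clone: %d\n", handlers_run_during(0), handlers_run_during(1));
}
```
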
When we report STOPPED to a caller and then close the command socket it is
technically possible - and I've seen this happen on the test builders - that a
container start() right after a wait() will receive ECONNREFUSED because it
called open() before we close(). So for all new state clients simply close the
command socket. This will inform all state clients that the container is
STOPPED and also prevents a race between an open()/close() on the command socket
causing a new process to get ECONNREFUSED because we haven't yet closed the
command socket.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
This adds a simple test case which verifies that the new migrate() API
command 'MIGRATE_FEATURE_CHECK' works as expected.
If a feature does not exist on the currently running
architecture/kernel/criu combination it does not report an error as this
is a valid scenario.
Signed-off-by: Adrian Reber <areber@redhat.com>
For migration optimization features like pre-copy or post-copy migration
the support cannot be determined by simply looking at the CRIU version.
Features like that depend on the architecture/kernel/criu combination
and CRIU offers a feature checking interface to query if it is
supported.
This adds an LXC interface to query CRIU for those features via the
migrate() API call. For the recent pre-copy migration support in LXD
this can be used to automatically detect if pre-copy migration should be
used.
In addition to the existing migrate() API commands this adds a new
command: 'MIGRATE_FEATURE_CHECK'.
The migrate_opts{} structure is extended by the member features_to_check
which is a bitmask defining which CRIU features should be queried.
Currently only the querying of the features FEATURE_MEM_TRACK and
FEATURE_LAZY_PAGES is supported.
Signed-off-by: Adrian Reber <areber@redhat.com>
If user has lxc.rootfs.path = /some/path/foo, but can't access
some piece of that path, then we'll get an unhelpful "failed to
mount" without any indication of the problem.
At least show that there is a permission problem.
Signed-off-by: Serge Hallyn <shallyn@cisco.com>
This can be used by scripts to detect what version of the hooks are used.
Unblocks #2013.
Unblocks #2015.
Closes #1766.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
...otherwise we'll kill everyone on the machine. Instead, let's explicitly
try to kill our children. Let's do a best effort against fork bombs by
disabling forking via the pids cgroup if it exists. This is best effort for
a number of reasons:
* the pids cgroup may not be available
* the container may have bind mounted /dev/null over pids.max, so the write
doesn't do anything
Signed-off-by: Tycho Andersen <tycho@tycho.ws>