From d34a3bbb09413d01e550f8bcf3e27d908287b104 Mon Sep 17 00:00:00 2001
From: Stefan Berger
Date: Mon, 13 Jan 2020 13:47:50 -0500
Subject: [PATCH] vtpm: Put vTPMs into container's cgroup
Put vTPMs into a container's cgroup to limits their CPU usage.
Signed-off-by: Stefan Berger
---
 libcontainer/container_linux.go | 6 ++++++
 libcontainer/vtpm/vtpm-helper/vtpm_helper.go | 11 +++++++++++
 2 files changed, 17 insertions(+)
diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
index 05cf32e9c9f..b71f65a3553 100644
--- a/libcontainer/container_linux.go
+++ b/libcontainer/container_linux.go
@@ -24,6 +24,7 @@ import (
 "github.com/opencontainers/runc/libcontainer/intelrdt"
 "github.com/opencontainers/runc/libcontainer/system"
 "github.com/opencontainers/runc/libcontainer/utils"
+ "github.com/opencontainers/runc/libcontainer/vtpm/vtpm-helper"
 "github.com/opencontainers/runtime-spec/specs-go"
 "github.com/checkpoint-restore/go-criu/v4"
@@ -391,6 +392,11 @@ func (c *linuxContainer) start(process *Process) error {
 return err
 }
 }
+ if len(c.config.VTPMs) > 0 {
+ if err := vtpmhelper.ApplyCGroupVTPMs(c.config.VTPMs, c.cgroupManager); err != nil {
+ return err
+ }
+ }
 }
 return nil
 }
diff --git a/libcontainer/vtpm/vtpm-helper/vtpm_helper.go b/libcontainer/vtpm/vtpm-helper/vtpm_helper.go
index 64e89055668..fe97b5b95e1 100644
--- a/libcontainer/vtpm/vtpm-helper/vtpm_helper.go
+++ b/libcontainer/vtpm/vtpm-helper/vtpm_helper.go
@@ -10,6 +10,7 @@ import (
 "strings"
 "syscall"
+ "github.com/opencontainers/runc/libcontainer/cgroups"
 "github.com/opencontainers/runc/libcontainer/configs"
 "github.com/opencontainers/runc/libcontainer/vtpm"
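Review bot: In `start` (libcontainer/container_linux.go) the failure path of the new `vtpmhelper.ApplyCGroupVTPMs` call is a bare `return err`, and the hunk shows no cleanup. The call sits at the tail of `start`, whose body begins outside this hunk, so the container process has presumably been launched by then. A failure would leave the vTPM processes running outside the container's cgroup, without the CPU limit this patch is meant to impose. Consider stopping them on that path, for example `vtpmhelper.DestroyVTPMs(c.config.VTPMs)` before the `return err`, unless a caller already does so. A comment such as `// Move the vTPM processes under the container's cgroup so its CPU limits cover them.` would also document why the call is here.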
@@ -153,3 +154,13 @@ func DestroyVTPMs(vtpms []*vtpm.VTPM) {
 vtpm.Stop(vtpm.CreatedStatepath)
 }
 }
+
+// ApplyCGroupVTPMs puts all VTPMs into the given Cgroup manager's cgroup
+func ApplyCGroupVTPMs(vtpms []*vtpm.VTPM, cgroupManager cgroups.Manager) error {
+ for _, vtpm := range vtpms {
+ if err := cgroupManager.Apply(vtpm.Pid); err != nil {
+ return fmt.Errorf("cGroupManager failed to apply vtpm with pid %d: %v", vtpm.Pid, err)
+ }
+ }
+ return nil
+}
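Review bot: `ApplyCGroupVTPMs` passes `vtpm.Pid` to `cgroupManager.Apply` without checking it. The kernel treats a pid of 0 written to a cgroup's procs file as the writing process, so if `Pid` can be unset for a vTPM that failed to start or has exited, runc itself rather than the vTPM may end up in the cgroup; how `Apply` handles such values depends on the manager implementation. A guard at the top of the loop would make the expectation explicit: `if vtpm == nil || vtpm.Pid <= 0 { return fmt.Errorf("vtpm has no running process") }`. Separately, the loop variable `vtpm` shadows the imported `vtpm` package inside the loop body; a name such as `v` avoids that.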