From 9331b5cb808282269093bb4a115b9a17c13bbf46 Mon Sep 17 00:00:00 2001
From: Jose Carlos Venegas Munoz
Date: Thu, 11 Apr 2019 15:28:16 -0500
Subject: [PATCH 1/3] cgroup: sandbox: create sandbox cgroup at parent level. If a sandbox contaienr is created lets use its cgroupath and use the parent to create kata sandbox cgroup.
Signed-off-by: Jose Carlos Venegas Munoz
---
 virtcontainers/sandbox.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/virtcontainers/sandbox.go b/virtcontainers/sandbox.go
index 7f88973adc..1cf9a3e955 100644
--- a/virtcontainers/sandbox.go
+++ b/virtcontainers/sandbox.go
@@ -12,6 +12,7 @@ import (
 "io"
 "net"
 "os"
+ "path/filepath"
 "sync"
 "syscall"
@@ -1009,7 +1010,10 @@ func (s *Sandbox) addContainer(c *Container) error {
 ann := c.GetAnnotations()
 if ann[annotations.ContainerTypeKey] == string(PodSandbox) {
- s.state.CgroupPath = c.state.CgroupPath
+ containerCgroup := filepath.Join("/", c.state.CgroupPath)
+ parent := filepath.Dir(containerCgroup)
+ sandboxCgroupPath := filepath.Join(parent, "/kata-sandbox")
+ s.state.CgroupPath = sandboxCgroupPath
 return s.store.Store(store.State, s.state)
 }
From 6aae88c615c2df7455d439dce26c0231741277f4 Mon Sep 17 00:00:00 2001
From: Jose Carlos Venegas Munoz
Date: Thu, 11 Apr 2019 16:01:58 -0500
Subject: [PATCH 2/3] cgroups: move hypervisor to sandbox cgroup The hypervisor will be limited at sandbox cgroup level.
Fixes: #1430
Signed-off-by: Jose Carlos Venegas Munoz
---
 virtcontainers/cgroups.go | 27 ++-------------------------
 1 file changed, 2 insertions(+), 25 deletions(-)
diff --git a/virtcontainers/cgroups.go b/virtcontainers/cgroups.go
index 46c46f0fb8..a840bc3a3a 100644
--- a/virtcontainers/cgroups.go
+++ b/virtcontainers/cgroups.go
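Review bot: In addContainer (virtcontainers/sandbox.go, patch 1/3) the sandbox cgroup always gets the fixed leaf name `kata-sandbox` under the container's parent, so two sandboxes whose sandbox containers share a parent cgroup resolve to the same path and would share limits and accounting. An empty `c.state.CgroupPath` also stops being empty here: `filepath.Join("/", "")` is `/`, the result is `/kata-sandbox`, and the "cgroup path is empty" early return visible in updateCgroups (patch 3/3) can no longer fire for such a sandbox. The fixed leaf name is kept by the addContainer hunk of patch 3/3 as well. I would keep the old assignment when the container path is empty, `if c.state.CgroupPath == "" { s.state.CgroupPath = ""; return s.store.Store(store.State, s.state) }`, and add a comment stating what makes the parent unique per sandbox. addContainer's body starts and ends outside the hunk.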
@@ -221,31 +221,8 @@ func (s *Sandbox) constrainHypervisor(cgroup cgroups.Cgroup) error {
 return fmt.Errorf("Could not add hypervisor PID %d to cgroup %v: %v", pid, path, err)
 }
- // when new container joins, new CPU could be hotplugged, so we
- // have to query fresh vcpu info from hypervisor for every time.
- tids, err := s.hypervisor.getThreadIDs()
- if err != nil {
- return fmt.Errorf("failed to get thread ids from hypervisor: %v", err)
- }
- if len(tids.vcpus) == 0 {
- // If there's no tid returned from the hypervisor, this is not
- // a bug. It simply means there is nothing to constrain, hence
- // let's return without any error from here.
- return nil
- }
-
- // We are about to move just the vcpus (threads) into cgroups with constraints.
- // Move whole hypervisor process whould be easier but the IO/network performance
- // whould be impacted.
- for _, i := range tids.vcpus {
- // In contrast, AddTask will write thread id to `tasks`
- // After this, vcpu threads are in "vcpu" sub-cgroup, other threads in
- // qemu will be left in parent cgroup untouched.
- if err := cgroup.AddTask(cgroups.Process{
- Pid: i,
- }); err != nil {
- return err
- }
+ if err := cgroup.Add(cgroups.Process{Pid: pid}); err != nil {
+ return fmt.Errorf("Could not add hypervisor PID %d to cgroup %v: %v", pid, path, err)
 }
 return nil
From 864fc9867093277bff793116de81ba30e7121bca Mon Sep 17 00:00:00 2001
From: Jose Carlos Venegas Munoz
Date: Fri, 12 Apr 2019 17:19:21 -0500
Subject: [PATCH 3/3] sandbox: crete sandbox cgroup. Based in sandbox cgroup path. Create a new cgroup .
Signed-off-by: Jose Carlos Venegas Munoz
---
 virtcontainers/cgroups.go | 2 +-
 virtcontainers/sandbox.go | 33 +++++++++++++++++++++++++++++++--
 2 files changed, 32 insertions(+), 3 deletions(-)
diff --git a/virtcontainers/cgroups.go b/virtcontainers/cgroups.go
index a840bc3a3a..522f118c7e 100644
--- a/virtcontainers/cgroups.go
+++ b/virtcontainers/cgroups.go
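Review bot: In constrainHypervisor (virtcontainers/cgroups.go, patch 2/3) the new `cgroup.Add` failure returns exactly the same message, built from the same `path` variable, as the context line just above it, so a log cannot tell which of the two steps failed; `path` is assigned outside the hunk and may not be the path of `cgroup` at all. A distinct message avoids naming the wrong cgroup when the hypervisor could not be confined, for example `return fmt.Errorf("Could not add hypervisor PID %d to sandbox cgroup: %v", pid, err)`. The removed comment recorded that moving the whole process costs IO/network performance, so a one-line comment such as `// The whole hypervisor process is now constrained at sandbox level, see #1430.` would keep that trade-off visible. The function starts above the hunk.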
@@ -143,7 +143,7 @@ func (s *Sandbox) updateCgroups() error {
 s.Logger().Warn("sandbox's cgroup won't be updated: cgroup path is empty")
 return nil
 }
-
+ s.Logger().Info("DEBUG loading cgroup:", s.state.CgroupPath)
 cgroup, err := cgroupsLoadFunc(V1Constraints, cgroups.StaticPath(s.state.CgroupPath))
 if err != nil {
 return fmt.Errorf("Could not load cgroup %v: %v", s.state.CgroupPath, err)
diff --git a/virtcontainers/sandbox.go b/virtcontainers/sandbox.go
index 1cf9a3e955..dbf8cd4f09 100644
--- a/virtcontainers/sandbox.go
+++ b/virtcontainers/sandbox.go
@@ -16,6 +16,7 @@ import (
 "sync"
 "syscall"
+ "github.com/containerd/cgroups"
 "github.com/containernetworking/plugins/pkg/ns"
 specs "github.com/opencontainers/runtime-spec/specs-go"
 opentracing "github.com/opentracing/opentracing-go"
@@ -1010,10 +1011,12 @@ func (s *Sandbox) addContainer(c *Container) error {
 ann := c.GetAnnotations()
 if ann[annotations.ContainerTypeKey] == string(PodSandbox) {
- containerCgroup := filepath.Join("/", c.state.CgroupPath)
- parent := filepath.Dir(containerCgroup)
+ parent := filepath.Dir(c.state.CgroupPath)
 sandboxCgroupPath := filepath.Join(parent, "/kata-sandbox")
 s.state.CgroupPath = sandboxCgroupPath
+ if err := s.newCgroups(); err != nil {
+ return err
+ }
 return s.store.Store(store.State, s.state)
 }
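Review bot: The added `s.Logger().Info("DEBUG loading cgroup:", s.state.CgroupPath)` in updateCgroups (virtcontainers/cgroups.go) looks like leftover debugging: it logs at Info level with a `DEBUG` prefix on every cgroup update and takes the place of the blank line that separated the early return from the load. If the logger is a logrus entry, as the `Warn`/`Info` calls suggest, the two string arguments are also joined with no space between them. Either drop the line or make it a structured debug message, `s.Logger().WithField("cgroup-path", s.state.CgroupPath).Debug("loading sandbox cgroup")`. updateCgroups continues past the end of the hunk.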
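Review bot: In addContainer (virtcontainers/sandbox.go, patch 3/3) `s.state.CgroupPath` is overwritten before `s.newCgroups()` is called, so a failed creation returns with the in-memory state naming a cgroup that does not exist, and a failed `s.store.Store` afterwards leaves the freshly created cgroup behind with nothing recording it. Dropping the `filepath.Join("/", …)` step also means an empty or relative `c.state.CgroupPath` reaches `filepath.Dir` unchanged (`filepath.Dir("")` is `.`), so keeping the result inside the intended hierarchy rests entirely on `utils.ValidCgroupPath` in newCgroups, whose body is not shown on this page. I would restore the previous path when creation fails and add context to the error, `return fmt.Errorf("creating sandbox cgroup %q: %v", sandboxCgroupPath, err)`, with a comment saying that newCgroups sanitises the path. addContainer's body starts and ends outside the hunk.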
@@ -1717,3 +1720,29 @@ func (s *Sandbox) calculateSandboxCPUs() uint32 {
 }
 return utils.CalculateVCpusFromMilliCpus(mCPU)
 }
+
+// creates a new cgroup and return the cgroups path
+func (s *Sandbox) newCgroups() error {
+
+ var spec specs.Spec
+
+ // https://github.com/kata-containers/runtime/issues/168
+ resources := specs.LinuxResources{
+ CPU: nil,
+ }
+
+ resources.CPU = s.cpuResources()
+
+ if spec.Linux != nil && spec.Linux.Resources != nil {
+ resources.CPU = validCPUResources(spec.Linux.Resources.CPU)
+ }
+
+ s.state.CgroupPath = utils.ValidCgroupPath(s.state.CgroupPath)
+ _, err := cgroupsNewFunc(cgroups.V1,
+ cgroups.StaticPath(s.state.CgroupPath), &resources)
+ if err != nil {
+ return fmt.Errorf("Could not create cgroup for %v: %v", s.state.CgroupPath, err)
+ }
+
+ return nil
+}
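Review bot: In newCgroups the local `spec` is a zero-value `specs.Spec`, so `spec.Linux` is always nil and the `if spec.Linux != nil && spec.Linux.Resources != nil` branch can never run; `validCPUResources` is therefore never applied to the limits that get written. If validation is intended, apply it to the value actually used, `resources := specs.LinuxResources{CPU: validCPUResources(s.cpuResources())}`, and delete `var spec` and the dead branch (this assumes `validCPUResources` accepts what `s.cpuResources()` returns, which the two assignments to `resources.CPU` suggest). The doc comment says the function returns the cgroups path while it returns only an error; `// newCgroups creates the sandbox cgroup at s.state.CgroupPath and applies the sandbox CPU resources.` would match the code. It also rewrites `s.state.CgroupPath` through `utils.ValidCgroupPath` on every call, which is only safe if that helper is idempotent.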