[test][DNM]Move sandbox cgroup from pause to parent

virtcontainers/cgroups.go

@@ -143,7 +143,7 @@ func (s *Sandbox) updateCgroups() error {
 		s.Logger().Warn("sandbox's cgroup won't be updated: cgroup path is empty")
 		return nil
 	}
-
+	s.Logger().Info("DEBUG loading cgroup:", s.state.CgroupPath)
 	cgroup, err := cgroupsLoadFunc(V1Constraints, cgroups.StaticPath(s.state.CgroupPath))
 	if err != nil {
 		return fmt.Errorf("Could not load cgroup %v: %v", s.state.CgroupPath, err)
@@ -221,31 +221,8 @@ func (s *Sandbox) constrainHypervisor(cgroup cgroups.Cgroup) error {
 		return fmt.Errorf("Could not add hypervisor PID %d to cgroup %v: %v", pid, path, err)
 	}
 
-	// when new container joins, new CPU could be hotplugged, so we
-	// have to query fresh vcpu info from hypervisor for every time.
-	tids, err := s.hypervisor.getThreadIDs()
-	if err != nil {
-		return fmt.Errorf("failed to get thread ids from hypervisor: %v", err)
-	}
-	if len(tids.vcpus) == 0 {
-		// If there's no tid returned from the hypervisor, this is not
-		// a bug. It simply means there is nothing to constrain, hence
-		// let's return without any error from here.
-		return nil
-	}
-
-	// We are about to move just the vcpus (threads) into cgroups with constraints.
-	// Move whole hypervisor process whould be easier but the IO/network performance
-	// whould be impacted.
-	for _, i := range tids.vcpus {
-		// In contrast, AddTask will write thread id to `tasks`
-		// After this, vcpu threads are in "vcpu" sub-cgroup, other threads in
-		// qemu will be left in parent cgroup untouched.
-		if err := cgroup.AddTask(cgroups.Process{
-			Pid: i,
-		}); err != nil {
-			return err
-		}
+	if err := cgroup.Add(cgroups.Process{Pid: pid}); err != nil {
+		return fmt.Errorf("Could not add hypervisor PID %d to cgroup %v: %v", pid, path, err)
 	}
 
 	return nil

virtcontainers/sandbox.go

@@ -12,9 +12,11 @@ import (
 	"io"
 	"net"
 	"os"
+	"path/filepath"
 	"sync"
 	"syscall"
 
+	"github.com/containerd/cgroups"
 	"github.com/containernetworking/plugins/pkg/ns"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 	opentracing "github.com/opentracing/opentracing-go"
@@ -1009,7 +1011,12 @@ func (s *Sandbox) addContainer(c *Container) error {
 
 	ann := c.GetAnnotations()
 	if ann[annotations.ContainerTypeKey] == string(PodSandbox) {
-		s.state.CgroupPath = c.state.CgroupPath
+		parent := filepath.Dir(c.state.CgroupPath)
+		sandboxCgroupPath := filepath.Join(parent, "/kata-sandbox")
+		s.state.CgroupPath = sandboxCgroupPath
+		if err := s.newCgroups(); err != nil {
+			return err
+		}
 		return s.store.Store(store.State, s.state)
 	}
 
@@ -1713,3 +1720,29 @@ func (s *Sandbox) calculateSandboxCPUs() uint32 {
 	}
 	return utils.CalculateVCpusFromMilliCpus(mCPU)
 }
+
+// creates a new cgroup and return the cgroups path
+func (s *Sandbox) newCgroups() error {
+
+	var spec specs.Spec
+
+	// https://github.com/kata-containers/runtime/issues/168
+	resources := specs.LinuxResources{
+		CPU: nil,
+	}
+
+	resources.CPU = s.cpuResources()
+
+	if spec.Linux != nil && spec.Linux.Resources != nil {
+		resources.CPU = validCPUResources(spec.Linux.Resources.CPU)
+	}
+
+	s.state.CgroupPath = utils.ValidCgroupPath(s.state.CgroupPath)
+	_, err := cgroupsNewFunc(cgroups.V1,
+		cgroups.StaticPath(s.state.CgroupPath), &resources)
+	if err != nil {
+		return fmt.Errorf("Could not create cgroup for %v: %v", s.state.CgroupPath, err)
+	}
+
+	return nil
+}