kata agent CreateSandbox & CreateContainer

虚拟机rootfs

root@25a725e7599e:/# ls
bin   dev  home  lost+found  mnt  proc  run   srv  tmp  var
boot  etc  lib   media       opt  root  sbin  sys  usr
root@25a725e7599e:/# ls lib/  
aarch64-linux-gnu  ld-linux-aarch64.so.1  modprobe.d  terminfo
init               lsb                    systemd     udev
root@25a725e7599e:/# ls      
bin   dev  home  lost+found  mnt  proc  run   srv  tmp  var
boot  etc  lib   media       opt  root  sbin  sys  usr
root@25a725e7599e:/# ls bin/ps 
bin/ps
root@25a725e7599e:/# ps -elf | grep nginx
4 S root        71    50  0  80   0 -  2069 arm64_ Oct31 ?        00:00:00 nginx: master process nginx -g daemon off;
5 S systemd+    99    71  0  80   0 -  2164 ep_pol Oct31 ?        00:00:00 nginx: worker process
0 S root       201    57  0  80   0 -   676 pipe_w 04:54 hvc0     00:00:00 grep --color=auto nginx
root@25a725e7599e:/# ls run/
kata-containers  kata1.txt  libcontainer  lock  mount  sandbox-ns  systemd
root@25a725e7599e:/# 

容器 rootfs

root@fa55c7478feb:/# ls bin/ps
ls: cannot access 'bin/ps': No such file or directory
root@fa55c7478feb:/# ls
bin   docker-entrypoint.d   home   mnt   root  srv  usr
boot  docker-entrypoint.sh  lib    opt   run   sys  var
dev   etc                   media  proc  sbin  tmp
root@fa55c7478feb:/# ps -elf | grep nginx
bash: ps: command not found
root@fa55c7478feb:/# ls run/
lock  nginx.pid  utmp
root@fa55c7478feb:/# 

 

// CreateSandbox handles the agent's CreateSandbox request. It resets the
// in-memory sandbox state from req, loads the requested kernel modules,
// scans for guest hooks, sets up the shared namespaces, mounts the sandbox
// storages and finally configures DNS.
//
// It returns codes.AlreadyExists when the sandbox is already marked as
// running; any other error is the one reported by the failing setup step.
//
// NOTE(review): running is set to true before the fallible steps and no
// error path in this function clears it, so a failed setup leaves the
// sandbox flagged as started and a repeated CreateSandbox is refused with
// AlreadyExists. Confirm that callers destroy the sandbox after an error.
func (a *agentGRPC) CreateSandbox(ctx context.Context, req *pb.CreateSandboxRequest) (*gpb.Empty, error) {
    // A sandbox can only be created once per agent lifetime.
    if a.sandbox.running {
        return emptyResp, grpcStatus.Error(codes.AlreadyExists, "Sandbox already started, impossible to start again")
    }

    // Settings copied verbatim from the request.
    a.sandbox.hostname = req.Hostname
    a.sandbox.network.dns = req.Dns
    a.sandbox.sandboxPidNs = req.SandboxPidns

    // Empty bookkeeping for the new sandbox.
    a.sandbox.containers = make(map[string]*container)
    a.sandbox.storages = make(map[string]*sandboxStorage)
    a.sandbox.network.ifaces = make(map[string]*types.Interface)
    a.sandbox.guestHooks = &specs.Hooks{}
    a.sandbox.guestHooksPresent = false
    a.sandbox.running = true

    // The module list is taken from the request as-is; whatever validation
    // applies happens inside loadKernelModule (not visible here).
    for _, module := range req.KernelModules {
        loadErr := loadKernelModule(module)
        if loadErr != nil {
            return emptyResp, loadErr
        }
    }

    // Guest hooks are looked up only when the request names a path; no
    // result of the scan is checked here.
    if hookPath := req.GuestHookPath; hookPath != "" {
        a.sandbox.scanGuestHooks(hookPath)
    }

    // Tag every later agent log entry with the sandbox ID.
    if id := req.SandboxId; id != "" {
        a.sandbox.id = id
        agentLog = agentLog.WithField("sandbox", a.sandbox.id)
    }

    // Shared UTS and IPC namespaces for the sandbox's containers.
    nsErr := a.sandbox.setupSharedNamespaces(ctx)
    if nsErr != nil {
        return emptyResp, nsErr
    }

    // A shared PID namespace is created only on request.
    if req.SandboxPidns {
        pidNsErr := a.sandbox.setupSharedPidNs()
        if pidNsErr != nil {
            return emptyResp, pidNsErr
        }
    }

    // Mount the sandbox-level storages and remember what was mounted.
    sandboxMounts, err := addStorages(ctx, req.Storages, a.sandbox)
    if err != nil {
        return emptyResp, err
    }
    a.sandbox.mounts = sandboxMounts

    dnsErr := setupDNS(a.sandbox.network.dns)
    if dnsErr != nil {
        return emptyResp, dnsErr
    }

    return emptyResp, nil
}

 

// CreateContainer handles the agent's CreateContainer request. It prepares
// the container's devices and storages, converts the OCI spec carried by req
// into a libcontainer configuration and hands the result to
// finishCreateContainer.
//
// The results are named so that the deferred rollback below can inspect the
// final value of err: every explicit "return emptyResp, err" assigns to the
// named result, including the returns that use a shadowed local err.
//
// NOTE(review): the rollback is registered only after addDevices and
// addStorages have run, so a failure in either of them returns without
// rollbackFailingContainerCreation being called. Confirm that those helpers
// undo their own partial work.
func (a *agentGRPC) CreateContainer(ctx context.Context, req *pb.CreateContainerRequest) (resp *gpb.Empty, err error) {
    // Request validation is delegated to createContainerChecks (not shown).
    // NOTE(review): req.ContainerId is used below as the cgroup name and is
    // passed to writeSpecToFile and changeToBundlePath; confirm the checks
    // restrict it to a safe set of characters.
    if err := a.createContainerChecks(req); err != nil {
        return emptyResp, err
    }

    // re-scan PCI bus
    // looking for hidden devices
    // A failed rescan is logged as a warning and creation continues.
    if err = rescanPciBus(); err != nil {
        agentLog.WithError(err).Warn("Could not rescan PCI bus")
    }

    // Some devices need some extra processing (the ones invoked with
    // --device for instance), and that's what this call is doing. It
    // updates the devices listed in the OCI spec, so that they actually
    // match real devices inside the VM. This step is necessary since we
    // cannot predict everything from the caller.
    if err = addDevices(ctx, req.Devices, req.OCI, a.sandbox); err != nil {
        return emptyResp, err
    }

    // Both rootfs and volumes (invoked with --volume for instance) will
    // be processed the same way. The idea is to always mount any provided
    // storage to the specified MountPoint, so that it will match what's
    // inside oci.Mounts.
    // After all those storages have been processed, no matter the order
    // here, the agent will rely on libcontainer (using the oci.Mounts
    // list) to bind mount all of them inside the container.
    mountList, err := addStorages(ctx, req.Storages, a.sandbox)
    if err != nil {
        return emptyResp, err
    }

    // In-memory record of the container; it is what the rollback receives.
    ctr := &container{
        id:              req.ContainerId,
        processes:       make(map[string]*process),
        mounts:          mountList,
        useSandboxPidNs: req.SandboxPidns,
        agentPidNs:      req.AgentPidns,
        ctx:             ctx,
    }

    // In case the container creation failed, make sure we cleanup
    // properly by rolling back the actions previously performed.
    // The closure reads the named result err, so it sees the value set by
    // whichever return statement ends the function.
    defer func() {
        if err != nil {
            a.rollbackFailingContainerCreation(ctr)
        }
    }()

    // Add the nvdimm root partition to the device cgroup to prevent access
    // No result of this call is checked here.
    updateDeviceCgroupForGuestRootfs(req.OCI)

    // Convert the spec to an actual OCI specification structure.
    ociSpec, err := pb.GRPCtoOCI(req.OCI)
    if err != nil {
        return emptyResp, err
    }

    if err := a.handleCPUSet(ociSpec); err != nil {
        return emptyResp, err
    }

    if err := a.applyNetworkSysctls(ociSpec); err != nil {
        return emptyResp, err
    }

    if a.sandbox.guestHooksPresent {
        // Add any custom OCI hooks to the spec
        a.sandbox.addGuestHooks(ociSpec)

        // write the OCI spec to a file so that hooks can read it
        err = writeSpecToFile(ociSpec, req.ContainerId)
        if err != nil {
            return emptyResp, err
        }

        // Change cwd because libcontainer assumes the bundle path is the cwd:
        // https://github.com/opencontainers/runc/blob/v1.0.0-rc5/libcontainer/specconv/spec_linux.go#L157
        // This err is local to the if block; the explicit return still sets
        // the named result.
        oldcwd, err := changeToBundlePath(ociSpec, req.ContainerId)
        if err != nil {
            return emptyResp, err
        }
        // Restores the previous cwd when the function returns; the error
        // from os.Chdir is discarded. Deferred calls run last-in first-out,
        // so this runs before the rollback closure registered above.
        // NOTE(review): the working directory is process-wide, so other
        // goroutines see the bundle path until then; confirm that requests
        // touching the cwd are serialized.
        defer os.Chdir(oldcwd)
    }

    // Convert the OCI specification into a libcontainer configuration.
    // NOTE(review): NoNewKeyring presumably tells libcontainer not to create
    // a fresh session keyring for the container; confirm that sharing the
    // keyring is intended.
    config, err := specconv.CreateLibcontainerConfig(&specconv.CreateOpts{
        CgroupName:   req.ContainerId,
        NoNewKeyring: true,
        Spec:         ociSpec,
        NoPivotRoot:  a.sandbox.noPivotRoot,
    })
    if err != nil {
        return emptyResp, err
    }

    // apply rlimits
    // NOTE(review): ociSpec.Process is dereferenced without a nil check
    // here; presumably an earlier step guarantees it is set - verify.
    config.Rlimits = posixRlimitsToRlimits(ociSpec.Process.Rlimits)

    // Update libcontainer configuration for specific cases not handled
    // by the specconv converter.
    if err = a.updateContainerConfig(ociSpec, config, ctr); err != nil {
        return emptyResp, err
    }

    // The final step's results become the named results, so a failure there
    // also triggers the deferred rollback.
    return a.finishCreateContainer(ctr, req, config)
}

 

root@ubuntu:~# ls kata
go  go1.15.2.linux-arm64.tar.gz  go_package  go_source  go.tar.gz  images  kata_package  linux_signing_key.pub  nemu  qemu  qemu4.0  qemu-lite  runtime  typescript
root@ubuntu:~# docker run -d -it --runtime=kata-runtime -v  /root/kata/:/containerdir nginx:latest

 

虚拟机

root@25a725e7599e:/# 
root@25a725e7599e:/# find ./ -name containerdir
./run/kata-containers/shared/containers/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc/rootfs/containerdir
root@25a725e7599e:/# ls run/kata-containers/shared/containers/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc/rootfs/containerdir
root@25a725e7599e:/# 
root@25a725e7599e:/# ls run/kata-containers/shared/containers/*/rootfs         --------容器的
bin           dev                   etc   media  proc  sbin  tmp
boot          docker-entrypoint.d   home  mnt    root  srv   usr
containerdir  docker-entrypoint.sh  lib   opt    run   sys   var
root@25a725e7599e:/# ls run/kata-containers/shared/containers/*/rootfs/containerdir
root@25a725e7599e:/# 
root@25a725e7599e:/# 

 

root@25a725e7599e:/# find ./run/kata-containers -name  go.tar.gz
./run/kata-containers/shared/containers/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc-da0bf2558a65810c-containerdir/go.tar.gz
root@25a725e7599e:/# 

 

root@25a725e7599e:/# ls run/
kata-containers  libcontainer  lock  mount  sandbox-ns  systemd
root@25a725e7599e:/# ls run/libcontainer/
ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc
root@25a725e7599e:/# ls run/libcontainer/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc/
ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc
root@25a725e7599e:/# 
root@25a725e7599e:/# 
root@25a725e7599e:/# 
root@25a725e7599e:/# ls run/libcontainer/*/
ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc
root@25a725e7599e:/# ls run/libcontainer/*/*/
state.json
root@25a725e7599e:/# ls run/sandbox-ns/
ipc  uts
root@25a725e7599e:/# 

 

root@25a725e7599e:/# cat run/libcontainer/*/*/state.json
{"id":"ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc","init_process_pid":71,"init_process_start":76,"created":"2020-11-01T05:01:25.22615616Z","config":{"no_pivot_root":false,"parent_death_signal":0,"rootfs":"/run/kata-containers/shared/containers/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc/rootfs","readonlyfs":false,"rootPropagation":0,"mounts":[{"source":"proc","destination":"/proc","device":"proc","flags":14,"propagation_flags":null,"data":"","relabel":"","extensions":0,"premount_cmds":null,"postmount_cmds":null},{"source":"tmpfs","destination":"/dev","device":"tmpfs","flags":16777218,"propagation_flags":null,"data":"mode=755,size=65536k","relabel":"","extensions":0,"premount_cmds":null,"postmount_cmds":null},{"source":"devpts","destination":"/dev/pts","device":"devpts","flags":10,"propagation_flags":null,"data":"newinstance,ptmxmode=0666,mode=0620,gid=5","relabel":"","extensions":0,"premount_cmds":null,"postmount_cmds":null},{"source":"sysfs","destination":"/sys","device":"sysfs","flags":15,"propagation_flags":null,"data":"","relabel":"","extensions":0,"premount_cmds":null,"postmount_cmds":null},{"source":"cgroup","destination":"/sys/fs/cgroup","device":"cgroup","flags":15,"propagation_flags":null,"data":"","relabel":"","extensions":0,"premount_cmds":null,"postmount_cmds":null},{"source":"mqueue","destination":"/dev/mqueue","device":"mqueue","flags":14,"propagation_flags":null,"data":"","relabel":"","extensions":0,"premount_cmds":null,"postmount_cmds":null},{"source":"/run/kata-containers/sandbox/shm","destination":"/dev/shm","device":"bind","flags":20480,"propagation_flags":null,"data":"","relabel":"","extensions":0,"premount_cmds":null,"postmount_cmds":null},{"source":"/run/kata-containers/shared/containers/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc-da0bf2558a65810c-containerdir",

"destination":"/containerdir","device":"bind","flags":20480,"propagation_flags":[278528],"data":"","relabel":"","extensions":0,"premount_cmds":null,"postmount_cmds":null},{"source":"/run/kata-containers/shared/containers/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc-f7faba68233284cf-resolv.conf","destination":"/etc/resolv.conf","device":"bind","flags":20480,"propagation_flags":[278528],"data":"","relabel":"","extensions":0,"premount_cmds":null,"postmount_cmds":null},{"source":"/run/kata-containers/shared/containers/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc-5043e8bb14e2574a-hostname","destination":"/etc/hostname","device":"bind","flags":20480,"propagation_flags":[278528],"data":"","relabel":"","extensions":0,"premount_cmds":null,"postmount_cmds":null},{"source":"/run/kata-containers/shared/containers/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc-ed8c152bff649fc4-hosts","destination":"/etc/hosts","device":"bind","flags":20480,"propagation_flags":[278528],"data":"","relabel":"","extensions":0,"premount_cmds":null,"postmount_cmds":null}],"devices":[{"type":99,"path":"/dev/null","major":1,"minor":3,"permissions":"","file_mode":438,"uid":0,"gid":0,"allow":false},{"type":99,"path":"/dev/random","major":1,"minor":8,"permissions":"","file_mode":438,"uid":0,"gid":0,"allow":false},{"type":99,"path":"/dev/full","major":1,"minor":7,"permissions":"","file_mode":438,"uid":0,"gid":0,"allow":false},{"type":99,"path":"/dev/tty","major":5,"minor":0,"permissions":"","file_mode":438,"uid":0,"gid":0,"allow":false},{"type":99,"path":"/dev/zero","major":1,"minor":5,"permissions":"","file_mode":438,"uid":0,"gid":0,"allow":false},{"type":99,"path":"/dev/urandom","major":1,"minor":9,"permissions":"","file_mode":438,"uid":0,"gid":0,"allow":false}],"mount_label":"","hostname":"ef4b70596e0b","namespaces":[{"type":"NEWNS","path":""},
{"type":"NEWUTS","path":"/var/run/sandbox-ns/uts"},{"type":"NEWIPC","path":"/var/run/sandbox-ns/ipc"},{"type":"NEWPID","path":""}],"capabilities":{"Bounding":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Effective":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Inheritable":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Permitted":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Ambient":[]},"networks":null,"routes":null,"cgroups":{"path":"/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc","scope_prefix":"","Paths":null,"allowed_devices":[{"type":99,"path":"","major":-1,"minor":-1,"permissions":"m","file_mode":0,"uid":0,"gid":0,"allow":true},{"type":98,"path":"","major":-1,"minor":-1,"permissions":"m","file_mode":0,"uid":0,"gid":0,"allow":true},{"type":99,"path":"/dev/null","major":1,"minor":3,"permissions":"rwm","file_mode":0,"uid":0,"gid":0,"allow":true},{"type":99,"path":"/dev/random","major":1,"minor":8,"permissions":"rwm","file_mode":0,"uid":0,"gid":0,"allow":true},{"type":99,"path":"/dev/full","major":1,"minor":7,"permissions":"rwm","file_mode":0,"uid":0,"gid":0,"allow":true},{"type":99,"path":"/dev/tty","major":5,"minor":0,"permissions":"rwm","file_mode":0,"uid":0,"gid":0,"allow":true},{"type":99,"path":"/dev/zero","major":1,"minor":5,"permissions":"rwm","file_mode":0,"uid":0,"gid":0,"allow":true},{"ty
pe":99,"path":"/dev/urandom","major":1,"minor":9,"permissions":"rwm","file_mode":0,"uid":0,"gid":0,"allow":true},{"type":99,"path":"/dev/console","major":5,"minor":1,"permissions":"rwm","file_mode":0,"uid":0,"gid":0,"allow":true},
{"type":99,"path":"","major":136,"minor":-1,"permissions":"rwm","file_mode":0,"uid":0,"gid":0,"allow":true},
{"type":99,"path":"","major":5,"minor":2,"permissions":"rwm","file_mode":0,"uid":0,"gid":0,"allow":true},{"type":99,"path":"","major":10,"minor":200,"permissions":"rwm","file_mode":0,"uid":0,"gid":0,"allow":true}],"devices":[{"type":98,"path":"","major":254,"minor":1,"permissions":"rw","file_mode":0,"uid":0,"gid":0,"allow":false},
{"type":99,"path":"","major":-1,"minor":-1,"permissions":"m","file_mode":0,"uid":0,"gid":0,"allow":true},
{"type":98,"path":"","major":-1,"minor":-1,"permissions":"m","file_mode":0,"uid":0,"gid":0,"allow":true},{"type":99,"path":"/dev/null","major":1,"minor":3,"permissions":"rwm","file_mode":0,"uid":0,"gid":0,"allow":true},{"type":99,"path":"/dev/random","major":1,"minor":8,"permissions":"rwm","file_mode":0,"uid":0,"gid":0,"allow":true},{"type":99,"path":"/dev/full","major":1,"minor":7,"permissions":"rwm","file_mode":0,"uid":0,"gid":0,"allow":true},{"type":99,"path":"/dev/tty","major":5,"minor":0,"permissions":"rwm","file_mode":0,"uid":0,"gid":0,"allow":true},{"type":99,"path":"/dev/zero","major":1,"minor":5,"permissions":"rwm","file_mode":0,"uid":0,"gid":0,"allow":true},{"type":99,"path":"/dev/urandom","major":1,"minor":9,"permissions":"rwm","file_mode":0,"uid":0,"gid":0,"allow":true},{"type":99,"path":"/dev/console","major":5,"minor":1,"permissions":"rwm","file_mode":0,"uid":0,"gid":0,"allow":true},{"type":99,"path":"","major":136,"minor":-1,"permissions":"rwm","file_mode":0,"uid":0,"gid":0,"allow":true},{"type":99,"path":"","major":5,"minor":2,"permissions":"rwm","file_mode":0,"uid":0,"gid":0,"allow":true},{"type":99,"path":"","major":10,"minor":200,"permissions":"rwm","file_mode":0,"uid":0,"gid":0,"allow":true}],"memory":0,"memory_reservation":0,"memory_swap":0,"kernel_memory":0,"kernel_memory_tcp":0,"cpu_shares":0,"cpu_quota":0,"cpu_period":0,"cpu_rt_quota":0,"cpu_rt_period":0,"cpuset_cpus":"","cpuset_mems":"","pids_limit":0,"blkio_weight":0,"blkio_leaf_weight":0,"blkio_weight_device":null,"blkio_throttle_read_bps_device":null,"blkio_throttle_write_bps_device":null,"blkio_throttle_read_iops_device":null,"blkio_throttle_write_iops_device":null,"freezer":"","hugetlb_limit":null,"oom_kill_disable":false,"memory_swappiness":0,"net_prio_ifpriomap":null,"net_cls_classid_u":0,"cpu_weight":0,"cpu_max":""},"oom_score_adj":0,"uid_mappings":null,"gid_mappings":null,"mask_paths":["/proc/asound","/proc/acpi","/proc/kcore","/proc/keys","/proc/latency_stats","/proc/timer_list","/
proc/timer_stats","/proc/sched_debug","/proc/scsi","/sys/firmware"],"readonly_paths":["/proc/bus","/proc/fs","/proc/irq","/proc/sys","/proc/sysrq-trigger"],"sysctl":{},"seccomp":null,"Hooks":{"poststart":null,"poststop":null,"prestart":null},
"version":"1.0.1-dev","labels":["bundle=/"],"no_new_keyring":true},"rootless":false,"cgroup_paths":
{"blkio":"/sys/fs/cgroup/blkio/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc",

"cpu":"/sys/fs/cgroup/cpu,cpuacct/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc",
"cpuacct":"/sys/fs/cgroup/cpu,cpuacct/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc",
"cpuset":"/sys/fs/cgroup/cpuset/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc",
"devices":"/sys/fs/cgroup/devices/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc",
"freezer":"/sys/fs/cgroup/freezer/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc",
"memory":"/sys/fs/cgroup/memory/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc",
"name=systemd":"/sys/fs/cgroup/systemd/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc",
"net_cls":"/sys/fs/cgroup/net_cls,net_prio/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc",
"net_prio":"/sys/fs/cgroup/net_cls,net_prio/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc",
"perf_event":"/sys/fs/cgroup/perf_event/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc",
"pids":"/sys/fs/cgroup/pids/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc"},

"namespace_paths":{"NEWCGROUP":"/proc/71/ns/cgroup",

"NEWIPC":"/proc/71/ns/ipc","NEWNET":"/proc/71/ns/net",

"NEWNS":"/proc/71/ns/mnt","NEWPID":"/proc/71/ns/pid","NEWUSER":"/proc/71/ns/user",

"NEWUTS":"/proc/71/ns/uts"},"external_descriptors":["/dev/null","/dev/null","/dev/null"],"intel_rdt_path":""}
root@25a725e7599e:/#
root@25a725e7599e:/# ps -elf | grep 71
4 S root        71    50  0  80   0 -  2069 arm64_ 05:01 ?        00:00:00 nginx: master process nginx -g daemon off;
5 S systemd+    99    71  0  80   0 -  2164 ep_pol 05:01 ?        00:00:00 nginx: worker process
0 S root       166    57  0  80   0 -   676 pipe_w 05:25 hvc0     00:00:00 grep --color=auto 71
root@25a725e7599e:/# 


root@25a725e7599e:/# cat /proc/71/cgroup   
10:pids:/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc
9:perf_event:/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc
8:cpu,cpuacct:/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc
7:blkio:/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc
6:net_cls,net_prio:/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc
5:freezer:/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc
4:cpuset:/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc
3:devices:/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc
2:memory:/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc
1:name=systemd:/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc
0::/system.slice/kata-agent.service
root@25a725e7599e:/# cat /proc/99/cgroup  
10:pids:/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc
9:perf_event:/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc
8:cpu,cpuacct:/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc
7:blkio:/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc
6:net_cls,net_prio:/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc
5:freezer:/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc
4:cpuset:/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc
3:devices:/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc
2:memory:/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc
1:name=systemd:/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc
0::/system.slice/kata-agent.service
root@25a725e7599e:/# 
root@25a725e7599e:/# ls /sys/fs/cgroup/memory/docker/  
cgroup.clone_children
cgroup.event_control
cgroup.procs
ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc
memory.failcnt
memory.force_empty
memory.kmem.failcnt
memory.kmem.limit_in_bytes
memory.kmem.max_usage_in_bytes
memory.kmem.slabinfo
memory.kmem.tcp.failcnt
memory.kmem.tcp.limit_in_bytes
memory.kmem.tcp.max_usage_in_bytes
memory.kmem.tcp.usage_in_bytes
memory.kmem.usage_in_bytes
memory.limit_in_bytes
memory.max_usage_in_bytes
memory.memsw.failcnt
memory.memsw.limit_in_bytes
memory.memsw.max_usage_in_bytes
memory.memsw.usage_in_bytes
memory.move_charge_at_immigrate
memory.oom_control
memory.pressure_level
memory.soft_limit_in_bytes
memory.stat
memory.swappiness
memory.usage_in_bytes
memory.use_hierarchy
notify_on_release
tasks
root@25a725e7599e:/#

 

 

root@25a725e7599e:/# ls /sys/fs/cgroup/cpu,cpuacct/docker/
cgroup.clone_children
cgroup.procs
cpu.cfs_period_us
cpu.cfs_quota_us
cpu.shares
cpu.stat
cpuacct.stat
cpuacct.usage
cpuacct.usage_all
cpuacct.usage_percpu
cpuacct.usage_percpu_sys
cpuacct.usage_percpu_user
cpuacct.usage_sys
cpuacct.usage_user
ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc
notify_on_release
tasks
root@25a725e7599e:/#

 

root@25a725e7599e:/# ls /sys/fs/cgroup/cpu,cpuacct/docker/e*/
cgroup.clone_children  cpuacct.stat               cpuacct.usage_sys
cgroup.procs           cpuacct.usage              cpuacct.usage_user
cpu.cfs_period_us      cpuacct.usage_all          notify_on_release
cpu.cfs_quota_us       cpuacct.usage_percpu       tasks
cpu.shares             cpuacct.usage_percpu_sys
cpu.stat               cpuacct.usage_percpu_user
root@25a725e7599e:/# 

 

docker 容器

root@ubuntu:~# docker exec -it pensive_meninsky sh
# ls
bin           dev                   etc   media  proc  sbin  tmp
boot          docker-entrypoint.d   home  mnt    root  srv   usr
containerdir  docker-entrypoint.sh  lib   opt    run   sys   var
# ls con        ^H^H^H^H
ls: cannot access 'con': No such file or directory
ls: cannot access ''$'\b\b\b\b': No such file or directory
# ls containerdir
go                           go_source              nemu       runtime
go.tar.gz                    images                 qemu       typescript
go1.15.2.linux-arm64.tar.gz  kata_package           qemu-lite
go_package                   linux_signing_key.pub  qemu4.0
# 

 


 

posted on 2020-11-01 12:59  tycoon3