Merge pull request #224 from Netflix/run-tmpfs

Mount /run as tmpfs, and default to 128MiB of size
Netflix · Feb 12, 2019 · 91a8bed · 91a8bed
2 parents 697d762 + 9b9386a
commit 91a8bed
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 0 deletions.
diff --git a/executor/mock/jobrunner.go b/executor/mock/jobrunner.go
@@ -64,6 +64,8 @@ type JobInput struct {
 	Tty bool
 	// MetatronEnabled enables running with the metatron sidecar container
 	MetatronEnabled bool
+	// Mem sets the memory resource attribute in MiB
+	Mem *int64
 }
 
 // JobRunResponse returned from RunJob
@@ -303,6 +305,9 @@ func (jobRunner *JobRunner) StartJob(jobInput *JobInput) *JobRunResponse { // no
 		cpu = *jobInput.CPU
 	}
 	memMiB := int64(400)
+	if jobInput.Mem != nil {
+		memMiB = *jobInput.Mem
+	}
 	diskMiB := uint64(100)
 
 	// Get a reference to the executor and somewhere to stash results

diff --git a/executor/mock/standalone/standalone_test.go b/executor/mock/standalone/standalone_test.go
@@ -140,6 +140,7 @@ func TestStandalone(t *testing.T) {
 		testTtyNegative,
 		testCachedDockerPull,
 		testMetatron,
+		testRunTmpFsMount,
 	}
 	for _, fun := range testFunctions {
 		fullName := runtime.FuncForPC(reflect.ValueOf(fun).Pointer()).Name()
@@ -961,3 +962,18 @@ func testMetatron(t *testing.T, jobID string) {
 		t.Fail()
 	}
 }
+
+// Test that `/run` is a tmpfs mount, and has the default size
+func testRunTmpFsMount(t *testing.T, jobID string) {
+	var mem int64 = 256
+	ji := &mock.JobInput{
+		ImageName:     ubuntu.name,
+		Version:       ubuntu.tag,
+		Mem:           &mem,
+		EntrypointOld: `/bin/bash -c 'findmnt -l -t tmpfs -o target,size | grep -e "/run[^/]" | grep 128M'`,
+		JobID:         jobID,
+	}
+	if !mock.RunJobExpectingSuccess(ji) {
+		t.Fail()
+	}
+}
diff --git a/executor/runtime/docker/docker.go b/executor/runtime/docker/docker.go
@@ -59,6 +59,7 @@ const (
 	builtInDiskBuffer       = 1100 // In megabytes, includes extra space for /logs.
 	defaultNetworkBandwidth = 128 * MB
 	defaultKillWait         = 10 * time.Second
+	defaultRunTmpFsSize     = "134217728" // 128 MiB
 	trueString              = "true"
 	jumboFrameParam         = "titusParameter.agent.allowNetworkJumbo"
 )
@@ -484,6 +485,11 @@ func (r *DockerRuntime) dockerConfig(c *runtimeTypes.Container, binds []string,
 	// Maybe set cfs bandwidth has to be called _after_
 	maybeSetCFSBandwidth(r.dockerCfg.cfsBandwidthPeriod, c, hostCfg)
 
+	// Always setup tmpfs: it's needed to ensure Metatron credentials don't persist across reboots and for SystemD to work
+	hostCfg.Tmpfs = map[string]string{
+		"/run": "rw,noexec,nosuid,size=" + defaultRunTmpFsSize,
+	}
+
 	if r.storageOptEnabled {
 		hostCfg.StorageOpt = map[string]string{
 			"size": fmt.Sprintf("%dM", c.Resources.Disk+builtInDiskBuffer+uint64(imageSize/MiB)),