From 1034cd29fac5a044a506be25c056fc857e5f291c Mon Sep 17 00:00:00 2001
From: Ihar Hrachyshka <ihrachys@redhat.com>
Date: Thu, 15 Aug 2019 13:23:30 -0700
Subject: [PATCH 1/6] Use syscall.Setrlimit instead of direct RawSyscall6

This syscall is implemented in libraries we use anyway, so we can
easily avoid dealing with unsafe pointers etc.
---
 cmd/chroot/main.go | 15 ++++++---------
 1 file changed, 6 insertions(+), 9 deletions(-)

diff --git a/cmd/chroot/main.go b/cmd/chroot/main.go
index 457d4683f380..0e552fa2f2a0 100644
--- a/cmd/chroot/main.go
+++ b/cmd/chroot/main.go
@@ -8,7 +8,6 @@ import (
 	"strconv"
 	"strings"
 	"syscall"
-	"unsafe"
 
 	"github.com/spf13/cobra"
 	"golang.org/x/sys/unix"
@@ -61,10 +60,9 @@ func main() {
 					Cur: uint64(cpuTime),
 					Max: uint64(cpuTime),
 				}
-				// PID 0 means that we assign the limit to us, all commands will inherit it
-				_, _, e1 := syscall.RawSyscall6(syscall.SYS_PRLIMIT64, uintptr(0), uintptr(unix.RLIMIT_CPU), uintptr(unsafe.Pointer(value)), 0, 0, 0)
-				if e1 != 0 {
-					return fmt.Errorf("error setting prlimit on cpu time with value %d: %v", value, e1)
+				err := syscall.Setrlimit(unix.RLIMIT_CPU, value)
+				if err != nil {
+					return fmt.Errorf("error setting prlimit on cpu time with value %d: %v", value, err)
 				}
 			}
 
@@ -73,10 +71,9 @@ func main() {
 					Cur: uint64(megabyte) * 1000000,
 					Max: uint64(megabyte) * 1000000,
 				}
-				// PID 0 means that we assign the limit to us, all commands will inherit it
-				_, _, e1 := syscall.RawSyscall6(syscall.SYS_PRLIMIT64, uintptr(0), uintptr(unix.RLIMIT_AS), uintptr(unsafe.Pointer(value)), 0, 0, 0)
-				if e1 != 0 {
-					return fmt.Errorf("error setting prlimit on virtual memory with value %d: %v", value, e1)
+				err := syscall.Setrlimit(unix.RLIMIT_AS, value)
+				if err != nil {
+					return fmt.Errorf("error setting prlimit on virtual memory with value %d: %v", value, err)
 				}
 			}
 

From dc7fa755b2f8ba8c5c50a094a2ff632cc6755903 Mon Sep 17 00:00:00 2001
From: Ihar Hrachyshka <ihrachys@redhat.com>
Date: Tue, 6 Aug 2019 13:47:33 -0700
Subject: [PATCH 2/6] Remove SYS_RESOURCE capability from launcher pod

Instead, set the (unlimited) limit for libvirtd from handler pod that
is already privileged.
---
 go.mod                                        |   1 +
 go.sum                                        |   2 +
 pkg/virt-controller/services/template.go      |   7 -
 pkg/virt-handler/isolation/BUILD.bazel        |   2 +
 .../isolation/generated_mock_isolation.go     |  10 +
 pkg/virt-handler/isolation/isolation.go       |  61 ++++
 pkg/virt-handler/vm.go                        |   5 +
 pkg/virt-handler/vm_test.go                   |  22 +-
 pkg/virt-operator/creation/components/scc.go  |   2 +-
 vendor/github.com/mitchellh/go-ps/.gitignore  |   1 +
 vendor/github.com/mitchellh/go-ps/.travis.yml |   4 +
 vendor/github.com/mitchellh/go-ps/BUILD.bazel |  17 ++
 vendor/github.com/mitchellh/go-ps/LICENSE.md  |  21 ++
 vendor/github.com/mitchellh/go-ps/README.md   |  34 +++
 vendor/github.com/mitchellh/go-ps/Vagrantfile |  43 +++
 vendor/github.com/mitchellh/go-ps/process.go  |  40 +++
 .../mitchellh/go-ps/process_darwin.go         | 138 ++++++++++
 .../mitchellh/go-ps/process_freebsd.go        | 260 ++++++++++++++++++
 .../mitchellh/go-ps/process_linux.go          |  35 +++
 .../mitchellh/go-ps/process_solaris.go        |  96 +++++++
 .../mitchellh/go-ps/process_unix.go           | 101 +++++++
 .../mitchellh/go-ps/process_windows.go        | 119 ++++++++
 vendor/modules.txt                            |  28 +-
 23 files changed, 1027 insertions(+), 22 deletions(-)
 create mode 100644 vendor/github.com/mitchellh/go-ps/.gitignore
 create mode 100644 vendor/github.com/mitchellh/go-ps/.travis.yml
 create mode 100644 vendor/github.com/mitchellh/go-ps/BUILD.bazel
 create mode 100644 vendor/github.com/mitchellh/go-ps/LICENSE.md
 create mode 100644 vendor/github.com/mitchellh/go-ps/README.md
 create mode 100644 vendor/github.com/mitchellh/go-ps/Vagrantfile
 create mode 100644 vendor/github.com/mitchellh/go-ps/process.go
 create mode 100644 vendor/github.com/mitchellh/go-ps/process_darwin.go
 create mode 100644 vendor/github.com/mitchellh/go-ps/process_freebsd.go
 create mode 100644 vendor/github.com/mitchellh/go-ps/process_linux.go
 create mode 100644 vendor/github.com/mitchellh/go-ps/process_solaris.go
 create mode 100644 vendor/github.com/mitchellh/go-ps/process_unix.go
 create mode 100644 vendor/github.com/mitchellh/go-ps/process_windows.go

diff --git a/go.mod b/go.mod
index b7e7d63c649b..a477f1c4c3d7 100644
--- a/go.mod
+++ b/go.mod
@@ -39,6 +39,7 @@ require (
 	github.com/libvirt/libvirt-go v5.0.0+incompatible
 	github.com/mattn/go-colorable v0.1.1 // indirect
 	github.com/mattn/go-runewidth v0.0.0-20181218000649-703b5e6b11ae // indirect
+	github.com/mitchellh/go-ps v0.0.0-20190716172923-621e5597135b
 	github.com/onsi/ginkgo v1.8.0
 	github.com/onsi/gomega v1.5.1-0.20190515112211-6a48b4839f85
 	github.com/openshift/api v3.9.1-0.20190401220125-3a6077f1f910+incompatible
diff --git a/go.sum b/go.sum
index fab0bea414a3..fa6f25cad09a 100644
--- a/go.sum
+++ b/go.sum
@@ -194,6 +194,8 @@ github.com/mattn/go-sqlite3 v1.10.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsO
 github.com/matttproud/golang_protobuf_extensions v1.0.1 h1:4hp9jkHxhMHkqkrB3Ix0jegS5sx/RkqARlsWZ6pIwiU=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/maxbrunsfeld/counterfeiter v0.0.0-20181017030959-1aadac120687/go.mod h1:aoVsckWnsNzazwF2kmD+bzgdr4GBlbK91zsdivQJ2eU=
+github.com/mitchellh/go-ps v0.0.0-20190716172923-621e5597135b h1:9+ke9YJ9KGWw5ANXK6ozjoK47uI3uNbXv4YVINBnGm8=
+github.com/mitchellh/go-ps v0.0.0-20190716172923-621e5597135b/go.mod h1:r1VsdOzOPt1ZSrGZWFoNhsAedKnEd6r9Np1+5blZCWk=
 github.com/mitchellh/mapstructure v1.1.2 h1:fmNYVwqnSfB9mZU6OS2O6GsXM+wcskZDuKQzvN1EDeE=
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
diff --git a/pkg/virt-controller/services/template.go b/pkg/virt-controller/services/template.go
index a7a90c40ddc5..8a5707c8a093 100644
--- a/pkg/virt-controller/services/template.go
+++ b/pkg/virt-controller/services/template.go
@@ -60,7 +60,6 @@ const GenieNetworksAnnotation = "cni"
 
 const CAP_NET_ADMIN = "NET_ADMIN"
 const CAP_SYS_NICE = "SYS_NICE"
-const CAP_SYS_RESOURCE = "SYS_RESOURCE"
 
 // LibvirtStartupDelay is added to custom liveness and readiness probes initial delay value.
 // Libvirt needs roughly 10 seconds to start.
@@ -945,12 +944,6 @@ func getRequiredCapabilities(vmi *v1.VirtualMachineInstance) []k8sv1.Capability
 	}
 	// add a CAP_SYS_NICE capability to allow setting cpu affinity
 	res = append(res, CAP_SYS_NICE)
-
-	if isSRIOVVmi(vmi) {
-		// this capability is needed for libvirt to be able to change ulimits for device passthrough:
-		// "error : cannot limit locked memory to 2098200576: Operation not permitted"
-		res = append(res, CAP_SYS_RESOURCE)
-	}
 	return res
 }
 
diff --git a/pkg/virt-handler/isolation/BUILD.bazel b/pkg/virt-handler/isolation/BUILD.bazel
index 4ff5a1bba3c9..6a32631ae04a 100644
--- a/pkg/virt-handler/isolation/BUILD.bazel
+++ b/pkg/virt-handler/isolation/BUILD.bazel
@@ -15,6 +15,8 @@ go_library(
         "//staging/src/kubevirt.io/client-go/api/v1:go_default_library",
         "//staging/src/kubevirt.io/client-go/log:go_default_library",
         "//vendor/github.com/golang/mock/gomock:go_default_library",
+        "//vendor/github.com/mitchellh/go-ps:go_default_library",
+        "//vendor/golang.org/x/sys/unix:go_default_library",
     ],
 )
 
diff --git a/pkg/virt-handler/isolation/generated_mock_isolation.go b/pkg/virt-handler/isolation/generated_mock_isolation.go
index ad98ad9bf604..37c5f32b3a9b 100644
--- a/pkg/virt-handler/isolation/generated_mock_isolation.go
+++ b/pkg/virt-handler/isolation/generated_mock_isolation.go
@@ -61,3 +61,13 @@ func (_m *MockPodIsolationDetector) Whitelist(controller []string) PodIsolationD
 func (_mr *_MockPodIsolationDetectorRecorder) Whitelist(arg0 interface{}) *gomock.Call {
 	return _mr.mock.ctrl.RecordCall(_mr.mock, "Whitelist", arg0)
 }
+
+func (_m *MockPodIsolationDetector) AdjustResources(vm *v1.VirtualMachineInstance) error {
+	ret := _m.ctrl.Call(_m, "AdjustResources", vm)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+func (_mr *_MockPodIsolationDetectorRecorder) AdjustResources(arg0 interface{}) *gomock.Call {
+	return _mr.mock.ctrl.RecordCall(_mr.mock, "AdjustResources", arg0)
+}
diff --git a/pkg/virt-handler/isolation/isolation.go b/pkg/virt-handler/isolation/isolation.go
index 2c1d4bb95ef8..399be4a40e72 100644
--- a/pkg/virt-handler/isolation/isolation.go
+++ b/pkg/virt-handler/isolation/isolation.go
@@ -35,6 +35,11 @@ import (
 	"path/filepath"
 	"strings"
 	"syscall"
+	"unsafe"
+
+	"golang.org/x/sys/unix"
+
+	ps "github.com/mitchellh/go-ps"
 
 	v1 "kubevirt.io/client-go/api/v1"
 	"kubevirt.io/client-go/log"
@@ -53,6 +58,9 @@ type PodIsolationDetector interface {
 	// Whitelist allows specifying cgroup controller which should be considered to detect the cgroup slice
 	// It returns a PodIsolationDetector to allow configuring the PodIsolationDetector via the builder pattern.
 	Whitelist(controller []string) PodIsolationDetector
+
+	// Adjust system resources to run the passed VM
+	AdjustResources(vm *v1.VirtualMachineInstance) error
 }
 
 type MountInfo struct {
@@ -120,6 +128,59 @@ func (s *socketBasedIsolationDetector) Detect(vm *v1.VirtualMachineInstance) (*I
 	return NewIsolationResult(pid, slice, controller), nil
 }
 
+// standard golang libraries don't provide API to set runtime limits
+// for other processes, so we have to directly call to kernel
+func prLimit(pid int, limit uintptr, rlimit *unix.Rlimit) error {
+	_, _, errno := unix.RawSyscall6(unix.SYS_PRLIMIT64,
+		uintptr(pid),
+		limit,
+		uintptr(unsafe.Pointer(rlimit)),
+		0, 0, 0)
+	if errno != 0 {
+		return fmt.Errorf("Error setting prlimit: %v", errno)
+	}
+	return nil
+}
+
+func (s *socketBasedIsolationDetector) AdjustResources(vm *v1.VirtualMachineInstance) error {
+	// bump memlock ulimit for libvirtd
+	res, err := s.Detect(vm)
+	if err != nil {
+		return err
+	}
+	launcherPid := res.Pid()
+
+	processes, err := ps.Processes()
+	if err != nil {
+		return fmt.Errorf("failed to get all processes: %v", err)
+	}
+
+	for _, process := range processes {
+		// consider all processes that are virt-launcher children
+		if process.PPid() != launcherPid {
+			continue
+		}
+
+		// libvirtd process sets the memory lock limit before fork/exec-ing into qemu
+		if process.Executable() != "libvirtd" {
+			continue
+		}
+
+		// TODO estimate actual memory size needed
+		rLimit := unix.Rlimit{
+			Max: unix.RLIM_INFINITY,
+			Cur: unix.RLIM_INFINITY,
+		}
+		err = prLimit(process.Pid(), unix.RLIMIT_MEMLOCK, &rLimit)
+		if err != nil {
+			return fmt.Errorf("failed to set rlimit for memory lock: %v", err)
+		}
+		// we assume a single process should match
+		break
+	}
+	return nil
+}
+
 func NewIsolationResult(pid int, slice string, controller []string) *IsolationResult {
 	return &IsolationResult{pid: pid, slice: slice, controller: controller}
 }
diff --git a/pkg/virt-handler/vm.go b/pkg/virt-handler/vm.go
index c01612122e45..0b24019d47e9 100644
--- a/pkg/virt-handler/vm.go
+++ b/pkg/virt-handler/vm.go
@@ -1414,6 +1414,11 @@ func (d *VirtualMachineController) processVmUpdate(origVMI *v1.VirtualMachineIns
 			}
 		}
 
+		err = d.podIsolationDetector.AdjustResources(vmi)
+		if err != nil {
+			return fmt.Errorf("failed to adjust resources: %v", err)
+		}
+
 		options := &cmdv1.VirtualMachineOptions{
 			VirtualMachineSMBios: &cmdv1.SMBios{
 				Family:       d.clusterConfig.GetSMBIOS().Family,
diff --git a/pkg/virt-handler/vm_test.go b/pkg/virt-handler/vm_test.go
index 0f2628dcd105..bd6c9fd8b75a 100644
--- a/pkg/virt-handler/vm_test.go
+++ b/pkg/virt-handler/vm_test.go
@@ -73,6 +73,7 @@ var _ = Describe("VirtualMachineInstance", func() {
 	var mockQueue *testutils.MockWorkQueue
 	var mockWatchdog *MockWatchdog
 	var mockGracefulShutdown *MockGracefulShutdown
+	var mockIsolationDetector *MockIsolationDetector
 
 	var vmiFeeder *testutils.VirtualMachineFeeder
 	var domainFeeder *testutils.DomainFeeder
@@ -127,6 +128,7 @@ var _ = Describe("VirtualMachineInstance", func() {
 		mockGracefulShutdown = &MockGracefulShutdown{shareDir}
 		config, _, _ := testutils.NewFakeClusterConfig(&k8sv1.ConfigMap{})
 
+		mockIsolationDetector = &MockIsolationDetector{}
 		controller = NewController(recorder,
 			virtClient,
 			host,
@@ -140,7 +142,7 @@ var _ = Describe("VirtualMachineInstance", func() {
 			10,
 			config,
 			tlsConfig,
-			isolation.NewSocketBasedIsolationDetector(shareDir),
+			mockIsolationDetector,
 		)
 
 		testUUID = uuid.NewUUID()
@@ -1302,6 +1304,24 @@ func (m *MockGracefulShutdown) TriggerShutdown(vmi *v1.VirtualMachineInstance) {
 	Expect(err).NotTo(HaveOccurred())
 }
 
+type MockIsolationDetector struct{}
+
+func (_m *MockIsolationDetector) Detect(vm *v1.VirtualMachineInstance) (*isolation.IsolationResult, error) {
+	return &isolation.IsolationResult{}, nil
+}
+
+func (_m *MockIsolationDetector) DetectForSocket(vm *v1.VirtualMachineInstance, socket string) (*isolation.IsolationResult, error) {
+	return nil, nil
+}
+
+func (_m *MockIsolationDetector) Whitelist(controller []string) isolation.PodIsolationDetector {
+	return _m
+}
+
+func (_m *MockIsolationDetector) AdjustResources(vm *v1.VirtualMachineInstance) error {
+	return nil
+}
+
 type MockWatchdog struct {
 	baseDir string
 }
diff --git a/pkg/virt-operator/creation/components/scc.go b/pkg/virt-operator/creation/components/scc.go
index 3d156771cbb3..51ad11b4e094 100644
--- a/pkg/virt-operator/creation/components/scc.go
+++ b/pkg/virt-operator/creation/components/scc.go
@@ -74,7 +74,7 @@ func NewKubeVirtControllerSCC(namespace string) *secv1.SecurityContextConstraint
 	scc.SELinuxContext = secv1.SELinuxContextStrategyOptions{
 		Type: secv1.SELinuxStrategyRunAsAny,
 	}
-	scc.AllowedCapabilities = []corev1.Capability{"NET_ADMIN", "SYS_NICE", "SYS_RESOURCE"}
+	scc.AllowedCapabilities = []corev1.Capability{"NET_ADMIN", "SYS_NICE"}
 	scc.AllowHostDirVolumePlugin = true
 	scc.Users = []string{fmt.Sprintf("system:serviceaccount:%s:kubevirt-controller", namespace)}
 
diff --git a/vendor/github.com/mitchellh/go-ps/.gitignore b/vendor/github.com/mitchellh/go-ps/.gitignore
new file mode 100644
index 000000000000..a977916f6583
--- /dev/null
+++ b/vendor/github.com/mitchellh/go-ps/.gitignore
@@ -0,0 +1 @@
+.vagrant/
diff --git a/vendor/github.com/mitchellh/go-ps/.travis.yml b/vendor/github.com/mitchellh/go-ps/.travis.yml
new file mode 100644
index 000000000000..8f794f71da43
--- /dev/null
+++ b/vendor/github.com/mitchellh/go-ps/.travis.yml
@@ -0,0 +1,4 @@
+language: go
+
+go:
+  - 1.2.1
diff --git a/vendor/github.com/mitchellh/go-ps/BUILD.bazel b/vendor/github.com/mitchellh/go-ps/BUILD.bazel
new file mode 100644
index 000000000000..9e24fb5e23f4
--- /dev/null
+++ b/vendor/github.com/mitchellh/go-ps/BUILD.bazel
@@ -0,0 +1,17 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library")
+
+go_library(
+    name = "go_default_library",
+    srcs = [
+        "process.go",
+        "process_darwin.go",
+        "process_freebsd.go",
+        "process_linux.go",
+        "process_solaris.go",
+        "process_unix.go",
+        "process_windows.go",
+    ],
+    importmap = "kubevirt.io/kubevirt/vendor/github.com/mitchellh/go-ps",
+    importpath = "github.com/mitchellh/go-ps",
+    visibility = ["//visibility:public"],
+)
diff --git a/vendor/github.com/mitchellh/go-ps/LICENSE.md b/vendor/github.com/mitchellh/go-ps/LICENSE.md
new file mode 100644
index 000000000000..229851590442
--- /dev/null
+++ b/vendor/github.com/mitchellh/go-ps/LICENSE.md
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2014 Mitchell Hashimoto
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
diff --git a/vendor/github.com/mitchellh/go-ps/README.md b/vendor/github.com/mitchellh/go-ps/README.md
new file mode 100644
index 000000000000..4e3d0e146343
--- /dev/null
+++ b/vendor/github.com/mitchellh/go-ps/README.md
@@ -0,0 +1,34 @@
+# Process List Library for Go [![GoDoc](https://godoc.org/github.com/mitchellh/go-ps?status.png)](https://godoc.org/github.com/mitchellh/go-ps)
+
+go-ps is a library for Go that implements OS-specific APIs to list and
+manipulate processes in a platform-safe way. The library can find and
+list processes on Linux, Mac OS X, Solaris, and Windows.
+
+If you're new to Go, this library has a good amount of advanced Go educational
+value as well. It uses some advanced features of Go: build tags, accessing
+DLL methods for Windows, cgo for Darwin, etc.
+
+How it works:
+
+  * **Darwin** uses the `sysctl` syscall to retrieve the process table.
+  * **Unix** uses the procfs at `/proc` to inspect the process tree.
+  * **Windows** uses the Windows API, and methods such as
+    `CreateToolhelp32Snapshot` to get a point-in-time snapshot of
+    the process table.
+
+## Installation
+
+Install using standard `go get`:
+
+```
+$ go get github.com/mitchellh/go-ps
+...
+```
+
+## TODO
+
+Want to contribute? Here is a short TODO list of things that aren't
+implemented for this library that would be nice:
+
+  * FreeBSD support
+  * Plan9 support
diff --git a/vendor/github.com/mitchellh/go-ps/Vagrantfile b/vendor/github.com/mitchellh/go-ps/Vagrantfile
new file mode 100644
index 000000000000..61662ab1e3e7
--- /dev/null
+++ b/vendor/github.com/mitchellh/go-ps/Vagrantfile
@@ -0,0 +1,43 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+# Vagrantfile API/syntax version. Don't touch unless you know what you're doing!
+VAGRANTFILE_API_VERSION = "2"
+
+Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
+  config.vm.box = "chef/ubuntu-12.04"
+
+  config.vm.provision "shell", inline: $script
+
+  ["vmware_fusion", "vmware_workstation"].each do |p|
+    config.vm.provider "p" do |v|
+      v.vmx["memsize"] = "1024"
+      v.vmx["numvcpus"] = "2"
+      v.vmx["cpuid.coresPerSocket"] = "1"
+    end
+  end
+end
+
+$script = <<SCRIPT
+SRCROOT="/opt/go"
+
+# Install Go
+sudo apt-get update
+sudo apt-get install -y build-essential mercurial
+sudo hg clone -u release https://code.google.com/p/go ${SRCROOT}
+cd ${SRCROOT}/src
+sudo ./all.bash
+
+# Setup the GOPATH
+sudo mkdir -p /opt/gopath
+cat <<EOF >/tmp/gopath.sh
+export GOPATH="/opt/gopath"
+export PATH="/opt/go/bin:\$GOPATH/bin:\$PATH"
+EOF
+sudo mv /tmp/gopath.sh /etc/profile.d/gopath.sh
+sudo chmod 0755 /etc/profile.d/gopath.sh
+
+# Make sure the gopath is usable by bamboo
+sudo chown -R vagrant:vagrant $SRCROOT
+sudo chown -R vagrant:vagrant /opt/gopath
+SCRIPT
diff --git a/vendor/github.com/mitchellh/go-ps/process.go b/vendor/github.com/mitchellh/go-ps/process.go
new file mode 100644
index 000000000000..2b5e8ed2323b
--- /dev/null
+++ b/vendor/github.com/mitchellh/go-ps/process.go
@@ -0,0 +1,40 @@
+// ps provides an API for finding and listing processes in a platform-agnostic
+// way.
+//
+// NOTE: If you're reading these docs online via GoDocs or some other system,
+// you might only see the Unix docs. This project makes heavy use of
+// platform-specific implementations. We recommend reading the source if you
+// are interested.
+package ps
+
+// Process is the generic interface that is implemented on every platform
+// and provides common operations for processes.
+type Process interface {
+	// Pid is the process ID for this process.
+	Pid() int
+
+	// PPid is the parent process ID for this process.
+	PPid() int
+
+	// Executable name running this process. This is not a path to the
+	// executable.
+	Executable() string
+}
+
+// Processes returns all processes.
+//
+// This of course will be a point-in-time snapshot of when this method was
+// called. Some operating systems don't provide snapshot capability of the
+// process table, in which case the process table returned might contain
+// ephemeral entities that happened to be running when this was called.
+func Processes() ([]Process, error) {
+	return processes()
+}
+
+// FindProcess looks up a single process by pid.
+//
+// Process will be nil and error will be nil if a matching process is
+// not found.
+func FindProcess(pid int) (Process, error) {
+	return findProcess(pid)
+}
diff --git a/vendor/github.com/mitchellh/go-ps/process_darwin.go b/vendor/github.com/mitchellh/go-ps/process_darwin.go
new file mode 100644
index 000000000000..5ee87fb68a8e
--- /dev/null
+++ b/vendor/github.com/mitchellh/go-ps/process_darwin.go
@@ -0,0 +1,138 @@
+// +build darwin
+
+package ps
+
+import (
+	"bytes"
+	"encoding/binary"
+	"syscall"
+	"unsafe"
+)
+
+type DarwinProcess struct {
+	pid    int
+	ppid   int
+	binary string
+}
+
+func (p *DarwinProcess) Pid() int {
+	return p.pid
+}
+
+func (p *DarwinProcess) PPid() int {
+	return p.ppid
+}
+
+func (p *DarwinProcess) Executable() string {
+	return p.binary
+}
+
+func findProcess(pid int) (Process, error) {
+	ps, err := processes()
+	if err != nil {
+		return nil, err
+	}
+
+	for _, p := range ps {
+		if p.Pid() == pid {
+			return p, nil
+		}
+	}
+
+	return nil, nil
+}
+
+func processes() ([]Process, error) {
+	buf, err := darwinSyscall()
+	if err != nil {
+		return nil, err
+	}
+
+	procs := make([]*kinfoProc, 0, 50)
+	k := 0
+	for i := _KINFO_STRUCT_SIZE; i < buf.Len(); i += _KINFO_STRUCT_SIZE {
+		proc := &kinfoProc{}
+		err = binary.Read(bytes.NewBuffer(buf.Bytes()[k:i]), binary.LittleEndian, proc)
+		if err != nil {
+			return nil, err
+		}
+
+		k = i
+		procs = append(procs, proc)
+	}
+
+	darwinProcs := make([]Process, len(procs))
+	for i, p := range procs {
+		darwinProcs[i] = &DarwinProcess{
+			pid:    int(p.Pid),
+			ppid:   int(p.PPid),
+			binary: darwinCstring(p.Comm),
+		}
+	}
+
+	return darwinProcs, nil
+}
+
+func darwinCstring(s [16]byte) string {
+	i := 0
+	for _, b := range s {
+		if b != 0 {
+			i++
+		} else {
+			break
+		}
+	}
+
+	return string(s[:i])
+}
+
+func darwinSyscall() (*bytes.Buffer, error) {
+	mib := [4]int32{_CTRL_KERN, _KERN_PROC, _KERN_PROC_ALL, 0}
+	size := uintptr(0)
+
+	_, _, errno := syscall.Syscall6(
+		syscall.SYS___SYSCTL,
+		uintptr(unsafe.Pointer(&mib[0])),
+		4,
+		0,
+		uintptr(unsafe.Pointer(&size)),
+		0,
+		0)
+
+	if errno != 0 {
+		return nil, errno
+	}
+
+	bs := make([]byte, size)
+	_, _, errno = syscall.Syscall6(
+		syscall.SYS___SYSCTL,
+		uintptr(unsafe.Pointer(&mib[0])),
+		4,
+		uintptr(unsafe.Pointer(&bs[0])),
+		uintptr(unsafe.Pointer(&size)),
+		0,
+		0)
+
+	if errno != 0 {
+		return nil, errno
+	}
+
+	return bytes.NewBuffer(bs[0:size]), nil
+}
+
+const (
+	_CTRL_KERN         = 1
+	_KERN_PROC         = 14
+	_KERN_PROC_ALL     = 0
+	_KINFO_STRUCT_SIZE = 648
+)
+
+type kinfoProc struct {
+	_    [40]byte
+	Pid  int32
+	_    [199]byte
+	Comm [16]byte
+	_    [301]byte
+	PPid int32
+	_    [84]byte
+}
diff --git a/vendor/github.com/mitchellh/go-ps/process_freebsd.go b/vendor/github.com/mitchellh/go-ps/process_freebsd.go
new file mode 100644
index 000000000000..130acbe6c64d
--- /dev/null
+++ b/vendor/github.com/mitchellh/go-ps/process_freebsd.go
@@ -0,0 +1,260 @@
+// +build freebsd
+
+package ps
+
+import (
+	"bytes"
+	"encoding/binary"
+	"syscall"
+	"unsafe"
+)
+
+// copied from sys/sysctl.h
+const (
+	CTL_KERN           = 1  // "high kernel": proc, limits
+	KERN_PROC          = 14 // struct: process entries
+	KERN_PROC_PID      = 1  // by process id
+	KERN_PROC_PROC     = 8  // only return procs
+	KERN_PROC_PATHNAME = 12 // path to executable
+)
+
+// copied from sys/user.h
+type Kinfo_proc struct {
+	Ki_structsize   int32
+	Ki_layout       int32
+	Ki_args         int64
+	Ki_paddr        int64
+	Ki_addr         int64
+	Ki_tracep       int64
+	Ki_textvp       int64
+	Ki_fd           int64
+	Ki_vmspace      int64
+	Ki_wchan        int64
+	Ki_pid          int32
+	Ki_ppid         int32
+	Ki_pgid         int32
+	Ki_tpgid        int32
+	Ki_sid          int32
+	Ki_tsid         int32
+	Ki_jobc         [2]byte
+	Ki_spare_short1 [2]byte
+	Ki_tdev         int32
+	Ki_siglist      [16]byte
+	Ki_sigmask      [16]byte
+	Ki_sigignore    [16]byte
+	Ki_sigcatch     [16]byte
+	Ki_uid          int32
+	Ki_ruid         int32
+	Ki_svuid        int32
+	Ki_rgid         int32
+	Ki_svgid        int32
+	Ki_ngroups      [2]byte
+	Ki_spare_short2 [2]byte
+	Ki_groups       [64]byte
+	Ki_size         int64
+	Ki_rssize       int64
+	Ki_swrss        int64
+	Ki_tsize        int64
+	Ki_dsize        int64
+	Ki_ssize        int64
+	Ki_xstat        [2]byte
+	Ki_acflag       [2]byte
+	Ki_pctcpu       int32
+	Ki_estcpu       int32
+	Ki_slptime      int32
+	Ki_swtime       int32
+	Ki_cow          int32
+	Ki_runtime      int64
+	Ki_start        [16]byte
+	Ki_childtime    [16]byte
+	Ki_flag         int64
+	Ki_kiflag       int64
+	Ki_traceflag    int32
+	Ki_stat         [1]byte
+	Ki_nice         [1]byte
+	Ki_lock         [1]byte
+	Ki_rqindex      [1]byte
+	Ki_oncpu        [1]byte
+	Ki_lastcpu      [1]byte
+	Ki_ocomm        [17]byte
+	Ki_wmesg        [9]byte
+	Ki_login        [18]byte
+	Ki_lockname     [9]byte
+	Ki_comm         [20]byte
+	Ki_emul         [17]byte
+	Ki_sparestrings [68]byte
+	Ki_spareints    [36]byte
+	Ki_cr_flags     int32
+	Ki_jid          int32
+	Ki_numthreads   int32
+	Ki_tid          int32
+	Ki_pri          int32
+	Ki_rusage       [144]byte
+	Ki_rusage_ch    [144]byte
+	Ki_pcb          int64
+	Ki_kstack       int64
+	Ki_udata        int64
+	Ki_tdaddr       int64
+	Ki_spareptrs    [48]byte
+	Ki_spareint64s  [96]byte
+	Ki_sflag        int64
+	Ki_tdflags      int64
+}
+
+// UnixProcess is an implementation of Process that contains Unix-specific
+// fields and information.
+type UnixProcess struct {
+	pid   int
+	ppid  int
+	state rune
+	pgrp  int
+	sid   int
+
+	binary string
+}
+
+func (p *UnixProcess) Pid() int {
+	return p.pid
+}
+
+func (p *UnixProcess) PPid() int {
+	return p.ppid
+}
+
+func (p *UnixProcess) Executable() string {
+	return p.binary
+}
+
+// Refresh reloads all the data associated with this process.
+func (p *UnixProcess) Refresh() error {
+
+	mib := []int32{CTL_KERN, KERN_PROC, KERN_PROC_PID, int32(p.pid)}
+
+	buf, length, err := call_syscall(mib)
+	if err != nil {
+		return err
+	}
+	proc_k := Kinfo_proc{}
+	if length != uint64(unsafe.Sizeof(proc_k)) {
+		return err
+	}
+
+	k, err := parse_kinfo_proc(buf)
+	if err != nil {
+		return err
+	}
+
+	p.ppid, p.pgrp, p.sid, p.binary = copy_params(&k)
+	return nil
+}
+
+func copy_params(k *Kinfo_proc) (int, int, int, string) {
+	n := -1
+	for i, b := range k.Ki_comm {
+		if b == 0 {
+			break
+		}
+		n = i + 1
+	}
+	comm := string(k.Ki_comm[:n])
+
+	return int(k.Ki_ppid), int(k.Ki_pgid), int(k.Ki_sid), comm
+}
+
+func findProcess(pid int) (Process, error) {
+	mib := []int32{CTL_KERN, KERN_PROC, KERN_PROC_PATHNAME, int32(pid)}
+
+	_, _, err := call_syscall(mib)
+	if err != nil {
+		return nil, err
+	}
+
+	return newUnixProcess(pid)
+}
+
+func processes() ([]Process, error) {
+	results := make([]Process, 0, 50)
+
+	mib := []int32{CTL_KERN, KERN_PROC, KERN_PROC_PROC, 0}
+	buf, length, err := call_syscall(mib)
+	if err != nil {
+		return results, err
+	}
+
+	// get kinfo_proc size
+	k := Kinfo_proc{}
+	procinfo_len := int(unsafe.Sizeof(k))
+	count := int(length / uint64(procinfo_len))
+
+	// parse buf to procs
+	for i := 0; i < count; i++ {
+		b := buf[i*procinfo_len : i*procinfo_len+procinfo_len]
+		k, err := parse_kinfo_proc(b)
+		if err != nil {
+			continue
+		}
+		p, err := newUnixProcess(int(k.Ki_pid))
+		if err != nil {
+			continue
+		}
+		p.ppid, p.pgrp, p.sid, p.binary = copy_params(&k)
+
+		results = append(results, p)
+	}
+
+	return results, nil
+}
+
+func parse_kinfo_proc(buf []byte) (Kinfo_proc, error) {
+	var k Kinfo_proc
+	br := bytes.NewReader(buf)
+	err := binary.Read(br, binary.LittleEndian, &k)
+	if err != nil {
+		return k, err
+	}
+
+	return k, nil
+}
+
+func call_syscall(mib []int32) ([]byte, uint64, error) {
+	miblen := uint64(len(mib))
+
+	// get required buffer size
+	length := uint64(0)
+	_, _, err := syscall.RawSyscall6(
+		syscall.SYS___SYSCTL,
+		uintptr(unsafe.Pointer(&mib[0])),
+		uintptr(miblen),
+		0,
+		uintptr(unsafe.Pointer(&length)),
+		0,
+		0)
+	if err != 0 {
+		b := make([]byte, 0)
+		return b, length, err
+	}
+	if length == 0 {
+		b := make([]byte, 0)
+		return b, length, err
+	}
+	// get proc info itself
+	buf := make([]byte, length)
+	_, _, err = syscall.RawSyscall6(
+		syscall.SYS___SYSCTL,
+		uintptr(unsafe.Pointer(&mib[0])),
+		uintptr(miblen),
+		uintptr(unsafe.Pointer(&buf[0])),
+		uintptr(unsafe.Pointer(&length)),
+		0,
+		0)
+	if err != 0 {
+		return buf, length, err
+	}
+
+	return buf, length, nil
+}
+
+func newUnixProcess(pid int) (*UnixProcess, error) {
+	p := &UnixProcess{pid: pid}
+	return p, p.Refresh()
+}
diff --git a/vendor/github.com/mitchellh/go-ps/process_linux.go b/vendor/github.com/mitchellh/go-ps/process_linux.go
new file mode 100644
index 000000000000..c1558f783466
--- /dev/null
+++ b/vendor/github.com/mitchellh/go-ps/process_linux.go
@@ -0,0 +1,35 @@
+// +build linux
+
+package ps
+
+import (
+	"fmt"
+	"io/ioutil"
+	"strings"
+)
+
+// Refresh reloads all the data associated with this process.
+func (p *UnixProcess) Refresh() error {
+	statPath := fmt.Sprintf("/proc/%d/stat", p.pid)
+	dataBytes, err := ioutil.ReadFile(statPath)
+	if err != nil {
+		return err
+	}
+
+	// First, parse out the image name
+	data := string(dataBytes)
+	binStart := strings.IndexRune(data, '(') + 1
+	binEnd := strings.IndexRune(data[binStart:], ')')
+	p.binary = data[binStart : binStart+binEnd]
+
+	// Move past the image name and start parsing the rest
+	data = data[binStart+binEnd+2:]
+	_, err = fmt.Sscanf(data,
+		"%c %d %d %d",
+		&p.state,
+		&p.ppid,
+		&p.pgrp,
+		&p.sid)
+
+	return err
+}
diff --git a/vendor/github.com/mitchellh/go-ps/process_solaris.go b/vendor/github.com/mitchellh/go-ps/process_solaris.go
new file mode 100644
index 000000000000..014c41611de3
--- /dev/null
+++ b/vendor/github.com/mitchellh/go-ps/process_solaris.go
@@ -0,0 +1,96 @@
+// +build solaris
+
+package ps
+
+import (
+	"encoding/binary"
+	"fmt"
+	"os"
+)
+
+type ushort_t uint16
+
+type id_t int32
+type pid_t int32
+type uid_t int32
+type gid_t int32
+
+type dev_t uint64
+type size_t uint64
+type uintptr_t uint64
+
+type timestruc_t [16]byte
+
+// This is copy from /usr/include/sys/procfs.h
+type psinfo_t struct {
+	Pr_flag   int32     /* process flags (DEPRECATED; do not use) */
+	Pr_nlwp   int32     /* number of active lwps in the process */
+	Pr_pid    pid_t     /* unique process id */
+	Pr_ppid   pid_t     /* process id of parent */
+	Pr_pgid   pid_t     /* pid of process group leader */
+	Pr_sid    pid_t     /* session id */
+	Pr_uid    uid_t     /* real user id */
+	Pr_euid   uid_t     /* effective user id */
+	Pr_gid    gid_t     /* real group id */
+	Pr_egid   gid_t     /* effective group id */
+	Pr_addr   uintptr_t /* address of process */
+	Pr_size   size_t    /* size of process image in Kbytes */
+	Pr_rssize size_t    /* resident set size in Kbytes */
+	Pr_pad1   size_t
+	Pr_ttydev dev_t /* controlling tty device (or PRNODEV) */
+
+	// Guess this following 2 ushort_t values require a padding to properly
+	// align to the 64bit mark.
+	Pr_pctcpu   ushort_t /* % of recent cpu time used by all lwps */
+	Pr_pctmem   ushort_t /* % of system memory used by process */
+	Pr_pad64bit [4]byte
+
+	Pr_start    timestruc_t /* process start time, from the epoch */
+	Pr_time     timestruc_t /* usr+sys cpu time for this process */
+	Pr_ctime    timestruc_t /* usr+sys cpu time for reaped children */
+	Pr_fname    [16]byte    /* name of execed file */
+	Pr_psargs   [80]byte    /* initial characters of arg list */
+	Pr_wstat    int32       /* if zombie, the wait() status */
+	Pr_argc     int32       /* initial argument count */
+	Pr_argv     uintptr_t   /* address of initial argument vector */
+	Pr_envp     uintptr_t   /* address of initial environment vector */
+	Pr_dmodel   [1]byte     /* data model of the process */
+	Pr_pad2     [3]byte
+	Pr_taskid   id_t      /* task id */
+	Pr_projid   id_t      /* project id */
+	Pr_nzomb    int32     /* number of zombie lwps in the process */
+	Pr_poolid   id_t      /* pool id */
+	Pr_zoneid   id_t      /* zone id */
+	Pr_contract id_t      /* process contract */
+	Pr_filler   int32     /* reserved for future use */
+	Pr_lwp      [128]byte /* information for representative lwp */
+}
+
+func (p *UnixProcess) Refresh() error {
+	var psinfo psinfo_t
+
+	path := fmt.Sprintf("/proc/%d/psinfo", p.pid)
+	fh, err := os.Open(path)
+	if err != nil {
+		return err
+	}
+	defer fh.Close()
+
+	err = binary.Read(fh, binary.LittleEndian, &psinfo)
+	if err != nil {
+		return err
+	}
+
+	p.ppid = int(psinfo.Pr_ppid)
+	p.binary = toString(psinfo.Pr_fname[:], 16)
+	return nil
+}
+
+func toString(array []byte, len int) string {
+	for i := 0; i < len; i++ {
+		if array[i] == 0 {
+			return string(array[:i])
+		}
+	}
+	return string(array[:])
+}
diff --git a/vendor/github.com/mitchellh/go-ps/process_unix.go b/vendor/github.com/mitchellh/go-ps/process_unix.go
new file mode 100644
index 000000000000..3b733cec4067
--- /dev/null
+++ b/vendor/github.com/mitchellh/go-ps/process_unix.go
@@ -0,0 +1,101 @@
+// +build linux solaris
+
+package ps
+
+import (
+	"fmt"
+	"io"
+	"os"
+	"strconv"
+)
+
+// UnixProcess is an implementation of Process that contains Unix-specific
+// fields and information.
+type UnixProcess struct {
+	pid   int
+	ppid  int
+	state rune
+	pgrp  int
+	sid   int
+
+	binary string
+}
+
+func (p *UnixProcess) Pid() int {
+	return p.pid
+}
+
+func (p *UnixProcess) PPid() int {
+	return p.ppid
+}
+
+func (p *UnixProcess) Executable() string {
+	return p.binary
+}
+
+func findProcess(pid int) (Process, error) {
+	dir := fmt.Sprintf("/proc/%d", pid)
+	_, err := os.Stat(dir)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return nil, nil
+		}
+
+		return nil, err
+	}
+
+	return newUnixProcess(pid)
+}
+
+func processes() ([]Process, error) {
+	d, err := os.Open("/proc")
+	if err != nil {
+		return nil, err
+	}
+	defer d.Close()
+
+	results := make([]Process, 0, 50)
+	for {
+		fis, err := d.Readdir(10)
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			return nil, err
+		}
+
+		for _, fi := range fis {
+			// We only care about directories, since all pids are dirs
+			if !fi.IsDir() {
+				continue
+			}
+
+			// We only care if the name starts with a numeric
+			name := fi.Name()
+			if name[0] < '0' || name[0] > '9' {
+				continue
+			}
+
+			// From this point forward, any errors we just ignore, because
+			// it might simply be that the process doesn't exist anymore.
+			pid, err := strconv.ParseInt(name, 10, 0)
+			if err != nil {
+				continue
+			}
+
+			p, err := newUnixProcess(int(pid))
+			if err != nil {
+				continue
+			}
+
+			results = append(results, p)
+		}
+	}
+
+	return results, nil
+}
+
+func newUnixProcess(pid int) (*UnixProcess, error) {
+	p := &UnixProcess{pid: pid}
+	return p, p.Refresh()
+}
diff --git a/vendor/github.com/mitchellh/go-ps/process_windows.go b/vendor/github.com/mitchellh/go-ps/process_windows.go
new file mode 100644
index 000000000000..f151974e380c
--- /dev/null
+++ b/vendor/github.com/mitchellh/go-ps/process_windows.go
@@ -0,0 +1,119 @@
+// +build windows
+
+package ps
+
+import (
+	"fmt"
+	"syscall"
+	"unsafe"
+)
+
+// Windows API functions
+var (
+	modKernel32                  = syscall.NewLazyDLL("kernel32.dll")
+	procCloseHandle              = modKernel32.NewProc("CloseHandle")
+	procCreateToolhelp32Snapshot = modKernel32.NewProc("CreateToolhelp32Snapshot")
+	procProcess32First           = modKernel32.NewProc("Process32FirstW")
+	procProcess32Next            = modKernel32.NewProc("Process32NextW")
+)
+
+// Some constants from the Windows API
+const (
+	ERROR_NO_MORE_FILES = 0x12
+	MAX_PATH            = 260
+)
+
+// PROCESSENTRY32 is the Windows API structure that contains a process's
+// information.
+type PROCESSENTRY32 struct {
+	Size              uint32
+	CntUsage          uint32
+	ProcessID         uint32
+	DefaultHeapID     uintptr
+	ModuleID          uint32
+	CntThreads        uint32
+	ParentProcessID   uint32
+	PriorityClassBase int32
+	Flags             uint32
+	ExeFile           [MAX_PATH]uint16
+}
+
+// WindowsProcess is an implementation of Process for Windows.
+type WindowsProcess struct {
+	pid  int
+	ppid int
+	exe  string
+}
+
+func (p *WindowsProcess) Pid() int {
+	return p.pid
+}
+
+func (p *WindowsProcess) PPid() int {
+	return p.ppid
+}
+
+func (p *WindowsProcess) Executable() string {
+	return p.exe
+}
+
+func newWindowsProcess(e *PROCESSENTRY32) *WindowsProcess {
+	// Find when the string ends for decoding
+	end := 0
+	for {
+		if e.ExeFile[end] == 0 {
+			break
+		}
+		end++
+	}
+
+	return &WindowsProcess{
+		pid:  int(e.ProcessID),
+		ppid: int(e.ParentProcessID),
+		exe:  syscall.UTF16ToString(e.ExeFile[:end]),
+	}
+}
+
+func findProcess(pid int) (Process, error) {
+	ps, err := processes()
+	if err != nil {
+		return nil, err
+	}
+
+	for _, p := range ps {
+		if p.Pid() == pid {
+			return p, nil
+		}
+	}
+
+	return nil, nil
+}
+
+func processes() ([]Process, error) {
+	handle, _, _ := procCreateToolhelp32Snapshot.Call(
+		0x00000002,
+		0)
+	if handle < 0 {
+		return nil, syscall.GetLastError()
+	}
+	defer procCloseHandle.Call(handle)
+
+	var entry PROCESSENTRY32
+	entry.Size = uint32(unsafe.Sizeof(entry))
+	ret, _, _ := procProcess32First.Call(handle, uintptr(unsafe.Pointer(&entry)))
+	if ret == 0 {
+		return nil, fmt.Errorf("Error retrieving process info.")
+	}
+
+	results := make([]Process, 0, 50)
+	for {
+		results = append(results, newWindowsProcess(&entry))
+
+		ret, _, _ := procProcess32Next.Call(handle, uintptr(unsafe.Pointer(&entry)))
+		if ret == 0 {
+			break
+		}
+	}
+
+	return results, nil
+}
diff --git a/vendor/modules.txt b/vendor/modules.txt
index da26f6927aba..be5eb9107de7 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -160,6 +160,8 @@ github.com/mailru/easyjson/buffer
 github.com/mattn/go-runewidth
 # github.com/matttproud/golang_protobuf_extensions v1.0.1
 github.com/matttproud/golang_protobuf_extensions/pbutil
+# github.com/mitchellh/go-ps v0.0.0-20190716172923-621e5597135b
+github.com/mitchellh/go-ps
 # github.com/mitchellh/mapstructure v1.1.2
 github.com/mitchellh/mapstructure
 # github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd
@@ -419,7 +421,6 @@ k8s.io/apimachinery/pkg/util/sets
 k8s.io/apimachinery/pkg/util/json
 k8s.io/apimachinery/pkg/util/rand
 k8s.io/apimachinery/pkg/util/validation
-k8s.io/apimachinery/pkg/runtime/serializer
 k8s.io/apimachinery/pkg/util/validation/field
 k8s.io/apimachinery/pkg/util/yaml
 k8s.io/apimachinery/pkg/util/intstr
@@ -427,6 +428,7 @@ k8s.io/apimachinery/pkg/api/meta
 k8s.io/apimachinery/pkg/apis/meta/v1/unstructured
 k8s.io/apimachinery/pkg/util/strategicpatch
 k8s.io/apimachinery/pkg/version
+k8s.io/apimachinery/pkg/runtime/serializer
 k8s.io/apimachinery/pkg/runtime/serializer/streaming
 k8s.io/apimachinery/pkg/util/net
 k8s.io/apimachinery/pkg/conversion
@@ -437,20 +439,20 @@ k8s.io/apimachinery/pkg/util/diff
 k8s.io/apimachinery/pkg/util/naming
 k8s.io/apimachinery/pkg/conversion/queryparams
 k8s.io/apimachinery/pkg/util/uuid
+k8s.io/apimachinery/pkg/apis/meta/v1beta1
+k8s.io/apimachinery/pkg/util/mergepatch
+k8s.io/apimachinery/third_party/forked/golang/json
+k8s.io/apimachinery/pkg/util/httpstream
+k8s.io/apimachinery/pkg/util/remotecommand
+k8s.io/apimachinery/pkg/util/httpstream/spdy
 k8s.io/apimachinery/pkg/runtime/serializer/json
 k8s.io/apimachinery/pkg/runtime/serializer/protobuf
 k8s.io/apimachinery/pkg/runtime/serializer/recognizer
 k8s.io/apimachinery/pkg/runtime/serializer/versioning
-k8s.io/apimachinery/pkg/util/httpstream
-k8s.io/apimachinery/pkg/util/remotecommand
-k8s.io/apimachinery/pkg/util/httpstream/spdy
-k8s.io/apimachinery/pkg/apis/meta/v1beta1
-k8s.io/apimachinery/pkg/util/mergepatch
-k8s.io/apimachinery/third_party/forked/golang/json
 k8s.io/apimachinery/third_party/forked/golang/reflect
 k8s.io/apimachinery/pkg/apis/meta/internalversion
-k8s.io/apimachinery/pkg/util/framer
 k8s.io/apimachinery/third_party/forked/golang/netutil
+k8s.io/apimachinery/pkg/util/framer
 # k8s.io/client-go v8.0.0+incompatible => k8s.io/client-go v0.0.0-20190228174230-b40b2a5939e4
 k8s.io/client-go/rest
 k8s.io/client-go/kubernetes/scheme
@@ -458,14 +460,13 @@ k8s.io/client-go/kubernetes/typed/core/v1
 k8s.io/client-go/tools/cache
 k8s.io/client-go/tools/record
 k8s.io/client-go/util/cert
-k8s.io/client-go/plugin/pkg/client/auth
 k8s.io/client-go/util/certificate
+k8s.io/client-go/plugin/pkg/client/auth
 k8s.io/client-go/informers
 k8s.io/client-go/util/workqueue
 k8s.io/client-go/tools/metrics
 k8s.io/client-go/tools/cache/testing
 k8s.io/client-go/kubernetes/typed/authorization/v1beta1
-k8s.io/client-go/tools/remotecommand
 k8s.io/client-go/tools/leaderelection/resourcelock
 k8s.io/client-go/tools/leaderelection
 k8s.io/client-go/tools/reference
@@ -473,6 +474,7 @@ k8s.io/client-go/discovery
 k8s.io/client-go/tools/clientcmd
 k8s.io/client-go/kubernetes
 k8s.io/client-go/tools/portforward
+k8s.io/client-go/tools/remotecommand
 k8s.io/client-go/transport/spdy
 k8s.io/client-go/pkg/version
 k8s.io/client-go/plugin/pkg/client/auth/exec
@@ -513,11 +515,11 @@ k8s.io/client-go/kubernetes/typed/storage/v1beta1
 k8s.io/client-go/tools/pager
 k8s.io/client-go/util/buffer
 k8s.io/client-go/util/retry
+k8s.io/client-go/util/certificate/csr
 k8s.io/client-go/plugin/pkg/client/auth/azure
 k8s.io/client-go/plugin/pkg/client/auth/gcp
 k8s.io/client-go/plugin/pkg/client/auth/oidc
 k8s.io/client-go/plugin/pkg/client/auth/openstack
-k8s.io/client-go/util/certificate/csr
 k8s.io/client-go/kubernetes/fake
 k8s.io/client-go/informers/admissionregistration
 k8s.io/client-go/informers/apps
@@ -536,19 +538,19 @@ k8s.io/client-go/informers/rbac
 k8s.io/client-go/informers/scheduling
 k8s.io/client-go/informers/settings
 k8s.io/client-go/informers/storage
-k8s.io/client-go/util/exec
 k8s.io/client-go/testing
 k8s.io/client-go/discovery/fake
 k8s.io/client-go/tools/auth
 k8s.io/client-go/tools/clientcmd/api/latest
 k8s.io/client-go/util/homedir
+k8s.io/client-go/util/exec
 k8s.io/client-go/pkg/apis/clientauthentication
 k8s.io/client-go/pkg/apis/clientauthentication/v1alpha1
 k8s.io/client-go/pkg/apis/clientauthentication/v1beta1
 k8s.io/client-go/util/connrotation
 k8s.io/client-go/util/integer
-k8s.io/client-go/util/jsonpath
 k8s.io/client-go/tools/watch
+k8s.io/client-go/util/jsonpath
 k8s.io/client-go/kubernetes/typed/admissionregistration/v1alpha1/fake
 k8s.io/client-go/kubernetes/typed/admissionregistration/v1beta1/fake
 k8s.io/client-go/kubernetes/typed/apps/v1/fake

From 822f904ae4c8c21fad8a15c5a7e98fa7f2f36970 Mon Sep 17 00:00:00 2001
From: Ihar Hrachyshka <ihrachys@redhat.com>
Date: Thu, 15 Aug 2019 13:57:37 -0700
Subject: [PATCH 3/6] Estimate rlimit for memlock for vfio backed SR-IOV
 interfaces

Instead of setting to unlimited, try to estimate the actual amount
libvirtd may need for the VM. The actual formula in libvirtd code is
very complex and hard to reproduce (it involves estimating necessary
resources based on NUMA topology, number of CPUs, platform specific
requirements for memory alignment etc.) We are not going to reproduce it
in kubevirt, instead making our best conservative guess and then
allowing libvirtd to set the actual calculated value (that should work
as long as the value used by libvirtd is lower than the limit we set in
kubevirt).
---
 pkg/virt-handler/isolation/BUILD.bazel       |  1 +
 pkg/virt-handler/isolation/isolation.go      | 32 ++++++++++++++++++--
 pkg/virt-handler/isolation/isolation_test.go | 11 +++++++
 3 files changed, 41 insertions(+), 3 deletions(-)

diff --git a/pkg/virt-handler/isolation/BUILD.bazel b/pkg/virt-handler/isolation/BUILD.bazel
index 6a32631ae04a..3e8e371d7c8d 100644
--- a/pkg/virt-handler/isolation/BUILD.bazel
+++ b/pkg/virt-handler/isolation/BUILD.bazel
@@ -17,6 +17,7 @@ go_library(
         "//vendor/github.com/golang/mock/gomock:go_default_library",
         "//vendor/github.com/mitchellh/go-ps:go_default_library",
         "//vendor/golang.org/x/sys/unix:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/api/resource:go_default_library",
     ],
 )
 
diff --git a/pkg/virt-handler/isolation/isolation.go b/pkg/virt-handler/isolation/isolation.go
index 399be4a40e72..7198081e81b2 100644
--- a/pkg/virt-handler/isolation/isolation.go
+++ b/pkg/virt-handler/isolation/isolation.go
@@ -40,6 +40,7 @@ import (
 	"golang.org/x/sys/unix"
 
 	ps "github.com/mitchellh/go-ps"
+	"k8s.io/apimachinery/pkg/api/resource"
 
 	v1 "kubevirt.io/client-go/api/v1"
 	"kubevirt.io/client-go/log"
@@ -166,10 +167,14 @@ func (s *socketBasedIsolationDetector) AdjustResources(vm *v1.VirtualMachineInst
 			continue
 		}
 
-		// TODO estimate actual memory size needed
+		// make the best estimate for memory required by libvirt
+		memlockSize, err := getMemlockSize(vm)
+		if err != nil {
+			return err
+		}
 		rLimit := unix.Rlimit{
-			Max: unix.RLIM_INFINITY,
-			Cur: unix.RLIM_INFINITY,
+			Max: uint64(memlockSize),
+			Cur: uint64(memlockSize),
 		}
 		err = prLimit(process.Pid(), unix.RLIMIT_MEMLOCK, &rLimit)
 		if err != nil {
@@ -181,6 +186,27 @@ func (s *socketBasedIsolationDetector) AdjustResources(vm *v1.VirtualMachineInst
 	return nil
 }
 
+// consider reusing getMemoryOverhead()
+func getMemlockSize(vm *v1.VirtualMachineInstance) (int64, error) {
+	memlockSize := resource.NewQuantity(0, resource.DecimalSI)
+
+	// start with base memory requested for the VM
+	vmiMemoryReq := vm.Spec.Domain.Resources.Requests.Memory()
+	memlockSize.Add(*resource.NewScaledQuantity(vmiMemoryReq.ScaledValue(resource.Kilo), resource.Kilo))
+
+	// allocate 1Gb for VFIO needs
+	memlockSize.Add(resource.MustParse("1G"))
+
+	// add some more memory for NUMA / CPU topology, platform memory alignment and other needs
+	memlockSize.Add(resource.MustParse("256M"))
+
+	bytes_, ok := memlockSize.AsInt64()
+	if !ok {
+		return 0, fmt.Errorf("could not calculate memory lock size")
+	}
+	return bytes_, nil
+}
+
 func NewIsolationResult(pid int, slice string, controller []string) *IsolationResult {
 	return &IsolationResult{pid: pid, slice: slice, controller: controller}
 }
diff --git a/pkg/virt-handler/isolation/isolation_test.go b/pkg/virt-handler/isolation/isolation_test.go
index 49a291113af8..1480b3b01646 100644
--- a/pkg/virt-handler/isolation/isolation_test.go
+++ b/pkg/virt-handler/isolation/isolation_test.go
@@ -73,3 +73,14 @@ var _ = Describe("Isolation", func() {
 		})
 	})
 })
+
+var _ = Describe("getMemlockSize", func() {
+	vm := v1.NewMinimalVMIWithNS("default", "testvm")
+
+	It("Should return correct number of bytes for memlock limit", func() {
+		bytes_, err := getMemlockSize(vm)
+		Expect(err).ToNot(HaveOccurred())
+		// 1Gb (static part for vfio VMs) + 256Mb (estimated overhead) + 8 Mb (VM)
+		Expect(int(bytes_)).To(Equal(1264389000))
+	})
+})

From a3418f12b96795947bbb499836e5bdcc7a864f31 Mon Sep 17 00:00:00 2001
From: Ihar Hrachyshka <ihrachys@redhat.com>
Date: Mon, 19 Aug 2019 12:26:15 -0700
Subject: [PATCH 4/6] Use generated mock for IsolationDetector instead of
 in-house

---
 pkg/virt-handler/vm_test.go | 25 +++++--------------------
 1 file changed, 5 insertions(+), 20 deletions(-)

diff --git a/pkg/virt-handler/vm_test.go b/pkg/virt-handler/vm_test.go
index bd6c9fd8b75a..7af9d67c2ed0 100644
--- a/pkg/virt-handler/vm_test.go
+++ b/pkg/virt-handler/vm_test.go
@@ -73,7 +73,7 @@ var _ = Describe("VirtualMachineInstance", func() {
 	var mockQueue *testutils.MockWorkQueue
 	var mockWatchdog *MockWatchdog
 	var mockGracefulShutdown *MockGracefulShutdown
-	var mockIsolationDetector *MockIsolationDetector
+	var mockIsolationDetector *isolation.MockPodIsolationDetector
 
 	var vmiFeeder *testutils.VirtualMachineFeeder
 	var domainFeeder *testutils.DomainFeeder
@@ -128,7 +128,10 @@ var _ = Describe("VirtualMachineInstance", func() {
 		mockGracefulShutdown = &MockGracefulShutdown{shareDir}
 		config, _, _ := testutils.NewFakeClusterConfig(&k8sv1.ConfigMap{})
 
-		mockIsolationDetector = &MockIsolationDetector{}
+		mockIsolationDetector = isolation.NewMockPodIsolationDetector(ctrl)
+		mockIsolationDetector.EXPECT().Detect(gomock.Any()).Return(&isolation.IsolationResult{}, nil).AnyTimes()
+		mockIsolationDetector.EXPECT().AdjustResources(gomock.Any()).Return(nil).AnyTimes()
+
 		controller = NewController(recorder,
 			virtClient,
 			host,
@@ -1304,24 +1307,6 @@ func (m *MockGracefulShutdown) TriggerShutdown(vmi *v1.VirtualMachineInstance) {
 	Expect(err).NotTo(HaveOccurred())
 }
 
-type MockIsolationDetector struct{}
-
-func (_m *MockIsolationDetector) Detect(vm *v1.VirtualMachineInstance) (*isolation.IsolationResult, error) {
-	return &isolation.IsolationResult{}, nil
-}
-
-func (_m *MockIsolationDetector) DetectForSocket(vm *v1.VirtualMachineInstance, socket string) (*isolation.IsolationResult, error) {
-	return nil, nil
-}
-
-func (_m *MockIsolationDetector) Whitelist(controller []string) isolation.PodIsolationDetector {
-	return _m
-}
-
-func (_m *MockIsolationDetector) AdjustResources(vm *v1.VirtualMachineInstance) error {
-	return nil
-}
-
 type MockWatchdog struct {
 	baseDir string
 }

From 228587f908ed3304a926d7a9d1cc34ba93698d86 Mon Sep 17 00:00:00 2001
From: Ihar Hrachyshka <ihar@redhat.com>
Date: Thu, 22 Aug 2019 23:04:18 +0300
Subject: [PATCH 5/6] Don't adjust RLIMIT_MEMLOCK for libvirtd unless VFIO is
 attached

Libvirtd configures the limit in particular domain configurations
only. This limit adjustment is of no use for VMIs not attached to
VFIO.
---
 pkg/util/BUILD.bazel                     |  1 +
 pkg/util/util.go                         | 13 +++++++++++++
 pkg/virt-controller/services/BUILD.bazel |  1 +
 pkg/virt-controller/services/template.go | 12 ++----------
 pkg/virt-handler/isolation/BUILD.bazel   |  1 +
 pkg/virt-handler/isolation/isolation.go  |  6 ++++++
 6 files changed, 24 insertions(+), 10 deletions(-)

diff --git a/pkg/util/BUILD.bazel b/pkg/util/BUILD.bazel
index b7f0f4afd4f9..0eb66ebdb53a 100644
--- a/pkg/util/BUILD.bazel
+++ b/pkg/util/BUILD.bazel
@@ -8,4 +8,5 @@ go_library(
     ],
     importpath = "kubevirt.io/kubevirt/pkg/util",
     visibility = ["//visibility:public"],
+    deps = ["//staging/src/kubevirt.io/client-go/api/v1:go_default_library"],
 )
diff --git a/pkg/util/util.go b/pkg/util/util.go
index 27e15d73e456..ef43c7d7f209 100644
--- a/pkg/util/util.go
+++ b/pkg/util/util.go
@@ -1,6 +1,19 @@
 package util
 
+import (
+	v1 "kubevirt.io/client-go/api/v1"
+)
+
 const ExtensionAPIServerAuthenticationConfigMap = "extension-apiserver-authentication"
 const RequestHeaderClientCAFileKey = "requestheader-client-ca-file"
 const VirtShareDir = "/var/run/kubevirt"
 const VirtLibDir = "/var/lib/kubevirt"
+
+func IsSRIOVVmi(vmi *v1.VirtualMachineInstance) bool {
+	for _, iface := range vmi.Spec.Domain.Devices.Interfaces {
+		if iface.SRIOV != nil {
+			return true
+		}
+	}
+	return false
+}
diff --git a/pkg/virt-controller/services/BUILD.bazel b/pkg/virt-controller/services/BUILD.bazel
index 897ce5e7dcaa..6c1015e11682 100644
--- a/pkg/virt-controller/services/BUILD.bazel
+++ b/pkg/virt-controller/services/BUILD.bazel
@@ -10,6 +10,7 @@ go_library(
         "//pkg/container-disk:go_default_library",
         "//pkg/hooks:go_default_library",
         "//pkg/host-disk:go_default_library",
+        "//pkg/util:go_default_library",
         "//pkg/util/hardware:go_default_library",
         "//pkg/util/net/dns:go_default_library",
         "//pkg/util/types:go_default_library",
diff --git a/pkg/virt-controller/services/template.go b/pkg/virt-controller/services/template.go
index 8a5707c8a093..8142d99563fb 100644
--- a/pkg/virt-controller/services/template.go
+++ b/pkg/virt-controller/services/template.go
@@ -42,6 +42,7 @@ import (
 	"kubevirt.io/kubevirt/pkg/config"
 	containerdisk "kubevirt.io/kubevirt/pkg/container-disk"
 	"kubevirt.io/kubevirt/pkg/hooks"
+	"kubevirt.io/kubevirt/pkg/util"
 	"kubevirt.io/kubevirt/pkg/util/hardware"
 	"kubevirt.io/kubevirt/pkg/util/net/dns"
 	"kubevirt.io/kubevirt/pkg/util/types"
@@ -97,15 +98,6 @@ type templateService struct {
 
 type PvcNotFoundError error
 
-func isSRIOVVmi(vmi *v1.VirtualMachineInstance) bool {
-	for _, iface := range vmi.Spec.Domain.Devices.Interfaces {
-		if iface.SRIOV != nil {
-			return true
-		}
-	}
-	return false
-}
-
 func isFeatureStateEnabled(fs *v1.FeatureState) bool {
 	return fs != nil && fs.Enabled != nil && *fs.Enabled
 }
@@ -354,7 +346,7 @@ func (t *templateService) RenderLaunchManifest(vmi *v1.VirtualMachineInstance) (
 		MountPath: "/var/run/libvirt",
 	})
 
-	if isSRIOVVmi(vmi) {
+	if util.IsSRIOVVmi(vmi) {
 		// libvirt needs this volume to access PCI device config;
 		// note that the volume should not be read-only because libvirt
 		// opens the config for writing
diff --git a/pkg/virt-handler/isolation/BUILD.bazel b/pkg/virt-handler/isolation/BUILD.bazel
index 3e8e371d7c8d..39cd40b439a6 100644
--- a/pkg/virt-handler/isolation/BUILD.bazel
+++ b/pkg/virt-handler/isolation/BUILD.bazel
@@ -11,6 +11,7 @@ go_library(
     visibility = ["//visibility:public"],
     deps = [
         "//pkg/container-disk:go_default_library",
+        "//pkg/util:go_default_library",
         "//pkg/virt-handler/cmd-client:go_default_library",
         "//staging/src/kubevirt.io/client-go/api/v1:go_default_library",
         "//staging/src/kubevirt.io/client-go/log:go_default_library",
diff --git a/pkg/virt-handler/isolation/isolation.go b/pkg/virt-handler/isolation/isolation.go
index 7198081e81b2..8383e38baf44 100644
--- a/pkg/virt-handler/isolation/isolation.go
+++ b/pkg/virt-handler/isolation/isolation.go
@@ -44,6 +44,7 @@ import (
 
 	v1 "kubevirt.io/client-go/api/v1"
 	"kubevirt.io/client-go/log"
+	"kubevirt.io/kubevirt/pkg/util"
 	cmdclient "kubevirt.io/kubevirt/pkg/virt-handler/cmd-client"
 )
 
@@ -144,6 +145,11 @@ func prLimit(pid int, limit uintptr, rlimit *unix.Rlimit) error {
 }
 
 func (s *socketBasedIsolationDetector) AdjustResources(vm *v1.VirtualMachineInstance) error {
+	// only VFIO attached domains require MEMLOCK adjustment
+	if !util.IsSRIOVVmi(vm) {
+		return nil
+	}
+
 	// bump memlock ulimit for libvirtd
 	res, err := s.Detect(vm)
 	if err != nil {

From 17db9749fc3411bd0daa84022ebbff4e4411f255 Mon Sep 17 00:00:00 2001
From: Ihar Hrachyshka <ihrachys@redhat.com>
Date: Mon, 26 Aug 2019 07:03:29 -0700
Subject: [PATCH 6/6] Document how we estimate memory lock size for libvirtd

---
 pkg/virt-handler/isolation/isolation.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/pkg/virt-handler/isolation/isolation.go b/pkg/virt-handler/isolation/isolation.go
index 8383e38baf44..5f0be2517af3 100644
--- a/pkg/virt-handler/isolation/isolation.go
+++ b/pkg/virt-handler/isolation/isolation.go
@@ -193,6 +193,8 @@ func (s *socketBasedIsolationDetector) AdjustResources(vm *v1.VirtualMachineInst
 }
 
 // consider reusing getMemoryOverhead()
+// This is not scientific, but neither what libvirtd does is. See details in:
+// https://www.redhat.com/archives/libvirt-users/2019-August/msg00051.html
 func getMemlockSize(vm *v1.VirtualMachineInstance) (int64, error) {
 	memlockSize := resource.NewQuantity(0, resource.DecimalSI)