JDK-8293472: Incorrect container resource limit detection if manual cgroup fs mounts present

[casparcwang]

Similar to JDK-8253435, when setting the mount path of cgroup controller "memory/cpu/cpuacct/pids", it should also discard duplicate items.

---

Progress

• Change must be properly reviewed (1 review required, with at least 1 Reviewer)
• Change must not contain extraneous whitespace
• Commit message must refer to an issue

Issue

• JDK-8293472: Incorrect container resource limit detection if manual cgroup fs mounts present

Reviewers

• Severin Gehwolf (@jerboaa - Reviewer)
• Ioi Lam (@iklam - Reviewer) ⚠️ Review applies to c4109d65

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk pull/10193/head:pull/10193
$ git checkout pull/10193

Update a local copy of the PR:
$ git checkout pull/10193
$ git pull https://git.openjdk.org/jdk pull/10193/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 10193

View PR using the GUI difftool:
$ git pr show -t 10193

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/10193.diff

[bridgekeeper]

👋 Welcome back casparcwang! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[openjdk]

@casparcwang The following label will be automatically applied to this pull request:

• hotspot-runtime

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command.

[mlbridge]

Webrevs

• 12: Full - Incremental (8170214f)
• 11: Full - Incremental (c4109d65)
• 10: Full - Incremental (9bc1f325)
• 09: Full - Incremental (68507d02)
• 08: Full - Incremental (380054b4)
• 07: Full - Incremental (20cc4853)
• 06: Full - Incremental (68008b00)
• 05: Full - Incremental (5b73d9dd)
• 04: Full - Incremental (338a0954)
• 03: Full - Incremental (3eed0907)
• 02: Full - Incremental (87306283)
• 01: Full - Incremental (f989ad13)
• 00: Full (eb9c58b0)

[jerboaa]

Looks mostly good. https://bugs.openjdk.org/browse/JDK-8270087 seems to be an early sighting of this. It mentions a reproducer, manually mount /sys/fs/cgroup from the host into the container. Please write a container test asserting that no warnings get produced. Perhaps use test/hotspot/jtreg/containers/docker/DockerBasicTest.java and write a new test method javaVersionWithCgMounts or some such, which verifies no warning shows up on stdout.

[jerboaa]

My testing on cgv2 and cgv1 indicates that we might have a container resource limit detection problem depending on the order of mountinfo entries are observed at runtime. Please add memory and cpu limit container detection tests which do -v /sys/fs/cgroup:/cgroups-in:ro as a volume mount in addition. Thanks!

[casparcwang]

Looks mostly good. https://bugs.openjdk.org/browse/JDK-8270087 seems to be an early sighting of this. It mentions a reproducer, manually mount /sys/fs/cgroup from the host into the container. Please write a container test asserting that no warnings get produced. Perhaps use test/hotspot/jtreg/containers/docker/DockerBasicTest.java and write a new test method javaVersionWithCgMounts or some such, which verifies no warning shows up on stdout.

Thank you very much for the reviewing. I have not noticed JDK-8270087 before, sorry about filing a duplicate jdk bug.

My testing on cgv2 and cgv1 indicates that we might have a container resource limit detection problem depending on the order of mountinfo entries are observed at runtime. Please add memory and cpu limit container detection tests which do -v /sys/fs/cgroup:/cgroups-in:ro as a volume mount in addition. Thanks!

The container resource limit detection problem is also fixed when there are multiple cgroup fs mount entries, it is caused by multiple setting of root mount path in function CgroupSubsystemFactory::determine_type.

[jerboaa]

We definitely need regression tests for memory/cpu limits with those additional cgroup mounts.
Please take a look at test/hotspot/jtreg/containers/docker/TestCPUAwareness.java and test/hotspot/jtreg/containers/docker/TestMemoryAwareness.java

For cgroups v2 the issues isn't fixed. The paths for cg v2 are being set here:
https://github.com/openjdk/jdk/blob/98da03af50e2372817a7b5e381eea5ee6f2cb919/src/hotspot/os/linux/cgroupSubsystem_linux.cpp#L303..L313.

Example of running (with your patch on a cg v2 system):

$ sudo podman run --rm -ti --memory=300M --memory-swap=300M -v /sys/fs/cgroup:/cgroup-in:ro -v $(pwd)/jdk20-jdk:/opt/jdk:z fedora:36 /opt/jdk/bin/java -Xlog:os+container=trace -version 2>&1 | grep 'Memory Limit'
[0.001s][trace][os,container] Memory Limit is: -2
[0.055s][trace][os,container] Memory Limit is: -2

Expected:

[0.001s][trace][os,container] Memory Limit is: 314572800
[0.068s][trace][os,container] Memory Limit is: 314572800

[casparcwang]

We definitely need regression tests for memory/cpu limits with those additional cgroup mounts. Please take a look at test/hotspot/jtreg/containers/docker/TestCPUAwareness.java and test/hotspot/jtreg/containers/docker/TestMemoryAwareness.java

For cgroups v2 the issues isn't fixed. The paths for cg v2 are being set here: https://github.com/openjdk/jdk/blob/98da03af50e2372817a7b5e381eea5ee6f2cb919/src/hotspot/os/linux/cgroupSubsystem_linux.cpp#L303..L313.

Example of running (with your patch on a cg v2 system):

$ sudo podman run --rm -ti --memory=300M --memory-swap=300M -v /sys/fs/cgroup:/cgroup-in:ro -v $(pwd)/jdk20-jdk:/opt/jdk:z fedora:36 /opt/jdk/bin/java -Xlog:os+container=trace -version 2>&1 | grep 'Memory Limit'
[0.001s][trace][os,container] Memory Limit is: -2
[0.055s][trace][os,container] Memory Limit is: -2

Expected:

[0.001s][trace][os,container] Memory Limit is: 314572800
[0.068s][trace][os,container] Memory Limit is: 314572800

I have add a cgroup v2 test with duplicate mount info, now it's working for cgroup v2.

[jerboaa]

Thanks for the updates! A few more thoughts.

[jerboaa]

Looks good to me. Feel free to add the suggestion.

[openjdk]

⚠️ @casparcwang the full name on your profile does not match the author name in this pull requests' HEAD commit. If this pull request gets integrated then the author name from this pull requests' HEAD commit will be used for the resulting commit. If you wish to push a new commit with a different author name, then please run the following commands in a local repository of your personal fork:

$ git checkout JDK-8293472
$ git commit --author='Preferred Full Name <you@example.com>' --allow-empty -m 'Update full name'
$ git push

[openjdk]

@casparcwang This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8293472: Incorrect container resource limit detection if manual cgroup fs mounts present

Reviewed-by: sgehwolf, iklam

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 105 new commits pushed to the master branch:

• 1caba0f: 8292948: JEditorPane ignores font-size styles in external linked css-file
• eeb625e: 8290169: adlc: Improve child constraints for vector unary operations
• 2057070: 8293815: P11PSSSignature.engineUpdate should not print debug messages during normal operation
• 7376c55: 8293769: RISC-V: Add a second temporary register for BarrierSetAssembler::load_at
• d191e47: 8293768: Add links to JLS 19 and 20 from SourceVersion enum constants
• a75ddb8: 8293122: (fs) Use file cloning in macOS version of Files::copy method
• 95c7c55: 8293402: hs-err file printer should reattempt stack trace printing if it fails
• 211fab8: 8291669: [REDO] Fix array range check hoisting for some scaled loop iv
• 7f3250d: 8293787: Linux aarch64 build fails after 8292591
• 2a38791: 8292755: Non-default method in interface leads to a stack overflow in JShell
• ... and 95 more: https://git.openjdk.org/jdk/compare/ef20ffe4d222d48f0bdba81a0b864d9fb455e9a6...master

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

As you do not have Committer status in this project an existing Committer must agree to sponsor your change. Possible candidates are the reviewers of this PR (@jerboaa, @iklam) but any other Committer may sponsor as well.

➡️ To flag this PR as ready for integration with the above commit message, type /integrate in a new comment. (Afterwards, your sponsor types /sponsor in a new comment to perform the integration).

[casparcwang]

/integrate

[openjdk]

@casparcwang
Your change (at version 380054b) is now ready to be sponsored by a Committer.

[casparcwang]

Is it OK to be pushed? Or shall we wait for one more review?

[jerboaa]

Is it OK to be pushed? Or shall we wait for one more review?

A second review would be good. Perhaps @iklam has some cycles?

[iklam]

Looks good to me. Just a small nit on the test,

[jerboaa]

Still good for me.

[jerboaa]

@casparcwang Feel free to issue /integrate again and I'll sponsor. Thanks!

[casparcwang]

/integrate

[casparcwang]

@casparcwang Feel free to issue /integrate again and I'll sponsor. Thanks!

Thank you very much!

[openjdk]

@casparcwang
Your change (at version 8170214) is now ready to be sponsored by a Committer.

[jerboaa]

/sponsor

[openjdk]

Going to push as commit 8f3bbe9.
Since your change was applied there have been 105 commits pushed to the master branch:

• 1caba0f: 8292948: JEditorPane ignores font-size styles in external linked css-file
• eeb625e: 8290169: adlc: Improve child constraints for vector unary operations
• 2057070: 8293815: P11PSSSignature.engineUpdate should not print debug messages during normal operation
• 7376c55: 8293769: RISC-V: Add a second temporary register for BarrierSetAssembler::load_at
• d191e47: 8293768: Add links to JLS 19 and 20 from SourceVersion enum constants
• a75ddb8: 8293122: (fs) Use file cloning in macOS version of Files::copy method
• 95c7c55: 8293402: hs-err file printer should reattempt stack trace printing if it fails
• 211fab8: 8291669: [REDO] Fix array range check hoisting for some scaled loop iv
• 7f3250d: 8293787: Linux aarch64 build fails after 8292591
• 2a38791: 8292755: Non-default method in interface leads to a stack overflow in JShell
• ... and 95 more: https://git.openjdk.org/jdk/compare/ef20ffe4d222d48f0bdba81a0b864d9fb455e9a6...master

Your commit was automatically rebased without conflicts.

[openjdk]

@jerboaa @casparcwang Pushed as commit 8f3bbe9.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.