Support using cgroups inside run #436

@PhilippWendler

Sometimes the benchmarked process wants to use cgroups itself. BenchExec prevents this (in container mode) by mounting the cgroup hierarchy read-only. If we did not do this, the benchmarked process could interfere with the benchmarking (e.g., by moving itself out of our cgroup, or changing the memory limit).

To fully support this, the following needs to be done:

  1. We need to mount the cgroup mounts in the namespace such that all other cgroups are invisible.
  2. We need to prevent the process from interfering with the limits set in the cgroup that is now the root of the visible hierarchy.
  3. /proc/self/cgroup needs to show the cgroups relative to the new root cgroup.

Item 3. can be achieved with cgroup namespaces. Originally this was planned only for cgroup-v2, which we do not support yet (#133), but it was reworked for cgroup-v1, and at least on Ubuntu 18.04 it is usable.

With cgroup namespaces, Item 1. should also be possible if we remount the cgroup hierarchy. However, I did not yet manage to get the example from the man page working with unprivileged (user) namespaces. An alternative could be bind-mounting the cgroups of the existing hierarchy to the cgroup root.

Item 2. would be doable with cgroup-v2 and nsdelegate (cf. man page). Without cgroup-v2 we could probably do it by using a nested cgroup, where we set the limits in the outer cgroup and make only the inner cgroup available in the container.
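
An added example (not part of the issue and not BenchExec code): what item 3 means on cgroup-v1, parsing `/proc/<pid>/cgroup` and rewriting each path relative to the inner cgroup of the nested layout, the way a cgroup namespace presents it, and flagging hierarchies where the process sits outside that root. The cgroup names and sample lines are constructed; the `/..` form for cgroups outside the root follows cgroup_namespaces(7).

```python
import posixpath

# Constructed sample of /proc/<pid>/cgroup on a cgroup-v1 host (hypothetical names).
SAMPLE = """\
11:memory:/benchexec/run_1/inner
7:cpu,cpuacct:/benchexec/run_1/inner/tool
4:freezer:/user.slice
1:name=systemd:/benchexec/run_1
"""

def parse_proc_cgroup(text):
    """Parse 'hierarchy-ID:controller-list:path' lines into (id, controllers, path)."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        hid, controllers, path = line.split(":", 2)  # the path may itself contain ':'
        entries.append((int(hid), tuple(c for c in controllers.split(",") if c), path))
    return entries

def view_from_namespace(path, ns_root):
    """Path as shown inside a cgroup namespace rooted at ns_root.
    Cgroups outside the root appear with leading '/..' components."""
    rel = posixpath.relpath(path, ns_root)
    return "/" if rel == "." else "/" + rel

def audit(text, ns_roots):
    """Return {controller-list: (visible_path, inside_root)} per managed hierarchy.
    ns_roots maps a controller-list string to the inner cgroup handed to the run."""
    result = {}
    for _hid, controllers, path in parse_proc_cgroup(text):
        key = ",".join(controllers)
        root = ns_roots.get(key)
        if root is None:
            continue  # hierarchy not managed for this run
        visible = view_from_namespace(path, root)
        outside = visible == "/.." or visible.startswith("/../")
        result[key] = (visible, not outside)
    return result

if __name__ == "__main__":
    inner = "/benchexec/run_1/inner"  # limits would be set one level up, in run_1
    roots = {k: inner for k in ("memory", "cpu,cpuacct", "freezer", "name=systemd")}
    for ctrl, (visible, ok) in audit(SAMPLE, roots).items():
        print(f"{ctrl:14} {visible:24} {'ok' if ok else 'OUTSIDE root'}")
```
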
