Merge pull request #26391 from timstclair/containerd

Automatic merge from submit-queue

Move containerd process into docker cgroup for versions >= v1.11

Addresses https://github.com/kubernetes/kubernetes/issues/23397#issuecomment-209583923

/cc @vishh @kubernetes/sig-node

pkg/kubelet/cm/container_manager_linux.go

@@ -29,6 +29,7 @@ import (
 	"sync"
 	"time"
 
+	"github.com/blang/semver"
 	"github.com/golang/glog"
 	"github.com/opencontainers/runc/libcontainer/cgroups"
 	"github.com/opencontainers/runc/libcontainer/cgroups/fs"
@@ -56,6 +57,13 @@ const (
 
 	dockerProcessName     = "docker"
 	dockerPidFile         = "/var/run/docker.pid"
+	containerdProcessName = "docker-containerd"
+	containerdPidFile     = "/run/docker/libcontainerd/docker-containerd.pid"
+)
+
+var (
+	// The docker version in which containerd was introduced.
+	containerdVersion = semver.MustParse("1.11.0")
 )
 
 // A non-user container tracked by the Kubelet.
@@ -261,8 +269,9 @@ func (cm *containerManagerImpl) setupNode() error {
 					},
 				},
 			}
+			dockerVersion := getDockerVersion(cm.cadvisorInterface)
 			cont.ensureStateFunc = func(manager *fs.Manager) error {
-				return ensureDockerInContainer(cm.cadvisorInterface, -900, dockerContainer)
+				return ensureDockerInContainer(dockerVersion, -900, dockerContainer)
 			}
 			systemContainers = append(systemContainers, cont)
 		} else {
@@ -370,6 +379,7 @@ func (cm *containerManagerImpl) Start() error {
 		}
 	}
 	if numEnsureStateFuncs >= 0 {
+		// Run ensure state functions every minute.
 		go wait.Until(func() {
 			for _, cont := range cm.systemContainers {
 				if cont.ensureStateFunc != nil {
@@ -382,7 +392,6 @@ func (cm *containerManagerImpl) Start() error {
 
 	}
 
-	// Run ensure state functions every minute.
 	if len(cm.periodicTasks) > 0 {
 		go wait.Until(func() {
 			for _, task := range cm.periodicTasks {
@@ -472,23 +481,41 @@ func getPidsForProcess(name, pidFile string) ([]int, error) {
 }
 
 // Ensures that the Docker daemon is in the desired container.
-func ensureDockerInContainer(cadvisor cadvisor.Interface, oomScoreAdj int, manager *fs.Manager) error {
+func ensureDockerInContainer(dockerVersion semver.Version, oomScoreAdj int, manager *fs.Manager) error {
-	pids, err := getPidsForProcess(dockerProcessName, dockerPidFile)
+	type process struct{ name, file string }
-	if err != nil {
+	dockerProcs := []process{{dockerProcessName, dockerPidFile}}
-		return err
+	if dockerVersion.GTE(containerdVersion) {
+		dockerProcs = append(dockerProcs, process{containerdProcessName, containerdPidFile})
 	}
-	// Move if the pid is not already in the desired container.
+
-	errs := []error{}
+	var errs []error
-	for _, pid := range pids {
+	for _, proc := range dockerProcs {
-		if runningInHost, err := isProcessRunningInHost(pid); err != nil {
+		pids, err := getPidsForProcess(proc.name, proc.file)
-			errs = append(errs, err)
+		if err != nil {
-			// Err on the side of caution. Avoid moving the docker daemon unless we are able to identify its context.
+			errs = append(errs, fmt.Errorf("failed to get pids for %q: %v", proc.name, err))
-			continue
-		} else if !runningInHost {
-			// Docker daemon is running inside a container. Don't touch that.
 			continue
 		}
 
+		// Move if the pid is not already in the desired container.
+		for _, pid := range pids {
+			if err := ensureProcessInContainer(pid, oomScoreAdj, manager); err != nil {
+				errs = append(errs, fmt.Errorf("errors moving %q pid: %v", proc.name, err))
+			}
+		}
+	}
+	return utilerrors.NewAggregate(errs)
+}
+
+func ensureProcessInContainer(pid int, oomScoreAdj int, manager *fs.Manager) error {
+	if runningInHost, err := isProcessRunningInHost(pid); err != nil {
+		// Err on the side of caution. Avoid moving the docker daemon unless we are able to identify its context.
+		return err
+	} else if !runningInHost {
+		// Process is running inside a container. Don't touch that.
+		return nil
+	}
+
+	var errs []error
 	cont, err := getContainer(pid)
 	if err != nil {
 		errs = append(errs, fmt.Errorf("failed to find container of PID %d: %v", pid, err))
@@ -506,8 +533,6 @@ func ensureDockerInContainer(cadvisor cadvisor.Interface, oomScoreAdj int, manag
 	if err := oomAdjuster.ApplyOOMScoreAdj(pid, oomScoreAdj); err != nil {
 		errs = append(errs, fmt.Errorf("failed to apply oom score %d to PID %d", oomScoreAdj, pid))
 	}
-	}
-
 	return utilerrors.NewAggregate(errs)
 }
 
@@ -585,3 +610,19 @@ func isKernelPid(pid int) bool {
 	_, err := os.Readlink(fmt.Sprintf("/proc/%d/exe", pid))
 	return err != nil
 }
+
+// Helper for getting the docker version.
+func getDockerVersion(cadvisor cadvisor.Interface) semver.Version {
+	var fallback semver.Version // Fallback to zero-value by default.
+	versions, err := cadvisor.VersionInfo()
+	if err != nil {
+		glog.Errorf("Error requesting cAdvisor VersionInfo: %v", err)
+		return fallback
+	}
+	dockerVersion, err := semver.Parse(versions.DockerVersion)
+	if err != nil {
+		glog.Errorf("Error parsing docker version %q: %v", versions.DockerVersion, err)
+		return fallback
+	}
+	return dockerVersion
+}