package container
import (
"context"
"fmt"
"os"
"strconv"
"strings"
"testing"
"time"
"github.com/moby/moby/api/types/blkiodev"
containertypes "github.com/moby/moby/api/types/container"
"github.com/moby/moby/client"
"github.com/moby/moby/v2/integration/internal/container"
"github.com/moby/moby/v2/internal/testutil"
"github.com/moby/moby/v2/internal/testutil/request"
"golang.org/x/sys/unix"
"gotest.tools/v3/assert"
is "gotest.tools/v3/assert/cmp"
"gotest.tools/v3/skip"
)
func TestUpdateMemory(t *testing.T) {
skip.If(t, testEnv.DaemonInfo.OSType == "windows")
skip.If(t, testEnv.DaemonInfo.CgroupDriver == "none")
skip.If(t, !testEnv.DaemonInfo.MemoryLimit)
skip.If(t, !testEnv.DaemonInfo.SwapLimit)
ctx := setupTest(t)
apiClient := testEnv.APIClient()
cID := container.Run(ctx, t, apiClient, func(c *container.TestContainerConfig) {
c.HostConfig.Resources = containertypes.Resources{
Memory: 200 * 1024 * 1024,
}
})
const (
setMemory int64 = 314572800
setMemorySwap int64 = 524288000
)
_, err := apiClient.ContainerUpdate(ctx, cID, client.ContainerUpdateOptions{
Resources: &containertypes.Resources{
Memory: setMemory,
MemorySwap: setMemorySwap,
},
})
assert.NilError(t, err)
inspect, err := apiClient.ContainerInspect(ctx, cID, client.ContainerInspectOptions{})
assert.NilError(t, err)
assert.Check(t, is.Equal(setMemory, inspect.Container.HostConfig.Memory))
assert.Check(t, is.Equal(setMemorySwap, inspect.Container.HostConfig.MemorySwap))
memoryFile := "/sys/fs/cgroup/memory/memory.limit_in_bytes"
if testEnv.DaemonInfo.CgroupVersion == "2" {
memoryFile = "/sys/fs/cgroup/memory.max"
}
res, err := container.Exec(ctx, apiClient, cID,
[]string{"cat", memoryFile})
assert.NilError(t, err)
assert.Assert(t, is.Len(res.Stderr(), 0))
assert.Equal(t, 0, res.ExitCode)
assert.Check(t, is.Equal(strconv.FormatInt(setMemory, 10), strings.TrimSpace(res.Stdout())))
// see ConvertMemorySwapToCgroupV2Value() for the convention:
// https://github.com/opencontainers/runc/commit/c86be8a2c118ca7bad7bbe9eaf106c659a83940d
if testEnv.DaemonInfo.CgroupVersion == "2" {
res, err = container.Exec(ctx, apiClient, cID,
[]string{"cat", "/sys/fs/cgroup/memory.swap.max"})
assert.NilError(t, err)
assert.Assert(t, is.Len(res.Stderr(), 0))
assert.Equal(t, 0, res.ExitCode)
assert.Check(t, is.Equal(strconv.FormatInt(setMemorySwap-setMemory, 10), strings.TrimSpace(res.Stdout())))
} else {
res, err = container.Exec(ctx, apiClient, cID,
[]string{"cat", "/sys/fs/cgroup/memory/memory.memsw.limit_in_bytes"})
assert.NilError(t, err)
assert.Assert(t, is.Len(res.Stderr(), 0))
assert.Equal(t, 0, res.ExitCode)
assert.Check(t, is.Equal(strconv.FormatInt(setMemorySwap, 10), strings.TrimSpace(res.Stdout())))
}
}
func TestUpdateCPUQuota(t *testing.T) {
skip.If(t, testEnv.DaemonInfo.CgroupDriver == "none")
ctx := setupTest(t)
apiClient := testEnv.APIClient()
cID := container.Run(ctx, t, apiClient)
for _, test := range []struct {
desc string
update int64
}{
{desc: "some random value", update: 15000},
{desc: "a higher value", update: 20000},
{desc: "a lower value", update: 10000},
{desc: "unset value", update: -1},
} {
if testEnv.DaemonInfo.CgroupVersion == "2" {
// On v2, specifying CPUQuota without CPUPeriod is currently broken:
// https://github.com/opencontainers/runc/issues/2456
// As a workaround we set them together.
_, err := apiClient.ContainerUpdate(ctx, cID, client.ContainerUpdateOptions{
Resources: &containertypes.Resources{
CPUQuota: test.update,
CPUPeriod: 100000,
},
})
assert.NilError(t, err)
} else {
_, err := apiClient.ContainerUpdate(ctx, cID, client.ContainerUpdateOptions{
Resources: &containertypes.Resources{
CPUQuota: test.update,
},
})
assert.NilError(t, err)
}
inspect, err := apiClient.ContainerInspect(ctx, cID, client.ContainerInspectOptions{})
assert.NilError(t, err)
assert.Check(t, is.Equal(test.update, inspect.Container.HostConfig.CPUQuota))
if testEnv.DaemonInfo.CgroupVersion == "2" {
res, err := container.Exec(ctx, apiClient, cID,
[]string{"/bin/cat", "/sys/fs/cgroup/cpu.max"})
assert.NilError(t, err)
assert.Assert(t, is.Len(res.Stderr(), 0))
assert.Equal(t, 0, res.ExitCode)
quotaPeriodPair := strings.Fields(res.Stdout())
quota := quotaPeriodPair[0]
if test.update == -1 {
assert.Check(t, is.Equal("max", quota))
} else {
assert.Check(t, is.Equal(strconv.FormatInt(test.update, 10), quota))
}
} else {
res, err := container.Exec(ctx, apiClient, cID,
[]string{"/bin/cat", "/sys/fs/cgroup/cpu/cpu.cfs_quota_us"})
assert.NilError(t, err)
assert.Assert(t, is.Len(res.Stderr(), 0))
assert.Equal(t, 0, res.ExitCode)
assert.Check(t, is.Equal(strconv.FormatInt(test.update, 10), strings.TrimSpace(res.Stdout())))
}
}
}
func TestUpdatePidsLimit(t *testing.T) {
skip.If(t, testEnv.DaemonInfo.OSType == "windows")
skip.If(t, testEnv.DaemonInfo.CgroupDriver == "none")
skip.If(t, !testEnv.DaemonInfo.PidsLimit)
ctx := setupTest(t)
apiClient := testEnv.APIClient()
oldAPIClient := request.NewAPIClient(t, client.WithAPIVersion("1.24"))
intPtr := func(i int64) *int64 {
return &i
}
for _, test := range []struct {
desc string
oldAPI bool
initial *int64
update *int64
expect int64
expectCg string
}{
{desc: "update from none", update: intPtr(32), expect: 32, expectCg: "32"},
{desc: "no change", initial: intPtr(32), expect: 32, expectCg: "32"},
{desc: "update lower", initial: intPtr(32), update: intPtr(16), expect: 16, expectCg: "16"},
{desc: "update on old api ignores value", oldAPI: true, initial: intPtr(32), update: intPtr(16), expect: 32, expectCg: "32"},
{desc: "unset limit with zero", initial: intPtr(32), update: intPtr(0), expect: 0, expectCg: "max"},
{desc: "unset limit with minus one", initial: intPtr(32), update: intPtr(-1), expect: 0, expectCg: "max"},
{desc: "unset limit with minus two", initial: intPtr(32), update: intPtr(-2), expect: 0, expectCg: "max"},
} {
c := apiClient
if test.oldAPI {
c = oldAPIClient
}
t.Run(test.desc, func(t *testing.T) {
ctx := testutil.StartSpan(ctx, t)
// Using "network=host" to speed up creation (13.96s vs 6.54s)
cID := container.Run(ctx, t, apiClient, container.WithPidsLimit(test.initial), container.WithNetworkMode("host"))
_, err := c.ContainerUpdate(ctx, cID, client.ContainerUpdateOptions{
Resources: &containertypes.Resources{
PidsLimit: test.update,
},
})
assert.NilError(t, err)
inspect, err := c.ContainerInspect(ctx, cID, client.ContainerInspectOptions{})
assert.NilError(t, err)
assert.Assert(t, inspect.Container.HostConfig.Resources.PidsLimit != nil)
assert.Equal(t, *inspect.Container.HostConfig.Resources.PidsLimit, test.expect)
ctx, cancel := context.WithTimeout(ctx, 60*time.Second)
defer cancel()
pidsFile := "/sys/fs/cgroup/pids/pids.max"
if testEnv.DaemonInfo.CgroupVersion == "2" {
pidsFile = "/sys/fs/cgroup/pids.max"
}
res, err := container.Exec(ctx, c, cID, []string{"cat", pidsFile})
assert.NilError(t, err)
assert.Assert(t, is.Len(res.Stderr(), 0))
out := strings.TrimSpace(res.Stdout())
assert.Equal(t, out, test.expectCg)
})
}
}
// blkioTestDevice finds a usable block device on the host by examining the
// device backing the root filesystem. The returned path (e.g. "/dev/sda")
// and the decimal major:minor string are suitable for docker update flags and
// cgroup file lookups respectively.
func blkioTestDevice(t *testing.T) (devPath, majMin string) {
t.Helper()
var st unix.Stat_t
assert.NilError(t, unix.Stat("/", &st), "stat /")
major := unix.Major(st.Dev)
minor := unix.Minor(st.Dev)
// Resolve the device name via sysfs so we get a real /dev/… path.
uevent, err := os.ReadFile(fmt.Sprintf("/sys/dev/block/%d:%d/uevent", major, minor))
if err != nil {
t.Skipf("cannot resolve block device for / from sysfs: %v", err)
}
var name string
for _, line := range strings.Split(string(uevent), "\n") {
if after, ok := strings.CutPrefix(line, "DEVNAME="); ok {
name = strings.TrimSpace(after)
break
}
}
if name == "" {
t.Skip("DEVNAME not found in sysfs uevent for / block device")
}
return "/dev/" + name, fmt.Sprintf("%d:%d", major, minor)
}
// parseIOMax returns the value of field (rbps/wbps/riops/wiops) for the given
// major:minor device from a cgroup v2 io.max file content.
func parseIOMax(content, majMin, field string) string {
for _, line := range strings.Split(content, "\n") {
if !strings.HasPrefix(line, majMin+" ") {
continue
}
for _, part := range strings.Fields(line[len(majMin)+1:]) {
if k, v, ok := strings.Cut(part, "="); ok && k == field {
return v
}
}
}
return ""
}
// TestUpdateBlkioThrottleDevices verifies that docker update correctly applies
// per-device blkio throttle limits to the container's cgroup.
//
// On cgroup v2 the limits are reflected in /sys/fs/cgroup/io.max inside the
// container. On cgroup v1 only the API-level values are verified (the blkio
// throttle files are not bind-mounted into the container namespace).
func TestUpdateBlkioThrottleDevices(t *testing.T) {
skip.If(t, testEnv.DaemonInfo.OSType == "windows")
skip.If(t, testEnv.DaemonInfo.CgroupDriver == "none")
devPath, majMin := blkioTestDevice(t)
ctx := setupTest(t)
apiClient := testEnv.APIClient()
cID := container.Run(ctx, t, apiClient)
const (
readBps uint64 = 5 * 1024 * 1024 // 5 MiB/s
writeBps uint64 = 2 * 1024 * 1024 // 2 MiB/s
readIops uint64 = 100
writeIops uint64 = 50
)
_, err := apiClient.ContainerUpdate(ctx, cID, client.ContainerUpdateOptions{
Resources: &containertypes.Resources{
BlkioDeviceReadBps: []*blkiodev.ThrottleDevice{{Path: devPath, Rate: readBps}},
BlkioDeviceWriteBps: []*blkiodev.ThrottleDevice{{Path: devPath, Rate: writeBps}},
BlkioDeviceReadIOps: []*blkiodev.ThrottleDevice{{Path: devPath, Rate: readIops}},
BlkioDeviceWriteIOps: []*blkiodev.ThrottleDevice{{Path: devPath, Rate: writeIops}},
},
})
assert.NilError(t, err)
// Verify API-level values are persisted.
inspect, err := apiClient.ContainerInspect(ctx, cID, client.ContainerInspectOptions{})
assert.NilError(t, err)
assert.Assert(t, is.Len(inspect.Container.HostConfig.BlkioDeviceReadBps, 1))
assert.Check(t, is.Equal(inspect.Container.HostConfig.BlkioDeviceReadBps[0].Rate, readBps))
assert.Assert(t, is.Len(inspect.Container.HostConfig.BlkioDeviceWriteBps, 1))
assert.Check(t, is.Equal(inspect.Container.HostConfig.BlkioDeviceWriteBps[0].Rate, writeBps))
assert.Assert(t, is.Len(inspect.Container.HostConfig.BlkioDeviceReadIOps, 1))
assert.Check(t, is.Equal(inspect.Container.HostConfig.BlkioDeviceReadIOps[0].Rate, readIops))
assert.Assert(t, is.Len(inspect.Container.HostConfig.BlkioDeviceWriteIOps, 1))
assert.Check(t, is.Equal(inspect.Container.HostConfig.BlkioDeviceWriteIOps[0].Rate, writeIops))
// On cgroup v2 verify the limits landed in io.max inside the container.
if testEnv.DaemonInfo.CgroupVersion != "2" {
return
}
ctx, cancel := context.WithTimeout(ctx, 30*time.Second)
defer cancel()
res, err := container.Exec(ctx, apiClient, cID, []string{"cat", "/sys/fs/cgroup/io.max"})
assert.NilError(t, err)
assert.Assert(t, is.Len(res.Stderr(), 0))
assert.Equal(t, 0, res.ExitCode)
ioMax := res.Stdout()
assert.Check(t, is.Equal(parseIOMax(ioMax, majMin, "rbps"), strconv.FormatUint(readBps, 10)),
"io.max rbps for %s (io.max content: %q)", majMin, ioMax)
assert.Check(t, is.Equal(parseIOMax(ioMax, majMin, "wbps"), strconv.FormatUint(writeBps, 10)),
"io.max wbps for %s (io.max content: %q)", majMin, ioMax)
assert.Check(t, is.Equal(parseIOMax(ioMax, majMin, "riops"), strconv.FormatUint(readIops, 10)),
"io.max riops for %s (io.max content: %q)", majMin, ioMax)
assert.Check(t, is.Equal(parseIOMax(ioMax, majMin, "wiops"), strconv.FormatUint(writeIops, 10)),
"io.max wiops for %s (io.max content: %q)", majMin, ioMax)
}