Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add stats support for job containers #979

Merged
merged 1 commit into from
Apr 2, 2021

Conversation

dcantah
Copy link
Contributor

@dcantah dcantah commented Mar 19, 2021

  • Add PropertiesV2 and Properties calls for host process containers. The only supported queries for them are
    PropertiesV2: Statistics
    Properties: ProcessList
  • Add NtQuerySystemInformation and SYSTEM_PROCESS_INFORMATION binds.

This work will be utilized in the containerd shim just as the PropertiesV2 and Properties calls
are today for process and hv isolated containers.

Signed-off-by: Daniel Canter [email protected]

@dcantah dcantah requested a review from a team as a code owner March 19, 2021 23:49
@dcantah
Copy link
Contributor Author

dcantah commented Mar 19, 2021

Should we just rename the jobcontainers package to hostprocess, this is so confusing making a PR for this stuff everytime haha

@dcantah dcantah force-pushed the hostprocess-stats branch from 91ff222 to 6066d2b Compare March 19, 2021 23:54
@kevpar
Copy link
Member

kevpar commented Mar 22, 2021

Should we just rename the jobcontainers package to hostprocess, this is so confusing making a PR for this stuff everytime haha

My opinion is we should keep job containers used as the name here. The fact that this low-level implementation is surfaced via a different name is kind of something we shouldn't care about. Just like how enabling many capabilities is called "privileged" at a high level for Linux containers.

@dcantah
Copy link
Contributor Author

dcantah commented Mar 22, 2021

Should we just rename the jobcontainers package to hostprocess, this is so confusing making a PR for this stuff everytime haha

My opinion is we should keep job containers used as the name here. The fact that this low-level implementation is surfaced via a different name is kind of something we shouldn't care about. Just like how enabling many capabilities is called "privileged" at a high level for Linux containers.

That sounds fine to me (and makes sense), just might be a bit odd for "job container" to pop up in error strings for k8s

@dcantah dcantah changed the title Add stats support for host process containers Add stats support for job containers Mar 23, 2021
if systemProcInfo.NextEntryOffset == 0 {
break
}
systemProcInfo = (*winapi.SYSTEM_PROCESS_INFORMATION)(unsafe.Pointer(uintptr(unsafe.Pointer(systemProcInfo)) + uintptr(systemProcInfo.NextEntryOffset)))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's unclear to me if this is a safe operation. According to the unsafe package description:

Unlike in C, it is not valid to advance a pointer just beyond the end of its original allocation:

// INVALID: end points outside allocated space.
var s thing
end = unsafe.Pointer(uintptr(unsafe.Pointer(&s)) + unsafe.Sizeof(s))

// INVALID: end points outside allocated space.
b := make([]byte, n)
end = unsafe.Pointer(uintptr(unsafe.Pointer(&b[0])) + uintptr(n))

So I would think that since you previously cast systemProcInfo to a SYSTEM_PROCESS_INFORMATION pointer, then using pointer arithmetic with that beyond it's size would be invalid too even though we know that there's memory there that we've allocated and can access. IDK this may not be super relevant in this case.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I had a couple iterations of this that failed checkptr, but this passes so I'm erring on the side of this is fine but I'm open to keep digging here

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My take is this is okay because the "original allocation" in this case is the make([]byte, size) on line 566, and we never advance past that allocation.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

On the other hand, it would probably be a good idea to validate each NextEntryOffset and make sure it's still within the bounds of size.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@kevpar Done, sorry for delay

@dcantah dcantah force-pushed the hostprocess-stats branch 3 times, most recently from 92cff66 to f260fa0 Compare March 30, 2021 07:23
* Add PropertiesV2 and Properties calls for host process containers. The only supported queries for them are
PropertiesV2: Statistics
Properties: ProcessList
* Add NtQuerySystemInformation and SYSTEM_PROCESS_INFORMATION binds.

This work will be utilized in the containerd shim just as the PropertiesV2 and Properties calls
are today for process and hv isolated containers.

Signed-off-by: Daniel Canter <[email protected]>
@dcantah dcantah force-pushed the hostprocess-stats branch from f260fa0 to 012856b Compare March 30, 2021 23:46
Copy link
Contributor

@katiewasnothere katiewasnothere left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants