F #4089: add CPU limitations

share/pkgs/sudoers/centos/opennebula

@@ -2,7 +2,7 @@ Defaults:oneadmin !requiretty
 Defaults:oneadmin secure_path = /sbin:/bin:/usr/sbin:/usr/bin
 
 Cmnd_Alias ONE_CEPH = /usr/bin/rbd
-Cmnd_Alias ONE_FIRECRACKER = /usr/bin/jailer, /usr/bin/mount, /usr/sbin/one-clean-firecracker-domain
+Cmnd_Alias ONE_FIRECRACKER = /usr/bin/jailer, /usr/bin/mount, /usr/sbin/one-clean-firecracker-domain, /usr/sbin/one-prepare-firecracker-domain
 Cmnd_Alias ONE_HA = /usr/bin/systemctl start opennebula-flow, /usr/bin/systemctl stop opennebula-flow, /usr/bin/systemctl start opennebula-gate, /usr/bin/systemctl stop opennebula-gate, /usr/bin/systemctl start opennebula-hem, /usr/bin/systemctl stop opennebula-hem, /usr/sbin/service opennebula-flow start, /usr/sbin/service opennebula-flow stop, /usr/sbin/service opennebula-gate start, /usr/sbin/service opennebula-gate stop, /usr/sbin/service opennebula-hem start, /usr/sbin/service opennebula-hem stop, /usr/sbin/arping, /usr/sbin/ip address *
 Cmnd_Alias ONE_LVM = /usr/sbin/lvcreate, /usr/sbin/lvremove, /usr/sbin/lvs, /usr/sbin/vgdisplay, /usr/sbin/lvchange, /usr/sbin/lvscan, /usr/sbin/lvextend
 Cmnd_Alias ONE_MARKET = /usr/lib/one/sh/create_container_image.sh, /usr/lib/one/sh/create_docker_image.sh

share/pkgs/sudoers/debian/opennebula

@@ -2,7 +2,7 @@ Defaults:oneadmin !requiretty
 Defaults:oneadmin secure_path = /sbin:/bin:/usr/sbin:/usr/bin
 
 Cmnd_Alias ONE_CEPH = /usr/bin/rbd
-Cmnd_Alias ONE_FIRECRACKER = /usr/bin/jailer, /bin/mount, /usr/sbin/one-clean-firecracker-domain
+Cmnd_Alias ONE_FIRECRACKER = /usr/bin/jailer, /bin/mount, /usr/sbin/one-clean-firecracker-domain, /usr/sbin/one-prepare-firecracker-domain
 Cmnd_Alias ONE_HA = /bin/systemctl start opennebula-flow, /bin/systemctl stop opennebula-flow, /bin/systemctl start opennebula-gate, /bin/systemctl stop opennebula-gate, /bin/systemctl start opennebula-hem, /bin/systemctl stop opennebula-hem, /usr/sbin/service opennebula-flow start, /usr/sbin/service opennebula-flow stop, /usr/sbin/service opennebula-gate start, /usr/sbin/service opennebula-gate stop, /usr/sbin/service opennebula-hem start, /usr/sbin/service opennebula-hem stop, /usr/bin/arping, /sbin/ip address *
 Cmnd_Alias ONE_LVM = /sbin/lvcreate, /sbin/lvremove, /sbin/lvs, /sbin/vgdisplay, /sbin/lvchange, /sbin/lvscan, /sbin/lvextend
 Cmnd_Alias ONE_LXD = /snap/bin/lxc, /usr/bin/catfstab, /bin/mount, /bin/umount, /bin/mkdir, /bin/lsblk, /sbin/losetup, /sbin/kpartx, /usr/bin/qemu-nbd, /sbin/blkid, /sbin/e2fsck, /sbin/resize2fs, /usr/sbin/xfs_growfs, /usr/bin/rbd-nbd, /usr/sbin/xfs_admin, /sbin/tune2fs

share/sudoers/sudoers.rb

@@ -61,8 +61,8 @@ def initialize(lib_location)
             :MARKET => %W[#{lib_location}/sh/create_container_image.sh
                           #{lib_location}/sh/create_docker_image.sh  ],
             :FIRECRACKER => %w[/usr/bin/jailer
-                               mount
-                               /usr/sbin/one-clean-firecracker-domain]
+                               /usr/sbin/one-clean-firecracker-domain
+                               /usr/sbin/one-prepare-firecracker-domain]
         }
     end
 

src/vmm_mad/remotes/firecracker/firecrackerrc

@@ -58,6 +58,11 @@
 #
 # Timeout to wait a cgroup to be empty after shutdown/cancel a microVM
 :cgroup_delete_timeout: 60
+#
+# If true the cpu.shares will be set acording to the VM CPU value if false the
+# cpu.shares is left by default which means that all the resources are shared
+# equally acrros the VMs
+:cgroup_cpu_shares: true
 
 ################################################################################
 # NUMA placement Options

src/vmm_mad/remotes/lib/firecracker/microvm.rb

@@ -31,8 +31,9 @@ class MicroVM
     #   List of commands executed by the driver.
     #---------------------------------------------------------------------------
     COMMANDS = {
-        :clean       => 'sudo -n /usr/sbin/one-clean-firecracker-domain',
-        :map_context => '/var/tmp/one/vmm/firecracker/map_context'
+        :clean          => 'sudo -n /usr/sbin/one-clean-firecracker-domain',
+        :map_context    => '/var/tmp/one/vmm/firecracker/map_context',
+        :prepare_domain => 'sudo -n /usr/sbin/one-prepare-firecracker-domain'
     }
 
     #---------------------------------------------------------------------------
@@ -91,15 +92,6 @@ def vm_location
         "#{@one.sysds_path}/#{@one.vm_id}"
     end
 
-    def map_chroot_path
-        rc = Command.execute_rc_log("mkdir -p #{@rootfs_dir}")
-
-        return false unless rc
-
-        # TODO, add option for hard links
-        Command.execute_rc_log("sudo -n mount -o bind #{@one.sysds_path}/#{@one.vm_id} #{@rootfs_dir}")
-    end
-
     def get_pid
         rc, stdout, = Command.execute('ps auxwww | grep ' \
             "\"^.*firecracker.*--id['\\\"=[[:space:]]]*#{@one.vm_name}\" " \
@@ -152,6 +144,33 @@ def wait_cgroup(path)
     # rubocop:enable Lint/SuppressedException
     # rubocop:enable Lint/RedundantCopDisableDirective
 
+    def cpu_shares(cpu)
+        # default value for cpu.shares
+        default_value = 1024
+        shares_enabled = @one.fcrc[:cgroup_cpu_shares] == true
+
+        return default_value if !shares_enabled || cpu.nil? || cpu == ''
+
+        shares_val = (cpu * default_value).round
+
+        # The value specified in the cpu.shares file must be 2 or higher.
+        shares_val = 2 if shares_val < 2
+
+        shares_val
+    end
+
+    def prepare_domain
+        cgroup_path = @one.fcrc[:cgroup_location]
+        cpu_val = cpu_shares(@one.get_cpu)
+
+        params = "-c #{cgroup_path} -p #{cpu_val} -s #{@one.sysds_path}"\
+                 " -v #{@one.vm_id}"
+
+        cmd = "#{COMMANDS[:prepare_domain]} #{params}"
+
+        Command.execute_rc_log(cmd)
+    end
+
     #---------------------------------------------------------------------------
     # VNC
     #---------------------------------------------------------------------------
@@ -214,7 +233,7 @@ def create
             cmd << " --#{key} #{val}"
         end
 
-        return false unless map_chroot_path
+        return false unless prepare_domain
 
         return false unless map_context
 

src/vmm_mad/remotes/lib/firecracker/one-prepare-firecracker-domain

@@ -0,0 +1,70 @@
+#!/bin/bash
+
+# -------------------------------------------------------------------------- #
+# Copyright 2002-2020, OpenNebula Project, OpenNebula Systems                #
+#                                                                            #
+# Licensed under the Apache License, Version 2.0 (the "License"); you may    #
+# not use this file except in compliance with the License. You may obtain    #
+# a copy of the License at                                                   #
+#                                                                            #
+# http://www.apache.org/licenses/LICENSE-2.0                                 #
+#                                                                            #
+# Unless required by applicable law or agreed to in writing, software        #
+# distributed under the License is distributed on an "AS IS" BASIS,          #
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   #
+# See the License for the specific language governing permissions and        #
+# limitations under the License.                                             #
+#--------------------------------------------------------------------------- #
+
+# exit when any command fails
+set -e
+
+CGROUP_PATH=""
+CPU_VAL=""
+SYSDS_PATH=""
+VM_ID=""
+
+while getopts ":c:p:s:v:" opt; do
+    case $opt in
+        c) CGROUP_PATH="$OPTARG" ;; # root of cgroup FS
+        p) CPU_VAL="$OPTARG" ;;     # cpu.shares value
+        s) SYSDS_PATH="$OPTARG" ;;  # system datastore path
+        v) VM_ID="$OPTARG" ;;       # VM id
+    esac
+done
+
+# Check $CGROUP_PATH is an existing directory
+if [ ! -d "$CGROUP_PATH" ]; then
+    exit -1
+fi
+
+# Check $SYSDS_PATH is an existing directory
+if [ ! -d "$SYSDS_PATH" ]; then
+    exit -1
+fi
+
+regex_num='^[0-9]+$'
+
+# Check $VM_ID is an integer
+if ! [[ "$VM_ID" =~ $regex_num ]]; then
+    exit -1
+fi
+
+# Check $CPU_VAL is an integer
+if ! [[ "$CPU_VAL" =~ $regex_num ]]; then
+    exit -1
+fi
+
+###############################################################################
+# Map the jailer chroot path to the OpenNebula VM location
+###############################################################################
+ROOTFS_PATH="/srv/jailer/firecracker/one-$VM_ID/root"
+mkdir -p "$ROOTFS_PATH"
+mount -o bind "$SYSDS_PATH/$VM_ID" "$ROOTFS_PATH"
+
+###############################################################################
+# Set cpu.shares value to restrict cpu usage
+###############################################################################
+mkdir -p "$CGROUP_PATH/cpu/firecracker/one-$VM_ID"
+echo "$CPU_VAL" > "$CGROUP_PATH/cpu/firecracker/one-$VM_ID/cpu.shares"
+

src/vmm_mad/remotes/lib/firecracker/opennebula_vm.rb

@@ -99,6 +99,10 @@ def wild?
         @vm_name && !@vm_name.include?('one-')
     end
 
+    def get_cpu
+        Float(@xml['//TEMPLATE/CPU'])
+    end
+
     # Returns a Hash representing the LXC configuration for this OpenNebulaVM
     def to_fc
         fc = {}
@@ -127,9 +131,10 @@ def to_fc
     end
 
     #---------------------------------------------------------------------------
-    # Container Attribute Mapping
+    # MicroVM Attribute Mapping
     #---------------------------------------------------------------------------
-    # Creates a dictionary for Firecracker containing $MEMORY RAM allocated
+    # Creates a dictionary for Firecracker containing vm information
+
     def boot_source(hash)
         hash['kernel_image_path'] = 'kernel'
         hash['boot_args'] = @boot_args