Hi all,
Just a quick note to let everyone know the next two weeks
will be quieter than usual with Dave and I both away. Kenj
has kindly offered to take on doing any merges if there are
any more arriving this year, and if he has time in-between
his own end of year party schedule. Dave and I have covered
all the current pending reviews/merges now, so it's as good a
time as any to run away. :)

QA is in good shape too, with just a couple of known issues
that people are working on.

I've also just merged all of the work done so far on adding
a privileged co-process for pmcd(1), and initial namespace-
switching support APIs for PMDAs that will need this. It's
not currently active, until it's complete (and even then, it
only comes into play for --container=NAME command lines, or
when container=NAME is used in a hostspec).

But, there is a new pmdaroot(1) that should be installed and
activated everywhere as of now. Details on this in its man
page, the detailed commit messages below, and yet more docs
will follow early in the new year as this work is completed.

I hope y'all have a wonderful end of year break and I'll see
you in the new year!!!

cheers.

commit 0d6a52065b8718ac76d0db1be9433e0cdd14647d
Author: Nathan Scott <nathans@xxxxxxxxxx>
Date: Thu Dec 18 22:14:46 2014 +1100

pmda root: a privileged pmcd co-process

Initial implementation of "pmdaroot", a helper co-process
for pmcd that runs with elevated privileges and is able to
(well, will be able to soon) offer services to pmcd and to
other PMDAs where root access is required.

See http://www.pcp.io/pipermail/pcp/2014-June/005030.html
for additional rationale. I've implemented this as a PMDA
(rather than simply forking pmcd early and embedding all of
the code in pmcd itself, as considered earlier) as that has
a number of advantages:

- it can be switched off if there's a problem
- complete code and functional isolation from pmcd
  - i.e. no changes required to pmcd to support it - safe!
- uses existing pmcd mechanisms to bootstrap, which means
  less code was needed
- ability to export metrics about its operation, such as
  the containers it has found and what state they're in.

I also recycled PMDA domain number 1 for this PMDA, because
IRIX is gone and this is hopefully going to become a widely
used piece of infrastructure over time, so it seems a good
candidate for using that number. It is enabled-by-default
for new installations, Install/Remove scripts are provided
for now also (but maybe not in the long term).

This initial version provides a simple mechanism to discover
information about Docker containers, in preparation for the
next stages. It will probably need to be enhanced to use
the Docker daemon at some point (via the remote Docker API &
AF_UNIX socket - see details on docker.io) instead of simply
grovelling around on-disk, but for now that's what it uses.

Support for exporting state about other styles of container
will also be added in due course I hope. The pmdaroot code
has been written such that drop-in container "drivers" for
any container technology could be added (there are many on
Linux now, Solaris Zones, and so on).

commit 8c99d82db6f75e91732326007d2ba79228d71b3f
Author: Nathan Scott <nathans@xxxxxxxxxx>
Date: Fri Dec 19 16:32:31 2014 +1100

pmdaroot/libpcp_pmda: interfaces for changing namespaces

Work-in-progress commit with the majority of the code behind
the PCP collector privilege escalation mechanism, and with a
Linux-kernel-namespace switching API for PMDAs with metrics
that need to be container namespace aware, as the first use
case. The pmcd.hostname metric from the pmcd DSO PMDA has
been converted over to using the new API - others remaining
to be tackled include network.interface.*, filesys.*, ipc.*
and one or two others. See also notes in the code as to some
other PMDAs that could use pmdaroot services (e.g. pmdaproc
restricting per-process indom to just processes from a given
container's cgroups, that sort of thing).

Committing it now, even though it's not quite done, since it
has no impact on the code when not used (which it isn't yet)
and some people are interested in seeing how it fits together
while I'm away on vacation. In the couple of places where
more coding will be needed "TODO" markers have been inserted
to guide the way.

--
Nathan
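
The second commit message above describes a Linux-kernel-namespace switching API for PMDAs, with pmcd.hostname as its first user. As an added illustration (not PCP's code or API), the C below shows the underlying kernel mechanism, setns(2), reading the hostname from another process's UTS namespace and switching back. The name hostname_in_ns is hypothetical, and the call needs CAP_SYS_ADMIN, which is why a privileged helper process is involved.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* setns(2) and CLONE_NEWUTS are GNU extensions */
#endif
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#ifndef CLONE_NEWUTS  /* fallbacks if <sched.h> was parsed without _GNU_SOURCE */
#define CLONE_NEWUTS 0x04000000
#endif
int setns(int fd, int nstype);

/* Hypothetical helper (not a PCP function): copy into buf the hostname seen by
 * process `pid`. Needs CAP_SYS_ADMIN. Returns 0 on success, -errno on failure. */
int hostname_in_ns(long pid, char *buf, size_t len)
{
    char path[64];
    int self_fd, target_fd, rc = 0;

    if (buf == NULL || len == 0)
        return -EINVAL;
    snprintf(path, sizeof(path), "/proc/%ld/ns/uts", pid);
    /* Keep a handle on our own namespace so we can return to it. */
    if ((self_fd = open("/proc/self/ns/uts", O_RDONLY | O_CLOEXEC)) < 0)
        return -errno;
    target_fd = open(path, O_RDONLY | O_CLOEXEC);
    if (target_fd < 0 || setns(target_fd, CLONE_NEWUTS) < 0) {
        rc = -errno;
    } else {
        if (gethostname(buf, len) < 0)
            rc = -errno;
        buf[len - 1] = '\0';
        /* Always switch back, or later metrics come from the wrong namespace. */
        if (setns(self_fd, CLONE_NEWUTS) < 0 && rc == 0)
            rc = -errno;
    }
    if (target_fd >= 0)
        close(target_fd);
    close(self_fd);
    return rc;
}
int main(int argc, char **argv)
{
    char name[256];
    int rc = hostname_in_ns(argc > 1 ? atol(argv[1]) : 1, name, sizeof(name));
    if (rc == 0) puts(name);
    return rc ? 1 : 0;
}
```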