kata agent CreateSandbox & CreateContainer

虚拟机rootfs

root@25a725e7599e:/# ls
bin   dev  home  lost+found  mnt  proc  run   srv  tmp  var
boot  etc  lib   media       opt  root  sbin  sys  usr
root@25a725e7599e:/# ls lib/  
aarch64-linux-gnu  ld-linux-aarch64.so.1  modprobe.d  terminfo
init               lsb                    systemd     udev
root@25a725e7599e:/# ls      
bin   dev  home  lost+found  mnt  proc  run   srv  tmp  var
boot  etc  lib   media       opt  root  sbin  sys  usr
root@25a725e7599e:/# ls bin/ps 
bin/ps
root@25a725e7599e:/# ps -elf | grep nginx
4 S root        71    50  0  80   0 -  2069 arm64_ Oct31 ?        00:00:00 nginx: master process nginx -g daemon off;
5 S systemd+    99    71  0  80   0 -  2164 ep_pol Oct31 ?        00:00:00 nginx: worker process
0 S root       201    57  0  80   0 -   676 pipe_w 04:54 hvc0     00:00:00 grep --color=auto nginx
root@25a725e7599e:/# ls run/
kata-containers  kata1.txt  libcontainer  lock  mount  sandbox-ns  systemd
root@25a725e7599e:/# 

容器 rootfs

root@fa55c7478feb:/# ls bin/ps
ls: cannot access 'bin/ps': No such file or directory
root@fa55c7478feb:/# ls
bin   docker-entrypoint.d   home   mnt   root  srv  usr
boot  docker-entrypoint.sh  lib    opt   run   sys  var
dev   etc                   media  proc  sbin  tmp
root@fa55c7478feb:/# ps -elf | grep nginx
bash: ps: command not found
root@fa55c7478feb:/# ls run/
lock  nginx.pid  utmp
root@fa55c7478feb:/# 

func (a *agentGRPC) CreateSandbox(ctx context.Context, req *pb.CreateSandboxRequest) (*gpb.Empty, error) {
    if a.sandbox.running {
        return emptyResp, grpcStatus.Error(codes.AlreadyExists, "Sandbox already started, impossible to start again")
    }

    a.sandbox.hostname = req.Hostname
    a.sandbox.containers = make(map[string]*container)
    a.sandbox.network.ifaces = make(map[string]*types.Interface)
    a.sandbox.network.dns = req.Dns
    a.sandbox.running = true
    a.sandbox.sandboxPidNs = req.SandboxPidns
    a.sandbox.storages = make(map[string]*sandboxStorage)
    a.sandbox.guestHooks = &specs.Hooks{}
    a.sandbox.guestHooksPresent = false

    for _, m := range req.KernelModules {
        if err := loadKernelModule(m); err != nil {
            return emptyResp, err
        }
    }

    if req.GuestHookPath != "" {
        a.sandbox.scanGuestHooks(req.GuestHookPath)
    }

    if req.SandboxId != "" {
        a.sandbox.id = req.SandboxId
        agentLog = agentLog.WithField("sandbox", a.sandbox.id)
    }

    // Set up shared UTS and IPC namespaces
    if err := a.sandbox.setupSharedNamespaces(ctx); err != nil {
        return emptyResp, err
    }

    if req.SandboxPidns {
        if err := a.sandbox.setupSharedPidNs(); err != nil {
            return emptyResp, err
        }
    }

    mountList, err := addStorages(ctx, req.Storages, a.sandbox)
    if err != nil {
        return emptyResp, err
    }

    a.sandbox.mounts = mountList

    if err := setupDNS(a.sandbox.network.dns); err != nil {
        return emptyResp, err
    }

    return emptyResp, nil
}

func (a *agentGRPC) CreateContainer(ctx context.Context, req *pb.CreateContainerRequest) (resp *gpb.Empty, err error) {
    if err := a.createContainerChecks(req); err != nil {
        return emptyResp, err
    }

    // re-scan PCI bus
    // looking for hidden devices
    if err = rescanPciBus(); err != nil {
        agentLog.WithError(err).Warn("Could not rescan PCI bus")
    }

    // Some devices need some extra processing (the ones invoked with
    // --device for instance), and that's what this call is doing. It
    // updates the devices listed in the OCI spec, so that they actually
    // match real devices inside the VM. This step is necessary since we
    // cannot predict everything from the caller.
    if err = addDevices(ctx, req.Devices, req.OCI, a.sandbox); err != nil {
        return emptyResp, err
    }

    // Both rootfs and volumes (invoked with --volume for instance) will
    // be processed the same way. The idea is to always mount any provided
    // storage to the specified MountPoint, so that it will match what's
    // inside oci.Mounts.
    // After all those storages have been processed, no matter the order
    // here, the agent will rely on libcontainer (using the oci.Mounts
    // list) to bind mount all of them inside the container.
    mountList, err := addStorages(ctx, req.Storages, a.sandbox)
    if err != nil {
        return emptyResp, err
    }

    ctr := &container{
        id:              req.ContainerId,
        processes:       make(map[string]*process),
        mounts:          mountList,
        useSandboxPidNs: req.SandboxPidns,
        agentPidNs:      req.AgentPidns,
        ctx:             ctx,
    }

    // In case the container creation failed, make sure we cleanup
    // properly by rolling back the actions previously performed.
    defer func() {
        if err != nil {
            a.rollbackFailingContainerCreation(ctr)
        }
    }()

    // Add the nvdimm root partition to the device cgroup to prevent access
    updateDeviceCgroupForGuestRootfs(req.OCI)

    // Convert the spec to an actual OCI specification structure.
    ociSpec, err := pb.GRPCtoOCI(req.OCI)
    if err != nil {
        return emptyResp, err
    }

    if err := a.handleCPUSet(ociSpec); err != nil {
        return emptyResp, err
    }

    if err := a.applyNetworkSysctls(ociSpec); err != nil {
        return emptyResp, err
    }

    if a.sandbox.guestHooksPresent {
        // Add any custom OCI hooks to the spec
        a.sandbox.addGuestHooks(ociSpec)

        // write the OCI spec to a file so that hooks can read it
        err = writeSpecToFile(ociSpec, req.ContainerId)
        if err != nil {
            return emptyResp, err
        }

        // Change cwd because libcontainer assumes the bundle path is the cwd:
        // https://github.com/opencontainers/runc/blob/v1.0.0-rc5/libcontainer/specconv/spec_linux.go#L157
        oldcwd, err := changeToBundlePath(ociSpec, req.ContainerId)
        if err != nil {
            return emptyResp, err
        }
        defer os.Chdir(oldcwd)
    }

    // Convert the OCI specification into a libcontainer configuration.
    config, err := specconv.CreateLibcontainerConfig(&specconv.CreateOpts{
        CgroupName:   req.ContainerId,
        NoNewKeyring: true,
        Spec:         ociSpec,
        NoPivotRoot:  a.sandbox.noPivotRoot,
    })
    if err != nil {
        return emptyResp, err
    }

    // apply rlimits
    config.Rlimits = posixRlimitsToRlimits(ociSpec.Process.Rlimits)

    // Update libcontainer configuration for specific cases not handled
    // by the specconv converter.
    if err = a.updateContainerConfig(ociSpec, config, ctr); err != nil {
        return emptyResp, err
    }

    return a.finishCreateContainer(ctr, req, config)
}

root@ubuntu:~# ls kata
go  go1.15.2.linux-arm64.tar.gz  go_package  go_source  go.tar.gz  images  kata_package  linux_signing_key.pub  nemu  qemu  qemu4.0  qemu-lite  runtime  typescript
root@ubuntu:~# docker run -d -it --runtime=kata-runtime -v  /root/kata/:/containerdir nginx:latest

虚拟机

root@25a725e7599e:/# 
root@25a725e7599e:/# find ./ -name containerdir
./run/kata-containers/shared/containers/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc/rootfs/containerdir
fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc/rootfs/containerdir70596e0b829af5f
root@25a725e7599e:/# 
root@25a725e7599e:/# ls run/kata-containers/shared/containers/*/rootfs         --------容器的
bin           dev                   etc   media  proc  sbin  tmp
boot          docker-entrypoint.d   home  mnt    root  srv   usr
containerdir  docker-entrypoint.sh  lib   opt    run   sys   var
dirt@25a725e7599e:/# ls run/kata-containers/shared/containers/*/rootfs/container 
root@25a725e7599e:/# 
root@25a725e7599e:/# 

root@25a725e7599e:/# find ./run/kata-containers -name  go.tar.gz
./run/kata-containers/shared/containers/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc-da0bf2558a65810c-containerdir/go.tar.gz
root@25a725e7599e:/# 

root@25a725e7599e:/# ls run/
kata-containers  libcontainer  lock  mount  sandbox-ns  systemd
root@25a725e7599e:/# ls run/libcontainer/
ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc
d22ea1f23e83b14384fa4f1cc/n/libcontainer/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d
ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc
root@25a725e7599e:/# 
root@25a725e7599e:/# 
root@25a725e7599e:/# 
root@25a725e7599e:/# ls run/libcontainer/*/
ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc
root@25a725e7599e:/# ls run/libcontainer/*/*/
state.json
root@25a725e7599e:/# ls run/sandbox-ns/
ipc  uts
root@25a725e7599e:/# 

root@25a725e7599e:/# cat run/libcontainer/*/*/state.json
{"id":"ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc","init_process_pid":71,"init_process_start":76,"created":"2020-11-01T05:01:25.22615616Z","config":{"no_pivot_root":false,"parent_death_signal":0,"rootfs":"/run/kata-containers/shared/containers/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc/rootfs","readonlyfs":false,"rootPropagation":0,"mounts":[{"source":"proc","destination":"/proc","device":"proc","flags":14,"propagation_flags":null,"data":"","relabel":"","extensions":0,"premount_cmds":null,"postmount_cmds":null},{"source":"tmpfs","destination":"/dev","device":"tmpfs","flags":16777218,"propagation_flags":null,"data":"mode=755,size=65536k","relabel":"","extensions":0,"premount_cmds":null,"postmount_cmds":null},{"source":"devpts","destination":"/dev/pts","device":"devpts","flags":10,"propagation_flags":null,"data":"newinstance,ptmxmode=0666,mode=0620,gid=5","relabel":"","extensions":0,"premount_cmds":null,"postmount_cmds":null},{"source":"sysfs","destination":"/sys","device":"sysfs","flags":15,"propagation_flags":null,"data":"","relabel":"","extensions":0,"premount_cmds":null,"postmount_cmds":null},{"source":"cgroup","destination":"/sys/fs/cgroup","device":"cgroup","flags":15,"propagation_flags":null,"data":"","relabel":"","extensions":0,"premount_cmds":null,"postmount_cmds":null},{"source":"mqueue","destination":"/dev/mqueue","device":"mqueue","flags":14,"propagation_flags":null,"data":"","relabel":"","extensions":0,"premount_cmds":null,"postmount_cmds":null},{"source":"/run/kata-containers/sandbox/shm","destination":"/dev/shm","device":"bind","flags":20480,"propagation_flags":null,"data":"","relabel":"","extensions":0,"premount_cmds":null,"postmount_cmds":null},{"source":"/run/kata-containers/shared/containers/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc-da0bf2558a65810c-containerdir",

"destination":"/containerdir","device":"bind","flags":20480,"propagation_flags":[278528],"data":"","relabel":"","extensions":0,"premount_cmds":null,"postmount_cmds":null},{"source":"/run/kata-containers/shared/containers/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc-f7faba68233284cf-resolv.conf","destination":"/etc/resolv.conf","device":"bind","flags":20480,"propagation_flags":[278528],"data":"","relabel":"","extensions":0,"premount_cmds":null,"postmount_cmds":null},{"source":"/run/kata-containers/shared/containers/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc-5043e8bb14e2574a-hostname","destination":"/etc/hostname","device":"bind","flags":20480,"propagation_flags":[278528],"data":"","relabel":"","extensions":0,"premount_cmds":null,"postmount_cmds":null},{"source":"/run/kata-containers/shared/containers/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc-ed8c152bff649fc4-hosts","destination":"/etc/hosts","device":"bind","flags":20480,"propagation_flags":[278528],"data":"","relabel":"","extensions":0,"premount_cmds":null,"postmount_cmds":null}],"devices":[{"type":99,"path":"/dev/null","major":1,"minor":3,"permissions":"","file_mode":438,"uid":0,"gid":0,"allow":false},{"type":99,"path":"/dev/random","major":1,"minor":8,"permissions":"","file_mode":438,"uid":0,"gid":0,"allow":false},{"type":99,"path":"/dev/full","major":1,"minor":7,"permissions":"","file_mode":438,"uid":0,"gid":0,"allow":false},{"type":99,"path":"/dev/tty","major":5,"minor":0,"permissions":"","file_mode":438,"uid":0,"gid":0,"allow":false},{"type":99,"path":"/dev/zero","major":1,"minor":5,"permissions":"","file_mode":438,"uid":0,"gid":0,"allow":false},{"type":99,"path":"/dev/urandom","major":1,"minor":9,"permissions":"","file_mode":438,"uid":0,"gid":0,"allow":false}],"mount_label":"","hostname":"ef4b70596e0b","namespaces":[{"type":"NEWNS","path":""},
{"type":"NEWUTS","path":"/var/run/sandbox-ns/uts"},{"type":"NEWIPC","path":"/var/run/sandbox-ns/ipc"},{"type":"NEWPID","path":""}],"capabilities":{"Bounding":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Effective":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Inheritable":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Permitted":["CAP_CHOWN","CAP_DAC_OVERRIDE","CAP_FSETID","CAP_FOWNER","CAP_MKNOD","CAP_NET_RAW","CAP_SETGID","CAP_SETUID","CAP_SETFCAP","CAP_SETPCAP","CAP_NET_BIND_SERVICE","CAP_SYS_CHROOT","CAP_KILL","CAP_AUDIT_WRITE"],"Ambient":[]},"networks":null,"routes":null,"cgroups":{"path":"/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc","scope_prefix":"","Paths":null,"allowed_devices":[{"type":99,"path":"","major":-1,"minor":-1,"permissions":"m","file_mode":0,"uid":0,"gid":0,"allow":true},{"type":98,"path":"","major":-1,"minor":-1,"permissions":"m","file_mode":0,"uid":0,"gid":0,"allow":true},{"type":99,"path":"/dev/null","major":1,"minor":3,"permissions":"rwm","file_mode":0,"uid":0,"gid":0,"allow":true},{"type":99,"path":"/dev/random","major":1,"minor":8,"permissions":"rwm","file_mode":0,"uid":0,"gid":0,"allow":true},{"type":99,"path":"/dev/full","major":1,"minor":7,"permissions":"rwm","file_mode":0,"uid":0,"gid":0,"allow":true},{"type":99,"path":"/dev/tty","major":5,"minor":0,"permissions":"rwm","file_mode":0,"uid":0,"gid":0,"allow":true},{"type":99,"path":"/dev/zero","major":1,"minor":5,"permissions":"rwm","file_mode":0,"uid":0,"gid":0,"allow":true},{"type":99,"path":"/dev/urandom","major":1,"minor":9,"permissions":"rwm","file_mode":0,"uid":0,"gid":0,"allow":true},{"type":99,"path":"/dev/console","major":5,"minor":1,"permissions":"rwm","file_mode":0,"uid":0,"gid":0,"allow":true},
{"type":99,"path":"","major":136,"minor":-1,"permissions":"rwm","file_mode":0,"uid":0,"gid":0,"allow":true},
{"type":99,"path":"","major":5,"minor":2,"permissions":"rwm","file_mode":0,"uid":0,"gid":0,"allow":true},{"type":99,"path":"","major":10,"minor":200,"permissions":"rwm","file_mode":0,"uid":0,"gid":0,"allow":true}],"devices":[{"type":98,"path":"","major":254,"minor":1,"permissions":"rw","file_mode":0,"uid":0,"gid":0,"allow":false},
{"type":99,"path":"","major":-1,"minor":-1,"permissions":"m","file_mode":0,"uid":0,"gid":0,"allow":true},
{"type":98,"path":"","major":-1,"minor":-1,"permissions":"m","file_mode":0,"uid":0,"gid":0,"allow":true},{"type":99,"path":"/dev/null","major":1,"minor":3,"permissions":"rwm","file_mode":0,"uid":0,"gid":0,"allow":true},{"type":99,"path":"/dev/random","major":1,"minor":8,"permissions":"rwm","file_mode":0,"uid":0,"gid":0,"allow":true},{"type":99,"path":"/dev/full","major":1,"minor":7,"permissions":"rwm","file_mode":0,"uid":0,"gid":0,"allow":true},{"type":99,"path":"/dev/tty","major":5,"minor":0,"permissions":"rwm","file_mode":0,"uid":0,"gid":0,"allow":true},{"type":99,"path":"/dev/zero","major":1,"minor":5,"permissions":"rwm","file_mode":0,"uid":0,"gid":0,"allow":true},{"type":99,"path":"/dev/urandom","major":1,"minor":9,"permissions":"rwm","file_mode":0,"uid":0,"gid":0,"allow":true},{"type":99,"path":"/dev/console","major":5,"minor":1,"permissions":"rwm","file_mode":0,"uid":0,"gid":0,"allow":true},{"type":99,"path":"","major":136,"minor":-1,"permissions":"rwm","file_mode":0,"uid":0,"gid":0,"allow":true},{"type":99,"path":"","major":5,"minor":2,"permissions":"rwm","file_mode":0,"uid":0,"gid":0,"allow":true},{"type":99,"path":"","major":10,"minor":200,"permissions":"rwm","file_mode":0,"uid":0,"gid":0,"allow":true}],"memory":0,"memory_reservation":0,"memory_swap":0,"kernel_memory":0,"kernel_memory_tcp":0,"cpu_shares":0,"cpu_quota":0,"cpu_period":0,"cpu_rt_quota":0,"cpu_rt_period":0,"cpuset_cpus":"","cpuset_mems":"","pids_limit":0,"blkio_weight":0,"blkio_leaf_weight":0,"blkio_weight_device":null,"blkio_throttle_read_bps_device":null,"blkio_throttle_write_bps_device":null,"blkio_throttle_read_iops_device":null,"blkio_throttle_write_iops_device":null,"freezer":"","hugetlb_limit":null,"oom_kill_disable":false,"memory_swappiness":0,"net_prio_ifpriomap":null,"net_cls_classid_u":0,"cpu_weight":0,"cpu_max":""},"oom_score_adj":0,"uid_mappings":null,"gid_mappings":null,"mask_paths":["/proc/asound","/proc/acpi","/proc/kcore","/proc/keys","/proc/latency_stats","/proc/timer_list","/proc/timer_stats","/proc/sched_debug","/proc/scsi","/sys/firmware"],"readonly_paths":["/proc/bus","/proc/fs","/proc/irq","/proc/sys","/proc/sysrq-trigger"],"sysctl":{},"seccomp":null,"Hooks":{"poststart":null,"poststop":null,"prestart":null},
"version":"1.0.1-dev","labels":["bundle=/"],"no_new_keyring":true},"rootless":false,"cgroup_paths":
{"blkio":"/sys/fs/cgroup/blkio/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc",

"cpu":"/sys/fs/cgroup/cpu,cpuacct/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc",
"cpuacct":"/sys/fs/cgroup/cpu,cpuacct/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc",
"cpuset":"/sys/fs/cgroup/cpuset/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc",
"devices":"/sys/fs/cgroup/devices/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc",
"freezer":"/sys/fs/cgroup/freezer/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc",
"memory":"/sys/fs/cgroup/memory/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc",
"name=systemd":"/sys/fs/cgroup/systemd/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc",
"net_cls":"/sys/fs/cgroup/net_cls,net_prio/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc",
"net_prio":"/sys/fs/cgroup/net_cls,net_prio/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc",
"perf_event":"/sys/fs/cgroup/perf_event/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc",
"pids":"/sys/fs/cgroup/pids/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc"},

"namespace_paths":{"NEWCGROUP":"/proc/71/ns/cgroup",

"NEWIPC":"/proc/71/ns/ipc","NEWNET":"/proc/71/ns/net",

"NEWNS":"/proc/71/ns/mnt","NEWPID":"/proc/71/ns/pid","NEWUSER":"/proc/71/ns/user",

"NEWUTS":"/proc/71/ns/uts"},"external_descriptors":["/dev/null","/dev/null","/dev/null"],"intel_rdt_path":""}
root@25a725e7599e:/# 

root@25a725e7599e:/# ps -elf | grep 71
4 S root        71    50  0  80   0 -  2069 arm64_ 05:01 ?        00:00:00 nginx: master process nginx -g daemon off;
5 S systemd+    99    71  0  80   0 -  2164 ep_pol 05:01 ?        00:00:00 nginx: worker process
0 S root       166    57  0  80   0 -   676 pipe_w 05:25 hvc0     00:00:00 grep --color=auto 71
root@25a725e7599e:/# 

root@25a725e7599e:/# cat /proc/71/cgroup   
10:pids:/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc
9:perf_event:/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc
8:cpu,cpuacct:/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc
7:blkio:/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc
6:net_cls,net_prio:/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc
5:freezer:/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc
4:cpuset:/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc
3:devices:/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc
2:memory:/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc
1:name=systemd:/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc
0::/system.slice/kata-agent.service
root@25a725e7599e:/# cat /proc/99/cgroup  
10:pids:/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc
9:perf_event:/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc
8:cpu,cpuacct:/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc
7:blkio:/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc
6:net_cls,net_prio:/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc
5:freezer:/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc
4:cpuset:/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc
3:devices:/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc
2:memory:/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc
1:name=systemd:/docker/ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc
0::/system.slice/kata-agent.service
root@25a725e7599e:/# 

root@25a725e7599e:/# ls /sys/fs/cgroup/memory/docker/  
cgroup.clone_children
cgroup.event_control
cgroup.procs
ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc
memory.failcnt
memory.force_empty
memory.kmem.failcnt
memory.kmem.limit_in_bytes
memory.kmem.max_usage_in_bytes
memory.kmem.slabinfo
memory.kmem.tcp.failcnt
memory.kmem.tcp.limit_in_bytes
memory.kmem.tcp.max_usage_in_bytes
memory.kmem.tcp.usage_in_bytes
memory.kmem.usage_in_bytes
memory.limit_in_bytes
memory.max_usage_in_bytes
memory.memsw.failcnt
memory.memsw.limit_in_bytes
memory.memsw.max_usage_in_bytes
memory.memsw.usage_in_bytes
memory.move_charge_at_immigrate
memory.oom_control
memory.pressure_level
memory.soft_limit_in_bytes
memory.stat
memory.swappiness
memory.usage_in_bytes
memory.use_hierarchy
notify_on_release
tasks
root@25a725e7599e:/#

root@25a725e7599e:/# ls /sys/fs/cgroup/cpu,cpuacct/docker/
cgroup.clone_children
cgroup.procs
cpu.cfs_period_us
cpu.cfs_quota_us
cpu.shares
cpu.stat
cpuacct.stat
cpuacct.usage
cpuacct.usage_all
cpuacct.usage_percpu
cpuacct.usage_percpu_sys
cpuacct.usage_percpu_user
cpuacct.usage_sys
cpuacct.usage_user
ef4b70596e0b829af5fd9f14343f2c92a8da3d0d22ea1f23e83b14384fa4f1cc
notify_on_release
tasks
root@25a725e7599e:/#

root@25a725e7599e:/# ls /sys/fs/cgroup/cpu,cpuacct/docker/e*/
cgroup.clone_children  cpuacct.stat               cpuacct.usage_sys
cgroup.procs           cpuacct.usage              cpuacct.usage_user
cpu.cfs_period_us      cpuacct.usage_all          notify_on_release
cpu.cfs_quota_us       cpuacct.usage_percpu       tasks
cpu.shares             cpuacct.usage_percpu_sys
cpu.stat               cpuacct.usage_percpu_user
root@25a725e7599e:/# 

docker 容器

root@ubuntu:~# docker exec -it pensive_meninsky sh
# ls
bin           dev                   etc   media  proc  sbin  tmp
boot          docker-entrypoint.d   home  mnt    root  srv   usr
containerdir  docker-entrypoint.sh  lib   opt    run   sys   var
# ls con        ^H^H^H^H
ls: cannot access 'con': No such file or directory
ls: cannot access ''$'': No such file or directory
# ls containerdir
go                           go_source              nemu       runtime
go.tar.gz                    images                 qemu       typescript
go1.15.2.linux-arm64.tar.gz  kata_package           qemu-lite
go_package                   linux_signing_key.pub  qemu4.0
#