From e92d0a65f835bc63ecf42c52eb4c0c246a919de7 Mon Sep 17 00:00:00 2001
From: Diptanu Choudhury <diptanuc@gmail.com>
Date: Wed, 17 Feb 2016 21:20:22 -0800
Subject: [PATCH] Enabling cgroups and chroot on linux

---
 client/driver/java.go      | 16 +++++++++++++---
 client/driver/java_test.go | 14 ++++++++++++++
 2 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/client/driver/java.go b/client/driver/java.go
index 3c5f441a7..657cd8e2e 100644
--- a/client/driver/java.go
+++ b/client/driver/java.go
@@ -61,8 +61,8 @@ func NewJavaDriver(ctx *DriverContext) Driver {
 }
 
 func (d *JavaDriver) Fingerprint(cfg *config.Config, node *structs.Node) (bool, error) {
-	// Only enable if we are root when running on non-windows systems.
-	if runtime.GOOS == "linux" && syscall.Geteuid() != 0 {
+	// Only enable if we are root and cgroups are mounted when running on linux systems.
+	if runtime.GOOS == "linux" && (syscall.Geteuid() != 0 || !d.cgroupsMounted(node)) {
 		d.logger.Printf("[DEBUG] driver.java: must run as root user on linux, disabling")
 		return false, nil
 	}
@@ -167,9 +167,12 @@ func (d *JavaDriver) Start(ctx *ExecContext, task *structs.Task) (DriverHandle,
 		AllocDir:         ctx.AllocDir,
 		TaskName:         task.Name,
 		TaskResources:    task.Resources,
-		UnprivilegedUser: true,
 		LogConfig:        task.LogConfig,
+		FSIsolation:      true,
+		UnprivilegedUser: true,
+		ResourceLimits:   true,
 	}
+
 	ps, err := exec.LaunchCmd(&executor.ExecCommand{Cmd: "java", Args: args}, executorCtx)
 	if err != nil {
 		pluginClient.Kill()
@@ -195,6 +198,13 @@ func (d *JavaDriver) Start(ctx *ExecContext, task *structs.Task) (DriverHandle,
 	return h, nil
 }
 
+// cgroupsMounted returns true if the cgroups are mounted on a system otherwise
+// returns false
+func (d *JavaDriver) cgroupsMounted(node *structs.Node) bool {
+	_, ok := node.Attributes["unique.cgroup.mountpoint"]
+	return ok
+}
+
 type javaId struct {
 	KillTimeout     time.Duration
 	PluginConfig    *PluginReattachConfig
diff --git a/client/driver/java_test.go b/client/driver/java_test.go
index cc3421014..b06a54d19 100644
--- a/client/driver/java_test.go
+++ b/client/driver/java_test.go
@@ -1,10 +1,13 @@
 package driver
 
 import (
+	"os"
 	"os/exec"
+	"path/filepath"
 	"testing"
 	"time"
 
+	"github.com/hashicorp/nomad/client/allocdir"
 	"github.com/hashicorp/nomad/client/config"
 	"github.com/hashicorp/nomad/nomad/structs"
 	"github.com/hashicorp/nomad/testutil"
@@ -137,6 +140,17 @@ func TestJavaDriver_Start_Wait(t *testing.T) {
 		break
 	}
 
+	// Get the stdout of the process and assrt that it's not empty
+	taskDir := execCtx.AllocDir.TaskDirs["demo-app"]
+	stdout := filepath.Join(taskDir, allocdir.TaskLocal, "demo-app.stdout.0")
+	fInfo, err := os.Stat(stdout)
+	if err != nil {
+		t.Fatalf("failed to get stdout of process: %v", err)
+	}
+	if fInfo.Size() == 0 {
+		t.Fatalf("stdout of process is empty")
+	}
+
 	// need to kill long lived process
 	err = handle.Kill()
 	if err != nil {