Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Missing composer specification equivalent for --cgroupns=[host|private]/API1.41 #148

Closed
thediveo opened this issue Mar 4, 2021 · 4 comments · Fixed by #292
Closed

Missing composer specification equivalent for --cgroupns=[host|private]/API1.41 #148

thediveo opened this issue Mar 4, 2021 · 4 comments · Fixed by #292

Comments

@thediveo
Copy link

thediveo commented Mar 4, 2021

On hosts with "only" a unified cgroup v2 controller hierarchy (that is, a "pure" cgroups v2 hierarchy) Docker now defaults (unless configured otherwise) to automatically creating private cgroup namespaces for created containers. The rationale here is to reduce leakage of potentially sensitive information about the cgroup hierarchy and configuration of the host, and thus other containers. Still, there are valid usecases to allow only specific containers to use the initial (host) cgroup namespace, especially for system diagnosis containers. For instance, the well-known cAdvisor ("provides container users an understanding of the resource usage and performance characteristics of their running containers").

For such usecases, docker run introduced the CLI flag --cgroupns=[host|private] as of Docker-CE 20.0.0 and API 1.41.

Unfortunately, the current compose specification doesn't provide any means to controlling cgroup namespace creation or sharing. This makes it impossible to use system diagnosis containers, such as cAdvisor, ... on cgroup v2 unified hierarchy-only systems anymore with compose-based deployment tools.

This situation would be solved by adding a cgroup field to service objects that would allow to specify the values of either "private" or "host", mirroring today's CLI flag functionality for handling the cgroup namespace creation for new containers.

services:
  foo:
    pid: host
    cgroup: host # might be "cgroupns" instead if parity with CLI flag is sought after, but breaks symmetry with pid namespaces.

Nota bene: mirror docker/compose issue #8167
@thediveo thediveo changed the title Missing composer sepcification equivalent for --cgroupns=[host|private]/API1.41 Missing composer specification equivalent for --cgroupns=[host|private]/API1.41 Mar 12, 2021
@mlilien mlilien mentioned this issue Apr 30, 2021
Open
@EricHripko
Copy link
Collaborator

Thank for you for suggesting this @thediveo 👍 For the benefit of the readers, here's the CLI argument (Docker docs don't seem to have it yet):

docker run --help | grep cgroup
      --cgroupns string                Cgroup namespace to use (host|private)
                                       'host':    Run the container in the Docker host's cgroup namespace
                                       'private': Run the container in its own private cgroup namespace
                                       '':        Use the cgroup namespace as configured by the
                                                  default-cgroupns-mode option on the daemon (default)

@guard43ru
Copy link

Docker Desktop 4.3.0 now uses cgroupv2 (https://docs.docker.com/desktop/mac/release-notes/#docker-desktop-430)
I can run container (with systemd) from docker run (with --cgroupns=host), but can't start from docker-compose

@MarkKoz MarkKoz mentioned this issue Dec 19, 2021
Closed
@thediveo thediveo mentioned this issue Jan 17, 2022
Closed
@lukts30 lukts30 mentioned this issue Feb 10, 2022
Closed
bernardko added a commit to bernardko/mullvad-proxy that referenced this issue Mar 30, 2022
@bernardko
Implemented a temporary fix to make it work when cgroup v2 is required
172fa89 
When cgroup v2 is required by default by docker or the OS we need to use the --cgroupns=host to allow the mullvad app to startup correctly. However, the cgroupns switch is not implemented in the docker compose spec, so we have to wait for its implementation.

To get around this problem, the main mullvad container is taken out of the docker compose file and we run it on its own in the setup.sh script using docker run with the --cgroupns=host switch. After the container is setup, we then use the docker compose file to setup the rest of the containers.

Reference:

docker/for-mac#6073
compose-spec/compose-spec#148
docker/compose#8167
@nurturenature nurturenature mentioned this issue May 16, 2022
Closed
@graphaelli graphaelli mentioned this issue Jun 15, 2022
Open
@vboulineau vboulineau mentioned this issue Jul 7, 2022
Merged
4 tasks
@calebbrown calebbrown mentioned this issue Sep 30, 2022
Open
@rijnhard
Copy link

rijnhard commented Dec 6, 2022

This is seriously madness-inducing.
One of the benefits of docker being able to align local env's with production, and in cases where PaaS solutions use centos 7 systemd-based containers, there really is no hope for me to make a compose file to simplify the local envs for developers.

@ndeloof ndeloof mentioned this issue Dec 16, 2022
Merged
@ndeloof
Copy link
Collaborator

ndeloof commented Dec 16, 2022

so much votes on this issue, and nobody took a few minutes to propose a PR ? 😅
so, here it is: #292 🎅

@xF4m3 xF4m3 mentioned this issue Aug 3, 2023
Open
@paologallinaharbur paologallinaharbur mentioned this issue May 1, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

introduce support for cgroup=host|private ndeloof/compose-spec
5 participants
@ndeloof @EricHripko @rijnhard @thediveo @guard43ru