Support for cgroups blockio

[askervin]

This PR implements support for the cgroup blockio controller.

How it is used

• User defines blockio classes, for example: ThrottledIO and LowLatency. Class names are not restricted, and the number of classes is not limited.
• Each class contains sets of devices (list of filenames, wildcards allowed) and blockio parameters for each set. For example, /etc/containers/blockio.yaml contains:

  Classes:
    ThrottledIO:
    - Devices:
        - /dev/vd[a-z]
      ThrottleReadBps: 50M
      ThrottleWriteBps: 10M
  

• User launches containerd with the blockio plugin configured to read the blockio class configuration file. For example, /etc/containerd/config.toml contains:

  [plugins]
    [plugins."io.containerd.internal.v1.blockio"]
      config_file = "/etc/containers/blockio.yaml"
  

• User annotates container(s) in a pod with a blockio class name in the configuration. Example, a pod spec contains:

  metadata:
    annotations:
      blockio.resources.beta.kubernetes.io/pod: ThrottledIO.
  

When a container in this pod is created, containerd assigns blockio parameters based its class configuration.

How it is implemented

The goresctrl library understands blockio class configurations, block devices in the system and the OCI BlockIO format. When containerd starts, the blockio plugin sets effective user-defined blockio class configuration to goresctrl.

containerd looks for container's blockio class from pod and container annotations. The annotation syntax is similar to container RDT class annotations in PR #5439.

If containerd finds a class, it uses goresctrl to get corresponding OCI BlockIO data and includes it in the OCI runtime-spec.

ctr is extended with --blockio-config-file and --blockio-class for direct command-line support and testing.

[k8s-ci-robot]

Hi @askervin. Thanks for your PR.

I'm waiting for a containerd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[theopenlab-ci]

Build succeeded.

• containerd-build-arm64 : FAILURE in 3m 40s (non-voting)
• containerd-test-arm64 : FAILURE in 3m 32s (non-voting)
• containerd-integration-test-arm64 : FAILURE in 6m 03s (non-voting)

[theopenlab-ci]

Build succeeded.

• containerd-build-arm64 : FAILURE in 3m 39s (non-voting)
• containerd-test-arm64 : FAILURE in 3m 33s (non-voting)
• containerd-integration-test-arm64 : FAILURE in 6m 10s (non-voting)

[theopenlab-ci]

Build succeeded.

• containerd-build-arm64 : SUCCESS in 4m 47s (non-voting)
• containerd-test-arm64 : SUCCESS in 5m 32s (non-voting)
• containerd-integration-test-arm64 : SUCCESS in 22m 11s (non-voting)

[theopenlab-ci]

Build succeeded.

• containerd-build-arm64 : SUCCESS in 4m 50s (non-voting)
• containerd-test-arm64 : SUCCESS in 5m 35s (non-voting)
• containerd-integration-test-arm64 : FAILURE in 22m 35s (non-voting)

[AkihiroSuda]

Rather than adding a new subsystem, can we use NRI? https://github.com/containerd/nri

[askervin]

@AkihiroSuda, happy that you asked! Actually I initially planned implementing blockio as an NRI plugin.

However, what changed my mind was the fact that OCI spec LinuxResources already had a blockio field, and that runc was already working fine with the CFQ I/O scheduler. Furthermore, Runc v1.0 (released today) supports both CFQ and BFQ schedulers in both cgroups v1 and v2. It obviously provides consistent blockio configuration behavior and low-level error messages to all container runtimes using it.

If NRI allowed a plugin to fill in OCI spec fields and thereby use runc, it would be a clear benefit in architectural perspective. In ideal case NRI would be supported by other container runtimes, too. Then NRI would definitely be the number one option for blockio: there would be a single plugin that you could install to any node running any container runtime that supports NRI. As this is not yet the case, we decided to go with runtime-internal blockio implementations but so that they are very light-weight in the runtime perspective: they use a common class-based blockio configuration and pretty much all the logic is in a library that is common to runtimes.

Related to this, you might be interested in our NRI prototype that enables OCI spec modifications from plugins - among other goodies. But that's a separate discussion.

[klihub]

Rather than adding a new subsystem, can we use NRI? https://github.com/containerd/nri

@AkihiroSuda Sorry if this is slightly off topic, but we have been playing around with a prototype of extending the scope of NRI to allow more versatile plugin functionality, for instance allowing us to implement container resource assignment algorithms as NRI plugins. AFAIK @askervin has taken a look at implementing functionality equivalent to this PR with that extended NRI scope, but we haven't taken a look at whether and how that would be possible with the currently available NRI plugin interface.

[theopenlab-ci]

Build succeeded.

• containerd-build-arm64 : NODE_FAILURE in 0s (non-voting)
• containerd-test-arm64 : NODE_FAILURE in 0s (non-voting)
• containerd-integration-test-arm64 : NODE_FAILURE in 0s (non-voting)

[askervin]

• Rebased.
• Commits reordered / squashed so that every step compiles.
• Tested on k8s v1.21.2 and runc v1.0. (everything works correctly)
• Tested on k8s v1.21.2 and runc v1.0-rc93. (everything else works but setting weights, as runc starts supporting those from v1.0)

[theopenlab-ci]

Build succeeded.

• containerd-build-arm64 : SUCCESS in 4m 07s (non-voting)
• containerd-test-arm64 : SUCCESS in 5m 55s (non-voting)
• containerd-integration-test-arm64 : SUCCESS in 24m 01s (non-voting)

[theopenlab-ci]

Build succeeded.

• containerd-build-arm64 : SUCCESS in 4m 47s (non-voting)
• containerd-test-arm64 : SUCCESS in 5m 58s (non-voting)
• containerd-integration-test-arm64 : SUCCESS in 13m 31s (non-voting)

[theopenlab-ci]

Build succeeded.

• containerd-build-arm64 : SUCCESS in 4m 56s (non-voting)
• containerd-test-arm64 : SUCCESS in 6m 06s (non-voting)
• containerd-integration-test-arm64 : SUCCESS in 13m 25s (non-voting)

[theopenlab-ci]

Build succeeded.

• containerd-build-arm64 : SUCCESS in 4m 45s (non-voting)
• containerd-test-arm64 : SUCCESS in 6m 31s (non-voting)
• containerd-integration-test-arm64 : SUCCESS in 24m 49s (non-voting)

[askervin]

Rebased.

@dmcgowan @AkihiroSuda @samuelkarp, would you have time to take a look, please?

[aledbf]

@askervin quick question, does this work for hosts running cgroups v2 only? Thanks!

[askervin]

@askervin quick question, does this work for hosts running cgroups v2 only? Thanks!

@aledbf , sorry about slow answer on your quick question! This works on both cgroups v1 and v2. The blockio parameters are applied by runc that supports both versions.

[fuweid]

LGTM

We can update the BUILDING.md in follow-up

[mikebrow]

discussion in containerd community meeting.. leaned to not provide the extra no_blockio tags

[mikebrow]

LGTM

[d-honeybadger]

This PR isn't included in any of any 1.6.x releases so far, right? Is there a plan to release it anytime soon?

[AkihiroSuda]

This will be included in v1.7.
Basically we do not backport new features to v1.6.

[gjkim42]

Do we have unit tests or e2e tests for this feature?