
rootless: allow resource isolation with cgroup v2 #3104

Merged
merged 3 commits into containers:master from giuseppe:initial-cgroup2 May 17, 2019

5 participants

@giuseppe
Member

commented May 10, 2019

this is not adding any support for cgroup v2. It is only used to avoid some early errors when attempting to use cgroup v2 for rootless users.

Depends on:

with the updated versions of conmon and crun, on a Fedora 30 configured with cgroup v2 unified mode, I can:

$ podman --runtime /usr/bin/crun run --memory=100M \
   --rm fedora sh -c 'cat $(cat /proc/self/cgroup | sed -e"s|0::|/sys/fs/cgroup|")/memory.max'
 104857600
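
As an added example (not code from this PR or from Podman), the check shown above expressed in Go: derive the container's cgroup directory from /proc/self/cgroup the way the sed expression does, but reject legacy and hybrid layouts where that rewrite would silently produce a wrong path, then compare the memory.max the runtime wrote against the --memory request. Function names and the sample /proc/self/cgroup contents used in the checks are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// CgroupV2Path derives the container's cgroup directory from the content of
// /proc/self/cgroup, as the sed expression in the PR description does. In
// unified mode the file holds exactly one line "0::<path>"; any line with a
// non-zero hierarchy id is a v1 controller, so legacy/hybrid layouts are rejected.
func CgroupV2Path(procCgroup string) (string, error) {
	lines := strings.Split(strings.TrimSpace(procCgroup), "\n")
	if len(lines) != 1 || !strings.HasPrefix(lines[0], "0::") {
		return "", errors.New("not running on a cgroup v2 unified hierarchy")
	}
	return "/sys/fs/cgroup" + strings.TrimPrefix(lines[0], "0::"), nil
}

// VerifyMemoryLimit checks that the limit the runtime wrote into memory.max equals
// the one requested with --memory. The literal "max" means no limit was applied.
func VerifyMemoryLimit(memoryMax string, wantBytes int64) error {
	s := strings.TrimSpace(memoryMax)
	if s == "max" {
		return errors.New("memory.max is \"max\": no limit was applied")
	}
	got, err := strconv.ParseInt(s, 10, 64)
	if err != nil {
		return fmt.Errorf("unexpected memory.max content %q: %w", s, err)
	}
	if got != wantBytes {
		return fmt.Errorf("memory.max is %d, want %d", got, wantBytes)
	}
	return nil
}

// main reads the real files inside `podman run --memory=100M` on a cgroup v2 host.
func main() {
	procCgroup, _ := os.ReadFile("/proc/self/cgroup") // empty on error, rejected below
	dir, err := CgroupV2Path(string(procCgroup))
	if err != nil {
		fmt.Println(err)
		return
	}
	memMax, _ := os.ReadFile(dir + "/memory.max") // empty on error, rejected below
	fmt.Println(VerifyMemoryLimit(string(memMax), 100*1024*1024))
}
```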


@openshift-ci-robot
Collaborator

commented May 10, 2019

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: giuseppe

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@giuseppe
Member Author

commented May 10, 2019

@openshift-ci-robot
Collaborator

commented May 10, 2019

@giuseppe: GitHub didn't allow me to request PR reviews from the following users: AkihiroSuda.

Note that only containers members and repo collaborators can review this PR, and authors cannot review their own PRs.

In response to this:

/cc @mheon @AkihiroSuda

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@@ -76,6 +77,17 @@ func addWarning(warnings []string, msg string) []string {

func verifyContainerResources(config *cc.CreateConfig, update bool) ([]string, error) {
warnings := []string{}

var st syscall.Statfs_t
if err := syscall.Statfs("/sys/fs/cgroup", &st); err == nil {
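Review bot: the `err == nil` guard on `syscall.Statfs("/sys/fs/cgroup", &st)` drops the error on the floor, so when /sys/fs/cgroup cannot be stat'd the function silently continues down the cgroup v1 validation path with no indication why; consider recording it with `addWarning(warnings, ...)`, which is already used in this file, or returning it. The statfs call is also repeated on every call to verifyContainerResources; as mheon notes below, a helper that computes the filesystem type once (it cannot change during the process lifetime) would make this both cheaper and easier to test.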

@mheon

mheon May 10, 2019

Collaborator

Can we either do this once and stick it in a bool we can read, or make a helper for the test?

@giuseppe

giuseppe May 10, 2019

Author Member

yes, good idea. Done in the new version

@giuseppe giuseppe force-pushed the giuseppe:initial-cgroup2 branch from d703eac to 76c44d4 May 10, 2019

const _CGROUP2_SUPER_MAGIC = 0x63677270

// IsCgroup2UnifiedMode returns whether we are running in cgroup 2 unified mode.
func IsCgroup2UnifiedMode() (bool, error) {
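Review bot: `_CGROUP2_SUPER_MAGIC = 0x63677270` re-declares a constant that golang.org/x/sys/unix already exports as `unix.CGROUP2_SUPER_MAGIC`; using it removes the magic number and the leading-underscore identifier, which is unidiomatic in Go. Since the answer from `IsCgroup2UnifiedMode` cannot change while the process runs, computing it once under a `sync.Once` and returning the cached `(bool, error)` pair would also close the earlier review request to do the check only once.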

@rhatdan

rhatdan May 10, 2019

Member

Can you put this into buildah rather than into Podman so both tools can share the check?

@giuseppe

giuseppe May 10, 2019

Author Member

we are not currently doing the same check in Buildah as we do for Podman when resources are specified.

@giuseppe giuseppe force-pushed the giuseppe:initial-cgroup2 branch from 76c44d4 to 1b8f2c3 May 10, 2019

@openshift-ci-robot openshift-ci-robot added size/M and removed size/S labels May 10, 2019

@giuseppe giuseppe force-pushed the giuseppe:initial-cgroup2 branch from 1b8f2c3 to 3021c51 May 11, 2019

@giuseppe
Member Author

commented May 11, 2019

correction: it works fine on Fedora 30 with the systemd version available there.

giuseppe added some commits May 10, 2019

rootless, spec: allow resources with cgroup v2
We were always raising an error when the rootless user attempted to
set up resources, but this is not the case anymore with cgroup v2.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
create: skip resources validation with cgroup v2
skip resources validation when cgroup v2 is detected, as we don't
support it yet.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
rootless: default --cgroup-manager=systemd in unified mode
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

@giuseppe giuseppe force-pushed the giuseppe:initial-cgroup2 branch from 3021c51 to 0e8f4dd May 13, 2019

@giuseppe
Member Author

commented May 13, 2019

tests are finally passing

@mheon
Collaborator

commented May 13, 2019

Question: does this break runc rootless containers on CGroupsV2 enabled systems?

@giuseppe
Member Author

commented May 13, 2019

Question: does this break runc rootless containers on CGroupsV2 enabled systems?

the only difference for rootless Podman with runc will be that if a user specifies any resource, Podman won't error out immediately but will let the runtime handle it. I've not tried it, but I'd expect it to fail on cgroup v2 also when resources are not specified

@giuseppe
Member Author

commented May 17, 2019

the change for conmon got merged, fine to merge this?

@mheon
Collaborator

commented May 17, 2019

LGTM

@rhatdan
Member

commented May 17, 2019

/lgtm

@openshift-merge-robot openshift-merge-robot merged commit 144244a into containers:master May 17, 2019

15 checks passed
