Support running containers without CGroups #3581
Conversation
openshift-ci-robot
added
the
do-not-merge/work-in-progress
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mheon The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci-robot
added
approved
|
--cgroup-driver=none seems more consistent with Docker |
|
Flag change works for me; might be useful to add a cgroupv2 setting to it as well. |
|
LGTM |
|
Few things I want to do here in addition to existing changes:
|
That could have some positive impact on the code as well since we could introduce a |
|
☔ The latest upstream changes (presumably #3509) made this pull request unmergeable. Please resolve the merge conflicts. |
openshift-ci-robot
added
the
needs-rebase
|
@mheon Needs a rebase. |
|
@mheon What is the scoop on this. Seems like something we would want? |
|
Blocked on I could get this landed, but restrict it to |
|
Is there a PR opened for runc? |
|
I got the |
|
With all of the work on getting podman to run well under a systemd unit file, would this PR help us allow better management of cgroups via systemd commands? |
|
Yes - though with limitations (that the Openstack folks found too limiting). It forces creation of a PID namespace (no |
mheon
changed the title
openshift-ci-robot
removed
the
do-not-merge/work-in-progress
openshift-ci-robot
removed
the
needs-rebase
|
Rebased and updated. This now only works with OCI runtimes that have been explicitly flagged as supporting it - in this case, Should be ready for review now. It's missing tests still, but I need to figure out a good way of doing those. |
|
@giuseppe @vrothberg @rhatdan Mind taking a look at the tests here to see if you can figure out what's going on? I've been poking for most of two days without success |
|
Seems to be tied to crun? |
contrib/cirrus/integration_test.sh
Outdated
| @@ -45,6 +45,7 @@ case "$SPECIALMODE" in | |||
| export OCI_RUNTIME=/usr/bin/crun | |||
| make | |||
| make install PREFIX=/usr ETCDIR=/etc | |||
| make install.config PREFIX=/usr | |||
contrib/cirrus/integration_test.sh
Outdated
| @@ -57,6 +58,7 @@ case "$SPECIALMODE" in | |||
| none) | |||
| make | |||
| make install PREFIX=/usr ETCDIR=/etc | |||
| make install.config PREFIX=/usr | |||
|
The failing kill tests look like a flake to me. I can't reproduce locally at least. They fail (error below) when trying to run the container (not trying to kill it).
A funny one is ... rerunning |
|
Restarted all of the three failed jobs |
|
Found the failure, squashed down, expecting this to go green now. |
|
The |
|
LGTM but I'd like @vrothberg to take one last look before merging |
This is mostly used with Systemd, which really wants to manage CGroups itself when managing containers via unit file. Signed-off-by: Matthew Heon <matthew.heon@pm.me>
|
Done |
|
/retest |
|
/hold |
openshift-ci-robot
added
the
do-not-merge/hold
|
/lgtm |
|
/hold cancel |
openshift-ci-robot
removed
the
do-not-merge/hold
github-actions
bot
added
the
locked - please file new issue/PR
Presently requires
crunto test, but I'm working up patches toruncas well.Add support for a
--no-cgroupsflag, which disables container creation of CGroups. This is mainly intended for use with systemd unit files - you'd manage the container from a unit file (for example, one generated bygenerate systemd), without CGroups set, so systemd has sole control of resource limits, shutdown ordering, etc.