-
Notifications
You must be signed in to change notification settings - Fork 329
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix cgroups determination in exec implementation #2720
Conversation
With this PR, the number of failed podman tests goes down from 157 to 105 : https://github.com/YJDoc2/youki/actions/runs/8138706191 🎉 |
Signed-off-by: Yashodhan Joshi <yjdoc2@gmail.com>
Signed-off-by: Yashodhan Joshi <yjdoc2@gmail.com>
Signed-off-by: Yashodhan Joshi <yjdoc2@gmail.com>
Signed-off-by: Yashodhan Joshi <yjdoc2@gmail.com>
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## main #2720 +/- ##
==========================================
- Coverage 65.21% 65.17% -0.05%
==========================================
Files 133 133
Lines 16981 16984 +3
==========================================
- Hits 11075 11070 -5
- Misses 5906 5914 +8 |
LGTM |
Signed-off-by: Yashodhan Joshi <yjdoc2@gmail.com>
@lengrongfu @utam0k May I ask one of you to take a look at the newer changes I have pushed? |
@@ -353,6 +353,11 @@ impl CgroupManager for Manager { | |||
if pid.as_raw() == -1 { | |||
return Ok(()); | |||
} | |||
if self.client.transient_unit_exists(&self.unit_name) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we add a unit tet for this change?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ok, willl do 👍
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I noticed this leads to breaking changes for existing users due to changing a default cgroup path. In my opinion, affecting rootless users can be allowed, but breaking the change for regular users(non-rootless) is more important. Can we avoid affecting regular users?
Hey, while this is breaking , I'm not sure which part specifically are you talking about with respect to default cgroup path. If it is this : https://github.com/containers/youki/pull/2720/files#diff-36cd5e5a1222b5c819958e4045a242cbff00ae22a8a1699229f5c6220dafdb6bR150-R153 Then, this only changes the when the cgroup path was not set, and I had observed this behavior when creating a tenant container via exec. For the normal container, the path is correctly set and would not change in this. Also the previous behavior of using just the If you meant something else, please correct me. Thanks! |
Yes 👍
I wonder what happens in the following case:
In this above case, Every 1 and 3 processes find out different cgroup paths, right? |
Hey,
Note : below youki 3.2 = youki on tag v0.3.2 ; branch youki = youki compiled from this branch So I tried this and when I launch container A (with sudo pdoman) with youki 3.2 , then try to exec into it with youki 3.2, it gives error of
which is what I mentioned about the default cgroup path being incorrect in my previous comment. However, if I try to launch container A (with sudo podman) youki 3.2 and exec into it using branch youki , it works due to the cgroups path being set correctly in this branch. Also, I verified that there were two processes in the cgroup of container A when I tried to exec into it using branch youki. Similarly using branch youki for container A and exec works too. Trying to exec into container launched with branch youki using youki 3.2 also fails due to malformed path. In short, the exec was broken for both rootful and rootless on v0.3.2 , so I think changing the cgroup path determination wouldn't cause any issues when using containers launched with youki 0.3.2 with branch youki. Does this address your concern? Do you want me to try any other permutations? |
Also, I need to check this in detail, but I suspect that changes in the cgroup path determination don't get applied at all due to the changes in setting the cgroups path here for exec containers. Previously we would not set that path, thus the path determination finding |
Yes, I imagined this situation(Sorry for my lack of words 🙏) |
Signed-off-by: Yashodhan Joshi <yjdoc2@gmail.com>
1b8ffdf
to
bbaf9d6
Compare
@utam0k I have added a test for systemd cgroup manager regarding the changes here. The CI is failing as the dbus pipe is not set up correctly, so I'll fix that up ; but can you take a look at the test I have added, and check if that approach is ok, or any changes are needed - commit : 4a95211 ? Thanks :) EDIT : This commit id is no longer relevant due to rebase. |
The commit in itself looks acceptable to me. I wonder whether this PR should be written as a breaking change or not. |
Thanks, I'll work on fixing the CI then.
I'm not sure, while some of the internals have changed, the overall effect is making exec work which was not working previously, thus I added the bug label. I'll think more on this 👍
|
LGTM except for the CI failed |
Signed-off-by: Yashodhan Joshi <yjdoc2@gmail.com>
Signed-off-by: Yashodhan Joshi <yjdoc2@gmail.com>
Signed-off-by: Yashodhan Joshi <yjdoc2@gmail.com>
@utam0k please take a look. I have changed the approach of adding the task - before I wrote directly to the cgroup proc file, which could be incorrect / have permission errors ; Now I use the systemd dbus api to add the process via dbus call. I have also fixed the tests, although for the task addition test, I needed to add some more mounts and one hack script so that it can run properly in the cross container. See these three commits for these new changes : 75c851b 3fe7d04 df5ebb2 Thanks :) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Depending on DBus is better than the previous approach, +1
Thanks a lot, @YJDoc2 |
This fixes the way we determine cgroup name as well as the way we set the cgroup in case of exec. Right now on the main, following would fail even though they should succeed
This is because
Thus, we fix it here by also copying over the cgroup config from init to tenant, and if cgroup path is not present using
:youki:id
instead .I have also added a test for exec in the rootless tests we have.
NOT READY FOR MERGE YET.