New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Exec cgroup #5837
Exec cgroup #5837
Conversation
Hi @donpenney. Thanks for your PR. I'm waiting for a cri-o member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/cc @haircommander |
internal/oci/runtime_oci.go
Outdated
@@ -427,6 +435,32 @@ func (r *runtimeOCI) ExecContainer(ctx context.Context, c *Container, cmd []stri | |||
return cmdErr | |||
} | |||
|
|||
// moveExecToCgroup moves Exec command pid to the pod group | |||
func moveExecToCgroup(containerPid, commandPid int) error { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
1: is there any way we can merge this funcitonality with the CreateContainer variant?
2: I think we want this to be in internal/config/cgmgr
so we can toggle based on cgroup type and version
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll look into this. Thanks for the suggestion!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Moved the function to cgmgr.go. I don't see a way to merge this with CreateContainer, though
/ok-to-test |
/retest |
Rebased to pick up newly merged PR #5823 |
internal/oci/runtime_oci.go
Outdated
@@ -521,6 +544,42 @@ func (r *runtimeOCI) ExecSyncContainer(ctx context.Context, c *Container, comman | |||
|
|||
// We don't need childPipe on the parent side | |||
childPipe.Close() | |||
childStartPipe.Close() | |||
|
|||
if r.handler.MonitorExecCgroup && r.config.InfraCtrCPUSet != "" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we need to defer the container process kill if it errors here (with a closure like in CreateContainer), otherwise we'll leak a process because conmon will be waiting forever on the pipe
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thanks for the comment... I've updated the code to do the same kill as CreateContainer
I would love to dedup this code in the future if possible, but I would not consider that blocking it in the first place /approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: donpenney, haircommander The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@saschagrunert PTAL |
/hold actually, I had a thought that this should be a string instead of a bool. If empty, default behavior, if value |
Signed-off-by: Don Penney <dpenney@redhat.com>
Added runtime handler config option, monitor_exec_cgroup, to enable moving the exec probe process to the container's cgroup. Users can enable the feature by setting monitor_exec_cgroup to "container". Signed-off-by: Don Penney <dpenney@redhat.com>
Updated ExecSyncContainer to move the exec probe process to the container's cgroup, if the runtime handler monitor_exec_cgroup config option is set to "container". This ensures cpu usage and resource accounting are restricted to the container's allowances. Co-Authored-By: Brent Rowsell <browsell@redhat.com> Signed-off-by: Don Penney <dpenney@redhat.com>
Done. If monitor_exec_cgroup is set to a string other than "container", you'll see an error log like the following: I0509 16:46:55.212517 3089960 prober.go:121] "Probe failed" probeType="Readiness" pod="xxxxxx" podUID=c6ba8458475c9dd26941a04586b8e318 containerName="xxxxxx" probeResult=failure output="Unsupported monitor_exec_cgroup value: not-container" |
/retest |
/lgtm thanks for all of your work @donpenney |
/hold cancel |
/retest |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/override ci/openshift-jenkins/integration_crun |
@haircommander: Overrode contexts on behalf of haircommander: ci/openshift-jenkins/integration_crun In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
What type of PR is this?
/kind bug
What this PR does / why we need it:
Currently, exec sync containers are launched under the crio cgroup. For applications with a large number of exec probes, this can impact cpu usage for reserved platform cores, in addition to affecting accounting. To address this, this PR introduces an opt-in exec_cgroup option (defaults to false) that moves the exec probe process to the pod's cgroup. This ensures cpu usage and resource accounting are restricted to the pod's allowances.
Which issue(s) this PR fixes:
None
Special notes for your reviewer:
Does this PR introduce a user-facing change?