Exec cgroup #5837
Exec cgroup #5837
Conversation
openshift-ci
bot
added
release-note-none
openshift-ci
bot
added
the
needs-ok-to-test
|
Hi @donpenney. Thanks for your PR. I'm waiting for a cri-o member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/cc @haircommander |
internal/oci/runtime_oci.go
Outdated
| @@ -427,6 +435,32 @@ func (r *runtimeOCI) ExecContainer(ctx context.Context, c *Container, cmd []stri | |||
| return cmdErr | |||
| } | |||
|
|
|||
| // moveExecToCgroup moves Exec command pid to the pod group | |||
| func moveExecToCgroup(containerPid, commandPid int) error { | |||
There was a problem hiding this comment.
1: is there any way we can merge this funcitonality with the CreateContainer variant?
2: I think we want this to be in internal/config/cgmgr so we can toggle based on cgroup type and version
There was a problem hiding this comment.
I'll look into this. Thanks for the suggestion!
There was a problem hiding this comment.
Moved the function to cgmgr.go. I don't see a way to merge this with CreateContainer, though
|
/ok-to-test |
openshift-ci
bot
added
ok-to-test
|
/retest |
|
Rebased to pick up newly merged PR #5823 |
internal/oci/runtime_oci.go
Outdated
| @@ -521,6 +544,42 @@ func (r *runtimeOCI) ExecSyncContainer(ctx context.Context, c *Container, comman | |||
|
|
|||
| // We don't need childPipe on the parent side | |||
| childPipe.Close() | |||
| childStartPipe.Close() | |||
|
|
|||
| if r.handler.MonitorExecCgroup && r.config.InfraCtrCPUSet != "" { | |||
There was a problem hiding this comment.
we need to defer the container process kill if it errors here (with a closure like in CreateContainer), otherwise we'll leak a process because conmon will be waiting forever on the pipe
There was a problem hiding this comment.
thanks for the comment... I've updated the code to do the same kill as CreateContainer
|
I would love to dedup this code in the future if possible, but I would not consider that blocking it in the first place /approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: donpenney, haircommander The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
@saschagrunert PTAL |
openshift-ci
bot
added
release-note
|
/hold actually, I had a thought that this should be a string instead of a bool. If empty, default behavior, if value |
openshift-ci
bot
added
the
do-not-merge/hold
Signed-off-by: Don Penney <dpenney@redhat.com>
Added runtime handler config option, monitor_exec_cgroup, to enable moving the exec probe process to the container's cgroup. Users can enable the feature by setting monitor_exec_cgroup to "container". Signed-off-by: Don Penney <dpenney@redhat.com>
Updated ExecSyncContainer to move the exec probe process to the container's cgroup, if the runtime handler monitor_exec_cgroup config option is set to "container". This ensures cpu usage and resource accounting are restricted to the container's allowances. Co-Authored-By: Brent Rowsell <browsell@redhat.com> Signed-off-by: Don Penney <dpenney@redhat.com>
|
Done. If monitor_exec_cgroup is set to a string other than "container", you'll see an error log like the following: I0509 16:46:55.212517 3089960 prober.go:121] "Probe failed" probeType="Readiness" pod="xxxxxx" podUID=c6ba8458475c9dd26941a04586b8e318 containerName="xxxxxx" probeResult=failure output="Unsupported monitor_exec_cgroup value: not-container" |
|
/retest |
|
/lgtm thanks for all of your work @donpenney |
|
/hold cancel |
openshift-ci
bot
removed
the
do-not-merge/hold
|
/retest |
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
|
/override ci/openshift-jenkins/integration_crun |
|
@haircommander: Overrode contexts on behalf of haircommander: ci/openshift-jenkins/integration_crun In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
What type of PR is this?
/kind bug
What this PR does / why we need it:
Currently, exec sync containers are launched under the crio cgroup. For applications with a large number of exec probes, this can impact cpu usage for reserved platform cores, in addition to affecting accounting. To address this, this PR introduces an opt-in exec_cgroup option (defaults to false) that moves the exec probe process to the pod's cgroup. This ensures cpu usage and resource accounting are restricted to the pod's allowances.
Which issue(s) this PR fixes:
None
Special notes for your reviewer:
Does this PR introduce a user-facing change?