Is it safe to run isolate as a service in a Docker container?

[fushar]

Or is there any known kernel issues that could potentially arise?

[hermanzdosilovic]

I am running my api and ide over a year in Docker with isolate and haven't had any problems with it. You should just give your container --priviledged flag because isolate needs to be able to create cgroups.

[fushar]

Cool, thank you! Closing.

[CristianCantoro]

If somebody needs this, the situation has changed during the last few years.

As of today (May 2023), you will need to add the following kernel command line options:

cgroup_enable=memory 
systemd.unified_cgroup_hierarchy=0

I have posted more details on StackOverflow "Unable to mount memory cgroup".

Note that this also solves errors such as:

• Missing file or directory inside the cgroup tree (e.g. /sys/fs/cgroup/memory/ or /sys/fs/cgroup/cpuacct/), or
• Failed to reset control group /sys/fs/cgroup/memory/...: Device or resource busy.

Note that, as said by @hermanzdosilovic, you will still need to run your container with the --priviledged flag.

[gollux]

You can try experimental code in the cg2 branch, which works with Cgroup 2.

[CristianCantoro]

@gollux wrote:

You can try experimental code in the cg2 branch, which works with Cgroup 2.

Thanks, I will check it out.

It took me a while to understand that the issue was caused by cgroup v2 versus v1, so I just found out about #78 now.