check unified Mountpoint cgroup version in case user uses cgroupoup v1 on new kernel #43
Conversation
k8s-ci-robot
added
kind/bug
k8s-ci-robot
added
sig/node
…oup v1 on new kernel
pacoxu
force-pushed
the
check-unifiedMountpoint
branch
from
1fa79b5 to
66f2b64
Compare
k8s-ci-robot
added
size/M
|
/cc @neolit123 |
pacoxu
force-pushed
the
check-unifiedMountpoint
branch
from
821b88c to
1eb5efa
Compare
k8s-ci-robot
added
the
do-not-merge/hold
k8s-ci-robot
added
lgtm
|
I needs to write more test and verify it in k/k presbumit CI. |
| if st.Type == unix.CGROUP2_SUPER_MAGIC { | ||
| if isCgroupsV2 { |
There was a problem hiding this comment.
that makes sense and drops the golang.org/x/sys dependency
pacoxu
force-pushed
the
check-unifiedMountpoint
branch
from
1eb5efa to
5e86f49
Compare
k8s-ci-robot
removed
the
lgtm
For this combined mode, I am not sure how to behavior is best practise for system-validator.
|
|
In |
pacoxu
force-pushed
the
check-unifiedMountpoint
branch
from
5e86f49 to
17c3ea1
Compare
I run some test in kubernetes/kubernetes#128174. The current results LGTM. #43 (comment) is the only concern now.
BTW, I tried to collect some cases in https://gist.github.com/pacoxu/2768337b62ccc150e8623d25ea890cfc. |
According to https://docs.kernel.org/admin-guide/cgroup-v2.html This is not a correct solution then. |
we are already doing that here:
google-ing about it, seems like both v1 and v2 can mount to /sys/fs/cgroup with tmpfs. |
|
cc @KentaTada |
|
https://github.com/opencontainers/runc/blob/2664c845c9d271420cce5c430546d02e378a2b3b/libcontainer/cgroups/utils.go#L98-L137 |
pacoxu
force-pushed
the
check-unifiedMountpoint
branch
from
17c3ea1 to
7e84124
Compare
pacoxu
force-pushed
the
check-unifiedMountpoint
branch
from
7e84124 to
ff4711e
Compare
validators/cgroup_validator_linux.go
Outdated
| // If default unified mount point is available, return it directly. | ||
| if fields[1] == defaultUnifiedMountPoint { | ||
| if fields[2] == "tmpfs" { | ||
| c, err := os.Open(filepath.Join(defaultUnifiedMountPoint, "cgroup.controllers")) |
There was a problem hiding this comment.
this more seems like a line to verify it is v2, not verify it's not v1. I don't personally know of a situation the kernel would return tmpfs but also populate cgroup.controllers
There was a problem hiding this comment.
is there a common way to check if this is cgroup v1 when the mount type is tmpfs?
There was a problem hiding this comment.
https://gist.github.com/pacoxu/2768337b62ccc150e8623d25ea890cfc I collected several examples:
- https://gist.github.com/pacoxu/2768337b62ccc150e8623d25ea890cfc?permalink_comment_id=5241477#gistcomment-5241477 is the special one, which is using tmpfs to mount /sys/fs/cgroup and use cgroup v1. But there is a cgroup v2 mountpoint /sys/fs/cgroup/unified.
this more seems like a line to verify it is v2, not verify it's not v1. I don't personally know of a situation the kernel would return tmpfs but also populate cgroup.controllers
To verify it is not v1, we may check /sys/fs/cgroup/cpu or /sys/fs/cgroup/memory which is used by kubelet directly.
There was a problem hiding this comment.
a520b48 is to address this comment. PTAL.
There was a problem hiding this comment.
Or check /sys/fs/cgroup/memory in /proc/mounts like below:
scanner := bufio.NewScanner(f)
var cgroupV1MountPoint string
+ var isDefault bool
for scanner.Scan() {
line := scanner.Text()
if !strings.Contains(line, "cgroup") {
continue
}
// Example fields: `cgroup2 /sys/fs/cgroup cgroup2 rw,seclabel,nosuid,nodev,noexec,relatime 0 0`.
fields := strings.Fields(line)
if len(fields) >= 3 {
+ if isDefault {
+ if fields[1] == defaultUnifiedMountPoint + "/memory" {
+ return defaultUnifiedMountPoint, fields[2] == "cgroup2", nil
+ }
+ continue
+ }
// If default unified mount point is available, return it directly.
if fields[1] == defaultUnifiedMountPoint {
+ isDefault = true
if fields[2] == "tmpfs" {
+ continue
}
return defaultUnifiedMountPoint, fields[2] == "cgroup2", nil
}
switch fields[2] {
case "cgroup2":
// Return the first cgroups v2 mount point directly.
return fields[1], true, nil
case "cgroup":
// Set the first cgroups v1 mount point only,
// and continue the loop to find if there is a cgroups v2 mount point.
if len(cgroupV1MountPoint) == 0 {
cgroupV1MountPoint = fields[1]
}
}
}
The cons here are
- no checking local file
pacoxu
force-pushed
the
check-unifiedMountpoint
branch
from
a520b48 to
d4dab26
Compare
There was a problem hiding this comment.
@pacoxu i would assume we want this for k8s 1.32?
@KentaTada @haircommander @kannon92
please provide guidance on how to solve the pending cgroups v1/v2 detection issue that @pacoxu describes.
|
LGTM |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: neolit123, pacoxu The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Acccording to my test based on kubernetes/kubernetes#128174, this should not fail the k/k CIs again. /unhold |
k8s-ci-robot
removed
the
do-not-merge/hold
4 participants
/kind bug
quick fix and needs verify
the failed CI
/proc/mounts: see https://prow.k8s.io/view/gs/kubernetes-ci-logs/pr-logs/pull/128174/pull-kubernetes-cos-cgroupv1-containerd-node-e2e/1847150504468025344.The cri-o cgroupv1 env.
I also checked another env using RHEL 8