Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

cgroups: Introduce lxc.cgroup.dir.monitor.pivot - fixes cgroup removal on termination #3563

Merged
merged 1 commit into from Oct 27, 2020
Merged

cgroups: Introduce lxc.cgroup.dir.monitor.pivot - fixes cgroup removal on termination #3563

merged 1 commit into from Oct 27, 2020

Conversation

r10r
Copy link
Contributor

@r10r r10r commented Oct 27, 2020

On termination lxc may fail to remove either lxc.cgroup.dir or lxc.cgroup.dir.monitor,
because the monitor process may still be a member of either of these cgroups.
The pivot cgroup should not be a member (subpath) of any other container cgroup (dir)
because only empty cgroups can be removed.

Although I've used the newly introduced option lxc.cgroup.dir.monitor as prefix this option should work fine
with with either lxc.cgroup.dir or lxc.cgroup.dir.monitor.

I've discovered this when working on crio-lxc - I found the following warning in the log.

Oct 07 14:27:20 k8s-cluster2-controller kubelet[3725]: W1007 14:27:20.906211    3725 pod_container_manager_linux.go:200] failed to delete cgroup paths for [kubepods besteffort pod2159cf63-66b6-4fa5-88b1-23489e084727] : unable to destroy cgroup paths for cgroup [kubepods besteffort pod2159cf63-66b6-4fa5-88b1-23489e084727] : remove /sys/fs/cgroup/kubepods.slice/kubepods-besteffort.slice/kubepods-besteffort-pod2159cf63_66b6_4fa5_88b1_23489e084727.slice: device or resource busy

The lxc config with this option will look like this (for crio-lxc):

lxc.cgroup.dir.container = kubepods.slice/kubepods-burstable.slice/kubepods-burstable-podcf6a372f_513a_47e3_aa9f_51f72e046812.slice/crio-f591102de92279a1cb2bc405cfd8a738061ffd36a95957297449b69ed0c7dea6.scope
lxc.cgroup.dir.monitor = crio-lxc-monitor.slice/f591102de92279a1cb2bc405cfd8a738061ffd36a95957297449b69ed0c7dea6.scope
lxc.cgroup.dir.monitor.pivot = crio-lxc-monitor.slice

On termination lxc may fail to remove either lxc.cgroup.dir or lxc.cgroup.dir.monitor,
because the monitor process may still be a member of either of these cgroups.
The pivot cgroup should not be a member (subpath) of any other container cgroup (dir).
because only empty cgroups can be removed.

Signed-off-by: Ruben Jenster <r.jenster@drachenfels.de>
@lxc-jenkins
Copy link

This pull request didn't trigger Jenkins as its author isn't in the whitelist.

An organization member must perform one of the following:

  • To have this branch tested by Jenkins, use the "ok to test" command.
  • To have a one time test done, use the "test this please" command.

Those commands are simple Github comments of the format: "jenkins: COMMAND"

@brauner
Copy link
Member

brauner commented Oct 27, 2020

jenkins: test this please

@brauner brauner requested a review from Blub October 27, 2020 16:10
Copy link
Member

@brauner brauner left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems reasonable.

@brauner brauner merged commit a093bb0 into lxc:master Oct 27, 2020
@brauner
Copy link
Member

brauner commented Oct 27, 2020

Thanks!

@r10r r10r deleted the cgroup-fixes branch January 25, 2021 08:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

Successfully merging this pull request may close these issues.

None yet

3 participants