[RFC] [Proposal] support cgroups in the host

[devimc]

Description of the problem

Unlike other runtimes, kata starts at least 2 processes per POD, kata-shim and a hypervisor (and kata-proxy when vsocks is disable). From host perspective, containers run in a guest (virtual machine) whose resources can be monitored by monitoring the hypervisor process and its threads. kata-shims are used to interact with the containers, sending signals, reading/writing data, etc. A POD can have any number of containers that run in the same guest. One of the major gaps that can be found in kata containers currently is that cgroups are applied in the guest, but not in the host or not in the right cgroup path (see #1021) causing problem in some implementations for resource governance, like service fabric https://github.com/Microsoft/service-fabric/.

Proposal

Move kata-shim (pause workload) and hypervisor (and kata-proxy if vsocks is disable) to sandbox cgroup, and apply a cgroup constraint to the sandbox that is defined by the sum of all its containers' cgroups. Container's cgroups are still created and applied but just to the kata-shim that interact with the container. 2 examples:

A pod with 2 containers, container A with 1 cpu and container B without cpu constraints (1 vcpu is hotplugged).

• in the host: no cpu constraints for container B and sandbox, 1 cpu for container A.
• in the guest: no cpu constraints for container B, 1 cpu for container A.

A pod with 2 containers, container A with 1 cpu and container B with 2 cpus (3 vcpus are hotplugged).

cgroup directory hierarchy

/sys/fs/cgroup/cpu,cpuacct
└── kubepods/burstable/pod644e04f3
      ├── crio-89e60b84  # Sandbox cgroupsPath=/kubepods/burstable/pod644e04f3/crio-89e60b84
      ├── crio-2a95e0f8  # Container A cgroupsPath=/kubepods/burstable/pod644e04f3/crio-2a95e0f8
      └── crio-d037bce7  # Container B cgroupsPath=/kubepods/burstable/pod644e04f3/crio-d037bce7

cc @WeiZhang555 @mocolic

[jcvenegas]

This is related to #878 that is looking to apply cpuset on the host at least to qemu for performance and isolation requirements.

I like the overview of this issue to consider shim and proxy too. Also in this issue you are considering any cgroup type right ?

[devimc]

I like the overview of this issue to consider shim and proxy too. Also in this issue you are considering any cgroup type right ?

no i'm not considering cgroup types, but if this proposal is accepted, I'd like to start with cpu stuff

[jcvenegas]

@devimc good, this may overlap with #878, let me see what operations k8s to on static policy and let you know but I suspect I'll be implementing the qemu cgroup cpuset part.

[WeiZhang555]

What's the detailed cgroup hirarchy of your implementation? Can you give me an overview of the directory hirarchy? @devimc

[devimc]

@WeiZhang555 updated, thanks

[WeiZhang555]

/sys/fs/cgroup/cpu,cpuacct
└── kubepods/burstable/pod644e04f3
      ├── crio-89e60b84  # Sandbox cgroupsPath=/kubepods/burstable/pod644e04f3/crio-89e60b84
      ├── crio-2a95e0f8  # Container A cgroupsPath=/kubepods/burstable/pod644e04f3/crio-2a95e0f8
      └── crio-d037bce7  # Container B cgroupsPath=/kubepods/burstable/pod644e04f3/crio-d037bce7

So "qemu", "kata-proxy" and "kata-shim" process for "pause" container will be put in crio-89e60b84 dir, kata-shim for container A is put in crio-2a95e0f8, kata-shim process for container B is put in crio-2a95e0f8, am I right?

There're some missing details we need to consider, real use case is usually far more complicated.

1. pause container have no constraint in general

A pod with 2 containers, container A with 1 cpu and container B without cpu constraints (1 vcpu is hotplugged).

in the host: no cpu constraints for container B and sandbox, 1 cpu for container A.
in the guest: no cpu constraints for container B, 1 cpu for container A.

In general, the infra container(pause) container will have no CPU constraint, so in K8S, I guess in all cases, the sandbox won't have a constraints in your design, AKA qemu won't have a constraint. If so, is this cgroup support really meaningful？

2. "vcpu" better have a seperate dir

In my previous design, vcpu has a standalone dir containing only the vcpu thread in qemu, IO emulator thread isn't there, this dir hirarchy is from libvirt implementation. That's because in my previous test, when doing network/file IO requests with small chunks, it consumes a lot of CPU, for a 2 CPU qemu, it requires 3 CPU to get a best performance(2 CPU for vcpu threads and 1 CPU for qemu IO emulator), if we constraint it to 2 CPU beause it has 2 vcpu, normally we can only get a 66% performance.
I care about performance a lot.

In a word, your design can help to make existing metric tools work, that's good. But the problem is, either it can't give us a real meaningful result, or it can bring some performance influence. So we should do it very carefully, and should do more tests to see if it really works like what we want.

[devimc]

@WeiZhang555

So "qemu", "kata-proxy" and "kata-shim" process for "pause" container will be put in crio-89e60b84 dir, kata-shim for container A is put in crio-2a95e0f8, kata-shim process for container B is put in crio-2a95e0f8, am I right?

yes

In general, the infra container(pause) container will have no CPU constraint, so in K8S, I guess in all cases, the sandbox won't have a constraints in your design, AKA qemu won't have a constraint.

No, the sandbox won't have constraints only if there is a container without constraints, otherwise the sandbox constraints (qemu and its threads) will be equal to sum of all containers' constraints

If so, is this cgroup support really meaningful

yes, it is, because cgroup paths and constraints will be honoured

In a word, your design can help to make existing metric tools work, that's good. But the problem is, either it can't give us a real meaningful result, or it can bring some performance influence. So we should do it very carefully, and should do more tests to see if it really works like what we want.

ok, I'll implement it and run some performance tests.

[WeiZhang555]

No, the sandbox won't have constraints only if there is a container without constraints, otherwise the sandbox constraints (qemu and its threads) will be equal to sum of all containers' constraints

I mean, in general, for a K8s Pod with 2 workload containers, the pod is usually composed of 3 containers. 1 infra(pause) container and 2 workload containers. In most(maybe all?) cases, infra container won't have a constraint, 2 workloads container will have.

Do you mean when you set the sandbox contraint, you don't count "infra" container in? Will be sandbox resources equal to sum of 2 workload containers without "infra" container?

@devimc

[devimc]

@WeiZhang555

Do you mean when you set the sandbox contraint, you don't count "infra" container in?

no, because sandbox containers never have constraints

Will be sandbox resources equal to sum of 2 workload containers without "infra" container?

Yes

[WeiZhang555]

@devimc That sounds feasible.

Can we give a default constraint(in configuration.toml) when container doesn't have a given resource limit? E.g. defaultVCPU=0.2 and defaultMemory=128M, then we don't need to handle empty constraint case, and service provider can configure their own strategy. If the K8s service provide can be sure that every workload container have a resource constraint, they can even set defaultVCPU=0 and defaultMemory= 0M

[devimc]

@WeiZhang555 sounds good, thanks

[mocolic]

Thanks for working on the proposal. If I understood correctly, if parent cgroup (ex. fabric) is created and passed to kata runtime, the hierarchy will be:
/sys/fs/cgroup/cpu,cpuacct
└── fabric
├── crio-89e60b84 # Sandbox cgroupsPath=/kubepods/burstable/pod644e04f3/crio-89e60b84
├── crio-2a95e0f8 # Container A cgroupsPath=/kubepods/burstable/pod644e04f3/crio-2a95e0f8
└── crio-d037bce7 # Container B cgroupsPath=/kubepods/burstable/pod644e04f3/crio-d037bce7

Also, how the hierarchy will look like if the parent cgroup is not provided? I would expect something like this:
/sys/fs/cgroup/cpu,cpuacct
├── crio-89e60b84 # Sandbox cgroupsPath=/kubepods/burstable/pod644e04f3/crio-89e60b84
├── crio-2a95e0f8 # Container A cgroupsPath=/kubepods/burstable/pod644e04f3/crio-2a95e0f8
└── crio-d037bce7 # Container B cgroupsPath=/kubepods/burstable/pod644e04f3/crio-d037bce7

[devimc]

@mocolic

Also, how the hierarchy will look like if the parent cgroup is not provided? I would expect something like this:
├── crio-89e60b84 # Sandbox cgroupsPath=/kubepods/burstable/pod644e04f3/crio-89e60b84
├── crio-2a95e0f8 # Container A cgroupsPath=/kubepods/burstable/pod644e04f3/crio-2a95e0f8
└── crio-d037bce7 # Container B cgroupsPath=/kubepods/burstable/pod644e04f3/crio-d037bce7

yes