Implementing support for --cpu-rt-period and --cpu-rt-runtime

[erikstmartin]

- What I did
Added support for two new flags --cpu-rt-period and --cpu-rt-runtime combined with either the --privileged flag or --cap-add=sys_nice this allows processes within a container to prioritize themselves as real-time when CONFIG_RT_GROUP_SCHED is enabled in the kernel. See #22380. When this option is enabled each docker container's cgroup has to have cpu.rt_runtime_us set in order for the container to be able to prioritize its threads.

- How I did it

Support for changing the cgroup value already existed in runc, I updated all the necessary container configs to pass these values down to runc. I also implemented some sanity checks in the daemon.

- How to verify it
Ensure CONFIG_RT_GROUP_SCHED is enabled in the kernel (standard CentOS 7 install has this enabled). You can verify it's enabled by running
zcat /proc/config.gz | grep CONFIG_RT_GROUP_SCHED or by checking for the existence of /sys/fs/cgroup/cpu.rt_runtime_us

You will also need to ensure that the system and all parent cgroups have values set for the period and runtime as this limits what the children can be set to. If you're familiar with these values you can set them appropriately, sane defaults would be rt_period_us = 1000000 and rt_runtime_us = 950000, they only need to be set once on the system.

sysctl kernel.sched_rt_period_us
sysctl kernel.sched_rt_runtime_us

cat /sys/fs/cgroup/cpu.rt_period_us
cat /sys/fs/cgroup/cpu.rt_runtime_us

cat /sys/fs/cgroup/docker/cpu.rt_period_us
cat /sys/fs/cgroup/docker/cpu.rt_runtime_us

Update: You can now set the values for the parent cgroups with a new set of daemon flags. The system value will still need to be set using sysctl.
docker daemon --cpu-rt-runtime=950000

Now you have a system you can test on. To validate this works start a container with the new flags (we'll add a ulimit just to test that works as expected too)

docker run --it --cpu-rt-runtime=95000 --ulimit rtprio=99 --cap-add=sys_nice debian:jessie

If you receive an error like this, it's because your parent cgroups dont have rt_runtime_us set, or it's a lower value than you're trying to set for your container. Also ensure they are set for your container /sys/fs/cgroup/docker/<container id>/cpu.rt_runtime_us (after the container has been started). if you're testing this inside a container.

docker: Error response from daemon: oci runtime error: process_linux.go:286: setting cgroup config for ready process caused "failed to write 950000 to cpu.rt_runtime_us: write /sys/fs/cgroup/cpu,cpuacct/docker/5024d2730a83e86efd9042ea99972d582c66830f4a3aa21c747d1c25c824eb75/cpu.rt_runtime_us: invalid argument".

Once inside the container you can attempt to change the priority of your shell
chrt -r -p 99 1

Then validate by calling
chrt -p 1

root@c1d2f4b7d579:/# chrt -r -p 99 1
root@c1d2f4b7d579:/# chrt -p 1
pid 1's current scheduling policy: SCHED_RR
pid 1's current scheduling priority: 99

You can also test the following error conditions.

• Passing either flag without having the sys_nice capability or being privileged results in error (no point setting your runtime if you dont have permission to change your priority)
• Passing either flag on a host with the kernel option disabled results in error
• Passing a runtime greater than the period results in an error

- Description for the changelog
Support for --cpu-rt-period and --cpu-rt-runtime flags, allowing containers to run real-time threads when CONFIG_RT_GROUP_SCHED is enabled in the kernel.

- A picture of a cute animal (not mandatory but encouraged)

[justincormack]

Thanks for working on this!

[justincormack]

I don't think I would check this, there are potentially other ways in which we could get capabilities, so I would just check the return codes when you actually try to change stuff and try to give a helpful message if it fails.

[erikstmartin]

Remove just the capabilities check? or all the param sanity checking?

Also you wont see any errors until you make the syscall to change your priority, which would likely just be a permissions error and not overly helpful.

[justincormack]

The capabilities check, it is a bit ugly and encodes a lot of presumed information about how capabilities are assigned which could change in future, and we don't do it anywhere else. EPERM in the syscall is pretty clear and you can provide a more helpful message there.

[erikstmartin]

I got overly ambition trying to save people from themselves. I'll get this removed.

[erikstmartin]

No problem, sorry for the crazy delay, been insanely caught up on other tasks.

Let me know if you have any questions/problems trying to test this. I admit it's a lot of steps to get setup to test if you don't already have this kernel param enabled, then the Docker inception thing, having to make sure the container you're testing inside of has rt_runtime. You almost need this feature to test this feature :)

[erikstmartin]

I've removed the capabilities check and associated unit tests, PTAL.

[erikstmartin]

CI Failures are from the manual changes within vendor/ I was advised to do that for now here so that everything could be reviewed in one place.

Once docker-archive-public/docker.engine-api#262 is merged, this PR can be updated to pull in upstream and that failure will disappear.

[thaJeztah]

@erikstmartin yes, don't worry about the "failing-ci" label for now, it's just that we know it's failing (in this case due to the "vendor" CI). Should not be an issue while in design-review 👍

[erikstmartin]

I've updated this PR to include a --cpu-rt-runtime flag to the daemon. The daemon needs to be able to set the cgroup value otherwise a sysadmin will need to set the value after the first container is started (after every reboot)

[jalaziz]

I haven't had a chance to test this, but I believe the daemon flag won't actually work correctly with newer systemd versions. Until opencontainers/runc#931 is fixed, the cpu cgroup path ends up being /sys/fs/cgroup/cpu/init.scope/system.slice. In order for everything to work correctly, rt_runtime and rt_period have to be recursively set down the path.

[erikstmartin]

@jalaziz I'll double check, but i'm pretty sure I was developing this against 230.

[jalaziz]

@erikstmartin For reference, we're running CoreOS with systemd v229. However, I believe the problem exists on other OSes with newer systemd versions if you use --exec-opt native.cgroupdriver=systemd (I'm sure you already knew this).

I'm not sure if the cgroupParent is correct for the CPU subsystem when you call initCgroupsPath. Even if it is, though, the testing I've done seems to indicate you'd have to recursively set the runtime and period settings (e.g. for init.scope, then for init.scope/system.slice).

[erikstmartin]

@jalaziz You're completely correct. I dont think I tried it using the systemd cgroup driver on that machine.

[erikstmartin]

Latest push should handle climbing the cgroup tree and also account for init.scope in newer versions of systemd

[cpuguy83]

🎉
Thanks @erikstmartin!

[huster-hh]

@erikstmartin thank you for reading my question.
i meet the same error you said.i submit my question in #31411
you said 'If you receive an error like this, it's because your parent cgroups dont have rt_runtime_us set, or it's a lower value than you're trying to set for your container.'
however i can not change docker cgroup 's rt_runtime_us to more than 0.
can you tell me how you solve this error??
Thank you very much !!!Thank you !

[erikstmartin]

@IT-huang This is going to be dependent on what the parent cgroup of docker is, is it user.slice, etc. You need to make sure that the parents also have rt_runtime allocated. This could also be at the system level of the host itself. Check sysctl kernel.sched_rt_runtime_us and sysctl kernel.sched_rt_period_us

[kolyshkin]

It does not make sense to check these two files separately -- this is a single kernel feature, so these two are either both present or not (and if one present and the other is not this is some kind of a gross kernel error).

I am trying to fix this in #41014

[kolyshkin]

there is no need to do all of the below in case CPU RT parameters are not set, or the kernel does not support CPU RT sched.

[kolyshkin]

this call is very expensive and ideally should only be done once.

[kolyshkin]

This is very expensive way to check whether CPU RT scheduler is supported, and it's also performed way too late in the code, and also multiple times :(

[kolyshkin]

Trying to address some of the issues in #41014 and #41016