containerd/containerd#3799 is merged, but we still need a couple of days to stabilize the interface

We should look at adding a stage to the Jenkinsfile that runs on a machine with cgroup2 enabled
Maybe we can merge this PR as-is and work on metrics in separate PRs |
Do we need a more recent version of containerd and runc to actually use this? (with containerd/containerd#3799 in it?)

^ what would be needed for that? Probably at least a host that runs a more recent version of Ubuntu/Debian/Fedora, but given that we run the tests DIND, do we need to update the base-image or a separate stage for that?
We need containerd binary built from master, but no need to vendor containerd library at this moment.
Maybe we should wait for adding cgroup v2 CI until we finish basic v2 support. Or we can use Podman instead, but not sure it is acceptable 😛 https://github.com/opencontainers/runc/blob/201b06374548b64212f4ceb1529688d435e42899/.travis.yml#L29
* Requires containerd binaries from containerd/containerd#3799. Metrics are unimplemented yet.
* Works with crun v0.10.4, but `--security-opt seccomp=unconfined` is needed unless using master version of libseccomp (containers/crun#156, seccomp/libseccomp#177)
* Doesn't work with master runc yet
* Resource limitations are unimplemented

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
enable resource limitation by disabling cgroup v1 warnings

resource limitation still doesn't work with rootless mode (even with systemd mode)

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
For cgroup v1, we were unable to change the default because of a compatibility issue. For cgroup v2, we should change the default right now because switching to cgroup v2 is already a breaking change.

See also containers/podman#4363 containers/podman#4374

Privileged containers also use cgroupns=private by default. containers/podman#4374 (comment)

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
@thaJeztah PTAL?
In cgroup v1 container implementations, cgroupns is not used by default because it was not available in the kernel until kernel 4.6 (May 2016), and the default behavior will not change on cgroup v1 environments, because changing the default will break compatibility and surprise users.

For cgroup v2, implementations are going to unshare cgroupns by default so as to hide /sys/fs/cgroup from containers.

* Discussion: containers/podman#4363
* Podman PR (merged): containers/podman#4374
* Moby PR: moby/moby#40174

This PR enables cgroupns for containers, but pod sandboxes are untouched because probably there is no need to do.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
@AkihiroSuda I think it means, "Please Take A Look."

Yes, so, I'm asking thaJeztah to PTAL whether we can merge this PR without including metrics stuff 😅
cpuguy83
left a comment
LGTM
Tested with Fedora 31 and a master build of containerd and runc.
thaJeztah
left a comment
LGTM
we should create a tracking issue for what's needed to run CI for this
tracking issue: #40360
…6654)

### What does this PR do?

Adds `cgroup: "host"` to the host-profiler service in the dev docker-compose, so the profiler gets the host cgroup namespace instead of a private one.

### Motivation

On cgroup v2, Docker keeps private cgroup namespaces even for privileged containers ([moby#40174](moby/moby#40174)). This causes `/proc/self/cgroup` to return `0::/`, which breaks self container ID detection. Profiles of the profiler itself end up missing container tags.

### Describe how you validated your changes

Run `docker compose up --build` from `cmd/host-profiler/` and verify the profiler resolves its own container ID.

### Additional Notes

This only affects the dev docker-compose. For customer-facing Docker deployments, we should add `--cgroupns=host` to the recommended run configuration in the docs.

Co-authored-by: nayef.ghattas <nayef.ghattas@datadoghq.com>
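The detection failure described in that PR, worked through as an added example (not code from either PR): the parser below reads the text of `/proc/self/cgroup` in both the cgroup v1 (`hierarchy:controllers:path`) and cgroup v2 (`0::path`) formats, and reports the `0::/` case, where a private cgroup namespace hides the container's cgroup path, as a distinct error so a caller can tell "path hidden by cgroupns" from "no container ID present". The sample inputs and the 64-hex ID are constructed, not captured from a real host.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// ErrCgroupNSPrivate: every cgroup path is "/", which is what a process sees from
// inside a private cgroup namespace (Docker's default on cgroup v2 after moby#40174).
var ErrCgroupNSPrivate = errors.New("all cgroup paths are /: private cgroupns hides the container path")
// Docker names a container's cgroup after its 64-hex container ID.
var containerIDRe = regexp.MustCompile(`[0-9a-f]{64}`)
// ContainerIDFromCgroup extracts a container ID from the text of /proc/self/cgroup.
// cgroup v1 lines are "<hierarchy>:<controllers>:<path>"; cgroup v2 has one "0::<path>" line.
func ContainerIDFromCgroup(content string) (string, error) {
	sc := bufio.NewScanner(strings.NewReader(content))
	sawRoot := false
	for sc.Scan() {
		parts := strings.SplitN(sc.Text(), ":", 3)
		if len(parts) != 3 {
			continue
		}
		if id := containerIDRe.FindString(parts[2]); id != "" {
			return id, nil
		}
		sawRoot = sawRoot || parts[2] == "/"
	}
	if sawRoot {
		return "", ErrCgroupNSPrivate // distinguish "path hidden" from "not in a container"
	}
	return "", errors.New("no container ID found in cgroup paths")
}
// Constructed sample inputs (not captured from a real host); sampleID is a made-up value.
const sampleID = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
var (
	SampleV1        = "12:memory:/docker/" + sampleID + "\n1:name=systemd:/docker/" + sampleID + "\n"
	SampleV2Host    = "0::/system.slice/docker-" + sampleID + ".scope\n" // v2 with --cgroupns=host
	SampleV2Private = "0::/\n"                                           // v2 with the private default
)

func main() {
	for _, s := range []string{SampleV1, SampleV2Host, SampleV2Private} {
		id, err := ContainerIDFromCgroup(s)
		fmt.Printf("id=%q err=%v\n", id, err)
	}
}
```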
- What I did

support cgroup2 (unified mode)

Fix #16238

- How I did it

- How to verify it

Add `systemd.unified_cgroup_hierarchy=1` to kernel cmdline and reboot. This step is not needed for Fedora 31.

`docker run -it --rm --runtime=crun --security-opt seccomp=unconfined alpine`

Limitations:

* `--security-opt seccomp=unconfined` unless using master version of libseccomp (invalid seccomp syscall 'io_uring_enter': unknown. containers/crun#156, RFE: new release? seccomp/libseccomp#177)
* `--exec-opt native.cgroupdriver=systemd`.

- Description for the changelog

support cgroup2

- A picture of a cute animal (not mandatory but encouraged)

🐧