
Commit 707d2c4

committed
allow disabling hugepages
This helps with running rootless mode + cgroup v2 + systemd without hugetlb delegation. Systemd does not (and will not, perhaps) support hugetlb delegation as of systemd v245. https://github.com/systemd/systemd/issues/14662
From https://github.com/rootless-containers/usernetes/blob/502bc5427e57236382db58a0af7996a145381803/src/patches/containerd/0001-DIRTY-VENDOR-cri-allow-disabling-hugepages.patch
Signed-off-by: Akihiro Suda <[email protected]>
1 parent 1d3b9c5 commit 707d2c4

6 files changed

Lines changed: 25 additions & 18 deletions


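--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -236,6 +236,10 @@ type PluginConfig struct {
 // container requests with huge page limits if the cgroup controller for hugepages is not present.
 // This helps with supporting Kubernetes <=1.18 out of the box. (default is `true`)
 TolerateMissingHugetlbController bool `toml:"tolerate_missing_hugetlb_controller" json:"tolerateMissingHugetlbController"`
+// DisableHugetlbController indicates to silently disable the hugetlb controller, even when it is
+// present in /sys/fs/cgroup/cgroup.controllers.
+// This helps with running rootless mode + cgroup v2 + systemd but without hugetlb delegation.
+DisableHugetlbController bool `toml:"disable_hugetlb_controller" json:"disableHugetlbController"`
 // IgnoreImageDefinedVolumes ignores volumes defined by the image. Useful for better resource
 // isolation, security and early detection of issues in the mount configuration when using
 // ReadOnlyRootFilesystem since containers won't silently mount a temporary volume.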
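Review bot: The doc comment added for `DisableHugetlbController` states neither the default nor the practical effect, while the neighbouring `TolerateMissingHugetlbController` comment ends with its default. Judging by the WithResources change in this commit, the flag does not alter the controller itself; it skips copying huge page limits into the OCI spec, so limits requested for a container are not applied. I would append a line such as `// When set, huge page limits requested for a container are not applied. (default is true)`. The PluginConfig struct continues outside the hunk.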

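--- a/pkg/config/config_unix.go
+++ b/pkg/config/config_unix.go
@@ -68,6 +68,7 @@ func DefaultConfig() PluginConfig {
 MaxConcurrentDownloads: 3,
 DisableProcMount: false,
 TolerateMissingHugetlbController: true,
+DisableHugetlbController: true,
 IgnoreImageDefinedVolumes: false,
 }
 }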
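Review bot: Defaulting `DisableHugetlbController: true` in DefaultConfig switches the new behaviour on for every installation, not only the rootless + cgroup v2 + systemd case the commit message describes. On a host where the hugetlb controller is present and delegated, a container that requests huge page limits would previously have had them written into its spec and would now start without them, which weakens resource isolation between workloads. It also appears to leave `TolerateMissingHugetlbController` unconsulted under the default config, because the presence check is skipped entirely. Consider `DisableHugetlbController: false,` here and letting rootless setups opt in with `disable_hugetlb_controller = true`.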

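--- a/pkg/containerd/opts/spec_unix.go
+++ b/pkg/containerd/opts/spec_unix.go
@@ -408,7 +408,7 @@ func WithSelinuxLabels(process, mount string) oci.SpecOpts {
 }
 
 // WithResources sets the provided resource restrictions
-func WithResources(resources *runtime.LinuxContainerResources, tolerateMissingHugetlbController bool) oci.SpecOpts {
+func WithResources(resources *runtime.LinuxContainerResources, tolerateMissingHugetlbController, disableHugetlbController bool) oci.SpecOpts {
 return func(ctx context.Context, client oci.Client, c *containers.Container, s *runtimespec.Spec) (err error) {
 if resources == nil {
 return nil
@@ -451,19 +451,21 @@ func WithResources(resources *runtime.LinuxContainerResources, tolerateMissingHu
 if limit != 0 {
 s.Linux.Resources.Memory.Limit = &limit
 }
-if isHugetlbControllerPresent() {
-for _, limit := range hugepages {
-s.Linux.Resources.HugepageLimits = append(s.Linux.Resources.HugepageLimits, runtimespec.LinuxHugepageLimit{
-Pagesize: limit.PageSize,
-Limit: limit.Limit,
-})
-}
-} else {
-if !tolerateMissingHugetlbController {
-return errors.Errorf("huge pages limits are specified but hugetlb cgroup controller is missing. " +
-"Please set tolerate_missing_hugetlb_controller to `true` to ignore this error")
+if !disableHugetlbController {
+if isHugetlbControllerPresent() {
+for _, limit := range hugepages {
+s.Linux.Resources.HugepageLimits = append(s.Linux.Resources.HugepageLimits, runtimespec.LinuxHugepageLimit{
+Pagesize: limit.PageSize,
+Limit: limit.Limit,
+})
+}
+} else {
+if !tolerateMissingHugetlbController {
+return errors.Errorf("huge pages limits are specified but hugetlb cgroup controller is missing. " +
+"Please set tolerate_missing_hugetlb_controller to `true` to ignore this error")
+}
+logrus.Warn("hugetlb cgroup controller is absent. skipping huge pages limits")
 }
-logrus.Warn("hugetlb cgroup controller is absent. skipping huge pages limits")
 }
 return nil
 }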
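Review bot: When `disableHugetlbController` is true, the new outer `if` in the second hunk drops any requested huge page limits without a log line, whereas the controller-missing path still emits `logrus.Warn`. An operator therefore gets no signal that a container's limits were not applied. I would add an else branch, `} else if len(hugepages) > 0 { logrus.Debug("hugetlb controller disabled by config; skipping huge pages limits") }`, and extend the doc comment to `// WithResources sets the provided resource restrictions; huge page limits are skipped when disableHugetlbController is true.` The part of WithResources between the two hunks is not shown, so `hugepages` is assumed to be a slice, as its use in `range` suggests.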

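--- a/pkg/server/container_create_unix.go
+++ b/pkg/server/container_create_unix.go
@@ -225,7 +225,7 @@ func (c *criService) containerSpec(id string, sandboxID string, sandboxPid uint3
 if c.config.DisableCgroup {
 specOpts = append(specOpts, customopts.WithDisabledCgroups)
 } else {
-specOpts = append(specOpts, customopts.WithResources(config.GetLinux().GetResources(), c.config.TolerateMissingHugetlbController))
+specOpts = append(specOpts, customopts.WithResources(config.GetLinux().GetResources(), c.config.TolerateMissingHugetlbController, c.config.DisableHugetlbController))
 if sandboxConfig.GetLinux().GetCgroupParent() != "" {
 cgroupsPath := getCgroupsPath(sandboxConfig.GetLinux().GetCgroupParent(), id)
 specOpts = append(specOpts, oci.WithCgroup(cgroupsPath))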

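--- a/pkg/server/container_update_resources_unix.go
+++ b/pkg/server/container_update_resources_unix.go
@@ -73,7 +73,7 @@ func (c *criService) updateContainerResources(ctx context.Context,
 return errors.Wrap(err, "failed to get container spec")
 }
 newSpec, err := updateOCILinuxResource(ctx, oldSpec, resources,
-c.config.TolerateMissingHugetlbController)
+c.config.TolerateMissingHugetlbController, c.config.DisableHugetlbController)
 if err != nil {
 return errors.Wrap(err, "failed to update resource in spec")
 }
@@ -134,7 +134,7 @@ func updateContainerSpec(ctx context.Context, cntr containerd.Container, spec *r
 
 // updateOCILinuxResource updates container resource limit.
 func updateOCILinuxResource(ctx context.Context, spec *runtimespec.Spec, new *runtime.LinuxContainerResources,
-tolerateMissingHugetlbController bool) (*runtimespec.Spec, error) {
+tolerateMissingHugetlbController, disableHugetlbController bool) (*runtimespec.Spec, error) {
 // Copy to make sure old spec is not changed.
 var cloned runtimespec.Spec
 if err := util.DeepCopy(&cloned, spec); err != nil {
@@ -143,7 +143,7 @@ func updateOCILinuxResource(ctx context.Context, spec *runtimespec.Spec, new *ru
 if cloned.Linux == nil {
 cloned.Linux = &runtimespec.Linux{}
 }
-if err := opts.WithResources(new, tolerateMissingHugetlbController)(ctx, nil, nil, &cloned); err != nil {
+if err := opts.WithResources(new, tolerateMissingHugetlbController, disableHugetlbController)(ctx, nil, nil, &cloned); err != nil {
 return nil, errors.Wrap(err, "unable to set linux container resources")
 }
 return &cloned, nil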

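--- a/pkg/server/container_update_resources_unix_test.go
+++ b/pkg/server/container_update_resources_unix_test.go
@@ -153,7 +153,7 @@ func TestUpdateOCILinuxResource(t *testing.T) {
 },
 } {
 t.Logf("TestCase %q", desc)
-got, err := updateOCILinuxResource(context.Background(), test.spec, test.resources, false)
+got, err := updateOCILinuxResource(context.Background(), test.spec, test.resources, false, false)
 if test.expectErr {
 assert.Error(t, err)
 } else {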
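Review bot: The only call to `updateOCILinuxResource` shown in this test passes `false` for the new argument, so the path where huge page limits are skipped is never exercised, even though it is what the default config now selects. The test table lies outside the hunk, so this is inferred from the single call site. I would add a per-case field such as `disableHugetlb bool`, pass it as the last argument, and include one case with huge page limits in `test.resources` that asserts `HugepageLimits` stays empty in the returned spec.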
