Hi @halaney. Thanks for your PR.

I'm waiting for a containerd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

@rata here's the first stab at this, lemme know what you think!

/ok-to-test

Also, please try to push again if CI is failing but the error seems unrelated to this PR. We can't merge until CI is green

@halaney just curious, can you stress test this to see if systemd or the system in general is affected? Now there is one extra mount per rootfs, that is visible to systemd, so it might cause some extra load. It would be great if you can verify the behaviour with this PR too :)

I've also validated this locally, it works fine. @halaney great work, let's push it to the finish line :)

@rata -- sorry was trying to gather data before addressing latest comments! The data below I'm back on an older kernel (compared to prior data, mostly just for my notes) -- 6.5 based.

Here's a flamegraph running 100 pods without this patch applied, each pods 55 layers. Note how much time is spent in doPrepareIDMappedOverlay(). Also note that compared to #12048 's data (which was on 2.0.5) things are actually a bit better, but its still not good. I think the difference with 2.0.5 is that the bind mounts here are now read only which skips some kernel locks.

Here's a flamegraph of the same test, with this patch applied. You can't even see doPrepareIDMappedOverlay() anymore in the view. I've highlighted in purple the Mount() call (would have done doPrepare... but its so small you still can't notice it).

I've scaled the test up to run more pods (which dies pretty spectacularly without this patch and goes through fine with it).

There's other things that don't scale great like the pinned user namespace not getting cleaned up until kubelet removes the sandbox, but that's a different subject and is nowhere near as impactful as this is. i.e. these staying around is a bit troublesome if you churn thru pods super quickly, but like I said that's an entirely different subject to look at and not nearly as impactful:

$ mount
(...)
nsfs on /run/containerd/io.containerd.grpc.v1.cri/sandboxes/dd4ced4b0d1f13735203f3d338b42aa6649fd65f0ea88ff144170bb91a581e3a/pinned-namespaces/user type nsfs (rw)
nsfs on /run/containerd/io.containerd.grpc.v1.cri/sandboxes/ace057993e94944dc7d9422a5524c045ede056ac154362ba5113826ac49d66a3/pinned-namespaces/user type nsfs (rw)

@halaney just curious, can you stress test this to see if systemd or the system in general is affected? Now there is one extra mount per rootfs, that is visible to systemd, so it might cause some extra load. It would be great if you can verify the behaviour with this PR too :)

Just to be clear, the above test should have validated general system "ok-ness" :D

Also, the main reason I am quoting this -- the "extra mount per rootfs" is sort of misleading to anyone looking just at this PR. Prior, we did a temporary mount per layer. Now its just one temporary mount per overlayfs, which can be a massive improvement if your images have a good number of layers. In both cases those temporary mounts are cleaned up shortly after the overlayfs is mounted.

What @rata is referring to when claiming there's an extra mount is the approach mentioned over here that we were originally exploring to improve this situation, which avoids mounting the idmap'ed lowerdirs at all and instead supplies them to the kernel as an fd. That requires a fairly new kernel, etc, and still would benefit from the work done here to reduce the number of operations from a function of # layers to a constant per overlayfs.

If anyone has recs for improving the commit message to better captures this + add some data, I'm all ears, please nitpick away!

Perfect, so with this patch the systemd perf issue is gone and no kubelet timeouts from #12048! Great! :)

Hmm, CI is still not happy. I don't think that's my fault, but lemme dig a little more and if not see if i can rekick those.

EDIT: Couldn't find a way to rekick, just going to rebase and rerun all of CI.

@AkihiroSuda friendly ping?

@fuweid friendly ping? It would be great to merge this so we can backport to 2.0 and 2.1 too

It looks good actually. Just want to test it in my local before voting. Thanks

Neat idea.

@fuweid -- sorry to pester, but any ideas on when you'll get to try this out?

Sorry @halaney for late reply.
kind of busy recently. Will test it tomorrow and give feedback to you. 🙏

@AkihiroSuda @dmcgowan -- when you get some time can you review this? Would love to get this and #12114 merged

Can we backport this to 2.0 and 2.1?

@rata thanks for the nudge, I'll prepare a backport with:

1. The RO idmap changes
2. This change
3. Your clean up changes

To address all the problems those PRs addressed. Seems that acceptable procedure based on backporting docs here

@rata @fuweid backports over here:
2.0: #12223
2.1: #12222

The bot can backport PRs. But a manual PR SGTM too :)

The bot can backport PRs. But a manual PR SGTM too :)

Too many (2-3, 2.0 only needs one commit from one of the PRs) separate but related PRs to try and untangle. I'm a simple man, git-foo is easier than bot foo!