support cgroup2 #40174
containerd/containerd#3799 is merged, but we still need a couple of days to stabilize the interface
We should look at adding a stage to the Jenkinsfile that runs on a machine with cgroup2 enabled
Maybe we can merge this PR as-is and work on metrics in separate PRs
Do we need a more recent version of containerd and run to actually use this? (with containerd/containerd#3799 in it?)
^ what would be needed for that? Probably at least a host that runs a more recent version of Ubuntu/Debian/Fedora, but given that we run the tests DIND, do we need to update the base-image or a separate stage for that?
We need containerd binary built from master, but no need to vendor containerd library at this moment.
Maybe we should wait for adding cgroup v2 CI until we finish basic v2 support. Or we can use Podman instead, but not sure it is acceptable 😛 https://github.com/opencontainers/runc/blob/201b06374548b64212f4ceb1529688d435e42899/.travis.yml#L29
* Requires containerd binaries from containerd/containerd#3799 . Metrics are not implemented yet.
* Works with crun v0.10.4, but `--security-opt seccomp=unconfined` is needed unless using master version of libseccomp ( containers/crun#156, seccomp/libseccomp#177 )
* Doesn't work with master runc yet
* Resource limitations are unimplemented

Signed-off-by: Akihiro Suda <[email protected]>
enable resource limitation by disabling cgroup v1 warnings

resource limitation still doesn't work with rootless mode (even with systemd mode)

Signed-off-by: Akihiro Suda <[email protected]>
For cgroup v1, we were unable to change the default because of a compatibility issue. For cgroup v2, we should change the default right now because switching to cgroup v2 is already a breaking change.

See also containers/podman#4363 containers/podman#4374

Privileged containers also use cgroupns=private by default. containers/podman#4374 (comment)

Signed-off-by: Akihiro Suda <[email protected]>
Signed-off-by: Akihiro Suda <[email protected]>
@thaJeztah PTAL?
In cgroup v1 container implementations, cgroupns is not used by default because it was not available in the kernel until kernel 4.6 (May 2016), and the default behavior will not change on cgroup v1 environments, because changing the default would break compatibility and surprise users.

For cgroup v2, implementations are going to unshare cgroupns by default so as to hide /sys/fs/cgroup from containers.

* Discussion: containers/podman#4363
* Podman PR (merged): containers/podman#4374
* Moby PR: moby/moby#40174

This PR enables cgroupns for containers, but pod sandboxes are untouched because there is probably no need to do so.

Signed-off-by: Akihiro Suda <[email protected]>
@AkihiroSuda I think it means, "Please Take A Look."
Yes, so, I'm asking thaJeztah to PTAL whether we can merge this PR without including metrics stuff 😅
LGTM
Tested with Fedora 31 and a master build of containerd and runc.
LGTM
we should create a tracking issue for what's needed to run CI for this
tracking issue: #40360
- What I did
support cgroup2 (unified mode)
Fix #16238
- How I did it
- How to verify it
Add `systemd.unified_cgroup_hierarchy=1` to the kernel cmdline and reboot. This step is not needed for Fedora 31.
`docker run -it --rm --runtime=crun --security-opt seccomp=unconfined alpine`
Limitations:
* `--security-opt seccomp=unconfined` is needed unless using master version of libseccomp ( `invalid seccomp syscall 'io_uring_enter': unknown`. containers/crun#156, RFE: new release? seccomp/libseccomp#177 )
* `--exec-opt native.cgroupdriver=systemd`
- Description for the changelog
support cgroup2
- A picture of a cute animal (not mandatory but encouraged)
🐧
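The verification step above (boot with `systemd.unified_cgroup_hierarchy=1`, then run a container) and the commit messages about making `cgroupns=private` the default on cgroup v2 both come down to two observable facts: what filesystem is mounted at /sys/fs/cgroup, and whether /proc/self/cgroup inside the container still shows host-side paths. The script below is an added example, not code from this PR or from moby, that checks both. It takes its inputs as arguments so it can be exercised offline against the constructed samples embedded in it; the function names, the sample strings and the `CHECK_LIVE_HOST` switch are this example's own.

```shell
#!/bin/sh
# Added example (not moby/moby#40174 code): classify the cgroup setup a process
# sees from (a) the filesystem type mounted at /sys/fs/cgroup, (b) the kernel
# command line, and (c) the contents of /proc/self/cgroup.

# cgroup_mode FSTYPE -> v2 | v1 | unknown
# FSTYPE is what `stat -f -c %T /sys/fs/cgroup` prints on the host or in a container.
cgroup_mode() {
  case "$1" in
    cgroup2fs) echo v2 ;;       # unified hierarchy (what this PR adds support for)
    tmpfs)     echo v1 ;;       # legacy: per-controller cgroup mounts under a tmpfs
    *)         echo unknown ;;
  esac
}

# cmdline_requests_unified CMDLINE -> 0 if the kernel command line asks systemd
# for the unified hierarchy. systemd reads the value as a boolean, so the usual
# spellings are accepted here too.
cmdline_requests_unified() {
  for word in $1; do
    case "$word" in
      systemd.unified_cgroup_hierarchy=1|systemd.unified_cgroup_hierarchy=yes|systemd.unified_cgroup_hierarchy=true|systemd.unified_cgroup_hierarchy=on) return 0 ;;
    esac
  done
  return 1
}

# cgroupns_private CONTENT -> 0 if every /proc/self/cgroup entry is rooted at "/"
# (the process is in its own cgroup namespace, as cgroupns=private gives a
# container), 1 if any entry still exposes a host-side path such as
# /docker/<id> or /system.slice/docker-<id>.scope.
cgroupns_private() {
  printf '%s\n' "$1" | awk -F: '
    NF < 3 { next }            # skip blank lines
    $3 != "/" { leaked = 1 }   # host hierarchy path is visible => host cgroupns
    END { exit leaked ? 1 : 0 }'
}

# cgroup_report FSTYPE CMDLINE CGROUP_CONTENT -> one-line summary
cgroup_report() {
  mode=$(cgroup_mode "$1")
  if cmdline_requests_unified "$2"; then req=requested; else req=not-requested; fi
  if cgroupns_private "$3"; then ns=private; else ns=host; fi
  echo "cgroup=$mode unified-cmdline=$req cgroupns=$ns"
}

# Constructed samples (not captured from a real host).
SAMPLE_V2_PRIVATE='0::/'
SAMPLE_V1_HOST='12:memory:/docker/0123456789ab
11:cpu,cpuacct:/docker/0123456789ab
1:name=systemd:/docker/0123456789ab'
SAMPLE_CMDLINE_V2='BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro systemd.unified_cgroup_hierarchy=1'
SAMPLE_CMDLINE_V1='BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro'

# Run against the samples; with CHECK_LIVE_HOST=1 (this example's own switch)
# also against the machine or container the script is running in.
cgroup_report cgroup2fs "$SAMPLE_CMDLINE_V2" "$SAMPLE_V2_PRIVATE"
cgroup_report tmpfs "$SAMPLE_CMDLINE_V1" "$SAMPLE_V1_HOST"
if [ "${CHECK_LIVE_HOST:-0}" = 1 ]; then
  cgroup_report "$(stat -f -c %T /sys/fs/cgroup)" "$(cat /proc/cmdline)" "$(cat /proc/self/cgroup)"
fi
```

Running it with `CHECK_LIVE_HOST=1` inside `docker run ... alpine` on a cgroup v2 host built from this PR should report `cgroup=v2 ... cgroupns=private`, while the same container on a cgroup v1 host reports `cgroupns=host` with the `/docker/<id>` paths visible, which is exactly the difference the "cgroupns=private by default on v2" commits are about. Fedora 31 boots on the unified hierarchy without the kernel-cmdline change, so `unified-cmdline=not-requested` together with `cgroup=v2` is a normal result there.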