We might have to discuss how CgroupsPath should get alone with Parent. They are doing similar thing, can they combine or we should just remove parent and use CgroupsPath because it's in specs?

@hqhq Looks like we should remove Parent if it's not in spec.

@LK4D4 Yes that what I had in mind, but should we do it in this PR? Since Docker is using Parent, I'm thinking about we have them both for now, after merging this to Docker, we change usage on Docker side to CgroupsPath, then remove Parent smoothly. WDYT?

Thanks for the PR. @hqhq I had a different idea for the cgroupsPath support: #399
Sorry I did not notice your PR before(mine can be combined with yours). However, the important thing is, if cgroups is passed, and it exists, runC must not modify it(other than joining the cgroups). This will allow me to remove cgroups related functionality from #357
Thanks

The intention behind cgroupsPath in the spec is that the container joins the path rather than creating a sub cgroup under it.

However, the important thing is, if cgroups is passed, and it exists, runC must not modify it(other than joining the cgroups).

@ashahab-altiscale I think you understand the intention of cgroupsPath wrong, my understanding is the same as @mrunalp . Do you have some background that you need some features work like that? Maybe we can discuss it in specs.

@hqhq So you're saying that even when the operator passes the cgroup using cgroupsPath, it will be modified(in terms of memory, devices, etc) by runC?
If that is the intent of the spec cgroupsPath, then that would not serve the usecase I was thinking of.
My usecase is this: #350. I need to be able to launch containers(with runC) from inside userns containers. I have elaborated on the issues with this in #357. When I launch runC inside a userns container, runC tries to change devices.deny and devices.allow files, which only a host root can do. So there should be a nice way for the operator to pass in the cgroup and telling runC "I know what I'm doing, don't touch this cgroup, just join it". In my previous discussion with @mrunalp, he seemed to indicate this is what "cgroupsPath" does. Are you saying this would require an additional flag in the spec? There can be other cases where the operator wants to opt-out of runC's modifications of cgroup. What if there is an external cgroupsManager that the operator uses? (I think @wking mentioned that usecase).

@mrunalp @hqhq @ashahab-altiscale I think cgoupPath won't be modified?

That's what I thought also, Alex.
On Nov 16, 2015 8:27 AM, "Alexander Morozov" [email protected]
wrote:

@mrunalp https://github.com/mrunalp @hqhq https://github.com/hqhq
@ashahab-altiscale https://github.com/ashahab-altiscale I think
cgoupPath won't be modified?

—
Reply to this email directly or view it on GitHub
#397 (comment).

On Mon, Nov 16, 2015 at 05:26:10AM -0800, Abin Shahab wrote:

@hqhq So you're saying that even when the operator passes the
cgroup, it will be modified(in terms of memory, devices, etc) by
runC? If that is the intent of the spec cgroupsPath, then that
would not serve the usecase I was thinking of.

Re-reading the spec 1, whether cgroupsPath can be modified or just
joined seems to be open to interpretation. I suggest bumping this
over to the spec to get that sorted out before continuing with the
implementation here.

I see 4 cases; 3 of which were discussed in the PR that merged cgroupPath into the spec -

1. Specify resources: runtimes creates a path and updates values per resources.
2. Specify cgroupsPath: runtime joins the cgroupsPath.
3. Specify both: runtime joins the cgroupsPath and updates resources under that path (opencontainers/runtime-spec@429f936#diff-34c30be66233f08b447fb608ea0e66bbR30).
4. Specify none: Don't do anything with cgroups i.e. let the kernel give me something I run under automatically. This is useful for usernamespaced desktop applications such as gimp under xdg-app.

@mrunalp As discussed, case (2) will work for me if cgroupsPath + no resrouce specification also prevents runC from setting devices.allow and devices.deny. That's what fails when the host launching runC is itself a usernamespaced container( see #350 ). Either I can update my PR or @hqhq can update this. My userns PR(#357) is blocked on this.

On Mon, Nov 16, 2015 at 11:39:11AM -0800, Mrunal Patel wrote:

I see 4 cases; 3 of which were discussed in the PR that merged
cgroupPath into the spec -

Ah, good (I hadn't gone back to re-read opencontainers/runtime-spec#137.

1. Specify both: runtime joins the cgroupsPath and updates resources
   under that path
   (opencontainers/runtime-spec@429f936#diff-34c30be66233f08b447fb608ea0e66bbR30).

Should I file a spec PR to echo this (informative?) Go comment in the
(normative?) Markdown description? Or are the Go comments also
normative? I feel like the Markdown was supposed to be stand-alone,
but I haven't looked up a reference to quote for that.

@wking That would be good. Lets not leave it to interpretation.

@wking Yeah, go for it.

I understood the intention of cgroupsPath wrong, if it's specified, it should replace the cgroup path rule in runc (combined by parent and name), now updated and this should work as expected in specs.

@ashahab-altiscale I didn't handle devices cgroup in this PR since I think that's a separate issue.

IMHO, we should error out if the systemd manager has CgroupPath set (because systemd doesn't allow you to set arbitrary "slice" paths).

Yeah I start thinking maybe we still need to separate --cgroup-parent and --slice usage.