-
Notifications
You must be signed in to change notification settings - Fork 882
stage1: remount entire subcgroup r/w, instead of each knob #3494
Conversation
@@ -332,9 +321,9 @@ func CreateCgroups(m fs.Mounter, root string, enabledCgroups map[int][]string, m | |||
|
|||
// RemountCgroups remounts the v1 cgroup hierarchy under root. | |||
// It mounts /sys/fs/cgroup/[controller] read-only, | |||
// but leaves needed knobs in the subcgroup for each app read-write, | |||
// but leaves needed knobs in the subcgroup the pod read-write, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
subcgroup the pod
// | ||
// cpuSet should be <stage1rootfs>/sys/fs/cgroup/cpuset | ||
func fixCpusetKnobs(cpusetPath, subcgroup string) error { | ||
//cgroupPathFix := filepath.Join(cpusetPath, "system.slice") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
remove?
_ = os.MkdirAll(cgroupPathFix, 0755) | ||
// Ensure that the hierarchy has consistent cpu restrictions. | ||
// | ||
// cpuSet should be <stage1rootfs>/sys/fs/cgroup/cpuset |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
cpusetPath
|
Yeah, I saw that failure. The previous version of the function I refactored ignored errors, but i started paying attention. Of course, it Works On My Machine(tm). |
43ff2d1
to
d55a7e6
Compare
@s-urbaniak would you mind making sure my reasoning is correct? This is all a bit moot, since we no longer mount /sys/fs/cgroup in to the stage2, but it still seems prudent. |
I'm fine with this change, after a rebase and after adding a description of the current status of stage0/stage1/stage2 cgroups in the devdocs (cgroups.md) with a short reference to the backstory (starting from #2351) |
d55a7e6
to
eb0ac46
Compare
This mounts the entire subcgroup (machine slice) read-write, instead of mounting only the exact knobs per-app we need.
eb0ac46
to
30ecafb
Compare
@lucab rebased and doc updated, thanks! |
"TestNetDefaultConnectivity":
I think that test has an overly strict output matcher, or alternatively shouldn't be run with |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, thanks for the devdocs.
ready to go? |
This remounts the entire subcgroup (machine slice) read-write, instead of only the exact knobs per-app we need.
This is needed for runc (since it wants to manage cgroups for itself). It also simplifies
app add
, since we no longer need to manipulate cgroups after pod start time. It also reduces the number of bind mounts to one per controller, making various operations more efficient. (Before, we had one bind mount per controller knob per app).