Adding cgroups path to the Spec. #137
Conversation
| @@ -130,6 +130,13 @@ Next parameters can be specified: | |||
| Also known as cgroups, they are used to restrict resource usage for a container and handle | |||
| device access. cgroups provide controls to restrict cpu, memory, IO, and network for | |||
| the container. For more information, see the [kernel cgroups documentation](https://www.kernel.org/doc/Documentation/cgroups/cgroups.txt). | |||
| The path to the cgroups can be specified in the Spec. The path is expected to be relative | |||
| to the cgroups mount point. The Spec does not support split hierarchy. The cgroups will be | |||
| created if they don't exist. | |||
There was a problem hiding this comment.
This should be one line per sentence. I'll file a PR suggesting we move stuff like that from the README to a CONTRIBUTING.md
| @@ -21,6 +21,9 @@ type LinuxRuntime struct { | |||
| // Resources contain cgroup information for handling resource constraints | |||
| // for the container | |||
| Resources Resources `json:"resources"` | |||
| // CgroupsPath specifies the path to cgroups that are created and/or joined by the container. | |||
| // The path is expected to be relative to the cgroups mountpoint. | |||
| CgroupsPath string `json:"cgroupsPath"` | |||
There was a problem hiding this comment.
@vishh It will be either CgroupsPath or Resources, right? We should either clarify that in the spec or have a layer of indirection.
There was a problem hiding this comment.
i agree that it should either be path or resources as it doesnt really make sense ( or even wrong ) to join with existing paths and then modify those resources.
There was a problem hiding this comment.
@vishh There could be two interpretations. One is simply joining the cgroups (that were configured by some other tool or by another container) and other is using that path and then going in and modifying the values under that path. The first is necessary for us to support exec like functionality. Does that work for your use cases?
There was a problem hiding this comment.
Hmm actually i withdraw my comment about enforcing the limitation of cgroupPaths vs resources. I think there can be usecases where having that capabilities is helpful ( like launching an agent container that modifies the cgroup resources at boot time and/or during the agent runtime maybe ? ).
I think that clarifying the order of resources modification is good enough i.e, if cgroups path is specified then we join the paths, otherwise we create new paths, and then apply the resources limit.
There was a problem hiding this comment.
@mrunalp: Your reasoning is sound! I see use cases for both exec and resource updates. Would making Resources optional resolve the issue?
There was a problem hiding this comment.
On Tue, Sep 08, 2015 at 03:23:20PM -0700, Daniel, Dao Quang Minh wrote:
I think that clarifying the order of resources modification is good
enough i.e, if cgroups path is specified then we join the paths,
otherwise we create new paths, and then apply the resources limit.
See also comments in #155 and #158, where we're having the same
discussion about namespaces.
|
@vishh I think that this should work with systemd as well. The only difference is the terminology AFAICS. For e.g. |
|
nit: reformat to one sentence per line please |
|
Needs rebase as well. |
|
@mrunalp @crosbymichael: WDYT of making cgroups path required? Without that, the options are cgroups can created under under root |
|
@vishh I think we could default to |
|
What will be the identifier we use for the cgroups? Will it be the base On Wed, Sep 9, 2015 at 4:49 PM, Mrunal Patel notifications@github.com
|
|
That is a common thought.
|
|
@vishh runc uses the --id or the base name if not specified. |
|
On Wed, Sep 09, 2015 at 04:55:45PM -0700, Vish Kannan wrote:
Does this need to be spec'ed out? There's not currently much language |
vishh
force-pushed
the
cgroups-path
branch
2 times, most recently
from
0ae67b0 to
1a36827
Compare
|
@wking: My understanding is that it is recommended for runtimes to manage cgroups. But for a good dev experience, we can default to creating cgroups under |
|
Though base of the bundle would not be unique enough for more than 1
|
|
Yeah. The cgroup paths can be retrieved from the state. |
|
On Wed, Sep 09, 2015 at 05:13:32PM -0700, Vish Kannan wrote:
If folks can spawn new containers without setting ‘cgroupsPath’, then So since users will have to lookup a process's cgroups path anyway, Wed, Sep 09, 2015 at 06:43:27PM -0700, Vish Kannan:
Not directly. Folks need to use the PID to get them (and that seems |
| @@ -131,6 +131,58 @@ Also known as cgroups, they are used to restrict resource usage for a container | |||
| cgroups provide controls to restrict cpu, memory, IO, pids and network for the container. | |||
| For more information, see the [kernel cgroups documentation](https://www.kernel.org/doc/Documentation/cgroups/cgroups.txt). | |||
|
|
|||
| The path to the cgroups can to be specified in the Spec via `cgroupsPath`. | |||
| `cgroupsPath` is expected to be relative to the cgroups mount point. | |||
| If not specified, cgroups will be created under '/' with the base name of the bundle. | |||
There was a problem hiding this comment.
I think it's more reasonable / simpler to error out here rather than continuing and generate a path based on base name of the bundle. cgroupsPath should be a required data right ?
There was a problem hiding this comment.
On Thu, Sep 10, 2015 at 01:54:07AM -0700, Daniel, Dao Quang Minh wrote:
+If not specified, cgroups will be created under '/' with the base name of the bundle.
I think it's more reasonable / simpler to error out here rather than
continuing and generate a path based on base name of the
bundle.cgroupsPathshould be a required data right ?
I often want cgroups for my containers, but don't care what the path
is. I think we do want the ability to tell the runtime “I don't care,
just make something up”, which is what leaving cgroupsPath out does.
But I'd rather leave the “make something up” algorithm up to the
runtime 1. See also the “several containers from one bundle” use
case 2.
There was a problem hiding this comment.
I'm in favor of defaulting to sub-containers of root. Ping @crosbymichael @mrunalp @vbatts
There was a problem hiding this comment.
On Thu, Sep 10, 2015 at 10:46:59AM -0700, Vish Kannan wrote:
+If not specified, cgroups will be created under '/' with the base name of the bundle.
I'm in favor of defaulting to sub-containers of root.
If anyone disagrees with that, I think it's a whole nother can of
worms. I think the disagreement so far has been about what the
sub-container is going to be called, not where it will be rooted.
vishh
force-pushed
the
cgroups-path
branch
2 times, most recently
from
461ad52 to
ef882c5
Compare
|
LGTM |
Signed-off-by: Vishnu Kannan <vishnuk@google.com>
|
LGTM |
| The path to the cgroups can to be specified in the Spec via `cgroupsPath`. | ||
| `cgroupsPath` is expected to be relative to the cgroups mount point. | ||
| If not specified, cgroups will be created under '/'. | ||
| Implementations of the Spec can choose to name cgroups in any manner. |
There was a problem hiding this comment.
This is only true if cgroupsPath is unset. So maybe rephrase as “In that case, implementations can choose to name cgroups in any manner.” to tie it into the previous ”If not specified…” sentence.
There was a problem hiding this comment.
I feel it's clear enough for now.
On Thu, Sep 10, 2015 at 2:55 PM, W. Trevor King notifications@github.com
wrote:
In runtime-config-linux.md
#137 (comment):@@ -131,6 +131,60 @@ Also known as cgroups, they are used to restrict resource usage for a container
cgroups provide controls to restrict cpu, memory, IO, pids and network for the container.
For more information, see the kernel cgroups documentation.+The path to the cgroups can to be specified in the Spec via
cgroupsPath.
+cgroupsPathis expected to be relative to the cgroups mount point.
+If not specified, cgroups will be created under '/'.
+Implementations of the Spec can choose to name cgroups in any manner.This is only true if cgroupsPath is unset. So maybe rephrase as “In that
case, implementations can choose to name cgroups in any manner.” to tie it
into the previous ”If not specified…” sentence.—
Reply to this email directly or view it on GitHub
https://github.com/opencontainers/specs/pull/137/files#r39198980.
|
LGTM |
Adding cgroups path to the Spec.
This should help clarify the cgroupsPath setting added in opencontainers#137, which was the subject of some confusion in opencontainers/runc#397. Issues I'm trying to clarify here: * If you specify a cgroupsPath, is the container added to that path or a sub-cgroup underneath it [1]? (This commit rules in favor of "added to that path") * If you specify a cgroupsPath, can the runtime modify that cgroup [2]? (This commit rules "yes, if 'resources' is specified", following [3] and the Go comment from opencontainers#137 [4]). To help make the distinctions clearer, I've added a facet list to help folks think about the difference between cgroup creation, process assignment, and resource configuration. cgroupsPath is just about cgroup creation and process assignment. 'resources' is just about resource configuration. I've listed out Mrunal's first three cases [3] to be even clearer. I stayed away from the "neither are set" case, since I covered that fairly directly in opencontainers#237, which that was punted back to the list [5] and has seen no further interest. So I'm not clear on what the intended semantics are there, although Mrunal's wording in [4] seems to agree with the proposal in opencontainers#237. [1]: opencontainers/runc#397 (comment) [2]: opencontainers/runc#397 (comment) [3]: opencontainers/runc#397 (comment) [4]: opencontainers@429f936#diff-34c30be66233f08b447fb608ea0e66bbR30 [5]: https://groups.google.com/a/opencontainers.org/d/msg/dev/qWHoKs8Fsrk/c9mv6qXtDAAJ Message-ID: <20151029194427.GA30073@odin.tremily.us> Signed-off-by: W. Trevor King <wking@tremily.us>
This should help clarify the cgroupsPath setting added in opencontainers#137, which was the subject of some confusion in opencontainers/runc#397. Issues I'm trying to clarify here: * If you specify a cgroupsPath, is the container added to that path or a sub-cgroup underneath it [1]? (This commit rules in favor of "added to that path") * If you specify a cgroupsPath, can the runtime modify that cgroup [2]? (This commit rules "yes, if 'resources' is specified", following [3] and the Go comment from opencontainers#137 [4]). To help make the distinctions clearer, I've added a facet list to help folks think about the difference between cgroup creation, process assignment, and resource configuration. cgroupsPath is just about cgroup creation and process assignment. 'resources' is just about resource configuration. I've listed out Mrunal's first three cases [3] to be even clearer. I stayed away from the "neither are set" case, since I covered that fairly directly in opencontainers#237, which that was punted back to the list [5] and has seen no further interest. So I'm not clear on what the intended semantics are there, although Mrunal's wording in [4] seems to agree with the proposal in opencontainers#237. [1]: opencontainers/runc#397 (comment) [2]: opencontainers/runc#397 (comment) [3]: opencontainers/runc#397 (comment) [4]: opencontainers@429f936#diff-34c30be66233f08b447fb608ea0e66bbR30 [5]: https://groups.google.com/a/opencontainers.org/d/msg/dev/qWHoKs8Fsrk/c9mv6qXtDAAJ Message-ID: <20151029194427.GA30073@odin.tremily.us> Signed-off-by: W. Trevor King <wking@tremily.us>
This should help clarify the cgroupsPath setting added in opencontainers#137, which was the subject of some confusion in opencontainers/runc#397. Issues I'm trying to clarify here: * If you specify a cgroupsPath, is the container added to that path or a sub-cgroup underneath it [1]? (This commit rules in favor of "added to that path") * If you specify a cgroupsPath, can the runtime modify that cgroup [2]? (This commit rules "yes, if 'resources' is specified", following [3] and the Go comment from opencontainers#137 [4]). To help make the distinctions clearer, I've added a facet list to help folks think about the difference between cgroup creation, process assignment, and resource configuration. cgroupsPath is just about cgroup creation and process assignment. 'resources' is just about resource configuration. I've listed out Mrunal's first three cases [3] to be even clearer. I stayed away from the "neither are set" case, since I covered that fairly directly in opencontainers#237, which that was punted back to the list [5] and has seen no further interest. So I'm not clear on what the intended semantics are there, although Mrunal's wording in [4] seems to agree with the proposal in opencontainers#237. [1]: opencontainers/runc#397 (comment) [2]: opencontainers/runc#397 (comment) [3]: opencontainers/runc#397 (comment) [4]: opencontainers@429f936#diff-34c30be66233f08b447fb608ea0e66bbR30 [5]: https://groups.google.com/a/opencontainers.org/d/msg/dev/qWHoKs8Fsrk/c9mv6qXtDAAJ Message-ID: <20151029194427.GA30073@odin.tremily.us> Signed-off-by: W. Trevor King <wking@tremily.us>
The only discussion related to this is in [1,2], where the relationship between oomScoreAdj and disableOOMKiller is raised. But since 429f936 (Adding cgroups path to the Spec, 2015-09-02, opencontainers#137) resources has been tied to cgroups, and oomScoreAdj is not about cgroups. For example, we currently have (in config-linux.md): You can configure a container's cgroups via the resources field of the Linux configuration. I suggested we move the property from linux.resources.oomScoreAdj to linux.oomScoreAdj so config authors and runtimes don't have to worry about what cgroupsPath means if the only entry in resources is oomScoreAdj. Michael responded with [4]: If anything it should probably go on the process So that's what this commit does. [1]: opencontainers#236 [2]: opencontainers#292 [3]: opencontainers#137 [4]: opencontainers#782 (comment) Signed-off-by: W. Trevor King <wking@tremily.us>
The only discussion related to this is in [1,2], where the relationship between oomScoreAdj and disableOOMKiller is raised. But since 429f936 (Adding cgroups path to the Spec, 2015-09-02, opencontainers#137) resources has been tied to cgroups, and oomScoreAdj is not about cgroups. For example, we currently have (in config-linux.md): You can configure a container's cgroups via the resources field of the Linux configuration. I suggested we move the property from linux.resources.oomScoreAdj to linux.oomScoreAdj so config authors and runtimes don't have to worry about what cgroupsPath means if the only entry in resources is oomScoreAdj. Michael responded with [4]: If anything it should probably go on the process So that's what this commit does. I've gone with the four-space indents here to keep Pandoc happy (see 7795661 (runtime.md: Fix sub-bullet indentation, 2016-06-08, opencontainers#495), but have left the existing entries in this list unchanged to reduce churn. [1]: opencontainers#236 [2]: opencontainers#292 [3]: opencontainers#137 [4]: opencontainers#782 (comment) Signed-off-by: W. Trevor King <wking@tremily.us>
The only discussion related to this is in [1,2], where the relationship between oomScoreAdj and disableOOMKiller is raised. But since 429f936 (Adding cgroups path to the Spec, 2015-09-02, opencontainers#137) resources has been tied to cgroups, and oomScoreAdj is not about cgroups. For example, we currently have (in config-linux.md): You can configure a container's cgroups via the resources field of the Linux configuration. I suggested we move the property from linux.resources.oomScoreAdj to linux.oomScoreAdj so config authors and runtimes don't have to worry about what cgroupsPath means if the only entry in resources is oomScoreAdj. Michael responded with [4]: If anything it should probably go on the process So that's what this commit does. I've gone with the four-space indents here to keep Pandoc happy (see 7795661 (runtime.md: Fix sub-bullet indentation, 2016-06-08, opencontainers#495), but have left the existing entries in this list unchanged to reduce churn. [1]: opencontainers#236 [2]: opencontainers#292 [3]: opencontainers#137 [4]: opencontainers#782 (comment) Signed-off-by: W. Trevor King <wking@tremily.us>
It's backed by memory.oom_control, so this commit moves it in with the rest of the memory-controller config. Looking at the history, the initial request landing a setting for this in the Docker/OCI ecosystem seems to be [1], which added Cgroup.OomKillDisable. That commit was carried from libcontainer into runC [2] where it is now Resources.OomKillDisable [3]. From runC it was carried into this repo (with some renaming) in [4]. Subsequent early doc updates landed in [5,6]. In none of those can I find discussion about why the setting is not already under memory. I expect the reason is that the runC structures are flat, so "under memory" is not a thing there. But in this spec, resources has per-controller sub-properties. The fact that disableOOMKiller belonged to the memory controller may have been overlooked in [4] and never revisited until now. [1]: docker-archive/libcontainer#417 Subject: cgroups: add support for oom control [2]: opencontainers/runc@295c708 Subject: cgroups: add support for oom control [3]: https://github.com/opencontainers/runc/blob/v1.0.0-rc3/libcontainer/configs/cgroup_unix.go#L113-L114 [4]: opencontainers#51 Subject: Add Go types for specification [5]: opencontainers#137 Subject: Adding cgroups path to the Spec. [6]: opencontainers#199 Subject: runtime: config: linux: add cgroups informations Signed-off-by: W. Trevor King <wking@tremily.us>
Related to #114
This change should be useful for exec'ing new processes in an existing container.