use runc cgroup creation logic #936
Conversation
|
@mheon not sure if this is the proper way of doing this but it seems like a happy medium of getting resource functionality without completely ripping out the guts here. also, I am running into persistent cross build errors due to undefined unix entities in runc, any way to avoid these? |
|
I think I am going to need to make |
cdoern
force-pushed
the
cgroup
branch
5 times, most recently
from
4796b6f
to
f61887f
Compare
|
leaving this here as a note for myself: the reason this is broken right now is because our cgroup creation process needs to be modified more from the start rather than each time we update the cgroup. The specific resource files need to exist which currently do not. |
cdoern
force-pushed
the
cgroup
branch
2 times, most recently
from
a7076cd
to
87e9ac8
Compare
|
@giuseppe PTAL |
cdoern
force-pushed
the
cgroup
branch
4 times, most recently
from
e1c4916
to
5fba634
Compare
|
I've tried to vendor the current PR into podman but I get: I am afraid all the new dependencies (~21000 new lines of code) will increase significantly the podman binary size. Could we pick just the pieces we need? How difficult would be to implement the resource limits part in our library? @kolyshkin FYI |
|
@giuseppe it was about 4,000 lines without the inclusion of fs2, but I needed that for the creation. I think figuring out proper cgrouo creation (if we need it at all) is what is necessary here. The resource handlers should probably be imported directly from runc... Not sure though |
|
Ok... I now have this working locally, I am going to try and pick parts out until we get to a reasonable mix of c/common code and runc code |
cdoern
force-pushed
the
cgroup
branch
2 times, most recently
from
98e51db
to
2c44075
Compare
|
@giuseppe I removed all references to Cgroupsv1 uses the runc functions directly just for simplicity. I though that bringing in the cgroupsv2 code directly made sense so we have direct control over it in the future. |
|
/approve |
|
so we are using libcontainer for cgroupv1 but our code for cgroupv2? |
|
@kolyshkin PTAL |
|
It would probably be best if we used libcontainer for both, if possible. |
|
Try with this one |
|
Upgrading to go 1.17 should not be an issue. |
|
strange... why is this linting things I did not even edit? |
cdoern
force-pushed
the
cgroup
branch
3 times, most recently
from
325d551
to
f3a36c1
Compare
|
I think the linter fires on any file that you change, and forces you to fix other issues. |
|
@cdoern how about this (untested nor spellchecked): diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index 5eae1b05..8988512b 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -41,11 +41,15 @@ jobs:
uses: golangci/golangci-lint-action@537aa1903e5d359d0b27dbc19ddd22c5087f3fbc # v3
with:
version: "${{ env.LINT_VERSION }}"
+ only-new-issues: true
# Extra linters, only checking new code from a pull request.
+ - name: Extra golangci-lint config. switcharoo
+ run: mv .gilangci-extra.yml golangci.yml
- name: lint-extra
- if: github.event_name == 'pull_request'
- run: |
- golangci-lint run --config .golangci-extra.yml --new-from-rev=HEAD~1 --out-format=github-actions
+ uses: golangci/golangci-lint-action@537aa1903e5d359d0b27dbc19ddd22c5087f3fbc # v3
+ with:
+ version: "${{ env.LINT_VERSION }}"
+ only-new-issues: true
- name: validate seccomp
run: ./tools/validate_seccomp.sh ./pkg/seccomp |
cdoern
force-pushed
the
cgroup
branch
2 times, most recently
from
085f334
to
4b55840
Compare
switch c/common to use runc cgroup creation so that we can use resource limits This entails importing the newly refactored runc code to manage reading from and writing to cgroup. vendoring in directly an unreleased runc commit from opencontainers/runc#3452 Signed-off-by: cdoern <cdoern@redhat.com>
|
LGTM |
|
@cevich @giuseppe @vrothberg PTAL |
|
vendored into podman: head of upstream/main podman: very similar binary sizes. |
does this happen with |
|
@giuseppe I think @kolyshkin 's most recent version of the PR removes the build tag and separates the packages in such a way that you do not import the devices code unless you excitability use it. so yes, this is without the devices, |
|
The github-action changes LGTM |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cdoern, giuseppe, rhatdan The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/lgtm |
switch c/common to use runc cgroup creation so that we can use resource limits
This entails importing some runc code directly while also recreating a lot of the logic for resource limits locally
so that imports do not run too large.
Signed-off-by: cdoern cbdoer23@g.holycross.edu