Enabling cgroup v2 in Guest Containers #9555
Comments
Hi @haswelliris, where did you run the "ls -la /sys/fs/cgroup/" command, in the guest system or in the container? Hi @Apokleos, would you like to take a look at this issue?
Hi @haswelliris, sorry that the cgroup v2 setting confused you. To address your problem, could you please try the setting described in issue #9336?
@lifupan Thank you for your response. My objective is to utilize cgroupv2 to regulate the resource usage of subprocesses within my code, inside Kata's containers. Essentially, I intend to employ Kata as a container runtime to enhance security. For clarity, my host operating system is Ubuntu 2204 and I am using cgroup v2, containerd (v1.7.2), and kata-runtime (3.4.0). Presently, I am attempting to alter the cgroup v2 files located in /sys/fs/cgroup/ within the kata-runtime container. However, this doesn't appear to be working: there are no files in /sys/fs/cgroup/ within the kata-runtime container. Please note that I am not passing the host OS cgroup path to the container. I would prefer the container's cgroup behavior to mimic what I would typically do within a virtual machine.
@Apokleos Thanks for the suggestion. I've updated
This indicates that systemd.unified_cgroup_hierarchy=true is set. However, inside the container I cannot find any cgroup v2 files. Running the container with or without privileges does not affect the result. Any insights on this behavior would be greatly appreciated.
Could you give more info about the result of "cannot find any cgroup v2 files"? What's the concrete info about it?
Normally, on an OS that has cgroup v2 enabled (be it on a host node or in a VM), mount|grep cgroup should reveal the location of cgroup2. For instance:
However, when I run a Kata container, executing these commands inside the Kata container returns nothing. For example, when running ls /sys/fs/cgroup, I get:
Despite this, the container's /proc/filesystems suggests that cgroup2 support is available. This can be seen from the output of the grep cgroup /proc/filesystems command:
This leads me to believe there might be an issue with how systemd mounts the cgroupfs when the container's kernel starts up.
Update
Just now, I ran a Kata container with privileged access and executed the following command within the container:
This allowed me to view the cgroup filesystem in path
I received the error: Operation not supported (os error 95). Could you provide some insights on this?
But I get a result that differs from yours: regardless of whether in the guest or in the container, I see the result below:
IMO, first of all, you'd better address why the cgroup files are not found. Could you please switch to another version of kata (3.3.0) and have a try?
@Apokleos Here are some recent updates: The command "ctr" from However, in Kubernetes (like when using After un-mounting and mounting again with the following commands:
Then, I'm able to access the cgroup filesystem in Kata containers with privileged access.
New problem
I've encountered a new issue: I'm trying to run a runc container within the Kata container, but I'm experiencing an error. The error message is as follows:
I'm suspecting that the rootfs's OS might be too simple to support the operation of runc.
As this doc and this issue said:
Set agent.unified_cgroup_hierarchy to 1 or true to enable cgroups v2 in the guest.
I've configured the kernel command line in kata's config file with agent.unified_cgroup_hierarchy=true. However, when I run ls -la /sys/fs/cgroup/, the output suggests that cgroup v2 is not enabled:
At the same time, the output of /proc/filesystems indicates that cgroupv2 is indeed supported:
This leads me to believe there might be some confusion regarding the usage of cgroup v2.
My question is: How can I enable cgroup v2 within a guest container so that I can manage cgroups as if I were operating in a genuine VM?
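The two checks used throughout this thread (cgroup2 listed in /proc/filesystems, and cgroup2 mounted at /sys/fs/cgroup) can be combined into one diagnostic. The following is an added example, not part of the issue or of Kata's code; the function name cgroup_state, its state labels, and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Classify the cgroup setup visible from the current mount namespace.
# Usage: cgroup_state [filesystems_file] [mounts_file]
# Defaults read the live system; explicit files allow offline checks.
cgroup_state() {
    fs_file=${1:-/proc/filesystems}
    mounts_file=${2:-/proc/self/mounts}

    # /proc/filesystems lines look like "nodev<TAB>cgroup2"; the last field is the type.
    if ! awk '$NF == "cgroup2" { found = 1 } END { exit !found }' "$fs_file"; then
        echo unsupported            # kernel has no cgroup v2 support at all
        return 0
    fi

    # Mount lines: device mountpoint fstype options dump pass
    awk '
        $3 == "cgroup2" && $2 == "/sys/fs/cgroup" { unified = 1 }
        $3 == "cgroup2" && $2 != "/sys/fs/cgroup" { elsewhere = 1 }
        $3 == "cgroup"                            { v1 = 1 }
        END {
            if (unified)        print "unified"               # v2 at the standard path
            else if (v1)        print "legacy-or-hybrid"      # v1 controllers mounted
            else if (elsewhere) print "v2-mounted-elsewhere"  # e.g. a manual mount
            else                print "supported-not-mounted" # symptom in this issue
        }' "$mounts_file"
}

# Constructed samples: kernel lists cgroup2, first with nothing mounted
# (the symptom reported above), then with cgroup2 at /sys/fs/cgroup.
sample_dir=$(mktemp -d)
printf 'nodev\tsysfs\nnodev\tcgroup\nnodev\tcgroup2\n\text4\n' > "$sample_dir/filesystems"
printf 'proc /proc proc rw 0 0\nsysfs /sys sysfs ro 0 0\n' > "$sample_dir/mounts_none"
printf 'sysfs /sys sysfs ro 0 0\ncgroup2 /sys/fs/cgroup cgroup2 rw,nosuid,nodev,noexec 0 0\n' \
    > "$sample_dir/mounts_v2"

echo "sample, nothing mounted: $(cgroup_state "$sample_dir/filesystems" "$sample_dir/mounts_none")"
echo "sample, v2 mounted:      $(cgroup_state "$sample_dir/filesystems" "$sample_dir/mounts_v2")"
```

Calling cgroup_state with no arguments inside the container and again inside the guest shows at which layer the mount is missing.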