Share cgroup namespace in pod #12310
Conversation
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: hshiina The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
pkg/specgen/namespaces.go
Outdated
| @@ -54,7 +54,7 @@ const ( | |||
|
|
|||
| // DefaultKernelNamespaces is a comma-separated list of default kernel | |||
| // namespaces. | |||
| DefaultKernelNamespaces = "cgroup,ipc,net,uts" | |||
| DefaultKernelNamespaces = "ipc,net,uts" | |||
There was a problem hiding this comment.
Though I posted this fix because values in --share and a result of pod inspection are inconsistent, I'm not sure if it's worth sharing a cgroup namespace in a pod.Containers in a pod have their own cgroups under a pod cgroup by default.
If a container enters the cgroup namespace of the infra container like other shared namespaces, the container cannot see its own cgroup.Because this behavior doesn't seem so useful, I dropped 'cgroup' from the default shared namespaces.
It also causes me to do it that crun cannot put a container into a specified cgroup namespace currently (containers/crun#781).
There was a problem hiding this comment.
I would rather wait until crun is updated and retain the cgroup sharing by default, if possible.
There was a problem hiding this comment.
I agree, lets remove the change and retest with latest crun.
There was a problem hiding this comment.
Sure. I will remove this change.
When a new container joins a cgroup namespace of another container, if the given container uses the host's namespace, the new container doesn't have to re-enter the host's namespace. Especially, if the new container is rootless, the container cannot re-enter the host's namespace. Signed-off-by: Hironori Shiina <shiina.hironori@jp.fujitsu.com>
`podman help pod create` displays `cgroup` as one of default values of `--share` flag, which specifies shared namespaces in a pod. However, `cgroup` is not listed in `SharedNameSpaces` of a pod with default values. Even if `cgroup` is explicitly specified in `--share` flag, `cgroup` is not listed in pod inspection and actually containers in a pod don't share a cgroup namespace. There are two similar parameters for cgroups in a pod. When `cgroup` is specified in `--share`, `PodConfig.UsePodCgroup` is set to `true`. For `SharedNameSpaces` in pod inspection, `PodConfig.UsePodCgroupNS` is referred to. In order to share `cgroup` namespace expectedly, `PodConfig.UsePodCgroupNS` should be set to `true` via `WithPodCgroup()`. Regarding `PodConfig.UsePodCgroup`, this should be always `true` via `WithPodCgroups()` as it was in Podman 3.3. Signed-off-by: Hironori Shiina <shiina.hironori@jp.fujitsu.com>
|
I am going to give this a look later today, I am skeptical of how this is just being applied on a ctr by ctr level. Not sure thought because I just glanced at this. |
| @@ -1024,8 +1024,16 @@ func WithCgroupNSFrom(nsCtr *Container) CtrCreateOption { | |||
| return err | |||
| } | |||
|
|
|||
| ctr.config.CgroupNsCtr = nsCtr.ID() | |||
| for _, ns := range nsCtr.config.Spec.Linux.Namespaces { | |||
There was a problem hiding this comment.
this might result in some nil pointers, no?
There was a problem hiding this comment.
Yup, is this not checked elsewhere?
There was a problem hiding this comment.
Thank you for the comments.
I will use Container.hasNamespace(), which checks nil pointers:
https://github.com/containers/podman/blob/main/libpod/container_internal.go#L2321
| @@ -454,7 +454,7 @@ func GetNamespaceOptions(ns []string, netnsIsHost bool) ([]libpod.PodCreateOptio | |||
| for _, toShare := range ns { | |||
| switch toShare { | |||
| case "cgroup": | |||
| options = append(options, libpod.WithPodCgroups()) | |||
| options = append(options, libpod.WithPodCgroup()) | |||
There was a problem hiding this comment.
I think this should be WithPodCgroup, which sets pod.config.UsePodCgroupNS to True. It might be better to rename these functions to make their roles clear.
| @@ -176,6 +176,7 @@ func createPodOptions(p *specgen.PodSpecGenerator, rt *libpod.Runtime, infraSpec | |||
| options = append(options, libpod.WithPodUser()) | |||
| } | |||
| } | |||
| options = append(options, libpod.WithPodCgroups()) | |||
There was a problem hiding this comment.
also, should this always be done?? what if we do not want to share?
There was a problem hiding this comment.
Agreed we should only do this is the pod shares cgroups.
There was a problem hiding this comment.
WithPodCgroups used to be always called in v3.3:
https://github.com/containers/podman/blob/v3.3/pkg/specgen/generate/pod_create.go#L142
As far as I investigated, it seems that this was unintentionally removed:
- https://github.com/containers/podman/pull/11102/files#diff-edb3bda86436d2a7bc55b34fa48c71156dc5e02d5f452012b1750efb15b3158fR160
- https://github.com/containers/podman/pull/12271/files#diff-edb3bda86436d2a7bc55b34fa48c71156dc5e02d5f452012b1750efb15b3158fL261
This is why I just restored this call.
I would consider introducing a new flag to specify whether cgroup is shared in a pod or not though it might be better to work in another PR.
There was a problem hiding this comment.
IT should be handled via the --shares command, if the user wants to eliminate it, then using the shares command should handle it.
There was a problem hiding this comment.
I think it should always be called by default as well @hshiina but the issue here is that --share=none here will not take affect since line is executed always, right?
There was a problem hiding this comment.
I should have clarified which is expected to be shared by pod create --share cgroup, cgroup or cgroup namespace, at first. Though this PR assumes cgroup namespace is shared based on the help message, I would reconsider.
|
@hshiina any updates on this PR? I just want to make sure that |
|
This PR is more complicated than I expected at first. I filed a issue to elaborate on the concern: #12765 |
|
I think this PR has been taken over in a different PR and is not longer necessary. Closing, reopen if I am mistaken. |
github-actions
bot
added
the
locked - please file new issue/PR
Signed-off-by: Hironori Shiina shiina.hironori@jp.fujitsu.com
What this PR does / why we need it:
podman help pod createdisplayscgroupas one of default values of--shareflag, which specifies shared namespaces in a pod. However,cgroupis not listed inSharedNameSpacesof a pod with defaultvalues. Even if
cgroupis explicitly specified in--shareflag,cgroupis not listed in pod inspection and actually containers in apod don't share a cgreoup namespace.
There are two similar parameters for cgroups in a pod. When
cgroupis specified in
--share,PodConfig.UsePodCgroupis set totrue.For
SharedNameSpacesin pod inspection,PodConfig.UsePodCgroupNSisreferred to.
In order to share
cgroupnamespace expectedly,PodConfig.UsePodCgroupNSshould be set totrueviaWithPodCgroup(). RegardingPodConfig.UsePodCgroup, this should bealways
trueviaWithPodCgroups()as it was in Podman 3.3.How to verify it
Run added integration tests.
Which issue(s) this PR fixes:
None
Special notes for your reviewer: