docker-container: place build containers in a separate cgroup #782
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
I noticed that the buildkit code embedded in dockerd also does some setting up of a parent cgroup (originally added (extracted to a function later) in moby/moby@d52485c); cgroupParent := newCgroupParent(config)func newCgroupParent(config *config.Config) string {
cgroupParent := "docker"
useSystemd := daemon.UsingSystemd(config)
if useSystemd {
cgroupParent = "system.slice"
}
if config.CgroupParent != "" {
cgroupParent = config.CgroupParent
}
if useSystemd {
cgroupParent = cgroupParent + ":" + "docker" + ":"
}
return cgroupParent
}
For the last bullet, I'm looking at the daemon code that handles (custom) parent cgroups for containers, which seems to confirm that; https://github.com/moby/moby/blob/306fa44b7ca59282dc8695e6d169c5b25698d0cb/daemon/daemon_unix.go#L709-L714 if hostConfig.CgroupParent != "" && UsingSystemd(daemon.configStore) {
// CgroupParent for systemd cgroup should be named as "xxx.slice"
if len(hostConfig.CgroupParent) <= 6 || !strings.HasSuffix(hostConfig.CgroupParent, ".slice") {
return warnings, fmt.Errorf("cgroup-parent for systemd cgroup should be a valid slice named as \"xxx.slice\"")
}
}Wondering how to solve that
|
|
/cc @AkihiroSuda (perhaps you have some thoughts on the above) |
tonistiigi
approved these changes
Sep 29, 2021
AkihiroSuda
reviewed
Sep 29, 2021
driver/docker-container/driver.go
Outdated
| } | ||
| if d.netMode != "" { | ||
| hc.NetworkMode = container.NetworkMode(d.netMode) | ||
| } | ||
| if d.cgroupParent != "" { | ||
| hc.CgroupParent = d.cgroupParent |
There was a problem hiding this comment.
Probably, this should be set only when d.DockerAPI.Info().CgroupDriver == “cgroupfs”
This allows the parent cgroup to be customised, which allows resource limits to be imposed on build containers separately from "user" containers. Signed-off-by: David Scott <dave@recoil.org>
This allows resource limits to be applied to all builds on a host. For example to limit the total amount of CPU used by builds: https://medium.com/@asishrs/docker-limit-resource-utilization-using-cgroup-parent-72a646651f9d Signed-off-by: David Scott <dave@recoil.org>
djs55
force-pushed
the
cgroup-parent
branch
from
98d23b0
to
d5908cd
Compare
|
Thanks, I've pushed an update which gates the setting on |
AkihiroSuda
approved these changes
Sep 29, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Previously build containers created by the
docker-containerdriver were in the default parent cgroup, along with non-build containers. This made it hard to apply resource limits to all the builds on a machine.This PR adds a
--driver-opt cgroup-parent=CGROUPto allow the cgroup to be customised. A default value of/docker/buildxis set.