-
Notifications
You must be signed in to change notification settings - Fork 541
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Clarify cgroups path handling behavior #834
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -183,13 +183,15 @@ If a `cgroupsPath` value is specified, the runtime MUST consistently attach to t | |
Implementations of the Spec can choose to name cgroups in any manner. | ||
The Spec does not include naming schema for cgroups. | ||
The Spec does not support per-controller paths for the reasons discussed in the [cgroupv2 documentation][cgroup-v2]. | ||
The cgroups will be created if they don't exist. | ||
|
||
You can configure a container's cgroups via the `resources` field of the Linux configuration. | ||
Do not specify `resources` unless limits have to be updated. | ||
The runtime MUST create the cgroups specified by the `cgroupsPath` if they don't exist. | ||
If `cgroupsPath` is empty, then the behavior is runtime implementation specific. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think you mean “implementation-defined”. And I liked the old language (where the runtime could pick a default There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. i think this new sentence is fine and not any more of a "loophole" than the old language There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
With the new language, config authors should not leave With the old language, config authors could safely leave There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I too prefer the old language. What is the reason for this change @mrunalp? |
||
|
||
The runtime MUST ensure that the container process is attached to the cgroups specified by `cgroupsPath`. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. In cgroupv1 (which we do support but not explicitly) it is not clear what cgroups are specified by a single path. Could you clarify what was wrong with the old language (which had similar semantics but was more explicit about how different controllers are handled). Also with cgroupv2 it's not clear what |
||
If any property is set under `resources` then the runtime MUST set it for the container. | ||
|
||
For example, to run a new process in an existing container without updating limits, `resources` need not be specified. | ||
|
||
Runtimes MAY attach the container process to additional cgroup controllers beyond those necessary to fulfill the `resources` settings. | ||
|
||
### Example | ||
|
||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Which cgroups? Only those needed to fulfil
resources
, no? Or MUST they create a newdevices
cgroup even if there is nothing inlinux.resources.devices
?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
They must create all for the use case of orchestrator preparing the cgroups for you and just be asking the runtime to add the container process to the cgroups.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How should the runtime distinguish between v1 and v2 cgroups (more on this here)? I think a safer approach for orchestrators would be to tell the runtime to leave cgroups alone and set them up completely in a hook (both creating/initializing any required cgroups and joining the runtime to them). On the other hand, with #237 rejected, there's no clear way to warn the runtime that you'll be messing with cgroups in the hook, so the runtime might be surprised with:
cgroupsPath
orresources
, so the runtime creates a new devices cgroup and adds the container process.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
But should the runtime join any extra cgroups? The old language handled this case.