CGroup device configuration in prestart hook #1044

Closed
3XX0 opened this issue Sep 14, 2016 · 4 comments

3XX0 commented Sep 14, 2016

Currently the container process joins its cgroup before the hooks are triggered (source) but the configuration is actually applied later when the procReady signal is received (source).

Is that the intended behavior? I'm asking because it makes it impossible to configure the device cgroup from within a prestart hook if the author of the hook doesn't control the runc config. The first device rule will most likely be {Major: Wildcard, Minor: Wildcard, Allow: false} or set AllowAllDevices: false thus overriding any cgroup configuration made by the hook itself.

Member

cyphar commented Sep 14, 2016

This is intended behaviour. The reason for this change is because of the fact that the Go runtime loves to consume resources (especially PIDs), and setting the limits earlier would result in the author of a config.json having to worry about the overhead of runc. However, I'm open to a proposal which can allow for that problem to be dealt with as well as making hooks more functional.

It should be noted that if you use the create and start operations separately then you should be able to tweak the cgroups as well (create will pause immediately before execve which is after the cgroup settings have been applied). Currently there is a lot of discussion in the specification repo whether we should remove hooks (since the create-start operations should be sufficient to handle all of the hooks' features). You can also use runc update to change the cgroup configuration after the container has started.
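
The ordering discussed in the two comments above, as an added example that is not part of the thread or of runc's code: a simplified Go model of a default-deny cgroup v1 devices list, showing that a rule written by a prestart hook is lost when the config's deny-all rule is applied afterwards, and survives when it is written after the config has been applied (the create/start or `runc update` route). The `Rule` type, the `Allowed` function and the sample device numbers are assumptions of this sketch.

```go
package main

import "fmt"

const Wildcard = -1 // stand-in for the Wildcard in the rule quoted in the issue

// Rule is a simplified device rule (hypothetical type, not runc's own).
type Rule struct {
	Type         rune // 'a' all, 'c' char, 'b' block
	Major, Minor int64
	Allow        bool
}

// covers reports whether r matches device t major:minor.
func (r Rule) covers(t rune, major, minor int64) bool {
	return (r.Type == 'a' || r.Type == t) &&
		(r.Major == Wildcard || r.Major == major) &&
		(r.Minor == Wildcard || r.Minor == minor)
}

// Allowed writes rules in order to a default-deny devices list and reports
// whether device t major:minor is permitted afterwards. Only the deny-all
// rule is modelled for denies; narrower deny rules are ignored in this sketch.
func Allowed(rules []Rule, t rune, major, minor int64) bool {
	var exceptions []Rule
	for _, r := range rules {
		switch {
		case r.Allow: // write to devices.allow: add an exception
			exceptions = append(exceptions, r)
		case r.Type == 'a': // "a" written to devices.deny clears every exception
			exceptions = nil
		}
	}
	for _, e := range exceptions {
		if e.covers(t, major, minor) {
			return true
		}
	}
	return false
}

// Constructed sample rules: config = deny-all plus c 1:3, hook = one extra device.
var Config = []Rule{{'a', Wildcard, Wildcard, false}, {'c', 1, 3, true}}
var Hook = []Rule{{'c', 195, 0, true}}

func main() {
	fmt.Println("hook, then config:", Allowed(append(Hook, Config...), 'c', 195, 0))
	fmt.Println("config, then hook:", Allowed(append(Config, Hook...), 'c', 195, 0))
}
```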

Author

3XX0 commented Sep 14, 2016

I see, it makes sense. Yes, I'm aware of the create/start debate but I stick with hooks simply because in my case I can't control the invocation of runc (e.g. Docker).

Can't we just move the cgroup assignment only for the device subsystem? This shouldn't impact runc apart from the /dev/null reopen. I'm not sure about the other subsystems but the device wildcard override looks like an edge case that could be handled this way.

Author

3XX0 commented Sep 30, 2016

Any insights on this? This is the only thing stopping us from adding GPU support for runc/Docker.

Author

3XX0 commented May 26, 2017

Fixed by #1239

3XX0 closed this as completed May 26, 2017