-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enable rootless cgroup v2 tests + some fixes #2944
Enable rootless cgroup v2 tests + some fixes #2944
Conversation
Failure in Fedora is caused by the fact systemd do not support delegation of
Will probably disable the check. |
CentOS failure is a known flake (#2760). I have a half-ready fix but no time to finish it :( |
f95897e
to
589795f
Compare
# so check the controllers that the current user has, not the top one. | ||
# NOTE: delegation of cpuset requires systemd >= 244 (Fedora >= 32, Ubuntu >= 20.04). | ||
if [[ "$ROOTLESS" -ne 0 && -n "$RUNC_USE_SYSTEMD" ]]; then | ||
controllers="/sys/fs/cgroup/user.slice/user-$(id -u).slice/user@$(id -u).service/cgroup.controllers" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Better to check cgroup.subtree_control?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Theoretically, if systemd did the job of delegation right, it does not matter.
Fixed nevertheless.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK, it seems that was wrong to change cgroup.controllers
to cgroup.subtree_control
. The first one contains all the controllers that systemd can delegate, while the second one only has a few (pids
and memory
, if I remember correctly).
Now, as far as I understand, fs2.CreateCgroupPath
(called from unifiedManager's Apply
) fixes that, enabling all supported controllers and subtree_control, but the tests check it earlier.
Anyway, when I changed it back to cgroups.controllers
, it is working, and the tests that require cpuset
are now not skipped on cgroup v2 + systemd + rootless.
589795f
to
ad3f47e
Compare
We have Fedora 34, but cpuset tests seems skipped?
|
ad3f47e
to
3ae0981
Compare
That was a typo in Thanks for catching this, should be fixed now. |
CentOS 7 failure:
This is probably caused by the fact that some earlier container was not removed, which in turn is probably caused by a very slow VM, a small (1 second) timeout in In any case look unrelated to the PR. I'll look into it. CI restarted. |
Proposed fix (unrelated to this PR): #2946 |
Weird, I still see this in fedora + rootless + systemd:
Looking. |
3ae0981
to
89e648e
Compare
Might be caused by the last commit ( |
7f709da
to
2ca3ba9
Compare
This was added by commit ca4f427, together with set_resources_limit, and was needed for the latter, since sed was used to update resources. Now when we switched to jq in commit 79fe41d, this kludge is no longer needed. Signed-off-by: Kir Kolyshkin <[email protected]>
Sometimes Path() is called before m.path is initialized (in particular, this happens from (*linuxContainer).newInitConfig), so we do need to make sure to call initPath. This fixes the following integration tests (for cgroup v2 + systemd case, currently not enabled -- to be enabled by further commits): * runc run (blkio weight) * runc run (cgroupv2 mount inside container) Fixes: ff692f2 ("Fix cgroup2 mount for rootless case") Signed-off-by: Kir Kolyshkin <[email protected]>
Setting cpuset.cpus requires cpuset controller, which might not be available in case of cgroup v2 + systemd < 244. Rather than require cpuset support from every test case, do not set the initial cpuset value from setup(), and do not check it. Signed-off-by: Kir Kolyshkin <[email protected]>
With this, something like cgroups_pids can be used (to be added by the next commit). Signed-off-by: Kir Kolyshkin <[email protected]>
1. In case of cgroup v2 + systemd + rootless, get the list of controllers from the own cgroup, rather than from the root one (as systemd cgroup delegation is required in this case, and it might not be set or fully working). 2. Use "requires cgroups_<controller>" in tests that need those controllers. Tested on Fedora 31 (which does not support delegation of cpuset controller). Signed-off-by: Kir Kolyshkin <[email protected]>
Systemd is not able to delegate hugetlb controller, and it is needed for cgroup v2 + systemd + rootless case (which is currently skipped because of "requires rootless_cgroup", but will be enabled by a later commit). The failure being fixed looks like this: > not ok 4 runc create (limits + cgrouppath + permission on the cgroup dir) succeeds > # (from function `check_cgroup_value' in file /vagrant/tests/integration/helpers.bash, line 188, > # in test file /vagrant/tests/integration/cgroups.bats, line 53) > # `check_cgroup_value "cgroup.controllers" "$(cat /sys/fs/cgroup/user.slice/user-$(id -u).slice/cgroup.controllers)"' failed > # <....> > # /sys/fs/cgroup/user.slice/user-2000.slice/[email protected]/machine.slice/runc-cgroups-integration-test-20341.scope/cgroup.controllers > # current cpuset cpu io memory pids !? cpuset cpu io memory hugetlb pids Signed-off-by: Kir Kolyshkin <[email protected]>
Before this commit, "require rootless_cgroup" feature check required "cgroup" to be present in ROOTLESS_FEATURES. The idea of the requirement, though, is to ensure that rootless runc can manage cgroups. In case of systemd + cgroup v2, rootless runc can manage cgroups, thanks to systemd delegation, so modify the feature check accordingly. Next, convert (simplify) some of the existing users to the modified check. Signed-off-by: Kir Kolyshkin <[email protected]>
Instead of listing all individual controllers we want to be delegated, just say "yes" which means "all the controllers that are available". Signed-off-by: Kir Kolyshkin <[email protected]>
2ca3ba9
to
12e9cac
Compare
No longer a draft. The last issue that was fixed is described at #2944 (comment) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM.
TL;DR: this is mostly tests/integration simplifications and improvements for systemd + cgroup v2 + rootless case, addressing #2942. The only exception is the second commit, which fixes the real bug uncovered by tests that are no longer skipped thanks to this PR.
tests/int/helpers: rm old code
This was added by commit ca4f427, together with
set_resources_limit
,and was needed for the latter, since it used
sed
to update resources.Now when we switched from
sed
tojq
in commit 79fe41d, this kludgeis no longer needed.
libct/cg/sd/v2: call initPath from Path
Sometimes
Path()
is called before m.path is initialized (in particular,this happens from
(*linuxContainer).newInitConfig)
, so we do need tomake sure to call
initPath
.This fixes the following integration tests (for cgroup v2 + systemd case,
currently not enabled -- to be enabled by further commits):
runc run (blkio weight)
runc run (cgroupv2 mount inside container)
Fixes: ff692f2 ("Fix cgroup2 mount for rootless case") aka PR Fix cgroup2 mount for rootless case #2818.
tests/int/update.bats: don't set cpuset in setup
Setting
cpuset.cpus
requires cpuset controller, which mightnot be available in case of cgroup v2 + systemd < 244.
Rather than require cpuset support from every test case, do not set the initial
cpuset value from
setup()
, and do not check it.tests/int/helpers: generalize require cgroups_freezer
With this, something like cgroups_pids can be used (to be added
by the next commit).
tests/int: enable/use
requires cgroups_<ctrl>
In case of cgroup v2 + systemd + rootless, get the list of controllers from
the own cgroup, rather than from the root one (as systemd cgroup delegation
is required in this case, and it might not be set or fully working).
Use
requires cgroups_<controller>
in tests that need thosecontrollers.
Tested on Fedora 31 (which does not support delegation of cpuset controller).
tests/int/cgroups: don't check for hugetlb
Systemd is not able to delegate hugetlb controller, and it is needed for
cgroup v2 + systemd + rootless case (which is currently skipped because
of "requires rootless_cgroup", but will be enabled by a later commit).
The failure being fixed looks like this:
tests/int: run rootless_cgroup tests for v2+systemd
Before this commit,
require rootless_cgroup
feature check requiredcgroup
to be present in
$ROOTLESS_FEATURES
. The idea of the requirement,though, is to ensure that rootless runc can manage cgroups.
In case of systemd + cgroup v2, rootless runc can manage cgroups,
thanks to systemd delegation, so modify the feature check accordingly.
Next, convert (simplify) some of the existing users to the modified check,
essentially enabling some tests that were disabled for systemd + cgroup v2 +
rootless case before.
Fixes: CI seems skipping
cgroupv2 with rootless (systemd)
#2942.Vagrantfile.fedora: set Delegate=yes
Instead of listing all individual controllers we want to be delegated,
just say "yes" which means "all the controllers that are available".