mesos-reviews mailing list archives

From Jie Yu <yujie....@gmail.com>
Subject Re: Review Request 53296: Added cgroup namespace support for unified container.
Date Sun, 06 Nov 2016 23:28:16 GMT


> On Nov. 1, 2016, 4:43 a.m., Jie Yu wrote:
> > src/slave/containerizer/mesos/isolators/namespaces/cgroup.hpp, line 28
> > <https://reviews.apache.org/r/53296/diff/2/?file=1548952#file1548952line28>
> >
> >     Instead of creating a new namespace/cgroup isolator, I would suggest we add the support to cgroups isolator. It looks weird to me to have a namespace/cgroup isolator without using the cgroups isolator.
> 
> haosdent huang wrote:
>     I think it is still possible to use `namespaces/cgroup` isolator without `cgroups` isolation? If the user only wants to isolate the host cgroups environment from the container.
> 
> Jie Yu wrote:
>     What's the use case for that? I feel that it will be strange to enable cgroup namespace if containers still share the same cgroup. There will be no isolation if two containers try to manipulate the cgroups. That defeats the purpose of using cgroup namespace.
> 
> haosdent huang wrote:
>     For example, we launch docker daemon in the host, which would use `/sys/fs/cgroup/xx/subsystem_name` as the hierarchies.
>     Then we want to hide this in the containers launched by Mesos. In this case, we only need `namespace/cgroup` isolator without cgroups isolation.
> 
> Jie Yu wrote:
>     If you don't enable cgroups isolator, all container's process will be in root cgroup. IIUC, even the new container is put into a new cgroup namespace, it can still see docker's cgroups, no?
> 
> haosdent huang wrote:
>     >all container's process will be in root cgroup
>     
>     Yes
>     
>     >it can still see docker's cgroups, no
>     
>     Could not. Refer to https://reviews.apache.org/r/53517/, we could a cgroup in the host namespace, but it is invisible in the containers.
> 
> haosdent huang wrote:
>     systemd would let the containers use user.slice as the default cgroup root in that case.

Here is the experiment I ran on my box:

Console 1:
```
root@ubuntu-xenial:~/opt# mkdir /sys/fs/cgroup/memory/test
root@ubuntu-xenial:~/opt# echo $$
29643
root@ubuntu-xenial:~/opt# echo 29643 > /sys/fs/cgroup/memory/test/tasks 
root@ubuntu-xenial:~/opt# cat /proc/self/cgroup | grep memory
9:memory:/test
root@ubuntu-xenial:~/opt# /home/ubuntu/opt/util-linux/bin/unshare -Cm /bin/bash
root@ubuntu-xenial:~/opt# cat /proc/self/cgroup | grep memory
9:memory:/
root@ubuntu-xenial:~/opt# cat /proc/1/cgroup  | grep memory
9:memory:/../init.scope
```

Console 2:
```
root@ubuntu-xenial:~# sudo mkdir /sys/fs/cgroup/memory/test/sub-test
```

Console 1:
```
root@ubuntu-xenial:~/opt# ls -al /sys/fs/cgroup/memory | grep sub-test
drwxr-xr-x  2 root root   0 Nov  6 23:21 sub-test
```


- Jie


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/53296/#review154371
-----------------------------------------------------------


On Nov. 6, 2016, 12:47 p.m., haosdent huang wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/53296/
> -----------------------------------------------------------
> 
> (Updated Nov. 6, 2016, 12:47 p.m.)
> 
> 
> Review request for mesos, Jie Yu, Qian Zhang, and Jiang Yan Xu.
> 
> 
> Bugs: MESOS-5410
>     https://issues.apache.org/jira/browse/MESOS-5410
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> Added cgroup namespace support for unified container.
> 
> 
> Diffs
> -----
> 
>   src/CMakeLists.txt aef9ae6d2872dc15725c01ce85b657965485605f 
>   src/Makefile.am 5a47c93388234a68c3c486a021ccdbe3213c5bac 
>   src/slave/containerizer/mesos/containerizer.cpp 67cc595278f124cdf518d2f4fcfb257439f067e2
>   src/slave/containerizer/mesos/isolators/namespaces/cgroup.hpp PRE-CREATION 
>   src/slave/containerizer/mesos/isolators/namespaces/cgroup.cpp PRE-CREATION 
> 
> Diff: https://reviews.apache.org/r/53296/diff/
> 
> 
> Testing
> -------
> 
> The test case is on the way.
> 
> 
> Thanks,
> 
> haosdent huang
> 
>
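
The `/proc/<pid>/cgroup` lines in the console session of this message can be classified mechanically. The following is an added example, not part of the original message or of the Mesos patch; the function names `classify_path` and `cgroup_view` are hypothetical. It relies on the kernel showing each path relative to the reader's cgroup namespace root, so a path starting with `/..` names a cgroup outside that root.

```shell
#!/bin/sh
# Added example (not from the thread). Each /proc/<pid>/cgroup line is
# "hierarchy-ID:controller-list:path"; the path is relative to the cgroup
# namespace root of the process that reads the file.

# classify_path PATH -> ns-root | inside-ns-root | outside-ns-root | malformed
classify_path() {
    case $1 in
        /)          echo ns-root ;;
        /..|/../*)  echo outside-ns-root ;;  # cgroup is not under the reader's root
        /*)         echo inside-ns-root ;;
        *)          echo malformed ;;
    esac
}

# cgroup_view CONTROLLER < cgroup-file
# Prints "<view> <path>" for the hierarchy that carries CONTROLLER
# (pass "" to select the cgroup v2 entry "0::/path").
# Returns 1 when no line matches.
cgroup_view() {
    want=$1
    found=1
    while IFS= read -r line; do
        rest=${line#*:}                       # drop the hierarchy ID
        [ "$rest" != "$line" ] || continue    # no colon at all: skip
        controllers=${rest%%:*}
        path=${rest#*:}                       # path may itself contain ':'
        [ "$path" != "$rest" ] || continue    # second colon missing: skip
        case ",$controllers," in
            *",$want,"*) ;;                   # e.g. "cpu,cpuacct" matches cpuacct
            *) continue ;;
        esac
        printf '%s %s\n' "$(classify_path "$path")" "$path"
        found=0
    done
    return $found
}

# Sample input: the three memory lines shown in the console session.
for sample in '9:memory:/test' '9:memory:/' '9:memory:/../init.scope'; do
    printf '%-26s -> %s\n' "$sample" \
        "$(printf '%s\n' "$sample" | cgroup_view memory)"
done
```

On a live system the same function can be fed directly, for example `cgroup_view memory < /proc/1/cgroup` from inside the namespace being inspected.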

