mesos-reviews mailing list archives

From haosdent huang <haosd...@gmail.com>
Subject Re: Review Request 53296: Added cgroup namespace support for unified container.
Date Mon, 07 Nov 2016 02:41:31 GMT


> On Nov. 1, 2016, 4:43 a.m., Jie Yu wrote:
> > src/slave/containerizer/mesos/isolators/namespaces/cgroup.hpp, line 28
> > <https://reviews.apache.org/r/53296/diff/2/?file=1548952#file1548952line28>
> >
> >     Instead of creating a new namespace/cgroup isolator, I would suggest we add
the support to cgroups isolator. It looks weird to me to have a namespace/cgroup isolator
without using the cgroups isolator.
> 
> haosdent huang wrote:
>     I think it is still possible to use the `namespaces/cgroup` isolator without `cgroups` isolation, if the user only wants to isolate the host cgroups environment from the container.
> 
> Jie Yu wrote:
>     What's the use case for that? I feel that it will be strange to enable cgroup namespace
if containers still share the same cgroup. There will be no isolation if two containers try
to manipulate the cgroups. That defeats the purpose of using cgroup namespace.
> 
> haosdent huang wrote:
>     For example, we launch the docker daemon on the host, which would use `/sys/fs/cgroup/xx/subsystem_name` as the hierarchies.
>     Then we want to hide this in the containers launched by Mesos. In this case, we only need the `namespace/cgroup` isolator without cgroups isolation.
> 
> Jie Yu wrote:
>     If you don't enable the cgroups isolator, all containers' processes will be in the root cgroup. IIUC, even if the new container is put into a new cgroup namespace, it can still see docker's cgroups, no?
> 
> haosdent huang wrote:
>     >all container's process will be in root cgroup
>     
>     Yes
>     
>     >it can still see docker's cgroups, no
>     
>     It could not. Refer to https://reviews.apache.org/r/53517/: we could create a cgroup in the host namespace, but it is invisible in the containers.
> 
> haosdent huang wrote:
>     systemd would let the containers use user.slice as the default cgroup root in that
case.
> 
> Jie Yu wrote:
>     Here is the experiment I ran on my box:
>     
>     Console 1:
>     ```
>     root@ubuntu-xenial:~/opt# mkdir /sys/fs/cgroup/memory/test
>     root@ubuntu-xenial:~/opt# echo $$
>     29643
>     root@ubuntu-xenial:~/opt# echo 29643 > /sys/fs/cgroup/memory/test/tasks 
>     root@ubuntu-xenial:~/opt# cat /proc/self/cgroup | grep memory
>     9:memory:/test
>     root@ubuntu-xenial:~/opt# /home/ubuntu/opt/util-linux/bin/unshare -Cm /bin/bash
>     root@ubuntu-xenial:~/opt# cat /proc/self/cgroup | grep memory
>     9:memory:/
>     root@ubuntu-xenial:~/opt# cat /proc/1/cgroup  | grep memory
>     9:memory:/../init.scope
>     ```
>     
>     Console 2:
>     ```
>     root@ubuntu-xenial:~# sudo mkdir /sys/fs/cgroup/memory/test/sub-test
>     ```
>     
>     Console 1:
>     ```
>     root@ubuntu-xenial:~/opt# ls -al /sys/fs/cgroup/memory | grep sub-test
>     drwxr-xr-x  2 root root   0 Nov  6 23:21 sub-test
>     ```
> 
> haosdent huang wrote:
>     In console 1, you need to remount cgroup after `/home/ubuntu/opt/util-linux/bin/unshare -Cm /bin/bash`.
>     
>     ```
>     $ unshare -Cm bash
>     $ awk '{ if ($8 == "cgroup" && $4 ~ /^\/../) { cmd = cmd sprintf("umount %s\n", $5); cmd = cmd sprintf("mount -t cgroup -o %s %s %s\n", $10, $9, $5); } } END { system(cmd); }' /proc/self/mountinfo
>     ```
>     
>     Then `sub-test`
>     
>     ```
>     $ ls -1 /sys/fs/cgroup/memory/|grep sub-test
>     sub-test
>     ```
> 
> Jie Yu wrote:
>     Sorry, yeah, I did do a remount of the memory subsystem and forgot to paste the command there. The result I showed above is after I did a re-mount of the subsystem.
>     
>     My point is: even if the container uses a cgroup namespace, the host processes can still create cgroups in its root cgroup, and that cgroup will show up in the container's cgroup.
>     
>     That being said, using a cgroup namespace alone without the cgroups isolator sounds weird because all containers share the same cgroup.

Hmm, I see, let me do it in the cgroups isolator. So should we add a new flag like `--enable_cgroup_namespace` to the agent, or add a new field to `message ContainerInfo`?


- haosdent


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/53296/#review154371
-----------------------------------------------------------


On Nov. 6, 2016, 12:47 p.m., haosdent huang wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/53296/
> -----------------------------------------------------------
> 
> (Updated Nov. 6, 2016, 12:47 p.m.)
> 
> 
> Review request for mesos, Jie Yu, Qian Zhang, and Jiang Yan Xu.
> 
> 
> Bugs: MESOS-5410
>     https://issues.apache.org/jira/browse/MESOS-5410
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> Added cgroup namespace support for unified container.
> 
> 
> Diffs
> -----
> 
>   src/CMakeLists.txt aef9ae6d2872dc15725c01ce85b657965485605f 
>   src/Makefile.am 5a47c93388234a68c3c486a021ccdbe3213c5bac 
>   src/slave/containerizer/mesos/containerizer.cpp 67cc595278f124cdf518d2f4fcfb257439f067e2 
>   src/slave/containerizer/mesos/isolators/namespaces/cgroup.hpp PRE-CREATION 
>   src/slave/containerizer/mesos/isolators/namespaces/cgroup.cpp PRE-CREATION 
> 
> Diff: https://reviews.apache.org/r/53296/diff/
> 
> 
> Testing
> -------
> 
> The test case is on the way.
> 
> 
> Thanks,
> 
> haosdent huang
> 
>
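The remount step discussed in the thread, as an added example that is not part of the original review or of the Mesos code base: a small POSIX shell script that reads `/proc/self/mountinfo`, locates the `-` separator instead of assuming fixed columns (the optional `shared:N` / `master:N` fields shift the fstype, source and super-options, which a `$8 == "cgroup"` test silently misses), and prints the umount/mount pair for every cgroup v1 hierarchy whose root is not `/`. With `--demo` it re-runs the console experiment from the thread (create `/sys/fs/cgroup/memory/test`, move the shell into it, `unshare -Cm`, remount, inspect). The sample mountinfo is constructed, the function and option names are mine, and the demo assumes root, a cgroup v1 host and a util-linux `unshare` that supports `-C`.

```shell
#!/bin/sh
# Added example (not code from the Mesos review or the Mesos project).
# Generates the umount/mount commands that re-root the cgroup v1 hierarchies
# after `unshare -C`, and optionally runs the whole experiment from the thread.

# Read /proc/self/mountinfo on stdin; print one umount + one mount line for
# every cgroup hierarchy whose root (field 4) is not "/".  Inside a fresh
# cgroup namespace the inherited mounts are still rooted at the *old* cgroup
# ("/.." or "/../init.scope"), which is why /sys/fs/cgroup keeps showing the
# host view until they are remounted.  The "-" separator is located explicitly
# so the variable-length optional fields (shared:N, master:N, ...) cannot shift
# the fstype/source/superopts columns, unlike a fixed "$8 == cgroup" test.
cgroup_remount_cmds() {
  awk '{
    sep = 0
    for (i = 7; i <= NF; i++) if ($i == "-") { sep = i; break }
    if (sep == 0) next                      # not a mountinfo line, skip it
    fstype = $(sep + 1); src = $(sep + 2); superopts = $(sep + 3)
    if (fstype == "cgroup" && $4 != "/") {
      printf "umount %s\n", $5
      printf "mount -t cgroup -o %s %s %s\n", superopts, src, $5
    }
  }'
}

# Constructed sample (not captured from a real host): what a process moved into
# the memory cgroup /test sees right after `unshare -Cm`, before any remount.
# The freezer line is rooted at "/" (the process was already at that
# hierarchy's root), so it needs no remount and must be left alone.
sample_mountinfo() {
  cat <<'EOF'
25 30 0:23 / /sys/fs/cgroup ro,nosuid,nodev,noexec shared:8 - tmpfs tmpfs ro,mode=755
28 25 0:26 /.. /sys/fs/cgroup/memory rw,nosuid,nodev,noexec,relatime shared:9 - cgroup cgroup rw,memory
29 25 0:27 /.. /sys/fs/cgroup/cpu,cpuacct rw,nosuid,nodev,noexec,relatime shared:10 - cgroup cgroup rw,cpu,cpuacct
30 25 0:28 / /sys/fs/cgroup/freezer rw,nosuid,nodev,noexec,relatime shared:11 - cgroup cgroup rw,freezer
EOF
}

# --apply is run by the copy of this script that `unshare -Cm` starts: remount
# inside the new namespace, then show what the thread's experiment looked at.
# --demo is the outer half; it needs root, a cgroup v1 host and a util-linux
# unshare that knows -C.  With no argument nothing below runs.
case "${1:-}" in
  --apply)
    cgroup_remount_cmds < /proc/self/mountinfo | sh -e
    echo "cgroup of this shell (namespace view):"; grep memory /proc/self/cgroup
    echo "cgroup of host PID 1 (namespace view):"; grep memory /proc/1/cgroup
    ls -1 /sys/fs/cgroup/memory
    ;;
  --demo)
    mkdir -p /sys/fs/cgroup/memory/test
    echo $$ > /sys/fs/cgroup/memory/test/tasks
    unshare -Cm sh "$0" --apply
    ;;
esac
```

Run it as `sh script.sh --demo` as root, then create `/sys/fs/cgroup/memory/test/sub-test` from another console and re-run `ls -1 /sys/fs/cgroup/memory` inside the namespace. Remounting only changes which paths the namespaced process sees; as the thread's experiment shows, a cgroup the host creates inside the namespace's root cgroup still appears in the container, which is why the namespace is only a real isolation boundary when each container also has its own cgroup.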

