[WIP] Refactor cgroup handling

[jingxiaolu]

According to #344, this PR is trying to refactor cgroups handling in runtime.

What I've done in this PR:

1. introduce libcontainer/cgroups package for cgroups handling;
2. move cgroups handlings from CLI to sandbox level; refactor the handlings by the help of libcontainer/cgroups;

Works to be continue:

1. Add tests as @jodh-intel mentioned;
2. Add handling to UpdateContainer();
3. Remove old cgroups handling codes

Fixes: #344

Signed-off-by: Jingxiao Lu lujingxiao@huawei.com

[jingxiaolu]

This PR is re-submitted according to @sboeuf's comments at #405 .

@sboeuf @jodh-intel @grahamwhaley @devimc although is PR is still WIP, could you help to pay some time on it? Many thanks~

cc\ @WeiZhang555 @jshachm

[jingxiaolu]

CI is failing, let me fix it first...

[WeiZhang555]

Why is "libcontainer/cgroups/systemd" not involved? Is it unnecessary?

[jingxiaolu]

Should we support systemd containers? If yes, I'll add "libcontainer/cgroups/systemd"~

[jodh-intel]

Could you remove this comment and just rename the file to be virtcontainers/cgroups_linux.go as that's much clearer imho.

[WeiZhang555]

And, you need a new file named "virtcontainers/cgroups_unsupported.go" contains exactly same interface with current implementation(old codes) for other platforms other than linux. Or it won't compile on ppc64le

[WeiZhang555]

You can imitating

 vendor/github.com/opencontainers/runc/libcontainer/cgroups/cgroups_unsupported.go
@@ -0,0 +1,3 @@
 +// +build !linux
 +
 +package cgroups

[jingxiaolu]

Accepted 👍

[jodh-intel]

I don't really understand this code. Why can't it be just...

state, err := s.storage.fetchSandboxState(s.id)
if err != nil {
    return err
}

cgm.libcontainerManager = &fs.Manager{
    Cgroups:    cgm.libcontainerConfig.Cgroups,
    Paths:      state.CgroupPaths,
}

Maybe a comment in the code would help here.

[jingxiaolu]

Accepted~ Code is more beautiful now~

But I think we can ignore the err of fetchSandboxState() here, because if state.CgroupPaths is nil, it means we are in the first container creation. That's why I check if state.CgroupPaths == nil.
I'll update as this, so the first container creation, state.CgroupsPaths is nil:

	state, _ := s.storage.fetchSandboxState(s.id)
	cgm.libcontainerManager = &fs.Manager{
		Cgroups: cgm.libcontainerConfig.Cgroups,
		Paths:   state.CgroupPaths,
	}

[jodh-intel]

Shouldn't this test be the first one in the function (fail fast)?

[jingxiaolu]

accepted~ 👍

[jodh-intel]

It looks like this function should return an error as there are error scenarios it has to deal with?

[jingxiaolu]

I think when deletion, we shouldn't return error to break the shutdown procedure, that's why I just report warning here~

[katacontainersbot]

PSS Measurement:
Qemu: 144409 KB
Proxy: 4602 KB
Shim: 9112 KB

Memory inside container:
Total Memory: 2045972 KB
Free Memory: 2006316 KB

[bergwolf]

Where is s.Annotations() defined? I can't find it in the PR. Ideally we should only unmarshal the OCI json once for each container, since it is really slow... And for an empty sandbox w/o containers (e.g. in the CRI case), there is no such container OCI spec. You need to handle that case as well. So IMO the cgroup manager needs to be created upon first container creation instead.

[jingxiaolu]

So we should create this "cgroupManager" when the first container is created, but not the first sandbox is created?~

[bergwolf]

Yes, because you rely on a container OCI spec to create the cgroup manager and we won't have a container spec until the first container is to be created.

[jingxiaolu]

Currently the only place unmarshaling the OCI json is in kata-agent level, but I think newManager() should be called at sandbox level.

I would like to:

1. add a pointer named ociSpec at Sandbox struct;
2. unmarshal in newSandbox() and assign it to ociSpec;
3. when createContainer() in kata-agent level, get it from ociSpec;

Please share your comments, thanks~

[bergwolf]

@jingxiaolu

1. Yes, a pointer to the first ocispec in Sandbox makes sense since it avoids unmarshalling the same json twice.

2. As I stated above, one issue with newManager() in newSandbox() is that there may be no containers in sandboxConfig. Then you do not have the OCI spec you need to create the cgroup manager. The right place to do it is in createContainer().

3. Yes, it makes sense.

[bergwolf]

Need to check for shimPid > 0 to exclude the builtin shim case.

[jingxiaolu]

accepted~ 👍

when shimPid == 0, should we just return with nil or report error?

[bergwolf]

shimPid == 0 happens in noop_shim case. You can just return nil IMO.

[bergwolf]

What is s.state.Pid? A sandbox does not have a corresponding shim. All shims are associated with containers instead.

[jshachm]

sandbox.state.pid is shim pid of the first container in the pod, in other word means pause container.

[bergwolf]

First, a sandbox can be empty in which case there is no container in it at all. Secondly you cannot assume the first container in a sandbox is always a pause container that never quits. Such assumption breaks with docker and frakti case.

[jingxiaolu]

@bergwolf reasonable~ I'm modifying~

[jshachm]

Sry for missing for frakti case~

[bergwolf]

PodSandbox and PodContainer are both annotations in the kata CLI to get the missing sandbox abstraction from runc compatible command lines. There is no need to use such annotation in virtcontainers, where we know clearly about sandbox vs. containers.

[jingxiaolu]

which means: once createContainer() is called, we're clearly creating a container, I don't need to check PodContainer or what, just add the container's pid to cgroup.
Am I clear?~

[bergwolf]

Yes, your understanding is correct.

[bergwolf]

cgroups *cgroupsManager?

[jingxiaolu]

Yes, I adding this to enclose the implementations and data of cgroups handlings in cgroups.go (will be cgroups_linux.go and cgroups_unsupported.go)

[WeiZhang555]

@jingxiaolu is currently too busy and can't get enough time on this. I'll carry his work and take over the process.

[jodh-intel]

Thanks @WeiZhang555 - branch needs updating due to conflicts too btw.

[bergwolf]

@WeiZhang555 Any updates on this one?

[WeiZhang555]

@bergwolf I'll update it soon, didn't get enough time on it in recent days.

[jodh-intel]

Ping @WeiZhang555 :)

[sboeuf]

@WeiZhang555 I bet you're very busy, but just checking if this is something you're planning to look at?
I'm asking because we could reassign this to someone else that might have more bandwidth if someone's interested.

[WeiZhang555]

@sboeuf Sorry for delay, let me try to finish it in several days. It is truly blocked for so many months!
I'll give some update in this week. But if anyone is so interested in implementing this, welcome!

[WeiZhang555]

Closing this. New implementation is #734