From b65063248fa5083ba265d9247f6ae93e45644113 Mon Sep 17 00:00:00 2001
From: Jose Carlos Venegas Munoz
Date: Mon, 8 Jul 2019 19:18:11 +0000
Subject: [PATCH] config: add option SandboxCgroupOnly

add option to eneable only pod cgroup (SandboxCgroupOnly)

Depends-on: github.com/kata-containers/tests#1824

Fixes: #1879

Signed-off-by: Jose Carlos Venegas Munoz
---
 Makefile                              | 5 +++++
 cli/config/configuration-acrn.toml.in | 8 ++++++++
 cli/config/configuration-fc.toml.in   | 8 ++++++++
 cli/config/configuration-nemu.toml.in | 6 ++++++
 cli/config/configuration-qemu.toml.in | 8 ++++++++
 cli/kata-env.go                       | 2 ++
 pkg/katautils/config.go               | 2 ++
 virtcontainers/pkg/oci/utils.go       | 5 +++++
 virtcontainers/sandbox.go             | 3 +++
 9 files changed, 47 insertions(+)

diff --git a/Makefile b/Makefile
index eecc9d409..879b8a9aa 100644
--- a/Makefile
+++ b/Makefile
@@ -183,6 +183,9 @@ DEFDISABLENESTINGCHECKS := false
 DEFMSIZE9P := 8192
 DEFHOTPLUGVFIOONROOTBUS := false
 
+# Default cgroup model
+DEFSANDBOXCGROUPONLY ?= false
+
 SED = sed
 
 CLI_DIR = cli
@@ -424,6 +427,7 @@ USER_VARS += DEFDISABLENESTINGCHECKS
 USER_VARS += DEFMSIZE9P
 USER_VARS += DEFHOTPLUGVFIOONROOTBUS
 USER_VARS += DEFENTROPYSOURCE
+USER_VARS += DEFSANDBOXCGROUPONLY
 USER_VARS += BUILDFLAGS
 
 
@@ -579,6 +583,7 @@ $(GENERATED_FILES): %: %.in $(MAKEFILE_LIST) VERSION .git-commit
 	-e "s|@DEFMSIZE9P@|$(DEFMSIZE9P)|g" \
 	-e "s|@DEFHOTPLUGONROOTBUS@|$(DEFHOTPLUGVFIOONROOTBUS)|g" \
 	-e "s|@DEFENTROPYSOURCE@|$(DEFENTROPYSOURCE)|g" \
+	-e "s|@DEFSANDBOXCGROUPONLY@|$(DEFSANDBOXCGROUPONLY)|g" \
 	$< > $@
 
 generate-config: $(CONFIGS)
diff --git a/cli/config/configuration-acrn.toml.in b/cli/config/configuration-acrn.toml.in
index b3da08744..b38dd3436 100644
--- a/cli/config/configuration-acrn.toml.in
+++ b/cli/config/configuration-acrn.toml.in
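Review bot: `DEFSANDBOXCGROUPONLY ?= false` is the only default in this block declared with `?=`; the neighbouring defaults visible in the hunk (`DEFDISABLENESTINGCHECKS`, `DEFMSIZE9P`, `DEFHOTPLUGVFIOONROOTBUS`) all use `:=`. With `?=` a variable of that name sitting in the build environment silently changes the value that gets baked into every generated configuration file, which is not what a packager expects from a build-time default. Use `DEFSANDBOXCGROUPONLY := false` here; explicit command-line overrides (`make DEFSANDBOXCGROUPONLY=true`) keep working either way.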
@@ -228,6 +228,14 @@ disable_guest_seccomp=@DEFDISABLEGUESTSECCOMP@
 # (default: false)
 #disable_new_netns = true
 
+# if enabled, the runtime will add all the kata processes inside one dedicated cgroup.
+# The container cgroups in the host are not created, just one single cgroup per sandbox.
+# The sandbox cgroup is not constrained by the runtime
+# The runtime caller is free to restrict or collect cgroup stats of the overall Kata sandbox.
+# The sandbox cgroup path is the parent cgroup of a container with the PodSandbox annotation.
+# See: https://godoc.org/github.com/kata-containers/runtime/virtcontainers#ContainerType
+sandbox_cgroup_only=@DEFSANDBOXCGROUPONLY@
+
 # Enabled experimental feature list, format: ["a", "b"].
 # Experimental features are features not stable enough for production,
 # They may break compatibility, and are prepared for a big version bump.
diff --git a/cli/config/configuration-fc.toml.in b/cli/config/configuration-fc.toml.in
index b9137c114..520642d91 100644
--- a/cli/config/configuration-fc.toml.in
+++ b/cli/config/configuration-fc.toml.in
@@ -330,6 +330,14 @@ disable_guest_seccomp=@DEFDISABLEGUESTSECCOMP@
 # (default: false)
 #disable_new_netns = true
 
+# if enable, the runtime will add all the kata processes inside one dedicated cgroup.
+# The container cgroups in the host are not created, just one single cgroup per sandbox.
+# The sandbox cgroup is not constrained by the runtime
+# The runtime caller is free to restrict or collect cgroup stats of the overall Kata sandbox.
+# The sandbox cgroup path is the parent cgroup of a container with the PodSandbox annotation.
+# See: https://godoc.org/github.com/kata-containers/runtime/virtcontainers#ContainerType
+sandbox_cgroup_only=@DEFSANDBOXCGROUPONLY@
+
 # Enabled experimental feature list, format: ["a", "b"].
 # Experimental features are features not stable enough for production,
 # They may break compatibility, and are prepared for a big version bump.
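Review bot: The comment above `sandbox_cgroup_only=` says the sandbox cgroup `is not constrained by the runtime` but leaves the consequence implicit: once the option is on, the runtime creates no per-container host cgroup, so every host-side resource limit for the sandbox has to come from whoever owns the parent cgroup, and if that caller applies none the VM and its helper processes run with no host-side limits at all. I would add one line after it: `# When enabled the runtime applies no host-side resource limits itself; the caller MUST constrain the parent (pod) cgroup.` The shipped value is substituted from DEFSANDBOXCGROUPONLY at build time (Makefile hunk in this patch), so a `# (default: false)` line, as the neighbouring `disable_new_netns` option has, would also tell operators what they are actually running with.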
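Review bot: The first comment line of the fc hunk reads `# if enable, the runtime will add all the kata processes inside one dedicated cgroup.`, whereas the acrn and qemu templates in the same patch say `# if enabled, ...`; the four templates describe one option and should carry identical text. Change it to `# if enabled, the runtime will add all the kata processes inside one dedicated cgroup.` so the templates stay diff-able against each other.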
diff --git a/cli/config/configuration-nemu.toml.in b/cli/config/configuration-nemu.toml.in
index 9486e2cf4..3173e364c 100644
--- a/cli/config/configuration-nemu.toml.in
+++ b/cli/config/configuration-nemu.toml.in
@@ -404,6 +404,12 @@ disable_guest_seccomp=@DEFDISABLEGUESTSECCOMP@
 # (default: false)
 #disable_new_netns = true
 
+# if enable, the runtime use the parent cgroup of a container PodSandbox. This
+# should be enabled for users where the caller setup the parent cgroup of the
+# containers running in a sandbox so all the resouces of the kata container run
+# in the same cgroup and performance isolation its more accurate.
+sandbox_cgroup_only=@DEFSANDBOXCGROUPONLY@
+
 # Enabled experimental feature list, format: ["a", "b"].
 # Experimental features are features not stable enough for production,
 # They may break compatibility, and are prepared for a big version bump.
diff --git a/cli/config/configuration-qemu.toml.in b/cli/config/configuration-qemu.toml.in
index 6d5c84605..a03ee568f 100644
--- a/cli/config/configuration-qemu.toml.in
+++ b/cli/config/configuration-qemu.toml.in
@@ -412,6 +412,14 @@ disable_guest_seccomp=@DEFDISABLEGUESTSECCOMP@
 # (default: false)
 #disable_new_netns = true
 
+# if enabled, the runtime will add all the kata processes inside one dedicated cgroup.
+# The container cgroups in the host are not created, just one single cgroup per sandbox.
+# The sandbox cgroup is not constrained by the runtime
+# The runtime caller is free to restrict or collect cgroup stats of the overall Kata sandbox.
+# The sandbox cgroup path is the parent cgroup of a container with the PodSandbox annotation.
+# See: https://godoc.org/github.com/kata-containers/runtime/virtcontainers#ContainerType
+sandbox_cgroup_only=@DEFSANDBOXCGROUPONLY@
+
 # Enabled experimental feature list, format: ["a", "b"].
 # Experimental features are features not stable enough for production,
 # They may break compatibility, and are prepared for a big version bump.
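Review bot: The nemu template documents `sandbox_cgroup_only` with text unrelated to the six-line comment used by the acrn, fc and qemu templates in this patch, and the text has several errors (`the runtime use`, `the caller setup`, `resouces`, `its more accurate`). It also drops the one statement an operator needs, that the sandbox cgroup is not constrained by the runtime and the caller is expected to restrict it. Replace these four comment lines with the same six-line comment the other templates use (the block starting `# if enabled, the runtime will add all the kata processes inside one dedicated cgroup.` and ending with the godoc link), so every hypervisor configuration gives the same guidance for the same option.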
diff --git a/cli/kata-env.go b/cli/kata-env.go
index f9c1e9d80..90a73b3c4 100644
--- a/cli/kata-env.go
+++ b/cli/kata-env.go
@@ -69,6 +69,7 @@ type RuntimeInfo struct {
 	Trace               bool
 	DisableGuestSeccomp bool
 	DisableNewNetNs     bool
+	SandboxCgroupOnly   bool
 	Experimental        []exp.Feature
 	Path                string
 }
@@ -187,6 +188,7 @@ func getRuntimeInfo(configFile string, config oci.RuntimeConfig) RuntimeInfo {
 		Config:              runtimeConfig,
 		Path:                runtimePath,
 		DisableNewNetNs:     config.DisableNewNetNs,
+		SandboxCgroupOnly:   config.SandboxCgroupOnly,
 		Experimental:        config.Experimental,
 		DisableGuestSeccomp: config.DisableGuestSeccomp,
 	}
diff --git a/pkg/katautils/config.go b/pkg/katautils/config.go
index a920b5795..3d6b7c3e2 100644
--- a/pkg/katautils/config.go
+++ b/pkg/katautils/config.go
@@ -133,6 +133,7 @@ type runtime struct {
 	Tracing             bool     `toml:"enable_tracing"`
 	DisableNewNetNs     bool     `toml:"disable_new_netns"`
 	DisableGuestSeccomp bool     `toml:"disable_guest_seccomp"`
+	SandboxCgroupOnly   bool     `toml:"sandbox_cgroup_only"`
 	Experimental        []string `toml:"experimental"`
 	InterNetworkModel   string   `toml:"internetworking_model"`
 }
@@ -1054,6 +1055,7 @@ func LoadConfiguration(configPath string, ignoreLogging, builtIn bool) (resolved
 		config.ProxyConfig = vc.ProxyConfig{Debug: config.Debug}
 	}
 
+	config.SandboxCgroupOnly = tomlConf.Runtime.SandboxCgroupOnly
 	config.DisableNewNetNs = tomlConf.Runtime.DisableNewNetNs
 	for _, f := range tomlConf.Runtime.Experimental {
 		feature := exp.Get(f)
diff --git a/virtcontainers/pkg/oci/utils.go b/virtcontainers/pkg/oci/utils.go
index 5c7cab342..abd44e9b4 100644
--- a/virtcontainers/pkg/oci/utils.go
+++ b/virtcontainers/pkg/oci/utils.go
@@ -141,6 +141,9 @@ type RuntimeConfig struct {
 	//Determines if create a netns for hypervisor process
 	DisableNewNetNs bool
 
+	//Determines kata processes are managed only in sandbox cgroup
+	SandboxCgroupOnly bool
+
 	//Experimental features enabled
 	Experimental []exp.Feature
 }
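Review bot: The comment on the new `SandboxCgroupOnly` field in RuntimeConfig, `//Determines kata processes are managed only in sandbox cgroup`, is missing a word and does not say what the flag selects; the configuration templates in this same patch describe it as one host cgroup per sandbox that the runtime does not constrain. Following the `//Determines if ...` phrasing of the line above it, I would write `//Determines if all host-side processes of a sandbox go in one cgroup (the PodSandbox container's parent cgroup) instead of one cgroup per container; the runtime does not constrain that cgroup`. The RuntimeConfig struct begins outside this hunk.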
@@ -515,6 +518,8 @@ func SandboxConfig(ocispec CompatOCISpec, runtime RuntimeConfig, bundlePath, cid
 
 		SystemdCgroup: systemdCgroup,
 
+		SandboxCgroupOnly: runtime.SandboxCgroupOnly,
+
 		DisableGuestSeccomp: runtime.DisableGuestSeccomp,
 
 		Experimental: runtime.Experimental,
diff --git a/virtcontainers/sandbox.go b/virtcontainers/sandbox.go
index a749f9ece..1edc8dc09 100644
--- a/virtcontainers/sandbox.go
+++ b/virtcontainers/sandbox.go
@@ -104,6 +104,9 @@ type SandboxConfig struct {
 	// SystemdCgroup enables systemd cgroup support
 	SystemdCgroup bool
 
+	// SandboxCgroupOnly enables cgroup only at podlevel in the host
+	SandboxCgroupOnly bool
+
 	DisableGuestSeccomp bool
 
 	// Experimental features enabled
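Review bot: `SandboxCgroupOnly` is added to SandboxConfig with the comment `enables cgroup only at podlevel in the host`, but nothing in this commit reads the field: all nine files in the diffstat only declare it, parse it from TOML, print it in kata-env and copy it into SandboxConfig. Until the code that acts on it lands (presumably a follow-up; the Depends-on trailer points at the tests repository), setting `sandbox_cgroup_only=true` delivers the behaviour promised by the configuration templates only on paper, since this diff leaves the runtime's cgroup handling untouched, and that should be stated in the commit message or on the field. I would also make the comment state the contract, e.g. `// SandboxCgroupOnly, when true, puts every host-side process of the sandbox in one cgroup (the PodSandbox container's parent cgroup) instead of one per container; the runtime does not constrain that cgroup.` The SandboxConfig struct begins outside this hunk.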