This is an automated email from the ASF dual-hosted git repository.

bmahler pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/mesos.git


The following commit(s) were added to refs/heads/master by this push:
     new 4e556e6c7 [cgroups2] Add isolate field for nested containers.
4e556e6c7 is described below

commit 4e556e6c7060098ec2b0710406bcd8df24d676f6
Author: Jason Zhou <[email protected]>
AuthorDate: Wed Aug 14 19:53:16 2024 -0400

    [cgroups2] Add isolate field for nested containers.
    
    Currently we do not support nested containers. We need to let nested
    containers pick whether they want their own resource constraints based
    on the LinuxInfo::share_cgroups field in the API.
    
    In cgroups v1, we didn't need to track an additional field for this,
    because the isolator does not store nested containers within its `infos`
    map.
    
    In cgroups v2, we will *always* create cgroups for nested containers,
    and LinuxInfo::share_cgroups instead specifies whether these cgroups
    will have resource isolation applied to them. (LinuxInfo::share_cgroups
    needs to be renamed accordingly).
    
    In later patches, we will use this to skip the update and isolate
    calls on the controllers if isolate == false.
    
    Review: https://reviews.apache.org/r/75167/
---
 .../mesos/isolators/cgroups2/cgroups2.cpp          | 29 ++++++++++++++++------
 .../mesos/isolators/cgroups2/cgroups2.hpp          | 16 +++++++++---
 2 files changed, 35 insertions(+), 10 deletions(-)

diff --git a/src/slave/containerizer/mesos/isolators/cgroups2/cgroups2.cpp 
b/src/slave/containerizer/mesos/isolators/cgroups2/cgroups2.cpp
index 762bb1122..d1507ecd9 100644
--- a/src/slave/containerizer/mesos/isolators/cgroups2/cgroups2.cpp
+++ b/src/slave/containerizer/mesos/isolators/cgroups2/cgroups2.cpp
@@ -176,9 +176,6 @@ Future<Option<ContainerLaunchInfo>> 
Cgroups2IsolatorProcess::prepare(
     const ContainerID& containerId,
     const ContainerConfig& containerConfig)
 {
-  if (containerId.has_parent()) {
-    return Failure("cgroups v2 does not support nested containers");
-  }
 
   if (infos.contains(containerId)) {
     return Failure("Container with id '" + stringify(containerId) + "'"
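Review bot: Removing the `has_parent()` rejection at the top of prepare() admits nested containers before any controller code reads the new `isolate` flag; the commit message defers that to later patches. Until they land, a nested container that asked to share its parent's cgroups appears to go through the same controller setup as an isolated one. The `prepares` vector is built right after the `infos` insert, but the rest of prepare() is outside the hunks, so this is inferred. Either keep the guard until the consuming patch is in, or mark the gap where the guard used to be, e.g. `// TODO(<author>): Info::isolate is not yet honored by prepare/isolate/update for nested containers.` The removal also leaves an empty line directly after the opening `{`, which can be dropped.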
@@ -224,8 +221,16 @@ Future<Option<ContainerLaunchInfo>> 
Cgroups2IsolatorProcess::prepare(
   LOG(INFO) << "Created cgroups '" << nonLeafCgroup << "'"
             << " and '" << leafCgroup << "'";
 
+  const bool shareCgroups =
+    containerId.has_parent() &&
+    ((containerConfig.has_container_info() &&
+      containerConfig.container_info().has_linux_info() &&
+      containerConfig.container_info().linux_info().has_share_cgroups())
+       ? containerConfig.container_info().linux_info().share_cgroups()
+       : true);
+
   infos[containerId] = Owned<Info>(
-      new Info(containerId, nonLeafCgroup, leafCgroup));
+      new Info(containerId, nonLeafCgroup, leafCgroup, !shareCgroups));
 
   vector<Future<Nothing>> prepares;
   hashset<string> skip_enable = {"core", "perf_event", "devices"};
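Review bot: The `shareCgroups` expression here is repeated token for token in recover() (the `foreach` over `states`), and both sites negate it straight away to get `isolate`. Two copies of a rule that decides whether resource limits apply can drift apart, and the double negative makes the unset-field default hard to read. A single file-local helper that returns `isolate` directly would keep the rule in one place. It can be a template, because ContainerConfig and ContainerState both expose `has_container_info()` and `container_info()`. recover() would then call `___recover(state.container_id(), shouldIsolate(state.container_id(), state))`. prepare() starts and ends outside this hunk.

```cpp
// Returns whether resource isolation should be applied to the container's
// own cgroups. Top-level containers are always isolated; a nested container
// is isolated only if it explicitly sets `LinuxInfo::share_cgroups` to false.
template <typename T>
static bool shouldIsolate(const ContainerID& containerId, const T& message)
{
  if (!containerId.has_parent()) {
    return true;
  }

  if (message.has_container_info() &&
      message.container_info().has_linux_info() &&
      message.container_info().linux_info().has_share_cgroups()) {
    return !message.container_info().linux_info().share_cgroups();
  }

  // An unset `share_cgroups` is treated as "share with the parent".
  return false;
}

// … unchanged: cgroup creation and LOG(INFO) in prepare() …
  infos[containerId] = Owned<Info>(new Info(
      containerId,
      nonLeafCgroup,
      leafCgroup,
      shouldIsolate(containerId, containerConfig)));
```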
@@ -378,7 +383,14 @@ Future<Nothing> Cgroups2IsolatorProcess::recover(
   // Recover containers from checkpointed data:
   vector<Future<Nothing>> recovers;
   foreach (const ContainerState& state, states) {
-    recovers.push_back(___recover(state.container_id()));
+    const bool shareCgroups =
+      state.container_id().has_parent() &&
+      ((state.has_container_info() && state.container_info().has_linux_info() 
&&
+        state.container_info().linux_info().has_share_cgroups())
+         ? state.container_info().linux_info().share_cgroups()
+         : true);
+
+    recovers.push_back(___recover(state.container_id(), !shareCgroups));
   }
 
   // Then recover containers we find in the cgroups hierarchy:
@@ -489,7 +501,7 @@ Future<Nothing> Cgroups2IsolatorProcess::__recover(
 
 
 Future<Nothing> Cgroups2IsolatorProcess::___recover(
-    const ContainerID& containerId)
+    const ContainerID& containerId, bool isolate)
 {
   // Remark and handle invalid container states and recover enabled 
controllers.
   //
@@ -574,6 +586,7 @@ Future<Nothing> Cgroups2IsolatorProcess::___recover(
         &Cgroups2IsolatorProcess::____recover,
         containerId,
         recoveredControllers,
+        isolate,
         lambda::_1));
 }
 
@@ -581,6 +594,7 @@ Future<Nothing> Cgroups2IsolatorProcess::___recover(
 Future<Nothing> Cgroups2IsolatorProcess::____recover(
     const ContainerID& containerId,
     const hashset<string>& recoveredControllers,
+    bool isolate,
     const vector<Future<Nothing>>& futures)
 {
   CHECK(!infos.contains(containerId));
@@ -600,7 +614,8 @@ Future<Nothing> Cgroups2IsolatorProcess::____recover(
   infos[containerId] = Owned<Info>(new Info(
       containerId,
       cgroups2_paths::container(flags.cgroups_root, containerId, false),
-      cgroups2_paths::container(flags.cgroups_root, containerId, true)));
+      cgroups2_paths::container(flags.cgroups_root, containerId, true),
+      isolate));
 
   infos[containerId]->controllers = recoveredControllers;
 
diff --git a/src/slave/containerizer/mesos/isolators/cgroups2/cgroups2.hpp 
b/src/slave/containerizer/mesos/isolators/cgroups2/cgroups2.hpp
index 07eb03681..cf6c6c608 100644
--- a/src/slave/containerizer/mesos/isolators/cgroups2/cgroups2.hpp
+++ b/src/slave/containerizer/mesos/isolators/cgroups2/cgroups2.hpp
@@ -101,8 +101,9 @@ private:
   {
     Info(const ContainerID& containerId,
          const std::string& cgroup,
-         const std::string& cgroup_leaf)
-      : containerId(containerId), cgroup(cgroup), cgroup_leaf(cgroup_leaf) {}
+         const std::string& cgroup_leaf,
+         const bool isolate)
+      : containerId(containerId), cgroup(cgroup), cgroup_leaf(cgroup_leaf), 
isolate(isolate) {}
 
     const ContainerID containerId;
 
@@ -118,6 +119,13 @@ private:
     // Promise that will complete when a container is impacted by a resource
     // limitation and should be terminated.
     process::Promise<mesos::slave::ContainerLimitation> limitation;
+
+    // Whether to perform resource isolation on this container.
+    //   1. For non-nested containers, this will always be true.
+    //   2. For nested containers, this may be true or false.
+    //
+    // This field is derived from LinuxInfo::share_cgroups.
+    const bool isolate;
   };
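Review bot: The comment on `isolate` says the field is "derived from LinuxInfo::share_cgroups" but does not state the inversion or the default, both of which a reader needs when reasoning about whether limits apply. From prepare() and recover(), the value is `!share_cgroups` for nested containers, and an unset `share_cgroups` is treated as true. I would replace the last comment line with `// For nested containers this is !LinuxInfo::share_cgroups; an unset` / `// share_cgroups is treated as true, i.e. isolate == false.` The struct begins above this hunk.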
 
   Cgroups2IsolatorProcess(
@@ -142,11 +150,13 @@ private:
       const std::vector<process::Future<Nothing>>& futures);
 
   process::Future<Nothing> ___recover(
-      const ContainerID& containerId);
+      const ContainerID& containerId,
+      bool isolate = true);
 
   process::Future<Nothing> ____recover(
       const ContainerID& containerId,
       const hashset<std::string>& recoveredSubsystems,
+      bool isolate,
       const std::vector<process::Future<Nothing>>& futures);
 
   process::Future<Nothing> _isolate(
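Review bot: The default `bool isolate = true` on ___recover() means any call site that omits the argument records the container as isolated without an explicit decision. The only updated caller visible in this commit is the checkpointed-state loop. The path after "Then recover containers we find in the cgroups hierarchy" is outside the hunks and presumably relies on the default. If so, a nested orphan that shared its parent's cgroups would be recovered with `isolate == true`. Dropping the default, as in `const ContainerID& containerId,` / `bool isolate);`, forces each caller to state its choice, and the orphan call site can then carry a comment explaining why `true` is the safe assumption when no ContainerInfo is available.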
