Allow completely disabling cgroup manipulation #2892
Conversation
aidanhs
force-pushed
the
aphs-disabling-cgroups
branch
2 times, most recently
from
cfae143 to
c535084
Compare
|
Sorry for the late. I'll review this PR next weekend. If you have time to check CIs, please fix it before starting reviewing 🙏 |
Signed-off-by: Aidan Hobson Sayers <[email protected]>
Signed-off-by: Aidan Hobson Sayers <[email protected]>
aidanhs
force-pushed
the
aphs-disabling-cgroups
branch
from
c535084 to
3783dab
Compare
|
Have fixed linting and unit test compilation failures. Have run the unit tests and integration tests as best I can (struggled with WASM ones) and the only failures I get also fail on main. |
Signed-off-by: Aidan Hobson Sayers <[email protected]>
Signed-off-by: Aidan Hobson Sayers <[email protected]>
Signed-off-by: Aidan Hobson Sayers <[email protected]>
aidanhs
force-pushed
the
aphs-disabling-cgroups
branch
from
3783dab to
f6514a0
Compare
Why don't you directly use cgroupv2 fs instead of systemd? Also, I'd like to know more concrete use case you mentioned. |
|
The program I'm working on will be distributed to users and I want it to work natively in WSL, without any additional user setup. Currently I use nsjail for rootless namespace isolation (pid and mount only) and have no need for cgroups or anything else. I'm doing the isolation rootless, WSL uses the unified setup (microsoft/WSL#6662) and also does not have systemd enabled by default - so afaict none of systemd, cgroupsv1 or cgroupsv2 will work for me without some configuration. libcontainer allows disabling most things (via the bundle), but it will always try to access cgroups to create a cmanager (even if you're not applying resource limits or entering a cgroup namespace) - hence this PR. There were two ways I could tackle this PR:
I opted against 1 because it removes control from the user - if someone wants the container in a cgroup without resources or cgroup namespaces (e.g. to manage outside of libcontainer), they'd have no way to achieve that. |
|
I will say - if your goal is to have libcontainer be a runtime primarily for OCI, rather than a generic 'namespace toolkit' (like nsjail), I understand if you're not interested in this PR. |
|
We understand the demand, but this implementation is still unacceptable. This is because the demand is not very high, whereas the cost of maintenance is too high. |
This enables usage of libcontainer etc in situations where you want a rootless container and you do not have access to systemd.
This has been achieved by setting up cgroups once (on container init) and storing the config in the
youki_config.jsonfile, then loading it afterwards when it needs to be referenced rather than deriving it from scratch every time. I suspect this will fix bugs with exec not correctly using systemd for cgroups (because subcommands were not performing the check for user namespaces, they just check for the--systemd-cgroupflag).This is a breaking change to the API, as now
use_systemdcannot be overridden on theContainertype - this PR makes it a static property of the container once created (like hooks). But I think if people are doing on-the-fly editing of cgroup management for a created container they're already off the happy path of youki anyway.Note: you may want to review this via
https://github.com/youki-dev/youki/pull/2892/files?w=1(note the&w=1) to ignore whitespace differences on thecleanup_containerfunction, which has been moved to a free function rather than a method.