containerd: add option to set parent cgroup #5033
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
tonistiigi
reviewed
Jun 13, 2024
thaJeztah
reviewed
Jun 13, 2024
| } | ||
| } | ||
| opt, err := containerd.NewWorkerOpt(common.config.Root, cfg.Address, snapshotter, cfg.Namespace, cfg.Rootless, cfg.Labels, dns, nc, common.config.Workers.Containerd.ApparmorProfile, common.config.Workers.Containerd.SELinux, parallelismSem, common.traceSocket, runtime, ctd.WithTimeout(60*time.Second)) | ||
| opt, err := containerd.NewWorkerOpt(common.config.Root, cfg.Address, snapshotter, cfg.Namespace, cfg.CgroupParent, cfg.Rootless, cfg.Labels, dns, nc, common.config.Workers.Containerd.ApparmorProfile, common.config.Workers.Containerd.SELinux, parallelismSem, common.traceSocket, runtime, ctd.WithTimeout(60*time.Second)) |
There was a problem hiding this comment.
This list of argument is getting really really long, and probably requires changes in Moby as well; should we implement a struct for passing options? Similar to https://github.com/moby/moby/blob/450f18d3cae6be625d671b6bacd3eefcaaa13bb9/builder/builder-next/builder.go#L79 ?
There was a problem hiding this comment.
Ah, I wanted to comment on the other file 🙈 same applies 😅
There was a problem hiding this comment.
Don't refactor this in the same PR. Future follow-up welcome.
Using the "runc.v2" runtime, it is possible to configure containerd to start
runc with the "systemd_cgroup" flag. This will cause runc to use systemd to
manage the container cgroups. For this configuration to work, runc needs the
cgroup name to be of a special form: "<systemd.slice>:<parent>:<name>".
This is already implemented in the containerd runtime package, provided that
a parent cgroup of the form "<systemd.slice>:<parent>:" is set.
This commit adds the option to configure such a parent cgroup for the
containerd worker. By default, it will still use an empty string as cgroup
parent, keeping existing behaviour.
Using a configuration like:
[worker.containerd]
defaultCgroupParent = "system.slice:buildkit:"
[worker.containerd.runtime]
name = "io.containerd.runc.v2"
[worker.containerd.runtime.options]
SystemdCgroup = true
a user is able to have their container cgroups managed by systemd. This makes
it possible to set global resource constraints on a per-container basis using
systemd drop-in configuration. When using the example above, the following file
restricts every container spawned by buildkit to use only 1 CPU and 1G of RAM:
$ cat /etc/systemd/system/buildkit-.scope.d/limits.conf
[Scope]
CPUQuota=100%
MemoryMax=1G
Signed-off-by: Moritz "WanzenBug" Wanzenböck <moritz@wanzenbug.xyz>
ef8da09 to
5cb8618
Compare
tonistiigi
approved these changes
Jun 15, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Using the
runc.v2runtime, it is possible to configure containerd to start runc with the "systemd_cgroup" flag. This will cause runc to use systemd to manage the container cgroups. For this configuration to work, runc needs the cgroup name to be of a special form:<systemd.slice>:<parent>:<name>. This is already implemented in the containerd runtime package, provided that a parent cgroup of the form<systemd.slice>:<parent>:is set.This commit adds the option to configure such a parent cgroup for the containerd worker. By default, it will still use an empty string as cgroup parent, keeping existing behaviour.
Using a configuration like:
a user is able to have their container cgroups managed by systemd. This makes it possible to set global resource constraints on a per-container basis using systemd drop-in configuration. When using the example above, the following file restricts every container spawned by buildkit to use only 1 CPU and 1G of RAM: