Add cgroup support

[WeiZhang555]

cgroups: add host cgroup support

Fixes #344

Add host cgroup support for kata.

This commits only adds cpu.cfs_period and cpu.cfs_quota support.

It will create 3-level hierarchy, take "cpu" cgroup as an example:

/sys/fs/cgroup
|---cpu
   |---vc
      |---<sandbox-id>
         |--vcpu
      |---<sandbox-id>

• vc cgroup is common parent for all kata-container sandbox, it won't be removed
  after sandbox removed. This cgroup has no limitation.
• <sandbox-id> cgroup is the layer for each sandbox, it contains all other qemu
  threads except for vcpu threads. In future, we can consider putting all shim
  processes and proxy process here. This cgroup has no limitation yet.
• vcpu cgroup contains vcpu threads from qemu. Currently cpu quota and period
  constraint applies to this cgroup.

Signed-off-by: Wei Zhang [email protected]
Signed-off-by: Jingxiao Lu [email protected]

[WeiZhang555]

Replace #416

[WeiZhang555]

Note 1:

Currently I imported "github.com/WeiZhang555/cgroups", this repo is actually a fork of master branch of github.com/containerd/cgroups. The reason I made a fork instead of original code is:

1. latest code of github.com/containerd/cgroups uses a higher version of runtime-spec, which contains new RDMA cgroup support: https://github.com/containerd/cgroups/blob/master/rdma.go, importing this repo requires we bump runtime-spec for both kata-runtime and kata-agent.
2. latest code has bug according to test, raised a PR to fix: Bugfix: can't write to cpuset cgroup containerd/cgroups#54
3. another way is we use an older version of github.com/containerd/cgroups without RDMA codes, according to my test, the latest code without RDMA support also misses an important function: AddTask(), without this, I can't do fine-granularity resource limitation.

Combining the issues above, I will suggest:
** 1. we fork latest code from github.com/containerd/cgroups under kata-containers, but removes RDMA codes, including the bugfix I mentioned, then this PR can vendor github.com/kata-containers/cgroups instead of github.com/WeiZhang555/cgroups.**

---

Note 2:

govmm needs a vendor, will do it once this PR looks good

[WeiZhang555]

Because there's cgroup support in kata-agent, so we need to do some trick to see if this really works.

test steps with docker:

# docker run --rm -it --cpu-quota 60000 --cpu-period 100000 --runtime kata progrium/stress --cpu 4  --timeout 600s

Top on host, you can see the qemu process takes about 60% cpu usage.

then enter /sys/fs/cgroup/cpu/vc/<container-id>/vcpu, modify content of cpu.cfs_quota_us from 60000 to 40000, you are expected to see qemu cpu cost will go down from 60% to 40%. This can let you know it really works.

test steps with k8s + cri-containerd

Use this pod spec:

apiVersion: v1
kind: Pod
metadata:
  name: nginx-untrusted
  annotations:
    io.kubernetes.cri.untrusted-workload: "true"
spec:
  containers:
  - name: nginx
    image: nginx
    resources:
      requests:
        memory: "64Mi"
        cpu: "250m"
      limits:
        memory: "128Mi"
        cpu: "500m"
  - name: busybox
    image: busybox
    command: ['top']
    resources:
      requests:
        memory: "64Mi"
        cpu: "100m"
      limits:
        memory: "128Mi"
        cpu: "200m"

There will be 2 containers inside the POD, nginx with a cpu quota/period of "50000/100000", and busybox with a cpu quota/period of "20000/100000", so value of cpu.cfs_quota_us and cpu.cfs_period_us in /sys/fs/cgroup/cpu/vc/<sandbox-id>/vcpu/ would be "70000" and "10000",
that's expected.

issue found

When tested with cri-containerd with above pod spec, the resource limit in cgroup is set to 0.7 core as expected, but the VM got 3 vcpu, that's not right.

Guess that's because we hotplugged two vcpus for two containers, plus default one vcpu. We should do more accurate calculation for VCPU numbers.

[katacontainersbot]

PSS Measurement:
Qemu: 167489 KB
Proxy: 4350 KB
Shim: 9018 KB

Memory inside container:
Total Memory: 2043460 KB
Free Memory: 2006696 KB

[katacontainersbot]

PSS Measurement:
Qemu: 167264 KB
Proxy: 4163 KB
Shim: 8891 KB

Memory inside container:
Total Memory: 2043460 KB
Free Memory: 2006696 KB

[katacontainersbot]

PSS Measurement:
Qemu: 173229 KB
Proxy: 4047 KB
Shim: 8897 KB

Memory inside container:
Total Memory: 2043460 KB
Free Memory: 2006884 KB

[codecov]

Codecov Report

Merging #734 into master will decrease coverage by 0.34%.
The diff coverage is 46.29%.

@@            Coverage Diff             @@
##           master     #734      +/-   ##
==========================================
- Coverage   66.09%   65.75%   -0.35%     
==========================================
  Files          87       88       +1     
  Lines       10705    10685      -20     
==========================================
- Hits         7076     7026      -50     
- Misses       2897     2919      +22     
- Partials      732      740       +8

[bergwolf]

A huge PR but it is really something we need. I'll take a closer look later today. Thanks @WeiZhang555 !

[bergwolf]

Generally looks good. A few comments inline.

[bergwolf]

Please move the comments as well if the braces are intentional.

[WeiZhang555]

Got it!

[bergwolf]

This is already called in createContainers(). Are you trying to make sure there is host cpu cg even for an empty sandbox?

[WeiZhang555]

No, this s.setupCgroups() in createSandboxFromConfig is for the initial sandbox container, in this sandbox it has exactly one container. Another call of s.setupCgroups() is in s.CreateContainer(). The setup process only happens once for each container(including sandbox container), there's no duplicate call.

[bergwolf]

@WeiZhang555 There is a code path createSandboxFromConfig -> s.createContainers -> createContainer -> setupCgroups for the initial container in the sandbox as well.

[WeiZhang555]

createContainer -> setupCgroups doesn't exist.

Maybe you mixed createContainer() from virtcontainers/container.go with the one from cli/create.go ?

[bergwolf]

oops, you are right! I mixed the two createcontainer() functions in sandbox.go and container.go, though they have a initial capital difference. Sry for the noise...

[bergwolf]

Default cpu quota might conflict globally on the host if we exceed the total available CPU time. While users might set it to exceed, we should not make it happen unintentionally. docker/runc does not set default quota for containers either.

[WeiZhang555]

The worry is, if there's two containers inside a POD, one with quota 6000, the other one with quota -1 (unlimited), total quota will be 6000.

That means with my calculation, one container with 0.6 core + one container with unlimited cores = 0.6 core.
Not sure if this can satisfy everyone, I can only suggest user, if you set a limit for one container, you should set limit for every container too...

[devimc]

please file an issue

[WeiZhang555]

@devimc Here it is: #743 😄

[bergwolf]

Nice! I like the proportional calculation and the comments!

[bergwolf]

@WeiZhang555 Nice patch, thanks! w.r.t. the containerd bug, is it possible to push containerd/cgroups#54 forward? Also I think we should update our spec version even though we do not support rdma right now. Then we can import from containerd directly ;)

[WeiZhang555]

@bergwolf

Nice patch, thanks! w.r.t. the containerd bug, is it possible to push containerd/cgroups#54 forward?

I think this is achivable, just can't be sure how long it takes.

Also I think we should update our spec version even though we do not support rdma right now. Then we can import from containerd directly ;)

I need to check if bumping runtime-spec breaks anything. Currently kata-runtime and kata-agent are using latest stable release v1.0.1, I think we have more reasons to keep it v1.0.1 as it's a stable release, you know, comparing to an in-developing master branch.

[crosbymichael]

We bumped the spec in containerd, you shouldn't have any backward incompat issues

[WeiZhang555]

Hi @crosbymichael , thank you for your response! Then I think bumping kata-runtime's runtime spec version is the right way, kata-runtime/agent should use same/similiar version of runtime spec with containerd 😄

[raravena80]

@WeiZhang555 ping from your weekly Kata herder.

[WeiZhang555]

Rebased.

ping @devimc , what do you think of this #734 (comment) ?

[caoruidong]

/test

[WeiZhang555]

It seems we got some LGTMs from @bergwolf @devimc @jshachm .
@sboeuf @jodh-intel @egernst do you want to take another look at this?

Two legacy issues need to be resolved in following PR:

• honor cgroupsPath in config.json
• honor --systemd-cgroup flags

[caoruidong]

So are vcpus[] thread ids or cpu ids? I'm a little confused.

[WeiZhang555]

They are thread ids

[WeiZhang555]

/test

[WeiZhang555]

CI passed. Merging this as we have enough LGTMs and it has been pending for long time.

[crosbymichael]

Yeah! Congrats

[WeiZhang555]

@liangxianlong I'm not sure about your meaning by "reuse" my code. If you want to reuse kata-runtime codes to implement new feature, please go ahead and do it! This is an open source project and you're welcome to use and contribute!

[liangxianlong]

@WeiZhang555 I test your code, i run this command "docker run -ti --cpuset-cpus 1 busybox /bin/sh",and the i see the directory on my host: "/sys/fs/cgroup/cpuset/kata/e76fe6c34d9e75333b06091e0a68095a470ba4333c3de4440e99010029f1674a/vcpu". But if we have two vcpus, i think the directory should like this "/sys/fs/cgroup/cpuset/kata/e76fe6c34d9e75333b06091e0a68095a470ba4333c3de4440e99010029f1674a/vcpu0" and "/sys/fs/cgroup/cpuset/kata/e76fe6c34d9e75333b06091e0a68095a470ba4333c3de4440e99010029f1674a/vcpu1"

[WeiZhang555]

@liangxianlong So you are trying to support cpuset, currently only cfs_quota and cfs_period are supported.

cpuset support could be more complicated, it depends on our cgroup setting policy.

1. we have host cgroup and guest cgroup support, supporting cpuset need coordinate between guest and host cgroup
2. suppose a container with 1.5 core and cpuset "0-1", we don't need to set cpuset seperately for vcpu 0 and 1, we can put vcpus in same cgroup and write "0-1" in cgroup config, you don't have to put them in seperate dir

[liangxianlong]

@WeiZhang555 Now，i don't care container. In my test, after "docker run -ti --cpuset-cpus 1 busybox /bin/sh ", there will be two results, (1)the container's process in vm is bound to vcpu1, (2) build a diretory on host "/sys/fs/cgroup/cpuset/kata/${sandbox-id}/vcpu". The vcpux is just a qemu thread,so if we want to realize this: Bind the vcpu to the physical cpu;Does the code need some modifications?

[WeiZhang555]

@liangxianlong This is achievable, you can enhance the code to add cpuset support, it should be easy.

[liangxianlong]

@liangxianlong This is achievable, you can enhance the code to add cpuset support, it should be easy.

thanks. Another question, if i run "docker run -ti busybox /bin/sh ", two directory will be built on my host,
(1) /sys/fs/cgroup/cpuset/kata/${sandbox-id}/vcpu; (2) /sys/fs/cgroup/cpu/kata/${sandbox-id}/vcpu. I think it should only build "/sys/fs/cgroup/cpu/kata/${sandbox-id}/vcpu". Why does the code create two directories?

[WeiZhang555]

@liangxianlong That's because github,com/containerd/cgroups doesn't give us an interface to only build cpu/kata/vcpu without building cpuset/kata/vcpu, it's a miss of cgroups lib api.

By the way, it's better to open another issue for discussing and tracking this, discussing under a closed PR may be ignored by other people, this is not right place 😄

[liangxianlong]

@WeiZhang555 think s! I'm new to kata and interested in it，so please bear with me. xixi.

[liangxianlong]

@WeiZhang555 Regarding this PR, I asked a question, please take a look, thank you.
#901