Merge pull request #10720 from fidencio/topic/test-cgroupsv2-on-guest

kernel: Ensure no cgroupsv1 is used
2025-09-03 18:04:16 +00:00 · 2025-01-23 21:26:49 +01:00
parent 66d292bdb4 b47cc6fffe
commit 4bc978416c
15 changed files with 32 additions and 38 deletions
--- a/src/runtime-rs/arch/aarch64-options.mk
+++ b/src/runtime-rs/arch/aarch64-options.mk
@@ -5,7 +5,7 @@
 #
 MACHINETYPE :=
-KERNELPARAMS :=
+KERNELPARAMS := cgroup_no_v1=all systemd.unified_cgroup_hierarchy=1
 MACHINEACCELERATORS :=
 CPUFEATURES := pmu=off
--- a/src/runtime-rs/arch/powerpc64le-options.mk
+++ b/src/runtime-rs/arch/powerpc64le-options.mk
@@ -5,7 +5,7 @@
 #
 MACHINETYPE := pseries
-KERNELPARAMS :=
+KERNELPARAMS := cgroup_no_v1=all systemd.unified_cgroup_hierarchy=1
 MACHINEACCELERATORS := "cap-cfpc=broken,cap-sbbc=broken,cap-ibs=broken,cap-large-decr=off,cap-ccf-assist=off"
 CPUFEATURES := pmu=off
--- a/src/runtime-rs/arch/s390x-options.mk
+++ b/src/runtime-rs/arch/s390x-options.mk
@@ -5,7 +5,7 @@
 #
 MACHINETYPE := s390-ccw-virtio
-KERNELPARAMS :=
+KERNELPARAMS := cgroup_no_v1=all systemd.unified_cgroup_hierarchy=1
 MACHINEACCELERATORS :=
 CPUFEATURES :=
--- a/src/runtime-rs/arch/x86_64-options.mk
+++ b/src/runtime-rs/arch/x86_64-options.mk
@@ -5,7 +5,8 @@
 #
 MACHINETYPE := q35
-KERNELPARAMS :=
+KERNELPARAMS := cgroup_no_v1=all systemd.unified_cgroup_hierarchy=1
 KERNELTDXPARAMS := cgroup_no_v1=all systemd.unified_cgroup_hierarchy=1
 MACHINEACCELERATORS :=
 CPUFEATURES := pmu=off
--- a/src/runtime/arch/amd64-options.mk
+++ b/src/runtime/arch/amd64-options.mk
@@ -6,7 +6,8 @@
 # Intel x86-64 settings
 MACHINETYPE := q35
-KERNELPARAMS :=
+KERNELPARAMS := cgroup_no_v1=all systemd.unified_cgroup_hierarchy=1
 KERNELTDXPARAMS := cgroup_no_v1=all systemd.unified_cgroup_hierarchy=1
 MACHINEACCELERATORS :=
 CPUFEATURES := pmu=off
--- a/src/runtime/arch/arm64-options.mk
+++ b/src/runtime/arch/arm64-options.mk
@@ -6,7 +6,7 @@
 # ARM 64 settings
 MACHINETYPE := virt
-KERNELPARAMS :=
+KERNELPARAMS := cgroup_no_v1=all systemd.unified_cgroup_hierarchy=1
 MACHINEACCELERATORS :=
 CPUFEATURES := pmu=off
--- a/src/runtime/arch/ppc64le-options.mk
+++ b/src/runtime/arch/ppc64le-options.mk
@@ -6,7 +6,7 @@
 # Power ppc64le settings
 MACHINETYPE := pseries
-KERNELPARAMS :=
+KERNELPARAMS := cgroup_no_v1=all systemd.unified_cgroup_hierarchy=1
 MACHINEACCELERATORS := "cap-cfpc=broken,cap-sbbc=broken,cap-ibs=broken,cap-large-decr=off,cap-ccf-assist=off"
 CPUFEATURES :=
 KERNELTYPE := uncompressed #This architecture must use an uncompressed kernel.
--- a/src/runtime/arch/s390x-options.mk
+++ b/src/runtime/arch/s390x-options.mk
@@ -6,7 +6,7 @@
 # s390x settings
 MACHINETYPE := s390-ccw-virtio
-KERNELPARAMS :=
+KERNELPARAMS := cgroup_no_v1=all systemd.unified_cgroup_hierarchy=1
 MACHINEACCELERATORS :=
 CPUFEATURES :=
--- a/tests/integration/cri-containerd/integration-tests.sh
+++ b/tests/integration/cri-containerd/integration-tests.sh
@@ -660,7 +660,9 @@ function main() {
 			break
 		else
 			TestKilledVmmCleanup
-			TestDeviceCgroup
+
 			info "Skipping TestDeviceCgroup till the test is adapted to cgroupsv2"
 			#TestDeviceCgroup
 		fi
 	fi
--- a/tests/integration/kubernetes/gha-run.sh
+++ b/tests/integration/kubernetes/gha-run.sh
@@ -200,7 +200,7 @@ function deploy_kata() {
 	fi
 	if [ "${KATA_HOST_OS}" = "cbl-mariner" ]; then
-		yq -i ".env.allowedHypervisorAnnotations = \"image kernel default_vcpus kernel_params\"" "${values_yaml}"
+		yq -i ".env.allowedHypervisorAnnotations = \"image kernel default_vcpus\"" "${values_yaml}"
 		yq -i ".env.hostOS = \"${KATA_HOST_OS}\""                                   "${values_yaml}"
 	fi
--- a/tests/integration/kubernetes/k8s-cpu-ns.bats
+++ b/tests/integration/kubernetes/k8s-cpu-ns.bats
@@ -21,11 +21,15 @@ setup() {
 	pod_name="constraints-cpu-test"
 	container_name="first-cpu-container"
-	sharessyspath="/sys/fs/cgroup/cpu/cpu.shares"
+
-	quotasyspath="/sys/fs/cgroup/cpu/cpu.cfs_quota_us"
+	weightsyspath="/sys/fs/cgroup/cpu.weight"
-	periodsyspath="/sys/fs/cgroup/cpu/cpu.cfs_period_us"
+	maxsyspath="/sys/fs/cgroup/cpu.max"
 	total_cpus=2
-	total_requests=512
+	# https://github.com/containers/crun/blob/main/crun.1.md#cgroup-v2
 	# The weight is calculated by the:
 	# weight = (1 + ((request - 2) * 9999) / 262142)
 	total_requests=20
 	total_cpu_container=1
 	get_pod_config_dir
@@ -38,17 +42,13 @@ setup() {
 	exec_num_cpus_cmd=(sh -c "${num_cpus_cmd}")
 	add_exec_to_policy_settings "${policy_settings_dir}" "${exec_num_cpus_cmd[@]}"
-	quotasyspath_cmd="cat ${quotasyspath}"
+	maxsyspath_cmd="cat ${maxsyspath}"
-	exec_quotasyspath_cmd=(sh -c "${quotasyspath_cmd}")
+	exec_maxsyspath_cmd=(sh -c "${maxsyspath_cmd}")
-	add_exec_to_policy_settings "${policy_settings_dir}" "${exec_quotasyspath_cmd[@]}"
+	add_exec_to_policy_settings "${policy_settings_dir}" "${exec_maxsyspath_cmd[@]}"
-	periodsyspath_cmd="cat ${periodsyspath}"
+	weightsyspath_cmd="cat ${weightsyspath}"
-	exec_periodsyspath_cmd=(sh -c "${periodsyspath_cmd}")
+	exec_weightsyspath_cmd=(sh -c "${weightsyspath_cmd}")
-	add_exec_to_policy_settings "${policy_settings_dir}" "${exec_periodsyspath_cmd[@]}"
+	add_exec_to_policy_settings "${policy_settings_dir}" "${exec_weightsyspath_cmd[@]}"
 	sharessyspath_cmd="cat ${sharessyspath}"
 	exec_sharessyspath_cmd=(sh -c "${sharessyspath_cmd}")
 	add_exec_to_policy_settings "${policy_settings_dir}" "${exec_sharessyspath_cmd[@]}"
 	add_requests_to_policy_settings "${policy_settings_dir}" "ReadStreamRequest"
 	auto_generate_policy "${policy_settings_dir}" "${yaml_file}"
@@ -77,18 +77,15 @@ setup() {
 	# Check the total of requests
 	total_requests_container=$(kubectl exec $pod_name -c $container_name \
-		-- "${exec_sharessyspath_cmd[@]}")
+		-- "${exec_weightsyspath_cmd[@]}")
 	info "total_requests_container = $total_requests_container"
 	[ "$total_requests_container" -eq "$total_requests" ]
 	# Check the cpus inside the container
-	total_cpu_quota=$(kubectl exec $pod_name -c $container_name \
+	read total_cpu_quota total_cpu_period <<< $(kubectl exec $pod_name -c $container_name \
-		-- "${exec_quotasyspath_cmd[@]}")
+		-- "${exec_maxsyspath_cmd[@]}")
 	total_cpu_period=$(kubectl exec $pod_name -c $container_name \
 		-- "${exec_periodsyspath_cmd[@]}")
 	division_quota_period=$(echo $((total_cpu_quota/total_cpu_period)))
--- a/tests/integration/kubernetes/setup.sh
+++ b/tests/integration/kubernetes/setup.sh
@@ -108,13 +108,10 @@ add_cbl_mariner_specific_annotations() {
 		local mariner_annotation_image="io.katacontainers.config.hypervisor.image"
 		local mariner_image_path="/opt/kata/share/kata-containers/kata-containers-mariner.img"
 		local mariner_annotation_kernel_params="io.katacontainers.config.hypervisor.kernel_params"
 		local mariner_kernel_params="SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1 systemd.legacy_systemd_cgroup_controller=yes systemd.unified_cgroup_hierarchy=0"
 		for K8S_TEST_YAML in runtimeclass_workloads_work/*.yaml
 		do
 			add_annotations_to_yaml "${K8S_TEST_YAML}" "${mariner_annotation_kernel}" "${mariner_kernel_path}"
 			add_annotations_to_yaml "${K8S_TEST_YAML}" "${mariner_annotation_image}" "${mariner_image_path}"
 			add_annotations_to_yaml "${K8S_TEST_YAML}" "${mariner_annotation_kernel_params}" "${mariner_kernel_params}"
 		done
 	fi
 }
--- a/tools/packaging/kernel/configs/fragments/common/cgroup.conf
+++ b/tools/packaging/kernel/configs/fragments/common/cgroup.conf
@@ -2,7 +2,6 @@
 # also used/looked for by systemd rootfs.
 CONFIG_CGROUPS=y
 CONFIG_MEMCG=y
 CONFIG_MEMCG_V1=y
 CONFIG_BLK_CGROUP=y
 CONFIG_CGROUP_WRITEBACK=y
 CONFIG_CGROUP_SCHED=y
@@ -11,7 +10,6 @@ CONFIG_CFS_BANDWIDTH=y
 CONFIG_CGROUP_PIDS=y
 CONFIG_CGROUP_FREEZER=y
 CONFIG_CPUSETS=y
 CONFIG_CPUSETS_V1=y
 CONFIG_CGROUP_DEVICE=y
 CONFIG_CGROUP_CPUACCT=y
 CONFIG_CGROUP_HUGETLB=y
--- a/tools/packaging/kernel/configs/fragments/whitelist.conf
+++ b/tools/packaging/kernel/configs/fragments/whitelist.conf
@@ -38,5 +38,3 @@ CONFIG_PAGE_TABLE_ISOLATION
 CONFIG_MITIGATION_PAGE_TABLE_ISOLATION
 CONFIG_VFIO_AP
 CONFIG_VFIO_MDEV
 CONFIG_CPUSETS_V1
 CONFIG_MEMCG_V1
--- a/tools/packaging/kernel/kata_config_version
+++ b/tools/packaging/kernel/kata_config_version
@@ -1 +1 @@
-144
+145