agent: support systemd cgroup for kata agent

1. Implemented a rust module for operating cgroups through systemd with the help of zbus (src/agent/rustjail/src/cgroups/systemd).
2. Added support for optional cgroup configuration through fs and systemd at the agent (src/agent/rustjail/src/container.rs).
3. Described the usage and supported properties of the agent systemd cgroup (docs/design/agent-systemd-cgroup.md).

Fixes: #4336

Signed-off-by: Yuan-Zhuo <yuanzhuo0118@outlook.com>
Yuan-Zhuo
2022-10-25 13:57:09 +08:00
parent a151d8ee50
commit d7bb4b5512
31 changed files with 4546 additions and 148 deletions


@@ -23,7 +23,6 @@ import (
"github.com/kata-containers/kata-containers/src/runtime/pkg/device/config"
volume "github.com/kata-containers/kata-containers/src/runtime/pkg/direct-volume"
"github.com/kata-containers/kata-containers/src/runtime/pkg/katautils/katatrace"
resCtrl "github.com/kata-containers/kata-containers/src/runtime/pkg/resourcecontrol"
"github.com/kata-containers/kata-containers/src/runtime/pkg/uuid"
persistapi "github.com/kata-containers/kata-containers/src/runtime/virtcontainers/persist/api"
pbTypes "github.com/kata-containers/kata-containers/src/runtime/virtcontainers/pkg/agent/protocols"
@@ -927,18 +926,19 @@ func (k *kataAgent) constrainGRPCSpec(grpcSpec *grpc.Spec, passSeccomp bool, str
grpcSpec.Linux.Resources.CPU.Mems = ""
}
// We need agent systemd cgroup now.
// There are three main reasons to do not apply systemd cgroups in the VM
// - Initrd image doesn't have systemd.
// - Nobody will be able to modify the resources of a specific container by using systemctl set-property.
// - docker is not running in the VM.
if resCtrl.IsSystemdCgroup(grpcSpec.Linux.CgroupsPath) {
// Convert systemd cgroup to cgroupfs
slice := strings.Split(grpcSpec.Linux.CgroupsPath, ":")
// 0 - slice: system.slice
// 1 - prefix: docker
// 2 - name: abc123
grpcSpec.Linux.CgroupsPath = filepath.Join("/", slice[1], slice[2])
}
// if resCtrl.IsSystemdCgroup(grpcSpec.Linux.CgroupsPath) {
// // Convert systemd cgroup to cgroupfs
// slice := strings.Split(grpcSpec.Linux.CgroupsPath, ":")
// // 0 - slice: system.slice
// // 1 - prefix: docker
// // 2 - name: abc123
// grpcSpec.Linux.CgroupsPath = filepath.Join("/", slice[1], slice[2])
// }
// Disable network namespace since it is already handled on the host by
// virtcontainers. The network is a complex part which cannot be simply
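Review bot: The old systemd-to-cgroupfs conversion survives as a commented-out block (`// if resCtrl.IsSystemdCgroup(grpcSpec.Linux.CgroupsPath) {` through `// }`), and the paragraph above it now contradicts itself: "We need agent systemd cgroup now." is followed by three reasons not to apply systemd cgroups in the VM, which no longer describe what the code does. Since the first hunk of this file also drops the `resCtrl` import, those commented lines reference a package that is no longer in scope and will only go stale. I would delete the commented-out block and the stale reasons and keep a single comment stating the current behaviour, e.g. `// Pass Linux.CgroupsPath through unchanged: the agent now accepts the systemd "slice:prefix:name" form and chooses fs or systemd cgroup management itself.` Because the runtime no longer normalizes this value, the agent-side parser is the only place a malformed or unexpected cgroups path gets rejected, so it is worth confirming that the new rustjail systemd module validates the three-part form rather than indexing into it the way the removed `slice[1], slice[2]` code did. constrainGRPCSpec starts before this hunk and continues after it.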


@@ -574,7 +574,7 @@ func TestAppendVhostUserBlkDevices(t *testing.T) {
func TestConstrainGRPCSpec(t *testing.T) {
assert := assert.New(t)
expectedCgroupPath := "/foo/bar"
expectedCgroupPath := "system.slice:foo:bar"
g := &pb.Spec{
Hooks: &pb.Hooks{},