> On Nov. 1, 2016, 4:43 a.m., Jie Yu wrote: > > src/slave/containerizer/mesos/isolators/namespaces/cgroup.hpp, line 28 > > <https://reviews.apache.org/r/53296/diff/2/?file=1548952#file1548952line28> > > > > Instead of creating a new namespace/cgroup isolator, I would suggest we > > add the support to cgroups isolator. It looks weird to me to have a > > namespace/cgroup isolator without using the cgroups isolator. > > haosdent huang wrote: > I think it still possible to use `namespaces/cgroup` isolator without > `cgroups` isolation? If user only want to isolate the host cgroups > environment from the container. > > Jie Yu wrote: > What's the use case for that? I feel that it will be strange to enable > cgroup namespace if containers still share the same cgroup. There will be no > isolation if two containers try to manipulate the cgroups. That defeats the > purpose of using cgroup namespace. > > haosdent huang wrote: > For example, we launch docker daemon in the host, which would use > `/sys/fs/cgroup/xx/subsystem_name` as the hierarchies. > Then we want hide this in the containers launched by Mesos. In this case, > we only need `namespace/cgroup` isolator without cgroups isolation. > > Jie Yu wrote: > If you don't enable cgroups isolator, all container's process will be in > root cgroup. IIUC, even the new container is put into a new cgroup namespace, > it can still see docker's cgroups, no? > > haosdent huang wrote: > >all container's process will be in root cgroup > > Yes > > >it can still see docker's cgroups, no > > Could not. Refer to https://reviews.apache.org/r/53517/, we could a > cgroup in the host namesapce, but it invisible in the containers. > > haosdent huang wrote: > systemd would let the containers use user.slice as the default cgroup > root in that case. > > Jie Yu wrote: > Here is the experiment I ran on my box: > > Console 1: > ``` > root@ubuntu-xenial:~/opt# mkdir /sys/fs/cgroup/memory/test > root@ubuntu-xenial:~/opt# echo $$ > 29643 > root@ubuntu-xenial:~/opt# echo 29643 > /sys/fs/cgroup/memory/test/tasks > root@ubuntu-xenial:~/opt# cat /proc/self/cgroup | grep memory > 9:memory:/test > root@ubuntu-xenial:~/opt# /home/ubuntu/opt/util-linux/bin/unshare -Cm > /bin/bash > root@ubuntu-xenial:~/opt# cat /proc/self/cgroup | grep memory > 9:memory:/ > root@ubuntu-xenial:~/opt# cat /proc/1/cgroup | grep memory > 9:memory:/../init.scope > ``` > > Console 2: > ``` > root@ubuntu-xenial:~# sudo mkdir /sys/fs/cgroup/memory/test/sub-test > ``` > > Console 1: > ``` > root@ubuntu-xenial:~/opt# ls -al /sys/fs/cgroup/memory | grep sub-test > drwxr-xr-x 2 root root 0 Nov 6 23:21 sub-test > ``` > > haosdent huang wrote: > In console 1, need to remount cgroup after > `/home/ubuntu/opt/util-linux/bin/unshare -Cm /bin/bash`. > > ``` > $ unshare -Cm bash > $ awk '{ if ($8 == "cgroup" && $4 ~ /^\/../) { cmd = cmd > sprintf("umount %s\n", $5); cmd = cmd sprintf("mount -t cgroup -o %s %s > %s\n", $10, $9, $5); }} END { system(cmd);}' /proc/self/mountinfo > ``` > > Then `sub-test` > > ``` > $ ls -1 /sys/fs/cgroup/memory/|grep sub-test > sub-test > ``` > > Jie Yu wrote: > Sorry, Yeah, I did do a remount of memory subsystem and forgot to paste > the command there. The result I showed above is after I do a re-mount of > subsystem. > > My point is: even the container uses cgroup namespace, the host processes > can still create cgroups in its root cgroup, and that cgroup will show up in > container's cgroup. > > That being said, using cgroup namespace along without cgroup isolator > sounds weird because all containers share the same cgroup. > > haosdent huang wrote: > Hmm, I see, let me do it in the cgroups isolator. So we add a new flag > like `--enable_cgroup_namespace` in the agent or add a new field to `message > ContainerInfo`?
ok, thought about this more. Although I feel like it's not quite useful if cgroups isolator is not used, but this namespace isolator along does address one scenario where the agent itself is running in a non root cgroup (e.g., it's launched by init like systemd). So, let's keep it as a separate isolator. - Jie ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/53296/#review154371 ----------------------------------------------------------- On Nov. 6, 2016, 12:47 p.m., haosdent huang wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/53296/ > ----------------------------------------------------------- > > (Updated Nov. 6, 2016, 12:47 p.m.) > > > Review request for mesos, Jie Yu, Qian Zhang, and Jiang Yan Xu. > > > Bugs: MESOS-5410 > https://issues.apache.org/jira/browse/MESOS-5410 > > > Repository: mesos > > > Description > ------- > > Added cgroup namespace support for unified container. > > > Diffs > ----- > > src/CMakeLists.txt aef9ae6d2872dc15725c01ce85b657965485605f > src/Makefile.am 5a47c93388234a68c3c486a021ccdbe3213c5bac > src/slave/containerizer/mesos/containerizer.cpp > 67cc595278f124cdf518d2f4fcfb257439f067e2 > src/slave/containerizer/mesos/isolators/namespaces/cgroup.hpp PRE-CREATION > src/slave/containerizer/mesos/isolators/namespaces/cgroup.cpp PRE-CREATION > > Diff: https://reviews.apache.org/r/53296/diff/ > > > Testing > ------- > > The test case is on the way. > > > Thanks, > > haosdent huang > >
