> On Nov. 1, 2016, 4:43 a.m., Jie Yu wrote:
> > src/slave/containerizer/mesos/isolators/namespaces/cgroup.hpp, line 28
> > <https://reviews.apache.org/r/53296/diff/2/?file=1548952#file1548952line28>
> >
> >     Instead of creating a new namespace/cgroup isolator, I would suggest we 
> > add the support to the cgroups isolator. It looks weird to me to have a 
> > namespace/cgroup isolator without using the cgroups isolator.
> 
> haosdent huang wrote:
>     I think it is still possible to use the `namespaces/cgroup` isolator without 
> `cgroups` isolation? If a user only wants to isolate the host cgroups 
> environment from the container.
> 
> Jie Yu wrote:
>     What's the use case for that? I feel that it will be strange to enable 
> cgroup namespace if containers still share the same cgroup. There will be no 
> isolation if two containers try to manipulate the cgroups. That defeats the 
> purpose of using cgroup namespace.
> 
> haosdent huang wrote:
>     For example, we launch the docker daemon on the host, which would use 
> `/sys/fs/cgroup/xx/subsystem_name` as the hierarchies.
>     Then we want to hide this in the containers launched by Mesos. In this case, 
> we only need the `namespace/cgroup` isolator without cgroups isolation.
> 
> Jie Yu wrote:
>     If you don't enable the cgroups isolator, all containers' processes will be in 
> the root cgroup. IIUC, even if the new container is put into a new cgroup namespace, 
> it can still see docker's cgroups, no?
> 
> haosdent huang wrote:
>     >all container's process will be in root cgroup
>     
>     Yes
>     
>     >it can still see docker's cgroups, no
>     
>     Could not. Refer to https://reviews.apache.org/r/53517/: we could create a 
> cgroup in the host namespace, but it is invisible in the containers.
> 
> haosdent huang wrote:
>     systemd would let the containers use user.slice as the default cgroup 
> root in that case.
> 
> Jie Yu wrote:
>     Here is the experiment I ran on my box:
>     
>     Console 1:
>     ```
>     root@ubuntu-xenial:~/opt# mkdir /sys/fs/cgroup/memory/test
>     root@ubuntu-xenial:~/opt# echo $$
>     29643
>     root@ubuntu-xenial:~/opt# echo 29643 > /sys/fs/cgroup/memory/test/tasks 
>     root@ubuntu-xenial:~/opt# cat /proc/self/cgroup | grep memory
>     9:memory:/test
>     root@ubuntu-xenial:~/opt# /home/ubuntu/opt/util-linux/bin/unshare -Cm /bin/bash
>     root@ubuntu-xenial:~/opt# cat /proc/self/cgroup | grep memory
>     9:memory:/
>     root@ubuntu-xenial:~/opt# cat /proc/1/cgroup  | grep memory
>     9:memory:/../init.scope
>     ```
>     
>     Console 2:
>     ```
>     root@ubuntu-xenial:~# sudo mkdir /sys/fs/cgroup/memory/test/sub-test
>     ```
>     
>     Console 1:
>     ```
>     root@ubuntu-xenial:~/opt# ls -al /sys/fs/cgroup/memory | grep sub-test
>     drwxr-xr-x  2 root root   0 Nov  6 23:21 sub-test
>     ```
> 
> haosdent huang wrote:
>     In console 1, you need to remount cgroup after 
> `/home/ubuntu/opt/util-linux/bin/unshare -Cm /bin/bash`.
>     
>     ```
>     $ unshare -Cm bash
>     $ awk '{
>         if ($8 == "cgroup" && $4 ~ /^\/../) {
>           cmd = cmd sprintf("umount %s\n", $5);
>           cmd = cmd sprintf("mount -t cgroup -o %s %s %s\n", $10, $9, $5);
>         }
>       } END { system(cmd); }' /proc/self/mountinfo
>     ```
>     
>     Then `sub-test`
>     
>     ```
>     $ ls -1 /sys/fs/cgroup/memory/|grep sub-test
>     sub-test
>     ```
> 
> Jie Yu wrote:
>     Sorry, Yeah, I did do a remount of memory subsystem and forgot to paste 
> the command there. The result I showed above is after I do a re-mount of 
> subsystem.
>     
>     My point is: even if the container uses a cgroup namespace, the host processes 
> can still create cgroups in its root cgroup, and that cgroup will show up in the 
> container's cgroup.
>     
>     That being said, using the cgroup namespace alone without the cgroup isolator 
> sounds weird because all containers share the same cgroup.
> 
> haosdent huang wrote:
>     Hmm, I see, let me do it in the cgroups isolator. So we add a new flag 
> like `--enable_cgroup_namespace` in the agent or add a new field to `message 
> ContainerInfo`?

ok, thought about this more. Although I feel like it's not quite useful if the 
cgroups isolator is not used, this namespace isolator alone does address 
one scenario where the agent itself is running in a non-root cgroup (e.g., it's 
launched by init like systemd). So, let's keep it as a separate isolator.


- Jie
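The remount step haosdent describes, and the `/..`-prefixed cgroup roots in Jie's transcript, as an added example that is not part of the Mesos review or the project's code: a dry-run planner that reads `/proc/self/mountinfo`-format lines and prints the `umount`/`mount` commands a process would run after `unshare -Cm`, plus a helper that flags controllers whose `/proc/PID/cgroup` path lies above the namespace root. The function names and the sample input lines are constructed for this example; it assumes cgroup v1 hierarchies.

```shell
#!/bin/sh
# Added example (not Mesos code): plan the cgroup v1 remount needed inside a
# freshly unshared cgroup namespace without executing anything.

# Print "umount MNT" and "mount -t cgroup -o OPTS SRC MNT" for every cgroup v1
# mount whose root is not "/" (i.e. it was mounted from a parent namespace).
# Input: mountinfo lines on stdin. Output: commands only; nothing is run.
cgroup_remount_plan() {
    awk '
    {
        # mountinfo carries a variable number of optional fields (e.g.
        # "shared:13") before the " - " separator, so fixed indices such as
        # $8/$9/$10 are only right when there are none. Split at the
        # separator instead and index the two halves separately.
        sep = index($0, " - ")
        if (sep == 0) next
        split(substr($0, 1, sep - 1), pre, " ")   # id parent dev root mnt opts [optional...]
        split(substr($0, sep + 3), post, " ")     # fstype source superopts
        root = pre[4]; mnt = pre[5]
        fstype = post[1]; src = post[2]; opts = post[3]
        if (fstype == "cgroup" && root != "/") {
            printf("umount %s\n", mnt)
            printf("mount -t cgroup -o %s %s %s\n", opts, src, mnt)
        }
    }'
}

# Print the controller name of every /proc/PID/cgroup line whose path starts
# with "/..": that cgroup sits above the namespace root and cannot be reached
# through the inherited cgroup mount, which is what the remount repairs.
cgroups_outside_namespace() {
    awk -F: '$3 ~ /^\/\.\./ { print $2 }'
}

# Constructed sample input (not captured from a real host): the memory
# hierarchy was mounted from the parent namespace and has an optional
# "shared:13" field, cpu is already rooted at "/", and /proc is not cgroup.
SAMPLE_MOUNTINFO='31 23 0:27 /../init.scope /sys/fs/cgroup/memory rw,nosuid,nodev,noexec,relatime shared:13 - cgroup cgroup rw,memory
32 23 0:28 / /sys/fs/cgroup/cpu rw,nosuid,nodev,noexec,relatime - cgroup cgroup rw,cpu
22 27 0:19 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw'

# Constructed /proc/1/cgroup as seen from inside the new cgroup namespace.
SAMPLE_PROC_CGROUP='9:memory:/../init.scope
8:cpu:/
0::/'

# Dry run on the samples. Inside a real `unshare -Cm` shell you would pipe
# /proc/self/mountinfo in, review the plan, and only then feed it to sh.
printf '%s\n' "$SAMPLE_MOUNTINFO" | cgroup_remount_plan
printf '%s\n' "$SAMPLE_PROC_CGROUP" | cgroups_outside_namespace
```

The difference from the one-liner in the thread is the split at `" - "`: on a host where the cgroup mounts are `shared`, mountinfo has an extra optional field and `$8` is `-` rather than `cgroup`, so the one-liner silently plans nothing. Because the planner only prints, the commands can be inspected before they are run as root.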


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/53296/#review154371
-----------------------------------------------------------


On Nov. 6, 2016, 12:47 p.m., haosdent huang wrote:
> 
> 
> (Updated Nov. 6, 2016, 12:47 p.m.)
> 
> 
> Review request for mesos, Jie Yu, Qian Zhang, and Jiang Yan Xu.
> 
> 
> Bugs: MESOS-5410
>     https://issues.apache.org/jira/browse/MESOS-5410
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> Added cgroup namespace support for unified container.
> 
> 
> Diffs
> -----
> 
>   src/CMakeLists.txt aef9ae6d2872dc15725c01ce85b657965485605f 
>   src/Makefile.am 5a47c93388234a68c3c486a021ccdbe3213c5bac 
>   src/slave/containerizer/mesos/containerizer.cpp 
> 67cc595278f124cdf518d2f4fcfb257439f067e2 
>   src/slave/containerizer/mesos/isolators/namespaces/cgroup.hpp PRE-CREATION 
>   src/slave/containerizer/mesos/isolators/namespaces/cgroup.cpp PRE-CREATION 
> 
> Diff: https://reviews.apache.org/r/53296/diff/
> 
> 
> Testing
> -------
> 
> The test case is on the way.
> 
> 
> Thanks,
> 
> haosdent huang
> 
>
