TrevorSundberg opened this issue 4 years ago
This may also be related, but /sys/fs/cgroup/memory/memory.stat
does not exist. Should I report this as a separate issue?
cgroups and cgroupfs are currently not supported inside the sandbox. What is your use case for using cgroups?
We read /sys/fs/cgroup/memory/memory.stat to detect the page fault rate and kill our own process if it exceeds a limit (akin to the OOM killer). We also use /sys/fs/cgroup/memory/memory.stat to implement Chromium's memory pressure monitor. If you have any suggestions for ways of doing this within gVisor, I'd be happy to change our implementation.
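As a minimal sketch of the watchdog described above (assuming cgroup v1 paths; the threshold is hypothetical, not from this report), something like the following could sample the major-fault counter and exit when the rate spikes:

```shell
#!/bin/sh
# Sketch only: assumes the cgroup v1 memory controller layout.
# LIMIT is a hypothetical faults-per-second threshold.
STAT=/sys/fs/cgroup/memory/memory.stat
LIMIT=1000

# pgmajfault is a cumulative counter, so the per-second rate is the
# difference between two successive samples.
prev=$(awk '/^pgmajfault /{print $2}' "$STAT")
while sleep 1; do
  cur=$(awk '/^pgmajfault /{print $2}' "$STAT")
  rate=$((cur - prev))
  prev=$cur
  if [ "$rate" -gt "$LIMIT" ]; then
    echo "major page-fault rate $rate/s exceeds $LIMIT; exiting" >&2
    exit 1
  fi
done
```

Inside a gVisor sandbox the very first read fails, because memory.stat does not exist there, which is the problem this issue reports.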
@TrevorSundberg I think we are open to supporting cgroups inside the sandbox at some point, but maybe there are ways you could mitigate not having them for your use case.
I don't have a great solution for telemetry, but you could use info from the downward API to generate a unique ID that is easier to follow. Unfortunately, the downward API gives you the Pod ID but not the container name or ID.
For page faults, could you check the page fault rate from outside the sandbox? i.e. have an agent that runs in a DaemonSet and checks cgroups for Pod containers running on the node?
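An agent along those lines might walk the per-pod cgroup hierarchy from the host. This is only a sketch: the `kubepods` path layout below is an assumption and varies with the cgroup driver and version.

```shell
#!/bin/sh
# Sketch: run on the node (e.g. from a DaemonSet with the host's
# /sys/fs/cgroup mounted in). The kubepods layout is assumed, not verified.
CGROUP_ROOT=${CGROUP_ROOT:-/sys/fs/cgroup/memory/kubepods}

# One memory.stat per container: kubepods/<pod>/<container>/memory.stat
for stat in "$CGROUP_ROOT"/*/*/memory.stat; do
  [ -f "$stat" ] || continue
  echo "== $stat"
  grep -E '^pg(maj)?fault ' "$stat"
done
```

Because this reads the host's cgroupfs rather than anything inside the sandbox, it works regardless of whether the workload runs under runsc.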
cgroups are required by another Google app, cadvisor. It would be good if one Google app supported the other! Or is there a workaround? This currently breaks our entire Prometheus-based metrics system, since it depends on cadvisor to collect data from the containers.
@Choogster1 cadvisor needs to run as a privileged pod in order to read stats from containers besides itself. That's not likely to ever be possible with runsc,
since it breaks the sandbox contract. You'll likely want to run cadvisor as a normal privileged container.
You could also try deploying it with the root filesystem mounted read-only (though I'm not sure reading the host cgroups will work when mounted this way). Anyway, I'm a bit skeptical that runsc adds much value in this case.
Repro:

```
runsc version
docker version
```
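A minimal reproduction along the lines of this report might look like the following; the image and flags are illustrative assumptions, not taken from the original.

```shell
# Assumes Docker is configured with runsc as an alternate runtime.
# Per this report, the cgroupfs file is absent inside the sandbox, so the
# read fails there; the same command under the default runtime succeeds.
docker run --rm --runtime=runsc alpine \
  cat /sys/fs/cgroup/memory/memory.stat
```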