Closed raviprakash007 closed 6 months ago
Is isolate.service running?
No, Is it required?
Can you please mention the steps required to run isolate and what checks we have to perform to make sure it is working?
Yes. Please see the section Installation in the man page.
```
user@workers-5556b96ff8-snsrl:/api$ ls /usr/local/sbin/
isolate-cg-keeper  unminimize
user@workers-5556b96ff8-snsrl:/api$ sudo /usr/local/sbin/isolate-cg-keeper
Cannot write to /sys/fs/cgroup/kubepods.slice/kubepods-besteffort.slice/kubepods-besteffort-pod945302c5_e850_4408_9381_fd5f03f26f6a.slice/cri-containerd-ad80d1be3a89e17ae9eecdf2217b3018e12bf6144eaff62d48a031207eb972af.scope/cgroup.subtree_control: Device or resource busy
user@workers-5556b96ff8-snsrl:/api$ /usr/local/sbin/isolate-cg-keeper
Cannot create /run/isolate/cgroup: Permission denied
user@workers-5556b96ff8-snsrl:/api$ sudo su
root@workers-5556b96ff8-snsrl:/api# /usr/local/sbin/isolate-cg-keeper
Cannot create subgroup /sys/fs/cgroup/kubepods.slice/kubepods-besteffort.slice/kubepods-besteffort-pod945302c5_e850_4408_9381_fd5f03f26f6a.slice/cri-containerd-ad80d1be3a89e17ae9eecdf2217b3018e12bf6144eaff62d48a031207eb972af.scope/daemon: File exists
root@workers-5556b96ff8-snsrl:/api#
```
@gollux, do we need to start Ubuntu with systemd? When I run my application, PID 1 is given to my application in the Docker container.
```
root@80eba255f2ee:/api/scripts# service isolate start
Job for isolate.service failed because the control process exited with error code.
See "systemctl status isolate.service" and "journalctl -xeu isolate.service" for details.
root@80eba255f2ee:/api/scripts# systemctl status isolate.service
× isolate.service - A trivial daemon to keep Isolate's control group hierarchy
     Loaded: loaded (/etc/systemd/system/isolate.service; disabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Sat 2024-03-23 12:23:39 UTC; 25s ago
    Process: 516 ExecStart=/usr/local/sbin/isolate-cg-keeper (code=exited, status=1/FAILURE)
   Main PID: 516 (code=exited, status=1/FAILURE)

Mar 23 12:23:39 80eba255f2ee systemd[1]: Starting A trivial daemon to keep Isolate's control group hierarchy...
Mar 23 12:23:39 80eba255f2ee isolate-cg-keeper[516]: Cannot find my own cgroup
Mar 23 12:23:39 80eba255f2ee systemd[1]: isolate.service: Main process exited, code=exited, status=1/FAILURE
Mar 23 12:23:39 80eba255f2ee systemd[1]: isolate.service: Failed with result 'exit-code'.
Mar 23 12:23:39 80eba255f2ee systemd[1]: Failed to start A trivial daemon to keep Isolate's control group hierarchy.
root@80eba255f2ee:/api/scripts#
root@80eba255f2ee:/api/scripts# ps -elf
F S UID        PID  PPID  C PRI  NI ADDR SZ    WCHAN  STIME TTY    TIME     CMD
4 S root         1     0  0  80   0 - 41348 do_epo 12:18 ?      00:00:01 /lib/systemd/systemd
4 S root        23     1  0  79  -1 -  9882 do_epo 12:18 ?      00:00:00 /lib/systemd/systemd-journald
4 S systemd+    39     1  0  80   0 -  6384 do_epo 12:18 ?      00:00:00 /lib/systemd/systemd-resolved
4 S message+    41     1  0  80   0 -  2030 do_epo 12:18 ?      00:00:00 @dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
4 S syslog      44     1  0  80   0 - 55523 core_s 12:18 ?      00:00:00 /usr/sbin/rsyslogd -n -iNONE
4 S root        48     1  0  80   0 -  3727 do_epo 12:18 ?      00:00:00 /lib/systemd/systemd-logind
4 S root        60     0  0  80   0 -  1156 -      12:19 pts/0  00:00:00 bash
4 S root       323     1  0  80   0 - 73249 x64_sy 12:21 ?      00:00:00 /usr/libexec/packagekitd
4 S root       327     1  0  80   0 - 58623 x64_sy 12:21 ?      00:00:00 /usr/libexec/polkitd --no-debug
4 R root       520    60  0  80   0 -  1765 -      12:25 pts/0  00:00:00 ps -elf
root@80eba255f2ee:/api/scripts#
```
@gollux Please suggest why I am getting "Cannot find my own cgroup" while starting isolate?
> @gollux, do we need to start Ubuntu with systemd? When I run my application, PID 1 is given to my application in the Docker container.

Using systemd is the recommended way. It is not necessary, but otherwise you have to set `cg_root` in the configuration file manually and ensure that the cgroup subtree is properly delegated.
> @gollux Please suggest why I am getting "Cannot find my own cgroup" while starting isolate?
Interesting. Please try the following patch and tell me what it prints:
diff --git a/isolate-cg-keeper.c b/isolate-cg-keeper.c
index 74bd731..937ebdd 100644
--- a/isolate-cg-keeper.c
+++ b/isolate-cg-keeper.c
@@ -67,6 +67,7 @@ get_my_cgroup(void)
{
if (len > 0 && line[len-1] == '\n')
line[--len] = 0;
+ fprintf(stderr, "<<< %s\n", line);
if (line[0] == '0' && line[1] == ':' && line[2] == ':')
{
cg = xsprintf("/sys/fs/cgroup%s", line + 3);
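Review bot: the `fprintf(stderr, "<<< %s\n", line)` added before the `0::` check is a debugging aid rather than a fix and fires unconditionally for every line read, so it should not be merged as-is; if the trace is worth keeping, gate it behind a verbose/debug option and make the message self-describing (for example `cgroup line: %s`) instead of the bare `<<<` prefix. As a diagnostic it is well placed, though: the only branch that sets `cg` requires a line starting with `0::`, so a reporter whose output shows no such line has located the cause of "Cannot find my own cgroup".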
I have fixed the problem "Cannot find my own cgroup". Thanks for pointing to the location.
Just curious: what was the reason?
Also, can we close this issue now?
Yes, obviously. The crux is that we need a system initialized with systemd.
> Just curious: what was the reason?
The host cgroup was mismatching.
Sorry for reactivating this thread, but I decided this thread contains context, and creating another "why it doesn't work in Docker" thread makes no sense.
> @gollux, do we need to start Ubuntu with systemd? When I run my application, PID 1 is given to my application in the Docker container.

> Using systemd is the recommended way. It is not necessary, but otherwise you have to set `cg_root` in the configuration file manually and ensure that the cgroup subtree is properly delegated.
Could you please elaborate on your response? Which configuration file exactly, what exactly do I need to set `cg_root` to, and how would I ensure that the cgroup subtree is properly delegated?
Thanks in advance
Isolate's configuration file (by default installed to `/usr/local/etc/isolate`).
Otherwise, if you want to use Isolate outside the recommended setup (which is running it under systemd, preferably without Docker), you are on your own and you are expected to understand your control group setup thoroughly. Without such understanding, you will likely end up with a sandbox which seems to work, but which is insecure.
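A pre-flight check for the "on your own" case above, written as an added example that is not isolate's own code: it reproduces the `0::` line lookup from the patch earlier in this thread (the keeper reads it from `/proc/self/cgroup`) and the two cgroup v2 conditions behind the errors quoted here. The required-controller list and the practice of passing file contents as arguments are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of isolate. Functions take file contents as
# arguments so they run on constructed input; on a real host pass
# "$(cat /proc/self/cgroup)" and the matching cgroup files instead.

# 1. Resolve our cgroup v2 directory the way get_my_cgroup() does: only a
#    unified "0::/path" entry counts, so a legacy "N:controller:/path"
#    layout yields no match and the keeper reports "Cannot find my own cgroup".
my_cgroup_from() {
    cg=$(printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            0::*) printf '/sys/fs/cgroup%s' "${line#0::}"; break ;;
        esac
    done)
    [ -n "$cg" ] || { echo "Cannot find my own cgroup" >&2; return 1; }
    printf '%s\n' "$cg"
}

# 2. List controllers a delegated subtree needs ($1, space separated) that the
#    parent's cgroup.subtree_control ($2) does not enable. The set isolate
#    requires is an assumption here; take it from isolate's documentation.
missing_controllers() {
    required=$1; enabled=" $2 "; missing=""
    for c in $required; do
        case "$enabled" in *" $c "*) ;; *) missing="$missing $c" ;; esac
    done
    printf '%s\n' "${missing# }"
}

# 3. cgroup v2 refuses with EBUSY ("Device or resource busy" in the thread) to
#    enable domain controllers in cgroup.subtree_control while the cgroup still
#    has member processes in cgroup.procs. Succeeds when cgroup.procs ($1) is empty.
subtree_enable_ok() {
    [ -z "$(printf '%s' "$1" | tr -d '[:space:]')" ]
}

# Constructed sample input: a v2 entry shaped like the pod scope in the thread,
# and a legacy-style entry that the lookup deliberately ignores.
main() {
    v2='0::/kubepods.slice/kubepods-besteffort.slice/cri-containerd-EXAMPLE.scope'
    legacy='12:memory:/docker/EXAMPLE
1:name=systemd:/docker/EXAMPLE'
    my_cgroup_from "$v2"
    my_cgroup_from "$legacy" || echo "legacy layout: keeper would fail here"
    echo "missing controllers: $(missing_controllers 'cpuset memory' 'cpu memory pids')"
    subtree_enable_ok "1234" || echo "cgroup.procs populated: EBUSY expected"
}
main
```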
```
root@workers-5556b96ff8-snsrl:/api# mount | grep cgroup
cgroup on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime)
root@workers-5556b96ff8-snsrl:/api# isolate --cg -b 1 --init
Cannot open /run/isolate/cgroup: No such file or directory
root@workers-5556b96ff8-snsrl:/api#
root@workers-5556b96ff8-snsrl:/api# ls /sys/fs/cgroup/
cgroup.controllers      dev-hugepages.mount  memory.stat
cgroup.max.depth        dev-mqueue.mount     misc.capacity
cgroup.max.descendants  init.scope           proc-sys-fs-binfmt_misc.mount
cgroup.procs            io.cost.model        sys-fs-fuse-connections.mount
cgroup.stat             io.cost.qos          sys-kernel-config.mount
cgroup.subtree_control  io.pressure          sys-kernel-debug.mount
cgroup.threads          io.prio.class        sys-kernel-tracing.mount
cpu.pressure            io.stat              system.slice
cpu.stat                kubepods.slice       user.slice
cpuset.cpus.effective   memory.numa_stat
cpuset.mems.effective   memory.pressure
```
What can be the reason?
Env:
Ubuntu: 22.04 Jammy
isolate: master with cgroup v2 merged