rancher-sandbox / rancher-desktop

Container Management and Kubernetes on the Desktop
https://rancherdesktop.io
Apache License 2.0

Spike: Investigate support for rootless containers #4141

Open jandubois opened 1 year ago

jandubois commented 1 year ago

cgroupv2 should be supported in OpenRC by adding rc_cgroup_mode="unified" in rc.conf.

On WSL2 it can be enabled with kernelCommandLine=systemd.unified_cgroup_hierarchy=1 cgroup_no_v1=all in .wslconfig.

mook-as commented 1 year ago

Note that we probably shouldn't modify the kernel command line, because that's global across all distributions (and lives in C:\Users\User\.wslconfig, instead of /etc/wsl.conf inside our distro). That makes modifying it harder (because the user might already have other things in that file).

Problems that come from being in a container and not a VM…

jandubois commented 1 year ago

Maybe needs to be prioritized: (from https://github.com/microsoft/WSL/releases/tag/1.1.5):

Do not mount cgroup v1 for WSL2

nunix commented 1 year ago

Very early testing shows that the Rancher Desktop distro behaves normally and cgroupv2 is fully integrated. Examples:

# containerD runtime
nerdctl info
...
Server:
 Server Version: v1.6.8
 Storage Driver: overlayfs
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 2
...

# moby runtime
docker info
...
Server Version: 20.10.20
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 2
...

@mook-as please note that WSL 1.1.5 doesn't require the .wslconfig change, however it's still applied to all WSL distros as you pointed out.

The OpenRC settings might still need to be double-checked to see if there's a need for a configuration change or optimization.

ericpromislow commented 1 year ago

Note on macOS work with Rancher Desktop 1.9.1:

When I add the following lines to /etc/rc.conf

rc_controller_cgroups="YES"
rc_cgroup_controllers="cpuset cpu io memory hugetlb pids"
rc_cgroup_mode="hybrid"

and restart, k3s fails to start and I get these messages in k3s.log:

level=warning msg="Failed to find cpuset cgroup, you may need to add \"cgroup_enable=cpuset\" to your linux cmdline (/boot/cmdline.txt on a Raspberry Pi)"
level=error msg="Failed to find memory cgroup, you may need to add \"cgroup_memory=1 cgroup_enable=memory\" to your linux cmdline (/boot/cmdline.txt on a Raspberry Pi)"

Jan wonders if modifying the kernel startup command would fix things, but I'm putting this investigation aside as it was just part of interrupt duty.
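An added example, not part of the thread or of Rancher Desktop's code: a shell check that reports whether the VM ends up with a unified, hybrid or legacy cgroup layout and whether the cpuset and memory controllers named in the k3s.log messages above are available. The function names, the constructed sample mount table, and the approach of reading /proc/mounts and the v2 root's cgroup.controllers file are assumptions of this example.

```shell
#!/bin/sh
# Classify the cgroup layout from a /proc/mounts-format file ($1).
# Prints: unified | hybrid | legacy | none
cgroup_mode() {
  awk '$3 == "cgroup2" { v2 = 1 }
       $3 == "cgroup"  { v1 = 1 }
       END {
         if (v2 && v1) print "hybrid"
         else if (v2)  print "unified"
         else if (v1)  print "legacy"
         else          print "none"
       }' "${1:-/proc/mounts}"
}

# Succeed if controller $1 is available: either listed in the v2 root's
# cgroup.controllers file ($3) or mounted as a v1 hierarchy in $2.
has_controller() {
  ctl=$1 mounts=${2:-/proc/mounts} v2file=${3:-/sys/fs/cgroup/cgroup.controllers}
  if [ -r "$v2file" ] && tr ' ' '\n' < "$v2file" | grep -qx "$ctl"; then
    return 0
  fi
  awk -v c="$ctl" '$3 == "cgroup" {
         n = split($4, opt, ","); for (i = 1; i <= n; i++) if (opt[i] == c) found = 1
       } END { exit !found }' "$mounts"
}

# Report the layout and which of the controllers from the k3s.log lines are missing.
check_k3s_controllers() {
  missing=""
  for c in cpuset memory; do
    has_controller "$c" "$1" "$2" || missing="$missing $c"
  done
  echo "mode=$(cgroup_mode "$1") missing=${missing# }"
}

# Constructed sample (not captured from a real VM): a hybrid layout with one
# v1 hierarchy (cpu) and a v2 mount that only offers io and pids.
sample_mounts=$(mktemp); sample_ctl=$(mktemp)
trap 'rm -f "$sample_mounts" "$sample_ctl"' EXIT
cat > "$sample_mounts" <<'EOF'
cgroup_root /sys/fs/cgroup tmpfs rw,nosuid,nodev,noexec 0 0
cpu /sys/fs/cgroup/cpu cgroup rw,nosuid,nodev,noexec,relatime,cpu 0 0
none /sys/fs/cgroup/unified cgroup2 rw,nosuid,nodev,noexec,relatime 0 0
EOF
echo "io pids" > "$sample_ctl"
check_k3s_controllers "$sample_mounts" "$sample_ctl"
```

Called with no arguments inside the VM, `check_k3s_controllers` reads the live /proc/mounts and /sys/fs/cgroup/cgroup.controllers instead of the sample files.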

jandubois commented 1 year ago

Just throwing the link in here for now: https://wiki.gentoo.org/wiki/OpenRC/CGroups