lukasheinrich
commented
2 years ago hi @AkihiroSuda - do you have any guidance on this. If so that'd be much appreciated!
Closed anthonyhartin closed 10 months ago
lukasheinrich
commented
2 years ago hi @AkihiroSuda - do you have any guidance on this. If so that'd be much appreciated!
AkihiroSuda
commented
2 years ago Does it work if you change the runtime from crun to runc?
AkihiroSuda
commented
2 years ago The CI uses Fedora 35. Vagrantfile can be found here: https://github.com/rootless-containers/usernetes/blob/master/Vagrantfile
lukasheinrich
commented
2 years ago Thanks @AkihiroSuda ! @anthonyhartin - were you able to try this?
anthonyhartin
commented
2 years ago Hi @lukasheinrich @AkihiroSuda,
I tried changing crun to runc and it didn't help. The upstream problem which needs to be fixed before anything else, is that the described procedure for granting the user control of the cpu and the io does not work for me. Once cgroups v2 is present and configured for user delegation, and the boot time arguments added, the reboot doesn't actually grant user control.
I found at least one other instance online where someone else also couldn't get user delegation to work. The workarounds provided didn't do anything for me. I've tried on several different operating systems including fc35.
cheers.
anthonyhartin
commented
2 years ago Just an update, The initial part of the installation - delegation of cpu and io to the user - it works on my laptop, but not on our openstack virtual machines. So it may be the case that bare metal is ok, but virtual machines, not. I'm not sure whether it is just our virtual machines, or virtual machines in general.. I will try and track down further error messages to see if I can clarify the situation
AkihiroSuda
commented
2 years ago Maybe you need DefaultCPUAccounting=yes
https://www.freedesktop.org/software/systemd/man/systemd-system.conf.html
AkihiroSuda
commented
2 years ago it works on my laptop, but not on our openstack virtual machines
systemctl --user show might be useful to check the differences across your laptop and VM
anthonyhartin
commented
2 years ago OK, I set the CPUAccounting parameter and ran systemctl --user show on the VM and LAPTOP. Output attached below. Just comparing the accounting parameters, they are both the same: DefaultCPUAccounting=yes DefaultBlockIOAccounting=no DefaultMemoryAccounting=yes DefaultTasksAccounting=yes
but it's still not working on the VM. I don't yet see anything else obvious, but I will keep looking into it.
AkihiroSuda
commented
10 months ago Let me close this, as the architecture was changed in "Generation 2": https://github.com/rootless-containers/usernetes/releases/tag/gen2-v20230906.0
The usernetes install script fails on the condition of waiting for coreDNS containers to reach ready state:
kubectl get pods -A
kubectl describe pod coredns-697b4969d7-6925r -n kube-system
So we see that the problem occurs because the user has no access to the cpu controller.
I followed the instructions on confirming cgroups v2 available and delegating control
ls -lah /sys/fs/cgroup/cgroup.controllers
grep cgroup /proc/filesystems
sudo cat /etc/systemd/system/user@.service.d/delegate.conf
sudo grubby --info=ALL | grep args
After reboot, cpu and io control is not granted to the user
cat /sys/fs/cgroup/user.slice/user-$(id -u).slice/user@$(id -u).service/cgroup.subtree_control
There are other people who having difficulty with delegating cpu control in other contexts. For instance this post describes difficulties and possible work arounds: https://unix.stackexchange.com/questions/624428/cgroups-v2-cgroup-controllers-not-delegated-to-non-privileged-users-on-centos-s
I have tried the work arounds and different configuration described, but nothing seems to work. I have tried operating systems CentOS 8, Fedora 33 and Fedora 35,, so far.