config: add option SandboxCgroupOnly

add option to eneable only pod cgroup (SandboxCgroupOnly) Depends-on: github.com/kata-containers/tests#1824 Fixes: #1879 Signed-off-by: Jose Carlos Venegas Munoz <[email protected]>
kata-containers · Aug 29, 2019 · b650632 · b650632
1 parent 5a17d67
commit b650632
Show file tree

Hide file tree

Showing 9 changed files with 47 additions and 0 deletions.
diff --git a/Makefile b/Makefile
@@ -183,6 +183,9 @@ DEFDISABLENESTINGCHECKS := false
 DEFMSIZE9P := 8192
 DEFHOTPLUGVFIOONROOTBUS := false
 
+# Default cgroup model
+DEFSANDBOXCGROUPONLY ?= false
+
 SED = sed
 
 CLI_DIR = cli
@@ -424,6 +427,7 @@ USER_VARS += DEFDISABLENESTINGCHECKS
 USER_VARS += DEFMSIZE9P
 USER_VARS += DEFHOTPLUGVFIOONROOTBUS
 USER_VARS += DEFENTROPYSOURCE
+USER_VARS += DEFSANDBOXCGROUPONLY
 USER_VARS += BUILDFLAGS
 
 
@@ -579,6 +583,7 @@ $(GENERATED_FILES): %: %.in $(MAKEFILE_LIST) VERSION .git-commit
 		-e "s|@DEFMSIZE9P@|$(DEFMSIZE9P)|g" \
 		-e "s|@DEFHOTPLUGONROOTBUS@|$(DEFHOTPLUGVFIOONROOTBUS)|g" \
 		-e "s|@DEFENTROPYSOURCE@|$(DEFENTROPYSOURCE)|g" \
+		-e "s|@DEFSANDBOXCGROUPONLY@|$(DEFSANDBOXCGROUPONLY)|g" \
 		$< > $@
 
 generate-config: $(CONFIGS)

diff --git a/cli/config/configuration-acrn.toml.in b/cli/config/configuration-acrn.toml.in
@@ -228,6 +228,14 @@ disable_guest_seccomp=@DEFDISABLEGUESTSECCOMP@
 # (default: false)
 #disable_new_netns = true
 
+# if enabled, the runtime will add all the kata processes inside one dedicated cgroup.
+# The container cgroups in the host are not created, just one single cgroup per sandbox.
+# The sandbox cgroup is not constrained by the runtime
+# The runtime caller is free to restrict or collect cgroup stats of the overall Kata sandbox.
+# The sandbox cgroup path is the parent cgroup of a container with the PodSandbox annotation.
+# See: https://godoc.org/github.com/kata-containers/runtime/virtcontainers#ContainerType
+sandbox_cgroup_only=@DEFSANDBOXCGROUPONLY@
+
 # Enabled experimental feature list, format: ["a", "b"].
 # Experimental features are features not stable enough for production,
 # They may break compatibility, and are prepared for a big version bump.

diff --git a/cli/config/configuration-fc.toml.in b/cli/config/configuration-fc.toml.in
@@ -330,6 +330,14 @@ disable_guest_seccomp=@DEFDISABLEGUESTSECCOMP@
 # (default: false)
 #disable_new_netns = true
 
+# if enable, the runtime will add all the kata processes inside one dedicated cgroup.
+# The container cgroups in the host are not created, just one single cgroup per sandbox.
+# The sandbox cgroup is not constrained by the runtime
+# The runtime caller is free to restrict or collect cgroup stats of the overall Kata sandbox.
+# The sandbox cgroup path is the parent cgroup of a container with the PodSandbox annotation.
+# See: https://godoc.org/github.com/kata-containers/runtime/virtcontainers#ContainerType
+sandbox_cgroup_only=@DEFSANDBOXCGROUPONLY@
+
 # Enabled experimental feature list, format: ["a", "b"].
 # Experimental features are features not stable enough for production,
 # They may break compatibility, and are prepared for a big version bump.

diff --git a/cli/config/configuration-nemu.toml.in b/cli/config/configuration-nemu.toml.in
@@ -404,6 +404,12 @@ disable_guest_seccomp=@DEFDISABLEGUESTSECCOMP@
 # (default: false)
 #disable_new_netns = true
 
+# if enable, the runtime use the parent cgroup of a container PodSandbox.  This
+# should be enabled for users where the caller setup the parent cgroup of the
+# containers running in a sandbox so all the resouces of the kata container run
+# in the same cgroup and performance isolation its more accurate.
+sandbox_cgroup_only=@DEFSANDBOXCGROUPONLY@
+
 # Enabled experimental feature list, format: ["a", "b"].
 # Experimental features are features not stable enough for production,
 # They may break compatibility, and are prepared for a big version bump.

diff --git a/cli/config/configuration-qemu.toml.in b/cli/config/configuration-qemu.toml.in
@@ -412,6 +412,14 @@ disable_guest_seccomp=@DEFDISABLEGUESTSECCOMP@
 # (default: false)
 #disable_new_netns = true
 
+# if enabled, the runtime will add all the kata processes inside one dedicated cgroup.
+# The container cgroups in the host are not created, just one single cgroup per sandbox.
+# The sandbox cgroup is not constrained by the runtime
+# The runtime caller is free to restrict or collect cgroup stats of the overall Kata sandbox.
+# The sandbox cgroup path is the parent cgroup of a container with the PodSandbox annotation.
+# See: https://godoc.org/github.com/kata-containers/runtime/virtcontainers#ContainerType
+sandbox_cgroup_only=@DEFSANDBOXCGROUPONLY@
+
 # Enabled experimental feature list, format: ["a", "b"].
 # Experimental features are features not stable enough for production,
 # They may break compatibility, and are prepared for a big version bump.

diff --git a/cli/kata-env.go b/cli/kata-env.go
@@ -69,6 +69,7 @@ type RuntimeInfo struct {
 	Trace               bool
 	DisableGuestSeccomp bool
 	DisableNewNetNs     bool
+	SandboxCgroupOnly   bool
 	Experimental        []exp.Feature
 	Path                string
 }
@@ -187,6 +188,7 @@ func getRuntimeInfo(configFile string, config oci.RuntimeConfig) RuntimeInfo {
 		Config:              runtimeConfig,
 		Path:                runtimePath,
 		DisableNewNetNs:     config.DisableNewNetNs,
+		SandboxCgroupOnly:   config.SandboxCgroupOnly,
 		Experimental:        config.Experimental,
 		DisableGuestSeccomp: config.DisableGuestSeccomp,
 	}

diff --git a/pkg/katautils/config.go b/pkg/katautils/config.go
@@ -133,6 +133,7 @@ type runtime struct {
 	Tracing             bool     `toml:"enable_tracing"`
 	DisableNewNetNs     bool     `toml:"disable_new_netns"`
 	DisableGuestSeccomp bool     `toml:"disable_guest_seccomp"`
+	SandboxCgroupOnly   bool     `toml:"sandbox_cgroup_only"`
 	Experimental        []string `toml:"experimental"`
 	InterNetworkModel   string   `toml:"internetworking_model"`
 }
@@ -1054,6 +1055,7 @@ func LoadConfiguration(configPath string, ignoreLogging, builtIn bool) (resolved
 		config.ProxyConfig = vc.ProxyConfig{Debug: config.Debug}
 	}
 
+	config.SandboxCgroupOnly = tomlConf.Runtime.SandboxCgroupOnly
 	config.DisableNewNetNs = tomlConf.Runtime.DisableNewNetNs
 	for _, f := range tomlConf.Runtime.Experimental {
 		feature := exp.Get(f)

diff --git a/virtcontainers/pkg/oci/utils.go b/virtcontainers/pkg/oci/utils.go
@@ -141,6 +141,9 @@ type RuntimeConfig struct {
 	//Determines if create a netns for hypervisor process
 	DisableNewNetNs bool
 
+	//Determines kata processes are managed only in sandbox cgroup
+	SandboxCgroupOnly bool
+
 	//Experimental features enabled
 	Experimental []exp.Feature
 }
@@ -515,6 +518,8 @@ func SandboxConfig(ocispec CompatOCISpec, runtime RuntimeConfig, bundlePath, cid
 
 		SystemdCgroup: systemdCgroup,
 
+		SandboxCgroupOnly: runtime.SandboxCgroupOnly,
+
 		DisableGuestSeccomp: runtime.DisableGuestSeccomp,
 
 		Experimental: runtime.Experimental,

diff --git a/virtcontainers/sandbox.go b/virtcontainers/sandbox.go
@@ -104,6 +104,9 @@ type SandboxConfig struct {
 	// SystemdCgroup enables systemd cgroup support
 	SystemdCgroup bool
 
+	// SandboxCgroupOnly enables cgroup only at podlevel in the host
+	SandboxCgroupOnly bool
+
 	DisableGuestSeccomp bool
 
 	// Experimental features enabled