Background
In Kubernetes, a PodCgroup is created on the host by Kubelet, which is sized appropriately for the given pod. In Docker, the host cgroup sizing is handled only by the runtime (i.e., they don't have the notion of a pod or a sandbox).
With the current default configuration for SandboxCgroupOnly=false, some constraints are applied, but not to all the Kata processes. I still wouldn't want to recommend this.
Eventually I think SandboxCgroupOnly=true should become default, and it is definitely what we should recommend.
See docs pr and feature addition pr.
Problem statement
When utilizing SandboxCgroupOnly=true with Docker (or equivalent), none of the constraints are applied to the kata-sandbox-cgroup. In Kubernetes this is ok, since PodCgroup will be constrained, and is the parent. In Docker, no constraints are applied.
Suggested solution
If we care enough about Docker support, we should consider adding a ConstrainSandboxCgroup option, defaulted to false, with the intention of this only to be enabled when a user is using Kata with Docker, or other OCI CLI tools (not pod-based).
This should be straightforward, as we know the resource requirements for the workload (memory, CPU), since we receive the entire OCI runtime spec for the single container.
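The suggested solution amounts to reading `linux.resources` from the single container's OCI runtime spec and applying those limits to the sandbox cgroup, gated behind a new option. The following Go sketch is an added example written for this issue, not Kata Containers code: the `ConstrainSandboxCgroup` field is the option proposed above (hypothetical, defaults to false), the cgroup v1 file names are the standard `memory` and `cpu` controller knobs, and `sampleSpec` is a constructed spec fragment rather than output captured from Docker. It only computes the values to write; it does not touch the host's cgroup filesystem.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
)

// ociSpec is the minimal subset of the OCI runtime spec needed to size a
// sandbox cgroup. Field names follow the runtime-spec JSON schema
// (linux.resources.memory / linux.resources.cpu).
type ociSpec struct {
	Linux struct {
		Resources struct {
			Memory struct {
				Limit *int64 `json:"limit"`
			} `json:"memory"`
			CPU struct {
				Shares *uint64 `json:"shares"`
				Quota  *int64  `json:"quota"`
				Period *uint64 `json:"period"`
			} `json:"cpu"`
		} `json:"resources"`
	} `json:"linux"`
}

// Config mirrors the two runtime options discussed in the issue.
// ConstrainSandboxCgroup is the hypothetical option proposed above; it is
// off by default so pod-based deployments (Kubernetes) keep relying on the
// parent PodCgroup for constraints.
type Config struct {
	SandboxCgroupOnly      bool
	ConstrainSandboxCgroup bool
}

// SandboxCgroupValues derives the cgroup v1 files (relative to the sandbox
// cgroup path) and the values to write from the container's OCI spec.
// It returns an empty map when the option is off, which is the behaviour the
// issue describes today: with SandboxCgroupOnly=true and no pod-level parent,
// the sandbox cgroup stays unconstrained. It is also a no-op when
// SandboxCgroupOnly=false, on the assumption that the existing per-container
// cgroups carry the limits in that mode.
func SandboxCgroupValues(cfg Config, specJSON []byte) (map[string]string, error) {
	out := map[string]string{}
	if !cfg.SandboxCgroupOnly || !cfg.ConstrainSandboxCgroup {
		return out, nil
	}
	var spec ociSpec
	if err := json.Unmarshal(specJSON, &spec); err != nil {
		return nil, fmt.Errorf("parse OCI spec: %w", err)
	}
	r := spec.Linux.Resources
	if r.Memory.Limit != nil && *r.Memory.Limit > 0 {
		out["memory/memory.limit_in_bytes"] = strconv.FormatInt(*r.Memory.Limit, 10)
	}
	if r.CPU.Shares != nil && *r.CPU.Shares > 0 {
		out["cpu/cpu.shares"] = strconv.FormatUint(*r.CPU.Shares, 10)
	}
	if r.CPU.Quota != nil && *r.CPU.Quota > 0 {
		out["cpu/cpu.cfs_quota_us"] = strconv.FormatInt(*r.CPU.Quota, 10)
		// The kernel's default CFS period applies when the spec omits one.
		period := uint64(100000)
		if r.CPU.Period != nil && *r.CPU.Period > 0 {
			period = *r.CPU.Period
		}
		out["cpu/cpu.cfs_period_us"] = strconv.FormatUint(period, 10)
	}
	return out, nil
}

// sampleSpec is a constructed fragment resembling what a 512 MiB memory limit
// and a 1.5-CPU CFS quota would look like in an OCI runtime spec.
const sampleSpec = `{"ociVersion":"1.0.2","linux":{"resources":{"memory":{"limit":536870912},"cpu":{"shares":1024,"quota":150000,"period":100000}}}}`

func main() {
	cfg := Config{SandboxCgroupOnly: true, ConstrainSandboxCgroup: true}
	vals, err := SandboxCgroupValues(cfg, []byte(sampleSpec))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for file, value := range vals {
		fmt.Printf("%s = %s\n", file, value)
	}
}
```

With the option enabled the sandbox cgroup receives exactly the memory limit and CPU quota the OCI spec asked for; with it disabled (the default) the function returns nothing to write, matching the unconstrained behaviour described in the problem statement.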