cgroups: Use only pod cgroup

[jcvenegas]

• config add option to use only pod cgroup (SandboxCgroupOnly)
• Get the sandbox Cgroup path based on cgroupsPath from Sandbox Container
• Join the Sandbox Cgroup before create any process
• All the kata processes are inside the Sandbox Cgroup
• The cgroup is not restricted by the runtime but the caller is free to limit it.

Depends-on: github.com/kata-containers/tests#1824

Fixes: #1879
Signed-off-by: Jose Carlos Venegas Munoz jose.carlos.venegas.munoz@intel.com

[jcvenegas]

/test

[jcvenegas]

/test

[codecov]

Codecov Report

❗ No coverage uploaded for pull request base (master@bc15e44). Click here to learn what that means.
The diff coverage is 23.45%.

@@            Coverage Diff            @@
##             master    #1880   +/-   ##
=========================================
  Coverage          ?   52.32%           
=========================================
  Files             ?      108           
  Lines             ?    14025           
  Branches          ?        0           
=========================================
  Hits              ?     7338           
  Misses            ?     5813           
  Partials          ?      874

[codecov]

Codecov Report

❗ No coverage uploaded for pull request base (master@bc15e44). Click here to learn what that means.
The diff coverage is 23.45%.

@@            Coverage Diff            @@
##             master    #1880   +/-   ##
=========================================
  Coverage          ?   52.32%           
=========================================
  Files             ?      108           
  Lines             ?    14025           
  Branches          ?        0           
=========================================
  Hits              ?     7338           
  Misses            ?     5813           
  Partials          ?      874

[codecov]

Codecov Report

Merging #1880 into master will decrease coverage by 0.17%.
The diff coverage is 58.33%.

@@            Coverage Diff             @@
##           master    #1880      +/-   ##
==========================================
- Coverage   51.89%   51.71%   -0.18%     
==========================================
  Files         107      107              
  Lines       14456    14589     +133     
==========================================
+ Hits         7502     7545      +43     
- Misses       6061     6140      +79     
- Partials      893      904      +11

[jcvenegas]

We are creating a cgroup, we should should remove it on delete (even if the caller will delete all the parent cgroup)
If we use a common name al the pods will use the same cgroup if the cgroup parent was not set just for the pod, e.g. docker. So probably need to add an additional sufix (container.id) or just drop kata in the parent cgroup instead of create one.

[jcvenegas]

/test

[jcvenegas]

All passed with the flag not enabled. So all good in the default/current way to do cgroups.

Re-ran with the flag enabled,

fedora failed with (this job does not run docker)

15:26:11 ok 24 ctr oom # skip This is not working (Issue https://github.com/kata-containers/tests/issues/714)
15:26:29 not ok 25 ctr /etc/resolv.conf rw/ro mode
15:26:29 # (in test file ctr.bats, line 882)
15:26:29 #   `[ "$status" -eq 0 ]' failed

Restarting to get if is non related error.

Ubuntu job failed with (this job does not run docker)

16:30:11 not ok 33 ctr /etc/resolv.conf rw/ro mode
16:30:11 # (in test file ctr.bats, line 1217)
16:30:11 #   `[ "$status" -eq 0 ]' failed
16:30:11 # time="2019-07-16T21:29:09Z" level=error msg="File descriptor 3 (pipe:[156253]) leaked on pvdisplay invocation. Parent PID 109987: /tmp/jenkins/workspace/kata-con
16:30:11 # File descriptor 6 (/dev/mapper/control) leaked on pvdisplay invocation. Parent PID 109987: /tmp/jenkins/workspace/kata-con
16:30:11 #   Failed to find physical volume "/dev/sdb".
16:30:11 # " error="exit status 5" 

The rest of jobs that failed with

15:23:10 [1] • Failure [13.542 seconds]
15:23:10 [1] Checking CPU cgroups in the host
15:23:10 [1] /tmp/jenkins/workspace/kata-containers-runtime-ubuntu-nemu/go/src/github.com/kata-containers/tests/integration/docker/cgroups_test.go:110
15:23:10 [1]   checking whether cgroups can be deleted
15:23:10 [1]   /tmp/jenkins/workspace/kata-containers-runtime-ubuntu-nemu/go/src/github.com/kata-containers/tests/integration/docker/cgroups_test.go:130
15:23:10 [1]     with a running process
15:23:10 [1]     /tmp/jenkins/workspace/kata-containers-runtime-ubuntu-nemu/go/src/github.com/kata-containers/tests/integration/docker/cgroups_test.go:131
15:23:10 [1]       should be deleted [It]
15:23:10 [1]       /tmp/jenkins/workspace/kata-containers-runtime-ubuntu-nemu/go/src/github.com/kata-containers/tests/integration/docker/cgroups_test.go:132
15:23:10 [1] 
15:23:10 [1]       Expected
15:23:10 [1]           <string>: /sys/fs/cgroup/cpu/docker/kata_ae38701e4bc415ee6876f4dba2d1841949f0528f4bbc336ac7526cd4634445e8
15:23:10 [1]       to be a directory: stat /sys/fs/cgroup/cpu/docker/kata_ae38701e4bc415ee6876f4dba2d1841949f0528f4bbc336ac7526cd4634445e8: no such file or directory

Expected as those run docker test

[caoruidong]

/test

[jcvenegas]

/test

[jcvenegas]

/test

[jcvenegas]

/test

[jcvenegas]

/test

[jcvenegas]

/test

[jcvenegas]

@egernst please take a look to the last updates.

[jcvenegas]

/test

[egernst]

looking good. Submitted one more patch which I think simplifies things.

erics review is old

[egernst]

/test

[bergwolf]

LGTM. A side question how do we handle guest resource calculation w.r.t. podoverhead? I mean, if we allocate the requested cpu/memory based on container cpu/memory limits, and hand all of them to the guest and container process, there is actually no reserved resource of the kata components.

[egernst]

@bergwolf : the overhead is assumed to be just on host, we don’t size the VM any larger to account for it (today, anyway). So, the container sizing is the same as what is requested. Perhaps the default cpu/memory can be considered for this (recall that we start with a minimal cpu/memory, and then add in whatever is requested by the workload).