I'm considering supporting podman, but I don't know the details of podman, so I'm looking for opinions.
I don't know what features youki lacks to support podman yet.
I'm also looking for people to support this issue.

The exec command is not listed in the runtime-spec, but I consider it one of the required features. For example, when I run docker exec -it [container id] bash, I currently get the following error.

ref: https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md#readonly-paths

When building the released version of youki binary, the clone(2) used to create the container process will fail with the following error from dmesg:

[176643.245728] youki[340675]: segfault at 529 ip 00005581f9b434a0 sp 00007fff14905090 error 4 in youki[5581f9a20000+157000]
[176643.245741] Code: 00 00 ff d5 4c 89 bc 24 00 1c 00 00 48 89 9c 24 08 1c 00 00 4c 89 b4 24 10 1c 00 00 48 8b 84 24 18 03 00 00 48 8b 00 48 8b 00 <4c> 8b b8 28 05 00 00 48 8b 98 38 05 00 00 41 be 01 00 00 00 bd 01

Preliminary investigation points to the child stack pointer passed to clone(2) call. The debug version of the binary is not affected. Changing the allocated child stack size to 1MB or 2MB seems to make the issue go away, but I'd like a proper fix. Using this issue to track.

I've built youki from here : -

apt-get install -y pkg-config

apt-get install -y libsystemd-dev

apt-get install -y libdbus-glib-1-dev

cargo install cargo-when

git clone [email protected]:containers/youki.git

cd youki

./build.sh

resulting in: -

file youki

youki: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=885bc1c85a5d7739537de235aadeabc94294ced5, for GNU/Linux 3.2.0, with debug_info, not stripped

./youki --version

youki 1.0

I'm then packaging the binary into a Fedora 30 VM that forms the so-called pod sandbox component of Kata Containers so that I can run youki inside the pod sandbox ( aka guest VM ) rather than on the box that hosts the Kubernetes 1.21 Compute Node.

I'm also using two other tools - skopeo to pull images from public registries and copy them to the local file-system and umoci to unpack the pulled image and make it available as a bundle.

From a console on this VM, I pull an image using skopeo: -

skopeo copy docker://registry.fedoraproject.org/fedora:latest oci://tmp/fedora:latest

and unpack it to a bundle using umoci : -

umoci.amd64 unpack --image /tmp/fedora:latest /tmp/fedora_bundle

and then attempt to create a container using youki : -

youki create davehay --bundle /tmp/fedora_bundle

This fails with: -

Error: could not find mountpoint for hugetlb

I ran youki info

Version           0.0.1
Kernel-Release    5.10.25
Kernel-Version    #1 SMP Fri Jun 11 20:36:25 UTC 2021
Architecture      x86_64
Operating System  Fedora 30 (Thirty)
Cores             1
Total Memory      1995
cgroup version    v1 and v2
cgroup mounts
  blkio           /sys/fs/cgroup/blkio
  cpu             /sys/fs/cgroup/cpu,cpuacct
  cpuacct         /sys/fs/cgroup/cpu,cpuacct
  cpuset          /sys/fs/cgroup/cpuset
  devices         /sys/fs/cgroup/devices
  freezer         /sys/fs/cgroup/freezer
  memory          /sys/fs/cgroup/memory
  net_cls         /sys/fs/cgroup/net_cls,net_prio
  net_prio        /sys/fs/cgroup/net_cls,net_prio
  pids            /sys/fs/cgroup/pids
  unified         /sys/fs/cgroup/unified

To the best of my knowledge, I don't have / want Huge TLB Pages enabled and, to the best of my knowledge, my environment, with Kata Containers 2.1.0-rc0 is using cgroups V1 as per this

In case it helps, here are the mount points inside the guest VM: -

mount

/dev/pmem0p1 on / type ext4 (ro,relatime,errors=remount-ro,data=ordered,dax=always)
devtmpfs on /dev type devtmpfs (rw,relatime,size=1019924k,nr_inodes=254981,mode=755)
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
tmpfs on /run type tmpfs (rw,nosuid,nodev,mode=755)
tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,mode=755)
cgroup2 on /sys/fs/cgroup/unified type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate)
cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,name=systemd)
none on /sys/fs/bpf type bpf (rw,nosuid,nodev,noexec,relatime,mode=700)
cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset)
cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio)
cgroup on /sys/fs/cgroup/net_cls,net_prio type cgroup (rw,nosuid,nodev,noexec,relatime,net_cls,net_prio)
cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpu,cpuacct)
cgroup on /sys/fs/cgroup/pids type cgroup (rw,nosuid,nodev,noexec,relatime,pids)
cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices)
cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)
cgroup on /sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,memory)
cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,perf_event)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev)
systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=29,pgrp=1,timeout=0,minproto=5,maxproto=5,direct)
fusectl on /sys/fs/fuse/connections type fusectl (rw,relatime)
mqueue on /dev/mqueue type mqueue (rw,relatime)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,relatime,pagesize=2M)
nsfs on /run/sandbox-ns/ipc type nsfs (rw)
nsfs on /run/sandbox-ns/uts type nsfs (rw)
kataShared on /run/kata-containers/shared/containers type virtiofs (rw,relatime)
shm on /run/kata-containers/sandbox/shm type tmpfs (rw,relatime)
tmpfs on /etc/resolv.conf type tmpfs (rw,nosuid,nodev,mode=755)
kataShared on /run/kata-containers/1cd920f8ab4c440bed57e6c87c262fff09ca34c94f51d69fcb38f47eb6b97a7d/rootfs type virtiofs (rw,relatime)
kataShared on /run/kata-containers/27718022df79a99c1839534eb8f761231a7a04311c3d3a5955ac9bd2548a9798/rootfs type virtiofs (rw,relatime)

which does include: -

hugetlbfs on /dev/hugepages type hugetlbfs (rw,relatime,pagesize=2M)

and here are the cgroups : -

ls -al /sys/fs/cgroup/

total 0
drwxr-xr-x 13 root root 340 Jun 24 10:37 .
drwxr-xr-x  8 root root   0 Jun 24 10:37 ..
dr-xr-xr-x  3 root root   0 Jun 24 10:37 blkio
lrwxrwxrwx  1 root root  11 Jun 24 10:37 cpu -> cpu,cpuacct
dr-xr-xr-x  3 root root   0 Jun 24 10:37 cpu,cpuacct
lrwxrwxrwx  1 root root  11 Jun 24 10:37 cpuacct -> cpu,cpuacct
dr-xr-xr-x  3 root root   0 Jun 24 10:37 cpuset
dr-xr-xr-x  4 root root   0 Jun 24 10:37 devices
dr-xr-xr-x  3 root root   0 Jun 24 10:37 freezer
dr-xr-xr-x  4 root root   0 Jun 24 10:37 memory
lrwxrwxrwx  1 root root  16 Jun 24 10:37 net_cls -> net_cls,net_prio
dr-xr-xr-x  3 root root   0 Jun 24 10:37 net_cls,net_prio
lrwxrwxrwx  1 root root  16 Jun 24 10:37 net_prio -> net_cls,net_prio
dr-xr-xr-x  3 root root   0 Jun 24 10:37 perf_event
dr-xr-xr-x  4 root root   0 Jun 24 10:37 pids
dr-xr-xr-x  5 root root   0 Jun 24 10:37 systemd
dr-xr-xr-x  4 root root   0 Jun 24 10:37 unified

Appreciating that this is a very non-standard configuration, but all advice gratefully received and appreciated 👍

Nix wrapper doesn't have support for getrlimit at the moment. PR is pending nix-rust/nix#1302. #163 will be merged leaving libc::getrlimit in place. Using this issue to track, so this will not get lost.

Currently, the spec.root.fs is not correctly handled. When init_builder calls load_and_safeguard_spec, the copied version of the spec.json doesn't contain the change to canonicalize the rootfs path. As a result, when youki exec tries to load the safeguarded spec in tenent_builder, the spec.root.path can be incorrect missing the bundle path. As a result, currently, youki exec is also broken.

There are two solutions. One is to save the canonicalized rootfs path with bundle path as part of the spec when safeguard the spec into the /run/youki/<id>. The other option is to take care to canonicalize the path with bundle path again when loading the path in tenent_builder.

Checkpoint and restore is supported by runc. We should also support these operations. There does not seem to be a crate that allows interacting with criu, so we probably have to write it ourselves. The go implementation would be a good starting point. If anyone has more information on this topic it would be appreciated.

This issue creates an implementation that will serve as a template for now, and the other parameters that will be updated will be managed in a separate issue as a good first issue.
ref: https://github.com/opencontainers/runc/blob/master/man/runc-update.8.md

It would be nice to have an overview of all the containers created by youki and their current state.

I don't know anything about rootless container yet. I'd like to use this issue to gather references and think about the design. I'm also looking for people to challenge this.

References

• https://github.com/opencontainers/runc/blob/master/rootless_linux.go
• https://rootlesscontaine.rs/
• https://docs.docker.com/engine/security/rootless/

Now, This project has too few comments and documentation.
I would like to improve the development experience by improving them.

As discussed in #14 , we can rename cond to pipe as it is more understandable. If you won't mind, I would like to refactor it and its occurrences. Reason to open new issue is that it is more than just documentation, so didn't want to add it in #14. you're fine with it, assign me this issue.
Another good reason to do this, as the module comment for it indicates it is a

conditional variable performing busy waiting on lock

but it is actually related to unix pipes, and the name can cause more confusion later on.

Right now if we had a test failed when run cargo test, the failure message is missing and we can not locate the assert that failed directly.

And if comment the tests code in tty.rs, the failure message show up again. Just like the failure message is eaten by the tty.

Failure test without commenting tests in tty.rs.

Failure test with commenting tests in tty.rs.

It would be a little annoying for debugging when CI failed. So maybe we should find a way to make failure message come back.

cc @utam0k

Write an article for the first release of youki.

Feel free to post ideas.

I am looking into supporting cgroups v2.
However, I'm not an expert, so I'm looking for what I need, useful documentation, design suggestions, etc.
Also, if anyone would like to challenge me, I welcome you to challenge me with me.

References

• opencontainers/runc#654
• https://www.youtube.com/watch?v=P6Xnm0IhiSo&list=WL&index=58
• https://www.kernel.org/doc/html/latest/admin-guide/cgroup-v2.html
• https://github.com/opencontainers/runc/tree/master/libcontainer/cgroups/fs2

The integration tests can pass or fail depending on the system it's actually running on, one example of this is the network cgroups. On some systems the network cgroups mount into 2 different directories "net_prio" and "net_cls", on others they mount into one directory "net_cls,net_prio" or "net_prio,net_cls". This means that on some systems integration tests will pass, and others they will fail and Youki will not run properly. I believe this is specific to how distributions are setup. So it might be worth while to setup some kind of testing in 3-4 of the most popular distributions. These tests would be setup locally only, since our current CI cannot handle it at the moment.

My thoughts on which systems to test is:

• Redhat/Fedora
• Ubuntu LTS
• Latest stable Debian
• Alpine Linux, this is a good candidate to also test a system that doesn't use systemd

This test tooling will likely use a VM, something like vagrant might be most useful here. I don't believe testing container runtimes in a container will work all that well. Another choice might be something like Amazon's Firecracker.

In addition to providing multiple test environments this could also allow Windows and Mac users to more easily test changes.

The CI fails sporadically during the kill command test when calling the start command with " could not be started because it was Stopped". I have not yet been able to reproduce this behavior locally.

This is the output of youki (with additional traces) when running the test successfully.

[INFO src/state.rs:16] 2021-07-08T12:12:31.874083870+02:00 CALLED STATE
[INFO src/delete.rs:26] 2021-07-08T12:12:31.876735623+02:00 CALLED DELETE
[INFO src/create.rs:34] 2021-07-08T12:12:31.880261860+02:00 CALLED CREATE
[INFO src/cgroups/common.rs:155] 2021-07-08T12:12:31.891048269+02:00 cgroup manager V1 will be used
[WARN src/capabilities.rs:27] 2021-07-08T12:12:31.916619716+02:00 CAP_CHECKPOINT_RESTORE doesn't support.
[WARN src/capabilities.rs:27] 2021-07-08T12:12:31.916699714+02:00 CAP_PERFMON doesn't support.
[WARN src/capabilities.rs:27] 2021-07-08T12:12:31.916721314+02:00 CAP_BPF doesn't support.
[INFO src/state.rs:16] 2021-07-08T12:12:31.984294516+02:00 CALLED STATE
[INFO src/kill.rs:20] 2021-07-08T12:12:31.994463136+02:00 CALLED KILL
[INFO src/state.rs:16] 2021-07-08T12:12:32.003495876+02:00 CALLED STATE
[INFO src/delete.rs:26] 2021-07-08T12:12:32.007922697+02:00 CALLED DELETE
[INFO src/cgroups/common.rs:155] 2021-07-08T12:12:32.020250779+02:00 cgroup manager V1 will be used
[INFO src/state.rs:16] 2021-07-08T12:12:32.051025233+02:00 CALLED STATE
[INFO src/create.rs:34] 2021-07-08T12:12:32.054227576+02:00 CALLED CREATE
[INFO src/cgroups/common.rs:155] 2021-07-08T12:12:32.063796607+02:00 cgroup manager V1 will be used
[WARN src/capabilities.rs:27] 2021-07-08T12:12:32.116028281+02:00 CAP_PERFMON doesn't support.
[WARN src/capabilities.rs:27] 2021-07-08T12:12:32.116231877+02:00 CAP_BPF doesn't support.
[WARN src/capabilities.rs:27] 2021-07-08T12:12:32.116306276+02:00 CAP_CHECKPOINT_RESTORE doesn't support.
[INFO src/start.rs:19] 2021-07-08T12:12:32.145331061+02:00 CALLED START
[INFO src/state.rs:16] 2021-07-08T12:12:32.148588804+02:00 CALLED STATE
[INFO src/kill.rs:20] 2021-07-08T12:12:32.151353455+02:00 CALLED KILL
[INFO src/state.rs:16] 2021-07-08T12:12:32.153879310+02:00 CALLED STATE
[INFO src/delete.rs:26] 2021-07-08T12:12:32.156782258+02:00 CALLED DELETE
[INFO src/cgroups/common.rs:155] 2021-07-08T12:12:32.165717500+02:00 cgroup manager V1 will be used
[INFO src/state.rs:16] 2021-07-08T12:12:32.190686057+02:00 CALLED STATE
[INFO src/create.rs:34] 2021-07-08T12:12:32.193853601+02:00 CALLED CREATE
[INFO src/cgroups/common.rs:155] 2021-07-08T12:12:32.203325533+02:00 cgroup manager V1 will be used
[WARN src/capabilities.rs:27] 2021-07-08T12:12:32.251435881+02:00 CAP_BPF doesn't support.
[WARN src/capabilities.rs:27] 2021-07-08T12:12:32.251517179+02:00 CAP_CHECKPOINT_RESTORE doesn't support.
[WARN src/capabilities.rs:27] 2021-07-08T12:12:32.251542679+02:00 CAP_PERFMON doesn't support.
[INFO src/start.rs:19] 2021-07-08T12:12:32.277765314+02:00 CALLED START
[INFO src/state.rs:16] 2021-07-08T12:12:32.280738961+02:00 CALLED STATE
[INFO src/kill.rs:20] 2021-07-08T12:12:32.283505912+02:00 CALLED KILL
[INFO src/state.rs:16] 2021-07-08T12:12:32.286962351+02:00 CALLED STATE
[INFO src/delete.rs:26] 2021-07-08T12:12:32.289950498+02:00 CALLED DELETE
[INFO src/cgroups/common.rs:155] 2021-07-08T12:12:32.299679825+02:00 cgroup manager V1 will be used
[INFO src/state.rs:16] 2021-07-08T12:12:32.347732274+02:00 CALLED STATE

This is where we are checking the state.

pub fn refresh_status(&mut self) -> Result<Self> {
        let new_status = match self.pid() {
            Some(pid) => {
                // Note that Process::new does not spawn a new process
                // but instead creates a new Process structure, and fill
                // it with information about the process with given pid
                if let Ok(proc) = Process::new(pid.as_raw()) {
                    use procfs::process::ProcState;
                    match proc.stat.state().unwrap() {
                        ProcState::Zombie | ProcState::Dead => ContainerStatus::Stopped,
                        _ => match self.status() {
                            ContainerStatus::Creating | ContainerStatus::Created => self.status(),
                            _ => ContainerStatus::Running,
                        },
                    }
                } else {
                    ContainerStatus::Stopped
                }
            }
            None => ContainerStatus::Stopped,
        };
        Ok(self.update_status(new_status))
    }

It appears like the container process doesn't exist anymore. The question is why do we see this behavior only in the kill tests?

ref: https://github.com/opencontainers/runc/blob/master/man/runc-events.8.md

ref: https://github.com/opencontainers/runc/blob/master/docs/terminals.md#other-file-descriptors

Youki is currently using the integration tests from rutime-tools, but there are some areas where this isn't sufficient (e.g. cgv2), so we will implement our own.

Hi,
Nice project. Have you seen https://github.com/tailhook/unshare? This may be a library you could use for your lower-level implementation.

Regards,
Sojan

The current logo is too confusing.
I'm not very good at drawing, so I'm looking for help.

With the release of clone as a new systemcall in kernel version 5.7^, we can now use it to hopefully reduce the number of forks youki does when creating a container (See here).

cc @utam0k @Furisto @flxo

ref: https://github.com/opencontainers/runc/blob/master/man/runc-run.8.md

❯ ls
config.json  rootfs
❯ sudo ~/crun run mycontainer
❯ ~/youki run mycontainer
error: Found argument 'run' which wasn't expected, or isn't valid in this context

If you tried to supply `run` as a PATTERN use `-- run`

USAGE:
    youki [FLAGS] [OPTIONS] <SUBCOMMAND>

For more information try --help

Hello, I am very interested in the container runtime, but I don’t have much relevant experience. I noticed that the run command is not implemented.

And I can try to do it if you agree.

Hooks are a vital aspect when mapping complex input devices i.e. gpu or accelerator devices into the container namespace. The most common use case is using machine learning workloads in a container workload that requires cuda access i.e. for CI jobs of juice

Spec ref: https://github.com/opencontainers/runtime-spec/blob/master/config.md#posix-platform-hooks

While running cargo test on main branch, cgroups v2 freezer test_set_freezer_state seems to fail randomly.
Curiously it seems some kind of race condition makes it fail? Because sometimes when running cargo test, it prints

test cgroups::v2::freezer::tests::test_set_freezer_state ... FAILED

and shows that test has failed, with a message

error: test failed, to rerun pass '--lib'

below result of all running tests,
sometimes it prints

test cgroups::v1::freezer::tests::test_set_freezer_state ... ok

but still stops running unit and doc tests, with error message

error: test failed, to rerun pass '--lib'

and sometimes this test passes, and all test are run and pass.

Another thing I have noted is that order of tests is changes, as in probably cargo runs tests in parallel, which might play a role in this?

The test uses Arc, and the order of tests in cargo test output changes each time, so I feel this might be some issue related to concurrency and race conditions, but could be something else as well.

ref: https://github.com/opencontainers/runc/blob/master/man/runc-checkpoint.8.md

The spec.rs that reads the oci-spec specification is a general-purpose code that can be used not only in this project.
Therefore, I would like to extract and provide it as a separate crate from youki in this repository.
Ideally, the youki itself should use the crate.
If anyone is interested in this, I would like to challenge you.

cc @utam0k

This issue is for tracking PR to pass the command line integration test.
If you are interested, you can comment on this issue and I will assign it to you. This issue is for tracking PR to pass the command line integration test. Some of them may already pass the tests.

• create(assigned @0xdco)
  https://github.com/opencontainers/runtime-tools/tree/master/validation/create
• kill
  https://github.com/opencontainers/runtime-tools/tree/master/validation/kill
• delete(@duduainankai )
  https://github.com/opencontainers/runtime-tools/tree/master/validation/delete
• start(assigned @TinySong)
  https://github.com/opencontainers/runtime-tools/tree/master/validation/start
• state
  https://github.com/opencontainers/runtime-tools/tree/master/validation/state

Goal

Each of them will be targeted to pass integration tests. If possible, it is good to have unit tests as well.
It would be helpful to have a look at the GitHub Actions file to see how to run the integration tests.

This issue is for tracking the implementation of cgroups v2.
Since cpu and cpuset of cgoups has already been implemented, you can implement it while referring to it.
If you are interested, you can comment on this issue and I will assign it to you.

• cpu #48
• cpuset #48
• memory(assigned @tsturzl ) #141
• huge tlb(@0xdco) #135
• pids(assigned @TinySong) #119
• freezer(assigned @duduainankai) #123
• io(assigned @TinySong) #128

Devices are special and will be handled separately from this issue.
#230

Goal

There isn't an integration test for cgv2, so please make sure that the results of the operation and unit tests are successful.

Reference

• https://www.kernel.org/doc/Documentation/cgroup-v2.txt
• https://github.com/opencontainers/runc/tree/master/libcontainer/cgroups/fs2

Please add a CODE-OF-CONDUCT.md and SECURITY.md to this project. Feel free to cut/paste the ones from https://github.com/containers/buildah and then just touch up the project name within. Also, please include a contact email in the README.md if possible so that we can send any security issues to it.

Hi, thanks for the project, it's very intresting!
I would like to work on seccomp feature if possible.

Now that #178 is in, we should implement these hooks. Ref: https://github.com/opencontainers/runtime-spec/blob/master/config.md#posix-platform-hooks

• prestart (deprecated, so maybe we don't have to do this? Investigate if latest docker and/or podman still use this)
• createRuntime
• createContainer
• startContainer
• post start
• post stop

The create.rs should be split up more, but I don't have a good idea how to split it up, so if you have any suggestions, please let me know.

Ideas

• builder pattern(#117 (comment))
  https://doc.rust-lang.org/1.0.0/style/ownership/builders.html

The current youki has far too few unit tests.
We are planning to increase the test coverage for the following files.
Perhaps this is a very good opportunity to understand the code and how it works. If you are interested, please comment on the issue and declare the files you want to test.

• src/spec.rs
• src/namespaces
• src/cgrpups/devices.rs(assigned @tsturzl) #75
• src/cgroups/manage.rs
• src/create.rs(assigned @TinySong)
• src/capability.rs (assigned @sensaiankit)
• src/rootfs.rs(assigned @constreference )
• src/tty.rs(assigned @constreference ) #102

We have a new repository available for the OCI spec: https://github.com/containers/oci-spec-rs

The main goal would be now to move over the code, setup the CI and make this repository dependent on it.

Youki changed the owner from utam0k to containers.
The link needs to be changed accordingly.

This issue is for tracking the implementation of cgroups.
Since devices of cgoups has already been implemented, you can implement it while referring to it.
If you are interested, you can comment on this issue and I will assign it to you.

• devices
• network(assigned @tsturzl)
  The integration test is this: https://github.com/opencontainers/runtime-tools/tree/master/validation/linux_cgroups_network
• pids (assigned @0xdco) utam0k#26
• hugepageLimits(assigned @Furisto) utam0k#15
• memory (assigned @tsturzl) utam0k#16
• cpu(assigned @Furisto) #63
  The integration test is this: https://github.com/opencontainers/runtime-tools/tree/master/validation/linux_cgroups_cpus
• blockIO(assigned @Furisto) utam0k#31
• cpuacct (assigned @yjuba) #92
• cpuset (assigned @Furisto) #63
• perf_event (assigned @fbrv) #166
• freezer (assigned @duduainankai ) #93

Goal

Each of them will be targeted to pass integration tests. If possible, it is good to have unit tests as well.
It would be helpful to have a look at the GitHub Actions file to see how to run the integration tests.

Reference

• https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md#control-groups
• https://www.kernel.org/doc/html/latest/admin-guide/cgroup-v1/index.html

e.g. https://github.com/utam0k/youki/runs/2706688448

I tried on Fedora and Centos, I believe it should be systemd-devel

Hello youki team,

I'm one of the co-chairs of the CNCF SIG-Runtime, I'm reaching out and think it would be great for you to present/discuss the project at one of our meetings. An overview of the project would be great.

Let me know if this something you'd be interested in doing. If yes, please feel free to add it to our agenda or reach out to me (raravena80 at gmail.com)

Thanks!

ref: https://github.com/opencontainers/runc/blob/master/man/runc-ps.8.md

Hey folks, I think I do not have to mention that this is an interesting project. Great work so far! 👏

I'd like to point to our other side-project containrs, which targets to implement a higher level runtime like containerd and CRI-O: https://github.com/cri-o/containrs

Do you think it would make sense to share some types, for example integrating them into youki and then re-using later on in our project? I see some overlaps, for example:

• in the OCI runtime spec: https://github.com/cri-o/containrs/blob/master/src/oci/spec/runtime.rs
• capabilities: https://github.com/cri-o/containrs/blob/master/src/capability.rs'
• seccomp: https://github.com/cri-o/containrs/blob/master/src/seccomp.rs

We should be able to concurrently configure each of the cgroup subsystems to hopefully see some performance improvements. One thing to note is write order within a controller is important to keep track of since values can be validated against each other by the kernel. Initially it may be best to write configs in each controller in series and have each controller be executing concurrently with the next, and eventually move into more granular concurrency.

ref: https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md#masked-paths