Comments (6)
I merged opencontainers/runc#160 (at opencontainers/runc@4f7ff04) into runc's master (at opencontainers/runc@0f85e4e), reverted opencontainers/runc@cc232c47 (part of opencontainers/runc#232) to avoid clobbering my adjustment, and wrote a host-side hook to handle the adjustment:
$ cat /tmp/oom-score-adj.sh
#!/bin/sh
ADJ="$1"
#PID=$(jq -r .pid)
PID=$(jq -r .init_process_pid)
echo "${ADJ}" > "/proc/${PID}/oom_score_adj"
The init_process_pid
vs. pid
in the state JSON is a difference between runC's state as of opencontainers/runc#160 and the spec that landed in #87 (after the initial runC work).
Then I added the hook to my config.json
:
$ cat config.json
{
…
"hooks": {
"prestart": [
{
"path": "/tmp/oom-score-adj.sh",
"args": ["oom-score-adj.sh", "+10"]
}
],
"poststop": null
},
…
}
Then launching the container gives the right score:
# runc
/ # cat /proc/1/oom_score
10
So the hook approach ((2) in my original post here) is valid, and not particularly difficult. I propose we document that approach in this spec (for the reasons outlined in my original post here) and roll back opencontainers/runc#232 in runC.
from runtime-spec.
The init process
is a runC thing. In my mind, pre-start hooks are launched when the container environment has been established. Whether there is an init process
involved or not is an implementation detail.
Do we have other use cases which demand the need for giving access to the init process from a hook?
from runtime-spec.
On Mon, Oct 12, 2015 at 01:18:28PM -0700, Vish Kannan wrote:
The
init process
is a runC thing.
Regardless of implementation, a runtime will almost certainly need to
call setns(2), unshare(2), pivot_root(2) or some such activity before
execing the user-specified container process. I don't know how you'd
do that without some runtime-specified code being run in the container
process before the user-specified code is executed.
In my mind, pre-start hooks are launched when the container
environment has been established.
Agreed. And the container isn't established until there's a process
in there holding open PID namespaces, mount namespaces, etc., etc.
Do we have other use cases which demand the need for giving access
to the init process from a hook?
What do you mean “giving access”? Just “listing the
container-process's PID in the pre-start state JSON”?
from runtime-spec.
On Mon, Oct 12, 2015 at 01:33:20PM -0700, W. Trevor King wrote:
Mon, Oct 12, 2015 at 01:18:28PM -0700, Vish Kannan:
The
init process
is a runC thing.Regardless of implementation, a runtime will almost certainly need
to call setns(2), unshare(2), pivot_root(2) or some such activity
before execing the user-specified container process. I don't know
how you'd do that without some runtime-specified code being run in
the container process before the user-specified code is executed.
@vishh pointed out that the unshare and pivot_root calls can live in a
separate container-side process that exits before the process that
will become the user-specified container process starts 1. You'll
still need runtime-specified setns calls in the process that will
become the user-specified container process, but if you allow for a
missing PID namespace at pre-start time those hooks may land in the
window between the two container processes:
- Launch container-side setup process to unshare, pivot_root, etc.
- Bind mount those new namespaces somewhere persistent.
- Container-side setup process exits.
- Run pre-start hooks
- Launch container-side process to unshare a PID namespace (if the
user wanted a new one), configure uid/group mappings, setns,
setuid, setgid, setgroups, drop caps, and exec user-specified code.
You can get a fair ways toward handling its unshare/setns bits with
util-linux's unshare(1) and nsenter(1). But by the time you add all
the rest of the logic I still think you're outside the realm of what's
easily possible with stock binaries, and we might as well just use the
same container process for (1) and (5).
So I don't think it's a particularly large win to support the “two
separate container process's” runtime implementation. And once you've
got a single container process, your pre-start hooks can rely on
having a PID namespace and a useful PID in their state JSON.
Am I missing something?
from runtime-spec.
with hooks being in the spec, the setting of this should be supported.
Closing this issue.
from runtime-spec.
On Wed, Mar 16, 2016 at 10:24:02AM -0700, Vincent Batts wrote:
with hooks being in the spec, the setting of this should be supported.
This issue was “how do we want to support things like oom_score_adj”,
with me arguing for folks to handle it in a hook instead (option 2 in
the topic post) of adding a new config-side setting (option 1) or the
user-configured application (option 3). The bigger picture issue is
which kernel APIs this spec wraps and how thin a wrapper it should be
(see also 1). I think those are still important questions to sort
out, but in this case #222 chose in favor of a new config-side
setting. @vishh had a few comments/links motivating that choice
[2,3,4], but I'm still not clear on why a config-side setting was
chosen over the hook-based approach 5.
Anyway, I'm happy to continue this discussion on the mailing list, or
as needed as new settings are proposed.
Subject: removal of cgroups from the OCI Linux spec
Date: Wed, 28 Oct 2015 17:01:59 +0000
Message-ID: <CAD2oYtO1RMCcUp52w-xXemzDTs+J6t4hS5Mm4mX+uBnVONGDfA@mail.gmail.com>
from runtime-spec.
Related Issues (20)
- runtime.md: State MUST be serialized with specific indentation pattern? HOT 3
- `runAsGroup` vs `supplementalGroups` HOT 3
- support PostExit Hook HOT 11
- Proposal: Add the `update` operation HOT 1
- When using Windows containers in Containerd the windows layerFolder is null and the root is blank HOT 10
- whether update container delete doc
- When running `make rust-oci-tests` getting error `container state could not be retrieved successfully.` HOT 3
- features.md: add unsafe annotation list HOT 2
- config-linux: Should we clarify when should we set the swap limit? HOT 2
- idmapped mounts: should they be applied recursively?
- dev versions don't respect semver HOT 6
- features: mountExtensions: how best to represent feature support for idmap? HOT 5
- Update `config_linux.md` when libseccomp `v2.6.0` is relased
- Why does the oci runtime spec define the runtime operation after the proposal of" runtime CLI spec" has been rejected? HOT 2
- Proposal: Support filter (Includes and Excludes) feature in LinuxSyscall HOT 7
- Proposal: Network Devices HOT 12
- Build error with clang++ 17 HOT 7
- Proposal: use pre-generated BPF filter HOT 3
- Damarcus Jones Professional
- Proposal: synchronize cgroupv1 deprecation announcements HOT 7
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from runtime-spec.