legacy mode

legacy mode

[Serge E. Hallyn]

Hi,

after the unified cgroup overview at the containers mini-summit last week,
I mentioned the idea of supporting backward-compatible cgroupfs mounts in
the unified hierarchy.

The problem this would solve is running older userspace (i.e. libvirt in
a container running an older distro) on a newer kernel which has unified
hierarchy mounted.

I was thinking this could do the same tricks I'm doing in cgmanager to
support the existing cgmanager API with the unified hierarchy:  i.e. create
a leaf node for every cgroup, and redirect any tasks written to the
cgroup.procs file for $cgroup to $cgroup/.leaf.  I realize there will
likely be other changes, but keeping in mind that new unified-only features
aren't relevant for legacy support, maybe this sort of approach wouldn't
be as bad as I originally thought it would be.  Not supporting release-agent
is also a non-issue imo.

The combination of cgroup namespaces, a "legacy-mount" mode, and fully
proper hierarchical support leading to full safe delegation, would
allow cgmanager and lxcfs to be killed with extreme privilege - WIN!

So is anyone interested on working on a legacy mount option?  What other
issues need to be considered there?

thanks,
-serge

Re: legacy mode

[Tejun Heo]

Hello,

On Thu, Aug 27, 2015 at 03:21:37PM -0500, Serge E. Hallyn wrote:
> The problem this would solve is running older userspace (i.e. libvirt in
> a container running an older distro) on a newer kernel which has unified
> hierarchy mounted.

But the leaf restriction isn't the only change.  The interface files
are different too and for some controllers the basic operation model
is different, so I don't see how just adding .leaf would do much good.

If the legacy userspace doesn't do any resource control, the leaf rule
restriction doesn't apply anyway, so nothing to worry about.

Thanks.

-- 
tejun

Re: legacy mode

[Serge E. Hallyn]

On Thu, Aug 27, 2015 at 04:27:22PM -0400, Tejun Heo wrote:
> Hello,
> 
> On Thu, Aug 27, 2015 at 03:21:37PM -0500, Serge E. Hallyn wrote:
> > The problem this would solve is running older userspace (i.e. libvirt in
> > a container running an older distro) on a newer kernel which has unified
> > hierarchy mounted.
> 
> But the leaf restriction isn't the only change.  The interface files

That was an example.  It would also have to automatically enable
controllers in child cgroups, and I'm not sure what to do about
the tasks file.

> are different too and for some controllers the basic operation model
> is different, so I don't see how just adding .leaf would do much good.

Yeah and some of these may be a problem, but the problems I outlined
above are the ones which are *really* breaking old userspace.

Keeping in mind what I've seen most people use for containers, what I've
seen in the Documentation/cgroups/unified.txt file shouldn't be too terrible.
My last test was on 3.19.0-18-generic and I assume it gets worse, and
we'll need to proxy attempts at memory limit setting, for instance.

> If the legacy userspace doesn't do any resource control, the leaf rule
> restriction doesn't apply anyway, so nothing to worry about.

My main use case is nested lxc, presumably with systemd inside some of
the nested containers, so this would definately be an issue.

-serge

Re: legacy mode

[Tejun Heo]

Hello, Serge.

On Thu, Aug 27, 2015 at 03:45:00PM -0500, Serge E. Hallyn wrote:
> > If the legacy userspace doesn't do any resource control, the leaf rule
> > restriction doesn't apply anyway, so nothing to worry about.
> 
> My main use case is nested lxc, presumably with systemd inside some of
> the nested containers, so this would definately be an issue.

W/o controllers in the nested environment, it should be fine.  W/
controllers, I don't think this is going to fly.  I don't think trying
to bridge the two versions is a healthy direction in the long term.

Thanks.

-- 
tejun

Re: legacy mode

[Serge E. Hallyn]

On Thu, Aug 27, 2015 at 04:48:25PM -0400, Tejun Heo wrote:
> Hello, Serge.
> 
> On Thu, Aug 27, 2015 at 03:45:00PM -0500, Serge E. Hallyn wrote:
> > > If the legacy userspace doesn't do any resource control, the leaf rule
> > > restriction doesn't apply anyway, so nothing to worry about.
> > 
> > My main use case is nested lxc, presumably with systemd inside some of
> > the nested containers, so this would definately be an issue.
> 
> W/o controllers in the nested environment, it should be fine.  W/
> controllers, I don't think this is going to fly.  I don't think trying
> to bridge the two versions is a healthy direction in the long term.

That's unfortunate as it suggests that lxcfs is the only way around
this problem :(

Re: legacy mode

[Eric W. Biederman]

Tejun Heo <tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> writes:

> Hello, Serge.
>
> On Thu, Aug 27, 2015 at 03:45:00PM -0500, Serge E. Hallyn wrote:
>> > If the legacy userspace doesn't do any resource control, the leaf rule
>> > restriction doesn't apply anyway, so nothing to worry about.
>> 
>> My main use case is nested lxc, presumably with systemd inside some of
>> the nested containers, so this would definately be an issue.
>
> W/o controllers in the nested environment, it should be fine.  W/
> controllers, I don't think this is going to fly.  I don't think trying
> to bridge the two versions is a healthy direction in the long term.

Which strongly suggests that the unified hierarchy will never be
deployable as it breaks too much userspace.

Eric