Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support LinuxDeviceCgroup updates #3401

Open
agners opened this issue Mar 3, 2022 · 5 comments · May be fixed by #3402
Open

Support LinuxDeviceCgroup updates #3401

agners opened this issue Mar 3, 2022 · 5 comments · May be fixed by #3402

Comments

@agners
Copy link

agners commented Mar 3, 2022
edited
Loading

To be able to adjust device permissions at runtime, this issue seeks to implement support for Linux Device CGroup updates. It is a prerequisite to get such support in Moby/Docker, see also moby/moby#42255.

Currently supplying devices to runc update --resources - does not adjust cgroup(v2) device permissions for an existing container. Some issues with device updates have been outlined in #2366 and addressed in various PRs linked to that issue.

To implement support updates would need to pass devices to the internal config.Cgroups.Resources.Devices structure. Besides update also sets config.Cgroups.SkipDevices to false explicitly, which probably would need changing.

I guess the semantics of update would need to be defined exactly. A simplistic approach would be to implement a behavior similar to what CreateCgroupConfig implements: Clear the current list of devices, append the list provided by the update command, then append the defaultDevs.

In PR #2951 @cyphar added a comment saying:

	# Unfortunately we can't update device rules directly with runc ("runc
	# update" doesn't support it, and adding support would require ironing out
	# some long-standing design issues with device configuration). So instead
	# we just run "runc update" many times, relying on the fact that runc will
	# re-apply devices cgroup rules on each runc update.

What are those design issues exactly?
@agners agners linked a pull request Mar 3, 2022 that will close this issue
Open
@tripplet tripplet mentioned this issue Mar 8, 2022
Closed
@utam0k
Copy link
Member

utam0k commented Mar 26, 2022

FYI: containerd recently added support for it.
containerd/cgroups#225

@agners
Copy link
Author

agners commented Mar 28, 2022

@utam0k hm, that is the containerd API basically allowing to update using a Resource object correct? I guess it still requires the runc changes to make the device part actually work.

@utam0k
Copy link
Member

utam0k commented Mar 28, 2022

@agners As far as I know, containerd has its own device emulate. I guess it use own devices emulate to update resources. If I am wrong, please let me 🙏

@agners
Copy link
Author

agners commented Mar 30, 2022

@utam0k from what I understand containerd uses runc as low-level runtime by default. I don't think it has a built-in low level runtime, it requires runc to work (see https://github.com/containerd/containerd/blob/main/BUILDING.md#runc). It seems to support alternative runtimes such as crun.

@utam0k
Copy link
Member

utam0k commented Apr 3, 2022
edited
Loading

@agners That's right. But containerd has its own cgroup controller. Actually contained can update devices in cgv1.
https://github.com/containerd/cgroups

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add device resource update support agners/runc
2 participants
@agners @utam0k