
rootless: enable resource limitation (requires cgroup v2, systemd) #3005

Merged
merged 2 commits into from
Mar 24, 2021

Conversation

AkihiroSuda
Contributor

@AkihiroSuda AkihiroSuda commented Mar 2, 2021

Proposed Changes

rootless: enable resource limitation (requires cgroup v2, systemd)

Types of Changes

New Feature

Verification

```sh
$ sudo mkdir -p /etc/systemd/system/user@.service.d
$ cat <<EOF | sudo tee /etc/systemd/system/user@.service.d/delegate.conf
[Service]
Delegate=cpu cpuset io memory pids
EOF
$ sudo systemctl daemon-reload
```

  • Copy k3s-rootless.service to ~/.config/systemd/user/k3s-rootless.service
  • Run systemctl --user daemon-reload
  • Run systemctl --user enable --now k3s-rootless
  • Run KUBECONFIG=~/.kube/k3s.yaml kubectl get pods -A. Make sure the pods are running.
  • Run a test pod like this:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: test-limits
spec:
  containers:
  - name: test-limits
    image: alpine
    command: ["top"]
    resources:
      limits:
        cpu: 420m
        memory: 42Mi
```

```console
$ cat /proc/41309/cgroup
0::/user.slice/user-1001.slice/user@1001.service/k3s-rootless.service/kubepods/podd0eb6921-c81a-4214-b36c-d3b9bb212fac/671b393f08437d7e89e234d9d395aecef155104c7c241f5701844360ffebacac

$ cat /sys/fs/cgroup/user.slice/user-1001.slice/user@1001.service/k3s-rootless.service/kubepods/podd0eb6921-c81a-4214-b36c-d3b9bb212fac/671b393f08437d7e89e234d9d395aecef155104c7c241f5701844360ffebacac/cpu.max
42000 100000

$ cat /sys/fs/cgroup/user.slice/user-1001.slice/user@1001.service/k3s-rootless.service/kubepods/podd0eb6921-c81a-4214-b36c-d3b9bb212fac/671b393f08437d7e89e234d9d395aecef155104c7c241f5701844360ffebacac/memory.max
44040192
```

Linked Issues

Issue #3004

Further Comments

Now rootless mode can be used with cgroup v2 resource limitations.

A pod is executed in a cgroup like /user.slice/user-1001.slice/user@1001.service/k3s-rootless.service/kubepods/podd0eb6921-c81a-4214-b36c-d3b9bb212fac/63b5a253a1fd4627da16bfce9bec58d72144cf30fe833e0ca9a6d60ebf837475.

This is accomplished by running kubelet in a cgroup namespace, and enabling cgroupfs driver for the cgroup hierarchy delegated by systemd.

To enable cgroup v2 resource limitation, k3s server --rootless needs to be launched as systemctl --user service.
Please see the comment lines in k3s-rootless.service for the usage.

Running k3s server --rootless via a terminal is not supported and results in disabling cgroup.

To run k3s server --rootless on a terminal forcibly, systemd-run --user -p Delegate --tty needs to be prepended to create a systemd scope.
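An added preflight check for the setup verified above (example code written for this review, not from the PR or from k3s): it confirms that the cgroup a container pid lives in actually has the five controllers the delegate.conf drop-in delegates, and converts a pod's cpu/memory limits into the cpu.max and memory.max values the verification shows (420m → "42000 100000", 42Mi → 44040192) so they can be compared with the live files. CGROUP_ROOT and all function names are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not part of the k3s PR: preflight checks for rootless k3s
# resource limits on cgroup v2. CGROUP_ROOT is a hypothetical override so the
# functions can also be run against a constructed directory tree.
CGROUP_ROOT="${CGROUP_ROOT:-/sys/fs/cgroup}"
# cgroup v2 path of a pid from the single "0::/..." line of /proc/<pid>/cgroup.
cgroup_path_of() { sed -n 's/^0:://p' "/proc/$1/cgroup"; }

# The controllers the user@.service drop-in delegates; prints the missing ones
# and returns 1, or prints nothing and returns 0 when all five are present.
missing_controllers() {
    ctrl_file="$CGROUP_ROOT$1/cgroup.controllers"
    [ -r "$ctrl_file" ] || { echo "unreadable: $ctrl_file"; return 1; }
    have=" $(cat "$ctrl_file") "
    missing=""
    for c in cpu cpuset io memory pids; do
        case "$have" in *" $c "*) ;; *) missing="$missing $c" ;; esac
    done
    [ -z "$missing" ] || { echo "missing:$missing"; return 1; }
}

# Kubernetes CPU limit -> cgroup v2 cpu.max "quota period" with the kubelet's
# 100ms period: "420m" -> "42000 100000", "2" -> "200000 100000".
cpu_max_of() {
    case "$1" in
        *m)  q=$(( ${1%m} * 100 )) ;;
        *.*) q=$(awk -v v="$1" 'BEGIN { printf "%d", v * 100000 }') ;;
        *)   q=$(( $1 * 100000 )) ;;
    esac
    echo "$q 100000"
}
# Kubernetes memory limit -> bytes as written to memory.max: "42Mi" -> 44040192.
mem_bytes_of() {
    case "$1" in
        *Ki) echo $(( ${1%Ki} * 1024 )) ;;
        *Mi) echo $(( ${1%Mi} * 1048576 )) ;;
        *Gi) echo $(( ${1%Gi} * 1073741824 )) ;;
        *)   echo "$1" ;;
    esac
}

# Compare a running container (by pid) with its declared limits, e.g. check_pid_limits 41309 420m 42Mi
check_pid_limits() {
    path=$(cgroup_path_of "$1") || return 1
    missing_controllers "$path" || return 1
    [ "$(cat "$CGROUP_ROOT$path/cpu.max")" = "$(cpu_max_of "$2")" ] || { echo "cpu.max mismatch"; return 1; }
    [ "$(cat "$CGROUP_ROOT$path/memory.max")" = "$(mem_bytes_of "$3")" ] || { echo "memory.max mismatch"; return 1; }
    echo "ok: $path"
}
```

If missing_controllers reports cpuset or io absent, the user@.service drop-in was not applied (or daemon-reload was skipped), which is the usual reason limits silently do nothing in rootless mode.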

@AkihiroSuda AkihiroSuda force-pushed the rootless-resource-limit branch 2 times, most recently from c1433b8 to bb3ece2 Compare March 16, 2021 04:35
@AkihiroSuda AkihiroSuda force-pushed the rootless-resource-limit branch from bb3ece2 to 2d682ae Compare March 16, 2021 05:47
@AkihiroSuda AkihiroSuda changed the title [WIP] rootless: enable resource limitation (requires cgroup v2, systemd) rootless: enable resource limitation (requires cgroup v2, systemd) Mar 16, 2021
@AkihiroSuda AkihiroSuda marked this pull request as ready for review March 16, 2021 05:48
@AkihiroSuda AkihiroSuda requested a review from a team as a code owner March 16, 2021 05:48
Signed-off-by: Akihiro Suda <[email protected]>
Now rootless mode can be used with cgroup v2 resource limitations.
A pod is executed in a cgroup like "/user.slice/user-1001.slice/user@1001.service/k3s-rootless.service/kubepods/podd0eb6921-c81a-4214-b36c-d3b9bb212fac/63b5a253a1fd4627da16bfce9bec58d72144cf30fe833e0ca9a6d60ebf837475".

This is accomplished by running `kubelet` in a cgroup namespace, and enabling `cgroupfs` driver for the cgroup hierarchy delegated by systemd.

To enable cgroup v2 resource limitation, `k3s server --rootless` needs to be launched as `systemctl --user` service.
Please see the comment lines in `k3s-rootless.service` for the usage.

Running `k3s server --rootless` via a terminal is not supported.
When it really needs to be launched via a terminal, `systemd-run --user -p Delegate --tty` needs to be prepended to create a systemd scope.

Signed-off-by: Akihiro Suda <[email protected]>
@AkihiroSuda AkihiroSuda force-pushed the rootless-resource-limit branch from 2d682ae to 2780334 Compare March 16, 2021 06:04
@AkihiroSuda
Contributor Author

@dweomer @ibuildthecloud PTAL

@brandond brandond merged commit 6e8284e into k3s-io:master Mar 24, 2021
@AkihiroSuda
Contributor Author

Thanks for merging. I'd like to add CI for this after #2887 (or its equivalent) gets merged.

@eduncan911

eduncan911 commented Jun 17, 2021

Is there public documentation for this somewhere, that steps people through the process?

@brandond
Member

Rootless is still kinda experimental and not very well documented. @AkihiroSuda would you mind taking a shot at the docs? I think this bit in particular could use a writeup:

To enable cgroup v2 resource limitation, k3s server --rootless needs to be launched as systemctl --user service.
Please see the comment lines in k3s-rootless.service for the usage.

Running k3s server --rootless via a terminal is not supported and results in disabling cgroup.

To run k3s server --rootless on a terminal forcibly, systemd-run --user -p Delegate --tty needs to be prepended to create a systemd scope.

@AkihiroSuda
Contributor Author

I added some basic docs to https://rancher.com/docs/k3s/latest/en/advanced/#running-k3s-with-rootless-mode-experimental

Let me know if I have to add more.
