If /sys/kernel/mm/transparent_hugepage/enabled=always, the shim process
will use huge pages, which will consume a lot of memory.
Just like this:
ps -efo pid,rss,comm | grep shim
PID RSS COMMAND
2614 7464 containerd-shim
I don't think shim needs to use huge pages, and if we turn off the huge
pages option, we can save a lot of memory resources.
After we set THP_DISABLE=true:
ps -efo pid,comm,rss
PID COMMAND RSS
1629841 containerd-shim 5648
containerd
|
|--shim1 --start
|
|--shim2 (this shim will on host)
|
|--runc create (when containerd send create request by ttrpc)
|
|--runc init (this is the pid 1 in container)
we should set thp_disabled=1 in shim1 --start, because if we set this
in shim 2, the huge page has been setted while func main() running,
we set thp_disabled cannot change the setted huge pages.
So We need to set thp_disabled=1 in shim1 so that shim2 inherits the
settings of the parent process shim1, and shim2 has closed the
hugepage when it starts.
For runc processes, we need to set thp_disabled='before' in shim2 after
fork() and before execve(). So we use cmd.pre_exec to do this.
It's a very small change so I figured it's simpler to open a PR than an issue first.
The sync `state` method returns `Container` but for async returns `Vec<usize>`, and I couldn't locate an explanation for why these might be different so I assume it's a mistake. From a user perspective too I want Container rather than a usize vec.
Signed-off-by: Andrew Baxter <i@isandrew.com>
Refine the way to setup Io drivers for runC.
The capability to capture output/error messages from runc depends on
the Io driver used. Some add two more Io drivers: InheritedStdIo and
PipedStdIo. Also document whether the Io driver supports capturing
output/error messages.
Signed-off-by: Liu Jiang <gerry@linux.alibaba.com>
1) it should use "runc resume" instead of "runc pause" for resume()
2) the order of arguments to run() is wrong, other options may appear
between "--bundle" and "bundle_id".
Signed-off-by: Liu Jiang <gerry@linux.alibaba.com>
Make async version of Runc::create() to return `Response` instead of
`()`, to keep symmetry with sync version.
Signed-off-by: Liu Jiang <gerry@linux.alibaba.com>
In runc::launch(), it does
let stdout = String::from_utf8(result.stdout).unwrap();
let stderr = String::from_utf8(result.stderr).unwrap();
This is risk of DoS attack because the content result.stdout/sterr may
contain contents generated by the container, so it may contain malicious
non-UTF8 characters.
Signed-off-by: Liu Jiang <gerry@linux.alibaba.com>
Introduce helper function monitor.rs::execute() to avoid duplicated
code, and also correctly setup stdout/stderr for ProcessMonitor.
Signed-off-by: Liu Jiang <gerry@linux.alibaba.com>
On Unix, tokio::process::ExitStatus::code() will return None if the
process was terminated by a signal. So handle to avoid panicking
caused by unwrap().
Signed-off-by: Liu Jiang <gerry@linux.alibaba.com>
Enhance documentation for ProcessMonitor, to explicitly state the
requirement of ProcessMonitor::start().
Signed-off-by: Liu Jiang <gerry@linux.alibaba.com>
Move runc commandline related constants into options.rs, so options.rs
hosts all commandline parsing related code. And util.rs only hosts
utilities.
Signed-off-by: Liu Jiang <gerry@linux.alibaba.com>
ningmingxiao
Bryant Biggs
jiaxiao zhou
zhang yu 10307750
Andrew Baxter
Maksym Pavlenko
jiaxiao zhou
dependabot[bot]
Yuna Tomida
Zhang Tianyang
Feng Shaobao
Liu Jiang