feature: crun-like systemd cgroup driver mode #4072
Comments
kolyshkin
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
kolyshkin
changed the title
Runc creates systemd scope (and tries to convert all cgroup-related container settings to systemd unit properties), and on top of that applies all the settings directly to cgroupfs. This method has a few problems:
It violates cgroups "single-writer" rule (described here and here).
Not all cgroup-related container settings can be converted to systemd unit properties.
For those settings that can be converted, such conversion is not always straightforward (examples are cpuset and device access rules).
Unlike runc, crun uses a different approach: it creates a systemd scope with only
Delegate=yesproperty set (i.e. no conversion from container settings to systemd unit properties is performed), then creates a sub-cgroup (aptly namedcontainer) under the scope, and then only deals with the sub-cgroup. Essentially, this solves all the problems listed above.I propose to add an option (runtime flag, build flag etc.) to switch runc systemd cgroup drivers to crun-like mode. In addition to solving the above problems, this will make it easier for upper-level tools to switch between crun and runc.
Obsoletes: #2436
The text was updated successfully, but these errors were encountered: