Hi all,
I have a use case that gives non-root users access to create/destroy cgroups. Cgroups are used for both resource isolation and the ability to reliably kill runaway processes. Our current implementation without containers leverages a pre-configured directory (for example /sys/fs/cgroup/{cpu,cpuset}/user_owned) and gives users r/w access. This way, non-root users can create a subdirectory and configure the right amount of resources, for example.
This doesn't work with k8s/docker for now. K8s currently leverages cpu quota to limit how many cores a container can use (via docker); docker by default mounts /sys/fs/cgroup/{cpu,cpuacct,cpuset}/docker/<container_id>/ as read-only at /sys/fs/cgroup/{cpu,cpuacct,cpuset} inside of a container.
My question is... if I want to allow programs inside of containers to create/destroy children cgroups, what is my best option?
Thanks.
-Simon
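The pre-configured user_owned directory approach described in the post, as an added example that is not the poster's code: it assumes a cgroup v1 layout with writable /sys/fs/cgroup/{cpu,cpuset}/user_owned roots (the CPU_ROOT/CPUSET_ROOT constants and all function names are assumptions), creates a child cgroup with a CFS quota or a cpuset, launches a job inside it, and kills everything in it.

```python
import os
import signal
import subprocess
import time
from pathlib import Path
CPU_ROOT = Path("/sys/fs/cgroup/cpu/user_owned")  # assumed delegated v1 roots,
CPUSET_ROOT = Path("/sys/fs/cgroup/cpuset/user_owned")  # as described in the post
CFS_PERIOD_US = 100_000  # CFS scheduling period in microseconds

def create_cpu_cgroup(root: Path, name: str, cores: float) -> Path:
    """Child cgroup in a writable v1 cpu hierarchy, capped at `cores` CPUs
    via CFS bandwidth control (quota = cores * period)."""
    path = root / name
    path.mkdir()  # on cgroupfs the kernel creates the control files itself
    (path / "cpu.cfs_period_us").write_text(str(CFS_PERIOD_US))
    (path / "cpu.cfs_quota_us").write_text(str(int(cores * CFS_PERIOD_US)))
    return path

def create_cpuset_cgroup(root: Path, name: str, cpus: str, mems: str = "0") -> Path:
    """A new cpuset v1 child is empty: cpuset.cpus and cpuset.mems must be set
    before any task can be attached, otherwise the write to `tasks` fails."""
    path = root / name
    path.mkdir()
    (path / "cpuset.cpus").write_text(cpus)
    (path / "cpuset.mems").write_text(mems)
    return path

def start_job(path: Path, argv: list[str]) -> subprocess.Popen:
    """Spawn argv inside the cgroup. preexec_fn runs in the child between fork
    and exec, so the program never executes outside the cgroup."""
    attach = lambda: (path / "tasks").write_text(str(os.getpid()))
    return subprocess.Popen(argv, preexec_fn=attach)

def members(path: Path) -> list[int]:
    return [int(p) for p in (path / "tasks").read_text().split()]

def kill_cgroup(path: Path, timeout: float = 5.0) -> list[int]:
    """SIGKILL every task, re-reading `tasks` until empty or timeout so forks
    mid-kill are caught; once `tasks` is empty, path.rmdir() removes the child."""
    killed: set[int] = set()
    deadline = time.monotonic() + timeout
    while (pids := members(path)) and time.monotonic() < deadline:
        for pid in pids:
            try:
                os.kill(pid, signal.SIGKILL)
                killed.add(pid)
            except ProcessLookupError:
                pass  # reaped between the read and the kill
        time.sleep(0.05)
    return sorted(killed)
```

The same functions work against any directory, which is how they can be exercised outside a real cgroupfs: point `root` at a scratch directory and the control files simply become regular files.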