Add support of cgroup_parent in docker_container #6

Closed
spokofono opened this issue Oct 7, 2020 · 4 comments · Fixed by #59
Labels
docker-plain plain Docker (no swarm, no compose, no stack)

Comments

@spokofono

SUMMARY

When trying to limit a container's memory using kernel_memory, memory, memory_swap on CentOS, it says:

kernel memory accounting disabled in this runc build

AFAIK, this is a problem with containerd.io, and some people solved it by using an old containerd.io rpm. I am trying not to downgrade packages and to always stay with the latest stable packages. I found a manual way using the cgroup-parent feature. I'm trying to use docker-container only for the change check, but it seems this module creates volumes in a different way than the classic docker run command, so the check always ends up as changed. So I'm stuck for now.

ISSUE TYPE
  • Missing support for starting container with --cgroup-parent
  • Missing documentation how docker-container creates containers
  • Why was kernel memory accounting disabled in containerd.io?
COMPONENT NAME

docker_container

ADDITIONAL INFORMATION

Error from dockerd:

localhost dockerd[1141]: time="2020-10-07T14:07:18.456343821+02:00" level=error msg="Handler for POST /v1.40/containers/bae9b84145e6fa3b889d61910bc95655a12543eead19494c00ee2904cb145535/start returned error: OCI runtime create failed: container_linux.go:345: starting container process caused \"process_linux.go:430: container init caused \\\"process_linux.go:396: setting cgroup config for procHooks process caused \\\\\\\"kernel memory accounting disabled in this runc build\\\\\\\"\\\"\": unknown"

Manual limit of container

$ sudo dnf install libcgroup-tools
$ sudo cgcreate -g memory:influx-limit
echo 314572800  > /sys/fs/cgroup/memory/influx-limit/memory.limit_in_bytes
docker run -ti --cgroup-parent=/influx-limit/ -p 8086:8086 -v /var/lib/docker/influxdb/influxdb.conf:/etc/influxdb/influxdb.conf:ro -v /mnt/influxdb/:/var/lib/influxdb:rw "soc/influx:alpine" 

Create using ansible:

# tasks:
- name: Influx - Check container changes
  docker_container:
    name: influxdb
    image: "{{ harbor_registry }}/soc/influx:alpine"
    restart_policy: always
    ports: "{{ influxdb_port }}:8086"
    volumes:
      - "{{ influxdb_dir }}/influxdb.conf:/etc/influxdb/influxdb.conf:ro"
      - "{{ influxdb_datadir }}:/var/lib/influxdb:rw"
    state: started
  check_mode: yes
  diff: yes
  notify: Recreate influxdb
  tags: influx

- name: Influx - Create cgroup limit group
  command: cgcreate -g memory:influxdb-limit
  register: output
  changed_when: "output.stdout != ''"

- name: Influx - Setup influxdb cgroup limit
  shell: "echo {{ influxdb_cgroup_parent.memory }} > /sys/fs/cgroup/memory/influxdb-limit/memory.limit_in_bytes"
  notify: Recreate influxdb

# handler:
- name: Recreate influxdb
  shell: >
    docker ps | grep -c influxdb && docker stop influxdb && docker rm influxdb;   
    docker run -d
    --name influxdb
    --init=false
    -p 0.0.0.0:{{ influxdb_port }}:8086
    -v {{ influxdb_dir }}/influxdb.conf:/etc/influxdb/influxdb.conf:ro
    -v {{ influxdb_datadir }}:/var/lib/influxdb:rw
    --restart=always
    --cgroup-parent=/influxdb-limit/
    {{ harbor_registry }}/soc/influx:alpine

but there is always change:

TASK [influx : Influx - Check container] ********************************************************************************************************************
Wednesday 07 October 2020  12:45:11 +0200 (0:00:01.136)       0:00:06.984 *****                                                                              
--- before                                                                                                                                                   
+++ after                                                                                                                                                    
@@ -1,5 +1,6 @@                                                                                                                                               
{                                                                                                                                                                
"expected_volumes": [                                                                                                                                   +        "/etc/influxdb/influxdb.conf",                                                                                                                      
         "/var/lib/influxdb"                                                                                                                                 
     ]                                                                                                                                                       
 }                                                                                                                                                           
                                                                                                                                                             
changed: [vm]   

I also tried --mount type=bind ..., but the result was the same.

Looking at docker inspect, both commands, Ansible's docker_container as well as docker run, create bind mounts as they should, but docker_container also changes the container's config, and I believe that is the cause of that change. But I did not find a way to adjust it; it seems that Docker generates this config file when starting the container.

So, IMHO, the easiest would be to add cgroup-parent to docker_container, as podman has: https://docs.ansible.com/ansible/latest/collections/containers/podman/podman_container_module.html#parameter-cgroup_parent

Thank you.

$ ansible --version
ansible 2.9.9
  config file = /home/user/SOC/brickleberry/ansible/ansible.cfg
  configured module search path = ['/home/user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/user/.local/lib/python3.7/site-packages/ansible
  executable location = /home/user/.local/bin/ansible
  python version = 3.7.9 (default, Aug 19 2020, 17:05:11) [GCC 9.3.1 20200408 (Red Hat 9.3.1-2)]
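
An added example, not part of the original issue or of the docker_container module: the manual cgroup v1 steps from the issue (create the group, then write memory.limit_in_bytes) as one idempotent shell function that reports "changed" or "ok", so a recreate handler only needs to fire on a real change. The names ensure_memory_limit and CGROUP_ROOT are assumptions introduced here.

```shell
#!/bin/sh
# Added example: idempotent cgroup v1 memory limit for use with --cgroup-parent.
# CGROUP_ROOT is an assumed variable; its default is the cgroup v1 memory
# hierarchy path used in the issue. Point it at a scratch directory to dry-run.
CGROUP_ROOT="${CGROUP_ROOT:-/sys/fs/cgroup/memory}"

# ensure_memory_limit NAME BYTES
# Prints "changed" if the group was created or its limit rewritten, else "ok".
# Returns 2 on invalid input, 1 if the filesystem operation fails.
ensure_memory_limit() {
    name=$1
    bytes=$2
    # Reject empty names, path separators and dot-names so a templated
    # variable cannot make the write land outside CGROUP_ROOT.
    case $name in
        ''|*/*|.*) echo "invalid cgroup name: $name" >&2; return 2 ;;
    esac
    # Plain byte counts only. Use a page-aligned value: the kernel reports
    # the limit rounded to the page size, so an unaligned value never matches.
    case $bytes in
        ''|*[!0-9]*) echo "limit must be an integer byte count" >&2; return 2 ;;
    esac
    dir="$CGROUP_ROOT/$name"
    file="$dir/memory.limit_in_bytes"
    state=ok
    if [ ! -d "$dir" ]; then
        mkdir "$dir" || return 1    # on cgroupfs, mkdir creates the group
        state=changed
    fi
    current=$(cat "$file" 2>/dev/null || true)
    if [ "$current" != "$bytes" ]; then
        echo "$bytes" > "$file" || return 1
        state=changed
    fi
    echo "$state"
}

# Usage (as root): ensure_memory_limit influxdb-limit 314572800
# then start the container with --cgroup-parent=/influxdb-limit/
```

From Ansible, the printed word can drive changed_when on a single task in place of the separate cgcreate and echo tasks.
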
@ansibullbot

Files identified in the description:

If these files are inaccurate, please update the component name section of the description or use the !component bot command.


@ansibullbot

@spokofono: Greetings! Thanks for taking the time to open this issue. In order for the community to handle your issue effectively, we need a bit more information.

Here are the items we could not find in your description:

  • ansible version

Please set the description of this issue with this template:
https://raw.githubusercontent.com/ansible/ansible/devel/.github/ISSUE_TEMPLATE/bug_report.md


@felixfontein
Collaborator

Missing documentation how docker-container creates containers

https://docker-py.readthedocs.io/en/stable/api.html#docker.api.container.ContainerApiMixin.create_container

About cgroup_parent: this isn't supported by the module right now. Should be easy to add though, docker-py has already supported it for some time.

@gundalow gundalow transferred this issue from ansible-collections/community.general Oct 30, 2020
@felixfontein felixfontein added the docker-plain plain Docker (no swarm, no compose, no stack) label Jan 2, 2021