rootlessport: reduce memory usage of the process #11565
Conversation
openshift-ci
bot
added
the
approved
Luap99
force-pushed
the
rootlessport-bin
branch
from
eb8e17e to
119cfbb
Compare
openshift-ci
bot
added
the
needs-rebase
Luap99
force-pushed
the
rootlessport-bin
branch
from
119cfbb to
e15df9b
Compare
openshift-ci
bot
removed
the
needs-rebase
Luap99
force-pushed
the
rootlessport-bin
branch
from
e15df9b to
1aeff92
Compare
Luap99
force-pushed
the
rootlessport-bin
branch
3 times, most recently
from
2a55a97 to
ce3e659
Compare
|
Should we do the same for the pause process? |
Luap99
force-pushed
the
rootlessport-bin
branch
2 times, most recently
from
c51864f to
bc4e311
Compare
If you want do it for the pause process then it should be a small c program to safe the unnecessary overhead from go. |
contrib/cirrus/setup_environment.sh
Outdated
| @@ -236,7 +236,7 @@ case "$TEST_FLAVOR" in | |||
| # Use existing host bits when testing is to happen inside a container | |||
| # since this script will run again in that environment. | |||
| # shellcheck disable=SC2154 | |||
| if ((CONTAINER==0)) && [[ "$TEST_ENVIRON" == "host" ]]; then | |||
| if ((CONTAINER==0)); then | |||
There was a problem hiding this comment.
@cevich @edsantiago PTAL. This was required to build the new binary on the host and then I mount it in the container for the tests. I think this change is correct, otherwise this was never called for container tests since TEST_ENVIRON was set to container
There was a problem hiding this comment.
Deferring to @cevich. I don't grok this code, and even tig blame doesn't help me understand the reasoning behind it. I can't even understand the comment. Sorry.
There was a problem hiding this comment.
Right, this is because setup_environment.sh is called by runner.sh (a second time) when testing is to happen inside a container:
So the volume mount for /var/libexec/podman doesn't seem right either, normally the podman binary for testing would be compiled + installed inside the container environment (again, by way of calling setup_environment.sh again).
Note: I haven't seen the rest of this PR, so I'm not sure what it's all about. I'll take a look now...
There was a problem hiding this comment.
TEST_ENVIRON is always set to container for all container test, regardless if we are outside or inside the container, thus it was never compiled in the container.
There was a problem hiding this comment.
Also the container==0 condition means that this happens outside the container. If you want to compile only inside it should be container==1 AFAICT
There was a problem hiding this comment.
Ya, there's a test setup bug here, it's entirely my fault 😢
contrib/cirrus/runner.sh
Outdated
| @@ -119,6 +119,7 @@ exec_container() { | |||
| exec podman run --rm --privileged --net=host --cgroupns=host \ | |||
| -v /dev/fuse:/dev/fuse \ | |||
| -v "$GOPATH:$GOPATH:Z" \ | |||
| -v /usr/libexec/podman:/usr/libexec/podman \ | |||
There was a problem hiding this comment.
This isn't right. For the TEST_ENVIRON=container case, we basically treat the container like a VM. Very little should leak into the container from the host.
|
Okay I think I follow what you're after, and there's a test-setup bug here. I believe the comment is correct, and the conditional is wrong. Which is why the comment is confusing 😕 Damn. This may expose a bunch of bugs...I believe the intended logic should be:
So we want something like: if [[ "$TEST_ENVIRON" == "host" ]]; then
if ((CONTAINER)); then
die ("Refusing to config. host-test in container");
fi
remove_packaged_podman_files
make install PREFIX=/usr ETCDIR=/etc
elif [[ "$TEST_ENVIRON" == "container" ]]; then
if ((CONTAINER)); then
remove_packaged_podman_files
make install PREFIX=/usr ETCDIR=/etc
fi
else
die("Invalid value for $$TEST_ENVIRON=$TEST_ENVIRON")
fiI dunno if maybe there's a simpler/cleaner way to structure that or not. Just what I can think of off-hand. |
|
@cevich That looks good to me. I will add this and remove the volume mount. |
Luap99
force-pushed
the
rootlessport-bin
branch
from
bc4e311 to
6c24f4a
Compare
Don't use reexec for the rootlessport process, instead make it a separate binary to reduce the memory usage. The problem with reexec is that it will import all packages that podman uses and therefore loads a lot of stuff into the heap. The rootlessport process however only needs the rootlesskit library. The memory usage is a concern since the rootlessport process will spawn two process per container which has ports forwarded. The processes stay until the container dies. On my laptop the current reexec version uses 47800 KB RSS. The new separate binary only uses 4540 KB RSS. This is more than a 90% improvement. The Makefile has been updated to compile the new binary and install it to the libexec directory. Fixes containers#10790 [NO TESTS NEEDED] Signed-off-by: Paul Holzinger <[email protected]>
Luap99
force-pushed
the
rootlessport-bin
branch
from
6c24f4a to
3ba69dc
Compare
|
@containers/podman-maintainers PTAL. This is a good improvement. |
the pause process doesn't load the go runtime, but still it keeps the podman executable in memory. So a custom binary would be better, and we could also re-use it for the pod init process to not require an image |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: giuseppe, Luap99 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
I started working on that yesterday :^) |
|
FYI, @siretart for Debian / Ubuntu packaging |
github-actions
bot
added
the
locked - please file new issue/PR
Don't use reexec for the rootlessport process, instead make it a
separate binary to reduce the memory usage. The problem with reexec is
that it will import all packages that podman uses and therefore loads a
lot of stuff into the heap. The rootlessport process however only needs
the rootlesskit library.
The memory usage is a concern since the rootlessport process will spawn
two process per container which has ports forwarded. The processes stay
until the container dies. On my laptop the current reexec version uses
47800 KB RSS. The new separate binary only uses 4540 KB RSS. This is
more than a 90% improvement.
The Makefile has been updated to compile the new binary and install it
to the libexec directory.
Fixes #10790