Need an interface to assign other processes to cgroups

Bug #1664644 reported by George Kraft
This bug report is a duplicate of: Bug #1664638: Need an interface for kubernetes.

This bug affects 1 person

Affects: snapd
Status: Incomplete
Importance: Medium
Assigned to: Unassigned
Milestone: none

Bug Description

Related: https://bugs.launchpad.net/snapd/+bug/1664638

While working on a snap for kubelet, we saw the following error:

container_manager_linux.go:625] error opening pid file /var/run/docker.pid: open /var/run/docker.pid: permission denied

After looking at the code it appears that it falls back to using `pidof` to find the docker PID. So this may not be a problem on its own.

However, it looks like it's doing this so it can assign the docker process to a cgroup. See https://github.com/kubernetes/kubernetes/blob/2541c16692c7777b0aeda8124f7895855b1b9232/pkg/kubelet/cm/container_manager_linux.go#L635-L692

So we will need a way to give kubelet permission to assign other processes to cgroups. I believe it wants to assign the containerd process as well, maybe others.
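
To make the two accesses in the report concrete, here is an added, stand-alone reproducer written for this page; it is not the script attached to the bug and not kubelet's code. It follows the behaviour the report describes: read the PID from a pid file, fall back to `pidof` when that fails, then move the process into a cgroup by writing its PID to `cgroup.procs`. The pid file path, the process name passed to `pidof`, and the cgroup directory are parameters so the lookup and the write can be exercised against a temporary directory; the `/sys/fs/cgroup/example-docker` path in `main` is a placeholder, not a path kubelet uses. Under snap confinement the `os.ReadFile` on the pid file is the `open()` that produced the "permission denied" above, and the write to `cgroup.procs` is the second access that no existing interface covers.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strconv"
	"strings"
)

// Source records which lookup produced the PID.
type Source string

const (
	FromPidFile Source = "pidfile"
	FromPidof   Source = "pidof"
)

// readPidFile parses a pid file such as /var/run/docker.pid. For a confined
// snap this open() is where AppArmor denies access unless a rule permits it.
func readPidFile(path string) (int, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return 0, err
	}
	pid, err := strconv.Atoi(strings.TrimSpace(string(data)))
	if err != nil {
		return 0, fmt.Errorf("%s: malformed pid: %w", path, err)
	}
	if pid <= 0 {
		return 0, fmt.Errorf("%s: non-positive pid %d", path, pid)
	}
	return pid, nil
}

// pidofFallback asks `pidof` for the process name and takes the first PID it
// prints, mirroring the fallback the report describes.
func pidofFallback(name string) (int, error) {
	out, err := exec.Command("pidof", name).Output()
	if err != nil {
		return 0, fmt.Errorf("pidof %s: %w", name, err)
	}
	fields := strings.Fields(string(out))
	if len(fields) == 0 {
		return 0, fmt.Errorf("pidof %s: no process found", name)
	}
	return strconv.Atoi(fields[0])
}

// findPID tries the pid file first and falls back to pidof, returning the
// PID together with the source that produced it.
func findPID(pidFile, procName string) (int, Source, error) {
	if pid, err := readPidFile(pidFile); err == nil {
		return pid, FromPidFile, nil
	}
	pid, err := pidofFallback(procName)
	if err != nil {
		return 0, "", err
	}
	return pid, FromPidof, nil
}

// assignToCgroup moves pid into the cgroup rooted at cgroupDir by writing it
// to cgroup.procs. On a real system cgroupDir lives under /sys/fs/cgroup, the
// kernel checks the writer's privileges, and a confined snap additionally
// needs an AppArmor rule allowing the write.
func assignToCgroup(cgroupDir string, pid int) error {
	procs := filepath.Join(cgroupDir, "cgroup.procs")
	f, err := os.OpenFile(procs, os.O_WRONLY|os.O_APPEND, 0)
	if err != nil {
		return err
	}
	defer f.Close()
	if _, err := f.WriteString(strconv.Itoa(pid) + "\n"); err != nil {
		return fmt.Errorf("write %s: %w", procs, err)
	}
	return nil
}

func main() {
	const pidFile = "/var/run/docker.pid"
	// Placeholder cgroup directory; kubelet derives its own from its config.
	const cgroupDir = "/sys/fs/cgroup/example-docker"
	// "docker" is an assumed process name for the pidof fallback.
	pid, src, err := findPID(pidFile, "docker")
	if err != nil {
		fmt.Fprintln(os.Stderr, "locate docker:", err)
		os.Exit(1)
	}
	fmt.Printf("docker pid %d (via %s)\n", pid, src)
	if err := assignToCgroup(cgroupDir, pid); err != nil {
		fmt.Fprintln(os.Stderr, "cgroup assign:", err)
		os.Exit(1)
	}
}
```

Running this inside the snap reproduces the failure on the first access; running it unconfined as root shows both accesses succeeding, which is the gap an interface would have to close.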

Jamie Strandboge (jdstrand) wrote :

Thank you for filing a bug. The docker pid issue could be allowed by adding the following rule to dockerConnectedPlugAppArmor in the docker interface:

/{,var/}run/docker.pid r,

However, assigning to a cgroup is not currently handled by any interfaces. Do you have a simple reproducer to demonstrate the functionality you require?

tags: added: snapd-interface
Changed in snapd:
status: New → Incomplete
importance: Undecided → Medium
George Kraft (cynerva) wrote :

Thanks Jamie.

The script in https://bugs.launchpad.net/snapd/+bug/1664638 should be able to reproduce this. I've attached it here for convenience as well.

Jamie Strandboge (jdstrand) wrote :

I took a look at this and strongly feel we need a separate kubernetes interface rather than something specific for managing cgroups. I'm going to close this bug as a duplicate of bug #1664638 and then continue the conversation in bug #1664638.
