On Tue, Oct 25, 2022 at 02:31:21PM +0200, Michal Koutný wrote:
Hello.
On Tue, Oct 25, 2022 at 11:33:56AM +0200, Pavel Hrdina <phrdina(a)redhat.com> wrote:
> Unfortunately this breaks a lot of things and we cannot use it even as
> workaround. Libvirt code has few assumptions as that's how unified mode
> works and when the cgroups v2 backend is enabled for hybrid topology we
> assume that cpuacct, devices controllers are enabled.
To be on the same side -- there's no cpuacct and devices on cgroup v2
(regardless of hybrid or unified mode).
From cgroup POV yes there is no cpuacct and devices controller on cgroup
v2, but the functionality of cpuacct is provided directly by cgroup v2
and for devices there is BPF.
> But in the case of hybrid topology they are enabled by cgroups
v1. Due
> to this change we no longer limit access to devices and cpu accounting
> no longer works.
Shouldn't v1 backend still carry that out? (On a higher level -- I
understand that having both backends enabled for the hybrid mode is
what's not working well.)
Exactly, there is the same ordering issue, if cgroup v2 backend is
enabled it is the only one used for cpuacct and devices within libvirt
code.
> I'm going to send a patch to revert this one and we need to
find yet
> another solution to the issue.
BTW do you have any pointers (a commit) when the hybrid mode could have
become broken for libvirt/lxc? (I estimate from the (lack of) user
reports that it must have worked at the time of libvirt 4.0.)
Only this specific hybrid mode of systemd which is cgroup v1 for
everything and unified for process tracking.
As I've already mentioned in previous reply, to fix the process tracking
we should ideally use
org.freedesktop.systemd1.Manager.AttachProcessesToUnit
dbus call to add the process into the cgroup
and to fix the other issue with bind mount we need to modify both cgroup
v1 and v2 code in libvirt to create the necessary directory if it
doesn't exist.
Pavel
Thanks,
Michal