Multiple containers in the same cgroup #3132
Description
Currently runc allows multiple containers to share the same cgroup. While such shared configuration might be OK, there are some issues.
- When each container has its own resource limits, the order of start determines which limits will be effectively applied.
- When one of containers is paused, all others are paused, too.
- When a container is paused, any attempt to do runc create/run/exec end up with
runc initstuck inside a frozen cgroup. - When a systemd cgroup manager is used, this is not working at all -- such as, stop (or even failed start) of any container results in stop unit being sent to systemd, and so (depending on unit properties) other containers can receive SIGTERM, be killed after a timeout etc.
All this may lead to various hard-to-debug situations in production (runc init stuck, cgroup removal error, wrong resource limits etc).
I originally found issue 3 from the list above and tried to solve it in #3131, and this is how I found issue 4.
What can be done to avoid these bad situations?
- Require that the cgroup (systemd unit) of a container being created is not present.
- Require that the cgroup (systemd unit) of a container being created is either not present or empty (no processes).
- Require that the cgroup is not frozen before running
runc init(this is what runc run/create: refuse non-empty cgroup; runc exec: refuse frozen cgroup #3131 does).
Surely, these measures might break some existing usage scenarios. This is why:
- runc 1.1 will warn about non-empty cgroup for a new container (runc run/create);
- runc 1.2 will make this warning an error.