dcos/dcos-e2e

Mounting of `/sys/fs/cgroup` is not necessary in Docker backend.

jieyu opened this issue · 6 comments

jieyu commented

This allows each DC/OS container to see the host cgroups. For the sake of isolation, this is not the ideal way. I don't see a reason why `/sys/fs/cgroup` needs to be bind mounted into the DC/OS container.

By default, in privileged mode, Docker gives you write access to the cgroup of the container itself.

There might be some tweak needed to make Mesos agent happy. This is definitely doable.

FWIW I also don't know why this is there and it comes from the port of DC/OS Docker - see https://github.com/dcos/dcos-docker/blob/feed8d98a88262b7023c0ed98f454644360318aa/Makefile#L58.

This is the original commit which added the mounting - mesosphere-backup/dcos-docker@bb56822. We have no context except the commit message "mount systemd all the things".

The comment by the code is "# Mount cgroups into agents for Mesos DRF." from @timaa2k. Any thoughts on whether removing this would be an issue @jieyu or how to maybe get around it?

Prompted by @vishnu2kmohan's comment "Just wanted to let you know that it doesn't work on non-systemd distributions like Gentoo with OpenRC and I need to fake mount the systemd cgroup on my machine, just to get started."

I removed the mount in #1601 - let's see if this comes back to bite us! At least if it does we will know why we had this mount.

When we remove the mount, and do no tinkering, we see the following when attempting to deploy Kafka.

```
Feb 14 15:13:40 dcos-e2e-default-4d773-agent-2 mesos-agent[1873]: E0214 15:13:40.545511  1882 cgroups.cpp:712] Failed to assign container cd4b727a-885d-4674-9f8b-8c3c39aa8d81 pid 2850 to cgroup at '/sys/fs/cgroup/cpuset/docker/6c77bd70585c35ba8c7ccdd785f15278d29fbc2a025616a5359df66f3f24e7cb/mesos/cd4b727a-885d-4674-9f8b-8c3c39aa8d81': No space left on device
```

@jieyu, @Gilbert88 - any ideas what tinkering we need to do?

Because of the above, @mhrabovcin and I added "Mount cgroups by default, adding an option to not mount #1611". We would like to be able to offer users an option to not mount /sys/fs/cgroups while allowing them to deploy applications such as Kafka.
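A check for the isolation concern raised at the top of this thread, as an added example that is not code from dcos-e2e or from any commenter: it parses `/proc/<pid>/mountinfo` and reports cgroup mounts whose root is `/`, meaning the whole host hierarchy is visible rather than only the container's own subtree. It assumes cgroup v1 without a private cgroup namespace (under a private namespace the root also reads `/`); the function names and sample lines are constructed for illustration.

```python
import sys

# Constructed sample input in /proc/<pid>/mountinfo format (cgroup v1); not from the thread.
# Default Docker behaviour: each controller is mounted with the container's subtree as root.
SAMPLE_SCOPED = """\
310 300 0:25 / /sys/fs/cgroup rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755
311 310 0:30 /docker/CONTAINER_ID /sys/fs/cgroup/cpuset ro,nosuid,relatime master:9 - cgroup cgroup rw,cpuset
312 310 0:31 /docker/CONTAINER_ID /sys/fs/cgroup/memory ro,nosuid,relatime master:10 - cgroup cgroup rw,memory
"""
# Host /sys/fs/cgroup bind mounted into the container: controller roots are "/".
SAMPLE_HOST_BIND = """\
410 400 0:25 / /sys/fs/cgroup rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755
411 410 0:30 / /sys/fs/cgroup/cpuset rw,nosuid,relatime shared:9 - cgroup cgroup rw,cpuset
412 410 0:31 / /sys/fs/cgroup/memory rw,nosuid,relatime shared:10 - cgroup cgroup rw,memory
"""


def cgroup_mounts(mountinfo_text):
    """Yield (mount_point, root, fstype) for each cgroup or cgroup2 mount."""
    for line in mountinfo_text.splitlines():
        # Fields before " - ": id, parent, major:minor, root, mount point, options, optional tags.
        left, sep, right = line.partition(" - ")
        fields, rest = left.split(), right.split()
        if not sep or len(fields) < 5 or not rest:
            continue  # malformed or truncated line
        if rest[0] in ("cgroup", "cgroup2"):
            yield fields[4], fields[3], rest[0]


def host_visible_cgroups(mountinfo_text):
    """Return cgroup mount points whose root is '/' (full hierarchy exposed)."""
    return sorted(mp for mp, root, _ in cgroup_mounts(mountinfo_text) if root == "/")


if __name__ == "__main__":
    # Run inside the container under test; pass another mountinfo path to inspect a different PID.
    path = sys.argv[1] if len(sys.argv) > 1 else "/proc/self/mountinfo"
    with open(path) as fh:
        exposed = host_visible_cgroups(fh.read())
    for mount_point in exposed:
        print("host cgroup hierarchy visible at", mount_point)
    sys.exit(1 if exposed else 0)
```

Run on the host itself, every controller reports `/`, so the result is only meaningful from inside a container.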