samuelkarp/runj

Add racct/rctl support

cyrilzhangfreebsd opened this issue · 4 comments

The OCI runtime spec has support for rlimits under the process configuration. However, these limits are fairly minimal. FreeBSD has more resource limits, which can be applied to jails through rctl. It might be useful to add support for these racct limits to runj, even though it is not in the OCI specification.

To accomplish this, we'd add a new configuration option, structured similarly to the existing "rlimits" option in the spec. Then, it is a matter of adding a function that formats the rctl rule and calls rctl from the operating system, which would be called in the create command. I have an example of what this would look like here: https://github.com/cyrilzhangfreebsd/runj/tree/racct

Alternatively, we could add a new configuration file separate from config.json to contain configuration that is outside of the OCI spec.

Finally, I understand if you consider this enhancement to be outside of the project's scope. If you would not mind, I'd appreciate it if you could provide some feedback on the changes I linked above, as I would continue to make experimental out-of-scope changes on my fork.

I can't speak for @samuelkarp (obviously), but one thing that's been discussed in the #freebsd channel on the CNCF Slack is that this project is going to be a great place to figure out what runtime-spec changes make sense to properly support FreeBSD within the OCI, so with my OCI runtime-spec maintainer hat on (although also with the caveat that I'm very, very green when it comes to FreeBSD), I think this is a great place to start this conversation. If this is something that's really common for limiting FreeBSD jails and requires support within the runtime to accomplish correctly, it absolutely makes sense to have that as part of the FreeBSD-specific bits of the OCI runtime spec. 😄

@tianon did a good job of channeling what I was going to say, but I'll use my own words too 😄

> Finally, I understand if you consider this enhancement to be outside of the project's scope.

So first things first: I absolutely consider extensions to the OCI specs (runtime, image, and distribution if applicable) to be within the scope of this project; I'm very much in favor of using runj to prove out these changes before coming together and proposing changes to the specifications formally.

> The OCI runtime spec has support for rlimits under the process configuration. However, these limits are fairly minimal. FreeBSD has more resource limits, which can be applied to jails through rctl. It might be useful to add support for these racct limits to runj, even though it is not in the OCI specification.

What's the relationship between rlimits and rctl/racct limits? Is the best documentation the man page?

> To accomplish this, we'd add a new configuration option, structured similarly to the existing "rlimits" option in the spec. Then, it is a matter of adding a function that formats the rctl rule and calls rctl from the operating system, which would be called in the create command. I have an example of what this would look like here: https://github.com/cyrilzhangfreebsd/runj/tree/racct
>
> Alternatively, we could add a new configuration file separate from config.json to contain configuration that is outside of the OCI spec.

Extending the bundle config is definitely the route I think is appropriate, rather than adding a separate configuration file. However, there is a change I'd suggest to the commit you currently have in that branch: OS-specific extensions are embedded within OS-specific structs in the bundle config. If you look at the upstream struct you'll see that there are three specific fields for each of Linux, Solaris, and Windows. For FreeBSD, it'd likely be most appropriate to add a FreeBSD field here with a struct that contains the RacctLimit slice you have in your commit.

> #freebsd channel on the CNCF Slack

Oh, one more thing: I think @tianon meant to refer to the OCI Slack: https://chat.opencontainers.org/

> What's the relationship between rlimits and rctl/racct limits? Is the best documentation the man page?

rctl/racct is FreeBSD specific, unlike rlimits. rlimits are also applied to a single process from within the process, whereas racct limits can be applied to an entire jail. I believe the best documentation is the man pages, yes.

I've added the FreeBSD field and opened a PR now, so you can have a look there and let me know your thoughts.
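The approach discussed in this thread (a FreeBSD section in the bundle config holding racct limits, each formatted into an rctl rule for the jail) could look like the following Go sketch. This is an added example, not code from runj or from the linked fork; the type names, JSON keys, allow-lists and jail-name pattern are assumptions, and each field is validated so config values cannot add extra `:`-separated fields to the rule.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Assumed config shape; type names and JSON keys are illustrative, not runj's.
type RacctLimit struct{ Resource, Action, Amount string }
type Config struct {
	FreeBSD struct {
		RacctLimits []RacctLimit `json:"racctLimits"`
	} `json:"freebsd"`
}
// Partial allow-lists of names from rctl(8); the kernel still rejects unsupported pairs.
var (
	resources = map[string]bool{"memoryuse": true, "vmemoryuse": true, "swapuse": true, "maxproc": true, "openfiles": true, "pcpu": true}
	actions   = map[string]bool{"deny": true, "log": true, "devctl": true}
	amountRe  = regexp.MustCompile(`^[0-9]+[kmgtpeKMGTPE]?(/(process|user|loginclass|jail))?$`)
	jailRe    = regexp.MustCompile(`^[A-Za-z0-9_-]+$`) // conservative assumption about jail names
)

// RctlRule renders "jail:<name>:<resource>:<action>=<amount>", rejecting unlisted or malformed fields.
func RctlRule(jail string, l RacctLimit) (string, error) {
	if !jailRe.MatchString(jail) || !resources[l.Resource] || !actions[l.Action] || !amountRe.MatchString(l.Amount) {
		return "", fmt.Errorf("rejected racct limit %+v for jail %q", l, jail)
	}
	return fmt.Sprintf("jail:%s:%s:%s=%s", jail, l.Resource, l.Action, l.Amount), nil
}

// RctlArgs parses the bundle config and returns one argv per rule, meant for exec.Command (no shell).
func RctlArgs(jail string, config []byte) ([][]string, error) {
	var cfg Config
	if err := json.Unmarshal(config, &cfg); err != nil {
		return nil, err
	}
	var out [][]string
	for _, l := range cfg.FreeBSD.RacctLimits {
		rule, err := RctlRule(jail, l)
		if err != nil {
			return nil, err
		}
		out = append(out, []string{"rctl", "-a", rule})
	}
	return out, nil
}

// Constructed sample config fragment.
const sampleConfig = `{"freebsd":{"racctLimits":[{"resource":"memoryuse","action":"deny","amount":"512m"},{"resource":"maxproc","action":"deny","amount":"100"}]}}`

func main() { fmt.Println(RctlArgs("demo", []byte(sampleConfig))) }
```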