From f6e2e0042d66b87b09b8e03a1ab9026eaf545b12 Mon Sep 17 00:00:00 2001
From: sharnoff
Date: Thu, 16 Mar 2023 17:09:45 -0700
Subject: [PATCH] Fix + re-enable VM cgroup creation + running (#3820)

Re-enable cgroup shenanigans in VMs, with some special care taken to make sure that our version of cgroup-tools supports cgroup v2 (debian bullseye does not, and probably won't because it requires a breaking change in libcgroup). This involves manually building libcgroup / cgroup-tools from source, then copying the output into the final build stage. We originally considered pulling the package from debian's testing repo (which is up-to-date), but decided against it. Refer to the PR for more details.

Prior work, for reference:

* 2153d2e0 - Run compute_ctl in a cgroup in VMs
* 1360361f - Fix missing VM cgconfig.conf
* 8dae8799 - Disable VM cgroup shenanigans
---
 Dockerfile.vm-compute-node | 61 ++++++++++++++++++++++++++++++++------
 vm-cgconfig.conf | 12 ++++++++
 2 files changed, 64 insertions(+), 9 deletions(-)
 create mode 100644 vm-cgconfig.conf

diff --git a/Dockerfile.vm-compute-node b/Dockerfile.vm-compute-node
index faea311708..957166ecd1 100644
--- a/Dockerfile.vm-compute-node
+++ b/Dockerfile.vm-compute-node
@@ -2,26 +2,69 @@ ARG SRC_IMAGE
 ARG VM_INFORMANT_VERSION=v0.1.14
+# on libcgroup update, make sure to check bootstrap.sh for changes
+ARG LIBCGROUP_VERSION=v2.0.3
-# Pull VM informant and set up inittab
+# Pull VM informant, to copy from later
 FROM neondatabase/vm-informant:$VM_INFORMANT_VERSION as informant
+# Build cgroup-tools
+#
+# At time of writing (2023-03-14), debian bullseye has a version of cgroup-tools (technically
+# libcgroup) that doesn't support cgroup v2 (version 0.41-11). Unfortunately, the vm-informant
+# requires cgroup v2, so we'll build cgroup-tools ourselves.
+FROM debian:bullseye-slim as libcgroup-builder
+ARG LIBCGROUP_VERSION
+
+RUN set -exu \
+ && apt update \
+ && apt install --no-install-recommends -y \
+ git \
+ ca-certificates \
+ automake \
+ cmake \
+ make \
+ gcc \
+ byacc \
+ flex \
+ libtool \
+ libpam0g-dev \
+ && git clone --depth 1 -b $LIBCGROUP_VERSION https://github.com/libcgroup/libcgroup \
+ && INSTALL_DIR="/libcgroup-install" \
+ && mkdir -p "$INSTALL_DIR/bin" "$INSTALL_DIR/include" \
+ && cd libcgroup \
+ # extracted from bootstrap.sh, with modified flags:
+ && (test -d m4 || mkdir m4) \
+ && autoreconf -fi \
+ && rm -rf autom4te.cache \
+ && CFLAGS="-O3" ./configure --prefix="$INSTALL_DIR" --sysconfdir=/etc --localstatedir=/var --enable-opaque-hierarchy="name=systemd" \
+ # actually build the thing...
+ && make install
+
+# Combine, starting from non-VM compute node image.
+FROM $SRC_IMAGE as base
+
+# Temporarily set user back to root so we can run adduser, set inittab
+USER root
+RUN adduser vm-informant --disabled-password --no-create-home
+
 RUN set -e \
 && rm -f /etc/inittab \
 && touch /etc/inittab
 RUN set -e \
+ && echo "::sysinit:cgconfigparser -l /etc/cgconfig.conf -s 1664" >> /etc/inittab \
 && CONNSTR="dbname=neondb user=cloud_admin sslmode=disable" \
- && ARGS="--auto-restart --pgconnstr=\"$CONNSTR\"" \
+ && ARGS="--auto-restart --cgroup=neon-postgres --pgconnstr=\"$CONNSTR\"" \
 && echo "::respawn:su vm-informant -c '/usr/local/bin/vm-informant $ARGS'" >> /etc/inittab
-# Combine, starting from non-VM compute node image.
-FROM $SRC_IMAGE as base
-
-# Temporarily set user back to root so we can run adduser
-USER root
-RUN adduser vm-informant --disabled-password --no-create-home
 USER postgres
-COPY --from=informant /etc/inittab /etc/inittab
+ADD vm-cgconfig.conf /etc/cgconfig.conf
 COPY --from=informant /usr/bin/vm-informant /usr/local/bin/vm-informant
+
+COPY --from=libcgroup-builder /libcgroup-install/bin/* /usr/bin/
+COPY --from=libcgroup-builder /libcgroup-install/lib/* /usr/lib/
+COPY --from=libcgroup-builder /libcgroup-install/sbin/* /usr/sbin/
+
+ENTRYPOINT ["/usr/sbin/cgexec", "-g", "*:neon-postgres", "/usr/local/bin/compute_ctl"]
diff --git a/vm-cgconfig.conf b/vm-cgconfig.conf
new file mode 100644
index 0000000000..a2e201708e
--- /dev/null
+++ b/vm-cgconfig.conf
@@ -0,0 +1,12 @@
+# Configuration for cgroups in VM compute nodes
+group neon-postgres {
+ perm {
+ admin {
+ uid = vm-informant;
+ }
+ task {
+ gid = users;
+ }
+ }
+ memory {}
+}
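Review bot: The libcgroup-builder stage's `git clone --depth 1 -b $LIBCGROUP_VERSION https://github.com/libcgroup/libcgroup` pins the source only by tag, and a git tag can be moved, so what ends up compiled into the cgexec/cgconfigparser binaries copied into the final image is not fixed by the Dockerfile alone. Pinning the exact commit closes that gap: add `ARG LIBCGROUP_COMMIT=<full commit sha of the v2.0.3 tag>` next to `LIBCGROUP_VERSION` (redeclared in the stage like the existing ARG) and, right after the clone, insert `&& test "$(git -C libcgroup rev-parse HEAD)" = "$LIBCGROUP_COMMIT" \`. In the same RUN, `apt update` / `apt install` should be `apt-get update` / `apt-get install` (the scripting-stable CLI) and the packages are unpinned, though since this stage is discarded the impact is limited. Lower down, `ADD vm-cgconfig.conf /etc/cgconfig.conf` copies a plain local file and should be `COPY vm-cgconfig.conf /etc/cgconfig.conf`, and the glob copy of `/libcgroup-install/lib/*` into `/usr/lib/` presumably brings libtool `.la` files and static archives along with the shared library — copying only the `libcgroup.so*` files the tools need would keep the runtime image smaller; confirm against the install tree.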
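Review bot: `memory {}` declares the memory controller for `neon-postgres` with no parameters, and nothing in this file says where the actual limits come from, so a reader of the file alone cannot tell whether the empty block is intentional. A comment above it would settle that, e.g. `# No static limits here: the controller is enabled so limits can be applied at runtime (presumably by vm-informant, started with --cgroup=neon-postgres in the inittab)` — confirm that this is how the limits are applied before committing the wording. Similarly, `task { gid = users; }` is what lets processes be attached to this group, and the Dockerfile's ENTRYPOINT runs `cgexec` as `postgres`, so this appears to rely on the postgres user being a member of `users`; a one-line comment naming that dependency would make the coupling explicit.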