Skip to content

Support --cpuset-cpus and --cpuset-mems in podman kube play #26174

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Support --cpuset-cpus and --cpuset-mems in podman kube play #26174

wants to merge 2 commits into from

Conversation

fpoirotte
Copy link
Contributor

This commit adds two new annotations named io.podman.annotations.cpuset/$ctrname and io.podman.annotations.memory-nodes/$ctrname

The first one allows restricting a container's execution to specific CPU cores while the second one restricts memory allocations to specific NUMA memory nodes. They are also added automatically when the --cpuset-cpus and --cpuset-mems options are used.

This is largely inspired by previous work from Jan Kaluza (f15b088) to add support for --pids-limit in podman kube play.

Fixes: #26172

Does this PR introduce a user-facing change?

- The `podman kube play` command can now restrict container execution to specific CPU cores using the `io.podman.annotations.cpuset/$ctrname` annotation.
- The `podman kube play` command can now restrict container execution to specific memory nodes on NUMA systems using the `io.podman.annotations.memory-nodes/$ctrname` annotation.

@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented May 21, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: fpoirotte
Once this PR has been reviewed and has the lgtm label, please assign giuseppe for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@fpoirotte fpoirotte force-pushed the kube_cpuset_cgroup branch from 5e48343 to 52f2ff1 Compare May 21, 2025 13:27
mheon
mheon reviewed May 21, 2025
View reviewed changes
pkg/specgen/generate/kube/kube.go
@@ -393,6 +393,28 @@ func ToSpecGen(ctx context.Context, opts *CtrSpecGenOptions) (*specgen.SpecGener
}
}

if cpuset, ok := annotations[define.CpusetAnnotation+"/"+opts.Container.Name]; ok {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not for this PR, but I wonder if we shouldn't detect annotations referring to nonexistent containers and warn the user... Would help folks rolling YAML by hand

@mheon
Copy link
Member

mheon commented May 21, 2025

Test failures seem unrelated, the file it's complaining about wasn't changed by this PR.
Code LGTM

Luap99
Luap99 reviewed May 21, 2025
View reviewed changes
Copy link
Member

@Luap99 Luap99 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

to fix CI this needs to be rebased now that #26175 is merged.

@fpoirotte fpoirotte force-pushed the kube_cpuset_cgroup branch from 52f2ff1 to 22c2661 Compare May 21, 2025 14:55
@fpoirotte
Copy link
Contributor Author

I rebased the commit. It seems the tests are now failing because the machine running the CI does not delegate the cpuset cgroup controller to the systemd user slice (see for example https://api.cirrus-ci.com/v1/artifact/task/4778134366584832/html/int-podman-debian-13-rootless-host-sqlite.log.html#t--Podman-kube-play-test-cpuset-annotation--1).

@mheon
Copy link
Member

mheon commented May 21, 2025 via email

@fpoirotte fpoirotte force-pushed the kube_cpuset_cgroup branch from bd87914 to 1418bc4 Compare May 21, 2025 17:24
@packit-as-a-service Packit-as-a-Service
Copy link

[NON-BLOCKING] Packit jobs failed. @containers/packit-build please check. Everyone else, feel free to ignore.

1 similar comment
@packit-as-a-service Packit-as-a-Service
Copy link

[NON-BLOCKING] Packit jobs failed. @containers/packit-build please check. Everyone else, feel free to ignore.

fpoirotte added 2 commits May 22, 2025 11:45
@fpoirotte
Support --cpuset-<cpus/mems> in podman kube play
5bfdb25 
This commit adds two new annotations named
io.podman.annotations.cpuset/$ctrname and
io.podman.annotations.memory-nodes/$ctrname

The first one allows restricting a container's execution to specific
CPU cores while the second restricts memory allocations to specific
NUMA memory nodes. They are also added automatically when the
--cpuset-cpus and --cpuset-mems options are used.

Fixes: containers#26172

Signed-off-by: François Poirotte <[email protected]>
@fpoirotte
Disable the tests for rootless pods
9d4267c 
Access to the cpuset cgroup controller is needed to run these tests.
Configuration on the CI workers prevents access to this controller
for rootless pods.

Signed-off-by: François Poirotte <[email protected]>
@fpoirotte fpoirotte force-pushed the kube_cpuset_cgroup branch from 1418bc4 to 9d4267c Compare May 22, 2025 09:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mheon mheon mheon left review comments

@Luap99 Luap99 Luap99 left review comments

Assignees
No one assigned
Labels
release-note
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add support for --cpuset-cpus & --cpuset-mems in podman kube play
3 participants
@fpoirotte @mheon @Luap99