Every unit created by runc need daemon reload since systemd v230. #4568

Open
wenjianhn opened this issue Dec 23, 2024 · 4 comments · May be fixed by #4569

wenjianhn commented Dec 23, 2024

Description

Every unit created by runc needs a daemon reload since systemd v230.

Steps to reproduce the issue

  1. sudo runc --systemd-cgroup --root /tmp/runc run mycontainerid
  2. sudo systemctl show -P NeedDaemonReload runc-mycontainerid.scope

Describe the results you received and expected

Actual:

$ sudo systemctl show -P NeedDaemonReload runc-mycontainerid.scope
yes

Expected:

$ sudo systemctl show -P NeedDaemonReload runc-mycontainerid.scope
no

What version of runc are you using?

v1.2.0-109

Host OS information

No response

Host kernel information

No response

wenjianhn added a commit to wenjianhn/runc that referenced this issue Dec 23, 2024
Every unit created by runc need daemon reload since systemd v230.
This breaks support for NVIDIA GPUs, see
opencontainers#3708 (comment)

Add a workaround for the below systemd issue.
systemd/systemd#35710

Instead of filling the empty DeviceAllow array, a new array is created
with allowed devices. Remove the comment about it, since it's misleading.

Closes opencontainers#4568

Signed-off-by: Jian Wen <[email protected]>
kolyshkin (Contributor) commented Dec 23, 2024

So, does runc properly generate DeviceAllow entries for nvidia devices (the subject of #3708)? If no, what is the reason? If yes, why does systemd daemon reload break it?

wenjianhn (Author) commented

@kolyshkin No. The DeviceAllow entries don't have any nvidia devices since we have not enabled this workaround.

A runc hook was used to inject the devices into the cgroup (device.allow) behind the back of systemd.
The injection will be flushed away by systemctl daemon-reload.

See NVIDIA/nvidia-docker#1671 (comment)

wenjianhn (Author) commented

I didn't know that systemctl daemon-reload would reload all the units (even if the configuration had not changed on disk).
Reloading all the units in order to make the configuration of a single unit up to date :(

As a matter of fact, this issue doesn't break support for NVIDIA GPUs.
cc @vsxen @cyphar

kolyshkin (Contributor) commented

> @kolyshkin No. The DeviceAllow entries don't have any nvidia devices since we have not enabled this workaround.

There is no need for any workarounds or hacks -- if you use runc >= 1.1.7 and systemd >= v240, it should work with the stock runc (see #3671 (comment)). This will also solve the issue of removing the access to nvidia devices upon daemon-reload, as systemd is now aware of all the devices.
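
The distinction drawn in this thread, between devices systemd lists in DeviceAllow and devices written to the cgroup behind its back, can be checked per unit. The following is an added example, not part of the thread or of runc: the function name `audit_scope_props`, the finding labels and the sample property text are constructed, and device specifiers must be passed in the form the unit reports them.

```shell
#!/bin/sh
# Added example (not runc code). Reads the output of
#   systemctl show -p NeedDaemonReload -p DeviceAllow <unit>
# on stdin and takes the device specifiers the container needs as arguments.
# Prints one finding per line; prints nothing when the unit is clean.
audit_scope_props() {
    props=$(cat)

    # NeedDaemonReload=yes is the symptom reported in this issue.
    if printf '%s\n' "$props" | grep -qx 'NeedDaemonReload=yes'; then
        echo "needs-daemon-reload"
    fi

    for dev in "$@"; do
        # Each entry is printed as "DeviceAllow=<specifier> <access>".
        # Compare the specifier exactly. Per the thread, access to a device
        # that systemd does not list is flushed by systemctl daemon-reload.
        if ! printf '%s\n' "$props" |
            awk -F'[= ]' -v d="$dev" \
                '$1 == "DeviceAllow" && $2 == d { found = 1 } END { exit !found }'
        then
            echo "untracked-device $dev"
        fi
    done
}

# Constructed sample: a scope where /dev/nvidia0 was granted by a hook
# writing to the cgroup directly, so systemd never recorded it.
SAMPLE_PROPS='NeedDaemonReload=yes
DeviceAllow=/dev/null rwm
DeviceAllow=/dev/nvidiactl rw'

printf '%s\n' "$SAMPLE_PROPS" | audit_scope_props /dev/nvidiactl /dev/nvidia0
```

On a live host, pipe the `systemctl show` output for the scope (for example `runc-mycontainerid.scope` from the reproduction steps) into the function instead of the sample text.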
