Create a system container #8681
1% number is for 30 pods?
From my experiments, it does not depend on the number of pods. It seems to be some constant work done by the system. In GCE it is mainly due to network-related services it runs.
cmd/kubelet/app/server.go
Add a comment that rolling back the flag requires a reboot.
Done.
Discussed offline: We should tie this to CgroupRoot.
e2e finished and it's green!
LGTM
Note to oncall, this depends on #8586
We found a Contributor License Agreement for you (the sender of this pull request) and all commit authors, but as best as we can tell these commits were authored by someone else. If that's the case, please add them to this pull request and have them confirm that they're okay with these commits being contributed to Google. If we're mistaken and you did author these commits, just reply here to confirm.
CLAs look good, thanks!
The system container is a resource-only container which contains all non-kernel processes that are not already part of a container. This will allow monitoring of their resource usage and limiting it (eventually).
@dchen1107 waiting for your nod for the freeze as you were looking at this one too.
@vmarmol talked about this offline, I had some concerns. But on the other side, I am really eager to have the entire system's resource usage monitored by kubernetes, and the stats could be propagated to upper layers, such as scheduler, monitoring, etc. to make smarter decisions. LGTM.
Depends on #8586
No limits today, allows monitoring (and limiting in the future) the resource usage of other system services on the machine. From my tests I show ~1% of a core is used by these.
This PR only enables it for Debian (similar to #8586), although systemd does something very similar with /system.slice such that there are no rogue processes in root.
/cc @rjnagal @dchen1107
Running e2e now, but manual tests have been successful.
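The selection rule from the description above (non-kernel processes that are not already part of a container), sketched as an added example that is not code from this pull request. It assumes a kernel thread is identified by the PF_KTHREAD bit in /proc/<pid>/stat and that "not part of a container" means every cgroup hierarchy path is "/"; the type and function names and the sample data are constructed here.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// pfKthread is the kernel's PF_KTHREAD bit in the flags field of /proc/<pid>/stat.
const pfKthread = 0x00200000
// Proc holds a PID with the text of its /proc stat and cgroup files (hypothetical type).
type Proc struct{ Pid, Stat, Cgroup string }

// userProcess is true only when the flags field parses and PF_KTHREAD is clear.
func userProcess(stat string) bool {
	// comm may contain spaces or ')', so count fields after the last ')':
	// state ppid pgrp session tty_nr tpgid flags
	f := strings.Fields(stat[strings.LastIndex(stat, ")")+1:])
	if len(f) < 7 {
		return false
	}
	flags, err := strconv.ParseUint(f[6], 10, 64)
	return err == nil && flags&pfKthread == 0
}

// inRootCgroup is true when every "id:controllers:path" line has path "/" (assumed rule).
func inRootCgroup(cg string) bool {
	for _, l := range strings.Split(strings.TrimSpace(cg), "\n") {
		if p := strings.SplitN(l, ":", 3); len(p) != 3 || p[2] != "/" {
			return false
		}
	}
	return true
}

// Candidates returns the PIDs the description would place in the system container.
func Candidates(procs []Proc) []string {
	var out []string
	for _, p := range procs {
		if userProcess(p.Stat) && inRootCgroup(p.Cgroup) {
			out = append(out, p.Pid)
		}
	}
	return out
}
// sample is constructed data, not taken from a real node.
var sample = []Proc{
	{"2", "2 (kthreadd) S 0 0 0 0 -1 2129984 0 0", "4:memory:/\n3:cpu,cpuacct:/\n"},
	{"812", "812 (log (v2) d) S 1 812 812 0 -1 4202752 0 0", "4:memory:/\n3:cpu,cpuacct:/\n"},
	{"1500", "1500 (nginx) S 1 1500 1500 0 -1 4202752 0 0", "4:memory:/docker/constructed-id\n3:cpu,cpuacct:/\n"},
}
func main() { fmt.Println(Candidates(sample)) }
```

Unparseable stat lines and processes that sit in a non-root path in any hierarchy are left where they are.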