- Verified with grootfs-release v0.15.0
Lots of nice little changes and two big ones: CPU maximums support and alpha/experimental support for running containers without root.
Experimental! Support for running containers without root
This is very much a v1 which we would not suggest running in production (yet!). It is now possible to run garden without needing root (other than for one-time setup). This increases the security posture of garden and the number of places where it can potentially be used. Manual instructions and known gaps in the attached doc: https://github.com/cloudfoundry/garden-runc-release/blob/develop/docs/rootless-containers.md.
You can also opt-in using the
experimental_rootless_mode bosh property which will do all the work for you!
NOTE: Not ready - or secure - for production use yet, but feedback very welcome!
It is now possible to request a maximum CPU limit proportional to the existing fair-share CPU limit. The previous cpu limit just ensured that if two containers competed for cpu they would receive it in proportion to their requested cpu share (in the Cloud Foundry use case, this meant in proportion to their memory limit). This meant, for example, if only one container was active on a host it could potentially consume all of the host’s resources – far more than were paid for.
cpu_quota_per_share_in_us property, which - if set - applies to all containers created on a host, enforces an additional maximum amount of cpu usage in each quota period (which unless changed on the system is 100ms) in proportion to the existing shares limit.
Example: Using Cloud Foundry as an example, since CF sets a container’s cpu limit (
ContainerSpec.Limits.Cpu.LimitInShares) based on the memory limit, if
cpu_quota_per_share_in_us is set to 100 on a single-core system then a 64MB container will be able to use a maximum of 6.4ms (64 * 100us = 6400us = 6.4ms) of cpu every 100ms.
A Few More Things..
- Container MTU now defaults to the MTU of the external network interface on the host rather than 1500. This is pretty much always what you want and avoids issues on environments with lower MTUs than the default.
- We now strip all entries starting 127.* from resolv.conf on the host when setting up networking for the container. Since 127.* on the host can never be accessed in the container it’s never the right thing for it to survive into the container’s resolv.conf (and causes slow DNS lookups when it does).
- Our CI now tracks container creation performance using bucket bench
- Golang bumped to 1.8.0
- Squished some misleading log messages. Feel good knowing you will no longer be misled (as much).
Upload this release version to the Director:
$ bosh upload-release https://bosh.io/d/github.com/cloudfoundry/garden-runc-release?v=1.3.0 --sha1 816044289381e3b7b66dd73fbcb20005594026a3
Modify deployment manifest to use this release in addition to any other used releases:
releases: - name: garden-runc version: "1.3.0"
Finally add needed deployment jobs and specify values for required properties.
Optionally download sha1: 816044289381e3b7b66dd73fbcb20005594026a3 release tarball locally:
# ...or download it directly using curl $ curl -L -J -O https://bosh.io/d/github.com/cloudfoundry/garden-runc-release?v=1.3.0 # or with wget... $ wget --content-disposition https://bosh.io/d/github.com/cloudfoundry/garden-runc-release?v=1.3.0