Correct cgroup access on older kernels

This change adds an auto mount entry into config which ensures containers
have access to the cgroups, even if they're read only. Without this
change containers see a notable slowdown and a repeating message regarding
a failure when resetting the device list. This option has no effect and
is not needed on newer kernels (4.15+) as cgroup namespaces and device
access are inherent to the creation of a container namespace.

> Example Error: http://paste.openstack.org/show/702764

While this change is introducing new config into the container it is not
forcing a container restart. This approach has been taken to ensure
we're correcting the issue on greenfield deployments but not impacting
running ones.

Change-Id: I31b1b5a044687f52b1c54049ba03c65ecda34b51
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
This commit is contained in:
Kevin Carter 2018-03-16 00:21:26 -05:00
parent beeb8573f6
commit 774aef5472
No known key found for this signature in database
GPG Key ID: 9443251A787B9FB3
1 changed files with 8 additions and 0 deletions

@ -25,6 +25,14 @@
notify:
- Lxc container restart
- name: Ensure containers have access RO cgroups
lineinfile:
dest: "/var/lib/lxc/{{ inventory_hostname }}/config"
line: "lxc.mount.auto = proc:rw sys:ro cgroup:ro"
insertafter: "^lxc.mount.auto"
backup: "true"
delegate_to: "{{ physical_host }}"
- name: Ensure bind mount host directories exists
file:
path: "{{ item['host_directory'] }}"
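
Review bot: the `line:` value in the new task sets `proc:rw` and `sys:ro` along with `cgroup:ro`, while the commit message only motivates the cgroup mount. In LXC, `proc:rw` mounts /proc fully read-write, whereas `proc:mixed` keeps /proc/sys and /proc/sysrq-trigger read-only for isolation, so consider `proc:mixed` unless a read-write /proc is actually required, and say why in the commit message either way. Also, with `insertafter: "^lxc.mount.auto"` and no `regexp`, an existing `lxc.mount.auto` line with a different value is left in place and this one is added after it, so the config can end up with two entries; adding `regexp: "^lxc.mount.auto"` would replace the existing line instead. The task has no `notify`, which matches the stated intent of not restarting running containers; a short comment on the task saying so would keep a later reader from adding one.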