
[HTCondor-users] Unprivileged cgroups v2 & delegation



Dear all,

With the arrival of cgroups v2 in recent Linux distributions, there now exist means for having unprivileged cgroups and resource delegation. Is this a feature that could possibly also be added to HTCondor?

HTCondor commonly provides us (ALICE) with the slot where we run our job pilots across the Grid. These pilots have since become highly tasked with managing the resources we have within each slot, so as to best utilise the resources given to us. This process has become increasingly challenging, as we often have several user payloads running in parallel in the same slot (as seen by the BQ), and users often requesting arbitrary resources (CPU and memory in particular).

However, cgroups v2 provides means for unprivileged users to delegate controllers (e.g. for memory). This would enable our pilots to further subdivide the resources given to us within each slot, allowing us to better "box-in" each subjob -- a very useful feature in our use-case. The benefit of this approach is that the unprivileged user is not able to further request/delegate more resource than what was originally given to the slot, but only subpartition those existing resources.

For this to work though, the unprivileged user must first be given ownership of the new cgroup given to them by Condor, as well as the subtree_controller/procs files within that cgroup. Is there a chance this could be provided by Condor? As an example, adding the following lines (diff) enables us to use this feature within recent versions.

Best regards,
-Maxim Storetvedt
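
The ownership requirement described in the message can be checked from inside a slot before a pilot tries to create child cgroups. The following is an added example, not part of the original message and not HTCondor code: the function names are hypothetical, `cgroup.threads` is included because the kernel's cgroup v2 documentation lists it alongside `cgroup.procs` and `cgroup.subtree_control`, and the sample tree is a constructed stand-in for a real cgroupfs directory.

```python
import os
import tempfile

# Besides the cgroup directory itself, the kernel's cgroup v2 documentation
# names these files as the ones whose write access is granted on delegation.
DELEGATE_FILES = ("cgroup.procs", "cgroup.subtree_control", "cgroup.threads")

def delegation_report(cgroup_dir, uid):
    """Map each delegation item to its problem; an empty dict means delegated."""
    problems = {}
    for name in (".",) + DELEGATE_FILES:
        try:
            st = os.stat(os.path.join(cgroup_dir, name))
        except FileNotFoundError:
            problems[name] = "missing"
            continue
        if st.st_uid != uid:
            problems[name] = f"owned by uid {st.st_uid}"
        elif not st.st_mode & 0o200:
            problems[name] = "owner has no write bit"
    return problems

def available_controllers(cgroup_dir):
    """Controllers the parent enabled for this cgroup (cgroup.controllers)."""
    with open(os.path.join(cgroup_dir, "cgroup.controllers")) as f:
        return f.read().split()

def can_subdivide(cgroup_dir, uid, controller):
    """True if uid owns the delegation files and `controller` is available here."""
    return (not delegation_report(cgroup_dir, uid)
            and controller in available_controllers(cgroup_dir))

def make_sample_tree():
    """Constructed stand-in for a slot cgroup, so the check runs off cgroupfs."""
    d = tempfile.mkdtemp(prefix="slot1_")
    contents = {"cgroup.controllers": "cpu memory pids\n", "cgroup.procs": "",
                "cgroup.subtree_control": "", "cgroup.threads": ""}
    for name, text in contents.items():
        path = os.path.join(d, name)
        with open(path, "w") as f:
            f.write(text)
        os.chmod(path, 0o644)
    return d

if __name__ == "__main__":
    slot = make_sample_tree()
    print(delegation_report(slot, os.getuid()))      # delegated to us
    print(delegation_report(slot, os.getuid() + 1))  # owned by someone else
    print(can_subdivide(slot, os.getuid(), "memory"))
```

On a real host the first argument would be the slot's directory under the cgroup v2 mount, and a non-empty report names exactly which items still belong to another user.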