Open VZ (Virtuozzo 7) and Docker issue (email from SSDNodes)
abytecurious
Member
in General
I received this email from SSDNodes yesterday.
Recently SSDNodes became aware of an issue in our Virtuozzo 7 platform that affected
customers with a container VPS. We have investigated this issue and are now writing
to inform you of the outcome of that investigation.
Containers operate by dividing up the extensive resources of our host nodes into smaller
blocks of resource, each being allocated to just one container. That way each container
receives the correct share of host node resources.
Docker does the same thing, as Docker is also a container technology.
The mechanism within Linux that divides up the resources is called "cgroups".
Cgroups are also used by some programs to manage their own resources. Unfortunately
there is a fixed limit on the number of cgroups that can exist on one Linux system.
The problem we have encountered is where the activities of a small group of customers,
particularly those using Docker inside containers, can result in all the cgroup capacity
on a host node being used up. Once that happens no more cgroups can be created on that
machine. If no more cgroups can be created, no more containers can be started.
We consider that this is a bug in the Virtuozzo 7 platform as the resource usage of one
or a small number of customers should not cause resource exhaustion on the host. We have
logged a support request with Virtuozzo asking that they fix this issue.
Unfortunately some of our host nodes have run out of cgroups and this is now preventing
the containers of existing customers from being started (for example, after a reinstall).
Those customers are, understandably, concerned that their service is currently down.
All we can do is reboot each host node when the cgroups are full. We are now going to
begin doing that periodically until Virtuozzo fix the issue. When a host node is
restarted all containers on that host will also be restarted. We regret the inconvenience
this will cause our customers, but we trust you understand that under the circumstances
we have no other option.
Finally, we would like to clarify that customers using KVM rather than container
technology are not affected by this issue. This is because containers share the kernel
of the host node but with KVM you are running your own separate kernel. KVM is a more
stable and secure technology. We recommend that container customers upgrade to KVM.
A pro-rated credit for the container service plus a further credit of $15 per client
will be available for customers who choose to do so.
I am not an expert, but it was an interesting read. SSDNodes launched this new line (featuring Virtuozzo7) with the selling point that Docker support was not available on their OpenVZ line. The node restart took about 2 hours and the next reboot would be random. Kinda sucks for those who run production stuff there.
TL;DR: If providers are looking to use Virtuozzo 7 as a way of offering Docker support on OVZ, it is not there yet.
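The exhaustion described in the email can be watched for on a host by reading `/proc/cgroups`, which lists the number of cgroups per controller. The following is an added example, not part of the original post or SSDNodes' tooling; the sample data is constructed and `ASSUMED_LIMIT` is an assumption, since the email does not state the actual limit.

```python
"""Added example: flag cgroup controllers whose group count nears a limit."""
from pathlib import Path

# Constructed sample in the /proc/cgroups layout (not data from SSDNodes).
SAMPLE = """\
#subsys_name	hierarchy	num_cgroups	enabled
cpuset	4	212	1
cpu	3	9841	1
memory	6	64910	1
devices	5	9841	1
pids	8	0	0
"""

# Assumed ceiling for illustration only; the email does not state the real limit.
ASSUMED_LIMIT = 65535


def parse_proc_cgroups(text):
    """Return {controller: (num_cgroups, enabled)} from /proc/cgroups text."""
    result = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed rows rather than crash a monitoring job
        name, _hierarchy, count, enabled = fields
        try:
            result[name] = (int(count), enabled == "1")
        except ValueError:
            continue
    return result


def controllers_near_limit(text, limit=ASSUMED_LIMIT, warn_ratio=0.9):
    """List (controller, count, fraction) for enabled controllers at/above warn_ratio."""
    hits = []
    for name, (count, enabled) in parse_proc_cgroups(text).items():
        if enabled and count >= limit * warn_ratio:
            hits.append((name, count, round(count / limit, 3)))
    return sorted(hits, key=lambda h: h[1], reverse=True)


if __name__ == "__main__":
    path = Path("/proc/cgroups")
    text = path.read_text() if path.exists() else SAMPLE
    for name, count, frac in controllers_near_limit(text):
        print(f"WARNING {name}: {count} cgroups ({frac:.1%} of assumed limit)")
```

Run periodically on the host node, a check like this gives warning before new containers fail to start, so a reboot can be scheduled rather than forced.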
Comments
Docker under OVZ is kind of stupid, anyhow.
From the openvz.org Wiki.
Regardless of what the provider says you should always RTFM.
FTFY.
Note that this statement is only because people seem to use it like a package manager. I haven't seen any deployments on intended use.
That is because Docker actively promotes it to use it that way (at least they did in the past).
The people that are using it for large deployments that match the high level discussions around its potential use do exist, but they're not talking about it as loudly (or not in the places you're listening). Just consider this: Docker is an actual company that makes money. There's something going on there that you're not going to run into in your normal path. People are paying for this:
https://www.docker.com/pricing
And I'm pretty sure they're not paying that just to spin up Apache a little faster.