Docker and swap limit support, cpu cfs quota support, cpu cfs period support

Hello,

Can someone help me enable support for the following for docker (RPI4)?
WARNING: No swap limit support
WARNING: No cpu cfs quota support
WARNING: No cpu cfs period support

I want to install kubernetes for docker.

I'm seeing this as well, @BRX7. Also, warning, this turned into a long message because of pasted bits.
tl;dr optional features of Docker are not supported by the kernel, but you should still be able to run docker fine.

These warned modules are used to limit docker's ability to use more than a certain amount of specific system resources. I just installed docker for the first time ever tonight, so I'm not exactly sure what those are, but the maintainers of the official repository's docker package apparently do not believe they are necessary for a default install, so I'm not too concerned about it. (I'm not trying to be cagey, I'm literally going through the tutorial for the first time now.)

@Darksky may have more information on what those modules do/whether the kernel can be updated/switched out with another kernel that supports them. It's my understanding from other threads that some modules are not supported because there is no upstream support for those modules in Manjaro.

@yosukemat has docker running on his pi and was helping me earlier. Maybe he knows if you actually need to worry about these warnings. Again, I don't think you do, but I cannot say for certain.

See below for troubleshooting steps to make sure docker is running.

What is the output of the following command: systemctl status docker.service? The first few lines should look something like this:

~]$ systemctl status docker.service
docker.service - Docker Application Container Engine
Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2020-07-10 23:29:00 CDT; 14min ago

If the service is active, it is currently running. If that is the case, ask docker how it is doing.
Command: $ sudo docker info

Output will be quite long, but the beginning should look like this:

$ sudo docker info
Client:
Debug Mode: false

Server:
Containers: 0
Running: 0
Paused: 0
Stopped: 0
Images: 0
Server Version: 19.03.11-ce

The tail end should resemble this:

Jul 10 23:28:58 $HOST dockerd[481]: time="2020-07-10T23:28:58.484288009-05:00" level=warning msg="Your kernel does not support cgroup cfs quotas"
Jul 10 23:28:58 $HOST dockerd[481]: time="2020-07-10T23:28:58.484335101-05:00" level=warning msg="Your kernel does not support cgroup rt period"
Jul 10 23:28:58 $HOST dockerd[481]: time="2020-07-10T23:28:58.484380768-05:00" level=warning msg="Your kernel does not support cgroup rt runtime"
Jul 10 23:28:58 $HOST dockerd[481]: time="2020-07-10T23:28:58.485096194-05:00" level=info msg="Loading containers: start."
Jul 10 23:28:58 $HOST dockerd[481]: time="2020-07-10T23:28:58.864681416-05:00" level=info msg="Default bridge (docker0) is assigned with an IP address 172.17.0.0/16. Daemon option --bip can be used to set a preferred IP address"
Jul 10 23:28:59 $HOST dockerd[481]: time="2020-07-10T23:28:59.101563860-05:00" level=info msg="Loading containers: done."
Jul 10 23:28:59 $HOST dockerd[481]: time="2020-07-10T23:28:59.840076989-05:00" level=info msg="Docker daemon" commit=42e35e61f3 graphdriver(s)=overlay2 version=19.03.11-ce
Jul 10 23:28:59 $HOST dockerd[481]: time="2020-07-10T23:28:59.842266156-05:00" level=info msg="Daemon has completed initialization"
Jul 10 23:29:00 $HOST systemd[1]: Started Docker Application Container Engine.
Jul 10 23:29:00 $HOST dockerd[481]: time="2020-07-10T23:29:00.033060619-05:00" level=info msg="API listen on /run/docker.sock"

1 Like

Limiting how many resources docker can use on an already pretty limited machine does not really make sense, in my opinion.
It would just make most docker containers fail because they don't have enough resources to run at all.

Up until recently, the highest amount of RAM a consumer SBC had was 4 GB.

2 Likes

Some modules are required for the docker image and then there are some it checks for that may or may not be required, depending on the image. Basically, if the docker image works, do not worry about it.

Here is the output of a docker kernel config checker. There are a few modules that can be enabled if needed for a particular docker that say "not enabled". The ones that say "missing" are not in the kernel at all that can be enabled.

[ray@ray-pc Desktop]$ ./check-config.sh 
info: reading kernel config from ./config ...

Generally Necessary:
- cgroup hierarchy: properly mounted [/sys/fs/cgroup]
- CONFIG_NAMESPACES: enabled
- CONFIG_NET_NS: enabled
- CONFIG_PID_NS: enabled
- CONFIG_IPC_NS: enabled
- CONFIG_UTS_NS: enabled
- CONFIG_CGROUPS: enabled
- CONFIG_CGROUP_CPUACCT: enabled
- CONFIG_CGROUP_DEVICE: enabled
- CONFIG_CGROUP_FREEZER: enabled
- CONFIG_CGROUP_SCHED: enabled
- CONFIG_CPUSETS: enabled
- CONFIG_MEMCG: enabled
- CONFIG_KEYS: enabled
- CONFIG_VETH: enabled (as module)
- CONFIG_BRIDGE: enabled (as module)
- CONFIG_BRIDGE_NETFILTER: enabled (as module)
- CONFIG_IP_NF_FILTER: enabled (as module)
- CONFIG_IP_NF_TARGET_MASQUERADE: enabled (as module)
- CONFIG_NETFILTER_XT_MATCH_ADDRTYPE: enabled (as module)
- CONFIG_NETFILTER_XT_MATCH_CONNTRACK: enabled (as module)
- CONFIG_NETFILTER_XT_MATCH_IPVS: enabled (as module)
- CONFIG_IP_NF_NAT: enabled (as module)
- CONFIG_NF_NAT: enabled (as module)
- CONFIG_POSIX_MQUEUE: enabled

Optional Features:
- CONFIG_USER_NS: enabled
- CONFIG_SECCOMP: enabled
- CONFIG_CGROUP_PIDS: enabled
- CONFIG_MEMCG_SWAP: not enabled
- CONFIG_MEMCG_SWAP_ENABLED: not enabled
- CONFIG_BLK_CGROUP: enabled
- CONFIG_BLK_DEV_THROTTLING: enabled
- CONFIG_IOSCHED_CFQ: missing
- CONFIG_CFQ_GROUP_IOSCHED: missing
- CONFIG_CGROUP_PERF: not enabled
- CONFIG_CGROUP_HUGETLB: missing
- CONFIG_NET_CLS_CGROUP: enabled (as module)
- CONFIG_CGROUP_NET_PRIO: not enabled
- CONFIG_CFS_BANDWIDTH: enabled
- CONFIG_FAIR_GROUP_SCHED: enabled
- CONFIG_RT_GROUP_SCHED: not enabled
- CONFIG_IP_NF_TARGET_REDIRECT: enabled (as module)
- CONFIG_IP_VS: enabled (as module)
- CONFIG_IP_VS_NFCT: enabled
- CONFIG_IP_VS_PROTO_TCP: enabled
- CONFIG_IP_VS_PROTO_UDP: enabled
- CONFIG_IP_VS_RR: enabled (as module)
- CONFIG_EXT4_FS: enabled
- CONFIG_EXT4_FS_POSIX_ACL: enabled
- CONFIG_EXT4_FS_SECURITY: enabled
- Network Drivers:
  - "overlay":
    - CONFIG_VXLAN: enabled (as module)
    - CONFIG_BRIDGE_VLAN_FILTERING:  not enabled
      Optional (for encrypted networks):
      - CONFIG_CRYPTO: enabled
      - CONFIG_CRYPTO_AEAD: enabled (as module)
      - CONFIG_CRYPTO_GCM: enabled (as module)
      - CONFIG_CRYPTO_SEQIV: enabled (as module)
      - CONFIG_CRYPTO_GHASH: enabled (as module)
      - CONFIG_XFRM: enabled
      - CONFIG_XFRM_USER: enabled
      - CONFIG_XFRM_ALGO: enabled
      - CONFIG_INET_ESP: enabled (as module)
      - CONFIG_INET_XFRM_MODE_TRANSPORT: missing
  - "ipvlan":
    - CONFIG_IPVLAN: enabled (as module)
  - "macvlan":
    - CONFIG_MACVLAN: enabled (as module)
    - CONFIG_DUMMY: enabled (as module)
  - "ftp,tftp client in container":
    - CONFIG_NF_NAT_FTP: enabled (as module)
    - CONFIG_NF_CONNTRACK_FTP: enabled (as module)
    - CONFIG_NF_NAT_TFTP: enabled (as module)
    - CONFIG_NF_CONNTRACK_TFTP: enabled (as module)
- Storage Drivers:
  - "aufs":
    - CONFIG_AUFS_FS: missing
  - "btrfs":
    - CONFIG_BTRFS_FS: enabled (as module)
    - CONFIG_BTRFS_FS_POSIX_ACL: enabled
  - "devicemapper":
    - CONFIG_BLK_DEV_DM: enabled (as module)
    - CONFIG_DM_THIN_PROVISIONING: enabled (as module)
  - "overlay":
    - CONFIG_OVERLAY_FS: enabled (as module)

**Darksky NOTE: zfs is not supported by upstream. It is compiled as an
   external module which used to work but does not at this moment due
   to upstream code changes. There is a hack but the RPi folks decided to 
   not go with it as it is not supported upstream. The zfs folks are 
   trying to push a PR to upstream to fix the issue.**

  - "zfs":
    - /dev/zfs: missing
    - zfs command: missing
    - zpool command: missing

Limits:
- /proc/sys/kernel/keys/root_maxkeys: 1000000

[ray@ray-pc Desktop]$ 
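Added example, not part of the thread and not the `check-config.sh` script run above: a small POSIX shell check that ties the three `docker info` warnings from the first post to the kernel options that back the CPU and swap limits, and classifies each one with the same "enabled" / "not enabled" / "missing" wording. The warning-to-option mapping (`CONFIG_MEMCG_SWAP` for swap limits, `CONFIG_CFS_BANDWIDTH` with `CONFIG_FAIR_GROUP_SCHED` for CFS quota and period), the function names and the sample config are supplied here as assumptions of the example.

```shell
# Added example, not from the thread. Function names are hypothetical.

# kconfig_state FILE OPTION -> enabled | enabled (as module) | not enabled | missing
kconfig_state() (
    file=$1; opt=$2
    if grep -q "^${opt}=y\$" "$file"; then
        echo "enabled"
    elif grep -q "^${opt}=m\$" "$file"; then
        echo "enabled (as module)"
    elif grep -q "^# ${opt} is not set\$" "$file"; then
        echo "not enabled"   # option exists in this kernel, switched off at build time
    else
        echo "missing"       # option does not appear in this config at all
    fi
)

# warning_options WARNING -> kernel options behind that docker warning
# (mapping is an assumption of this example, not taken from the thread)
warning_options() {
    case $1 in
        "No swap limit support")
            echo "CONFIG_MEMCG CONFIG_MEMCG_SWAP" ;;
        "No cpu cfs quota support"|"No cpu cfs period support")
            echo "CONFIG_FAIR_GROUP_SCHED CONFIG_CFS_BANDWIDTH" ;;
        *) return 1 ;;
    esac
}

# report FILE -> one "warning: option: state" line per pair
report() (
    for w in "No swap limit support" "No cpu cfs quota support" \
             "No cpu cfs period support"; do
        for opt in $(warning_options "$w"); do
            printf '%s: %s: %s\n' "$w" "$opt" "$(kconfig_state "$1" "$opt")"
        done
    done
)

# Constructed sample config for the demo run; not a real RPi4 kernel config.
sample_config() {
    printf '%s\n' 'CONFIG_MEMCG=y' '# CONFIG_MEMCG_SWAP is not set' \
                  'CONFIG_FAIR_GROUP_SCHED=y' 'CONFIG_VETH=m'
}

demo_cfg=$(mktemp)
sample_config > "$demo_cfg"
report "$demo_cfg"
rm -f "$demo_cfg"
```

To check a real kernel, call `report` with the path of its config file, such as the `./config` the checker run above read from.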

Thanks, Ray! I really appreciate the sample output and the explanation. What you said makes more sense than what I've read so far.

Where did the config checker script come from? I see it's running from your Desktop, so I'm guessing it's not part of the default install?

I saw a PR today on the RPi github. This is on my list for the next time I build new kernels to enable these modules in all pi kernels regardless if the PR gets merged or not.

bcm2711_defconfig: Kernel 4.19 configuration required by Docker

1 Like
