Merge pull request #39619 from mburke5678/OSDOCS-3047-cgroup2

OSDOCS3047: Dev Preview: Cgroups v2 phase 2

Author: mburke5678

modules/installation-configuration-parameters.adoc

@@ -451,6 +451,10 @@ Optional installation configuration parameters are described in the following ta
 |A PEM-encoded X.509 certificate bundle that is added to the nodes' trusted certificate store. This trust bundle may also be used when a proxy has been configured.
 |String
 
+|`cgroupsV2`
+|Enables link:https://www.kernel.org/doc/html/latest/admin-guide/cgroup-v2.html[Linux control groups version 2] (cgroups v2) on specific nodes in your cluster. The {product-title} process for enabling cgroups v2 disables all cgroup version 1 controllers and hierarchies. The {product-title} cgroups version 2 feature is in Developer Preview and is not supported by Red Hat at this time.
+|`true` 
+
 |`compute`
 |The configuration for the machines that comprise the compute nodes.
 |Array of `MachinePool` objects.

modules/nodes-nodes-cgroups-2.adoc

@@ -0,0 +1,142 @@
+// Module included in the following assemblies:
+//
+// * nodes/nodes-nodes-working.adoc
+// * post_installation_configuration/machine-configuration-tasks.adoc
+
+[id="nodes-nodes-cgroups-2_{context}"]
+= Enabling Linux control groups version 2 (cgroups v2)
+
+You can enable link:https://www.kernel.org/doc/html/latest/admin-guide/cgroup-v2.html[Linux control groups version 2] (cgroups v2) on specific nodes in your cluster by using a machine config. The {product-title} process for enabling cgroups v2 disables all cgroups version 1 controllers and hierarchies.
+
+[IMPORTANT]
+====
+The {product-title} cgroups version 2 feature is in Developer Preview and is not supported by Red Hat at this time.
+====
+
+.Prerequisites
+* You have a running {product-title} cluster that uses version 4.10 or later.
+* You are logged in to the cluster as a user with administrative privileges.
+* You have the `node-role.kubernetes.io` value for the node(s) you want to configure.
++
+[source,terminal]
+----
+$ oc describe node <node-name>
+----
++
+.Example output
+[source,terminal]
+----
+Name:               ci-ln-v05w5m2-72292-5s9ht-worker-a-r6fpg
+Roles:              worker
+Labels:             beta.kubernetes.io/arch=amd64
+                    beta.kubernetes.io/instance-type=n1-standard-4
+                    beta.kubernetes.io/os=linux
+                    failure-domain.beta.kubernetes.io/region=us-central1
+                    failure-domain.beta.kubernetes.io/zone=us-central1-a
+                    kubernetes.io/arch=amd64
+                    kubernetes.io/hostname=ci-ln-v05w5m2-72292-5s9ht-worker-a-r6fpg
+                    kubernetes.io/os=linux
+                    node-role.kubernetes.io/worker= <1>
+#...
+----
+<1> This value is the node role you need.
+
+.Procedure
+
+. Enable cgroups v2 on nodes:
+
+* Create a machine config file YAML, such as `worker-cgroups-v2.yaml`:
++
+[source,yaml]
+----
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+metadata:
+  labels:
+    machineconfiguration.openshift.io/role: "worker" <1>
+  name: worker-enable-cgroups-v2
+spec:
+  kernelArguments:
+    - systemd.unified_cgroup_hierarchy=1 <2>
+    - cgroup_no_v1="all" <3>
+----
+<1> Specifies the `node-role.kubernetes.io` value for the nodes you want to configure, such as `master`, `worker`, or `infra`.
+<2> Enables cgroups v2 in systemd.
+<3> Disables cgroups v1.
+
+* Create the new machine config:
++
+[source,terminal]
+----
+$ oc create -f worker-enable-cgroups-v2.yaml
+----
+
+. Check the machine configs to see that the new one was added:
++
+[source,terminal]
+----
+$ oc get MachineConfig
+----
++
+.Example output
+[source,terminal]
+----
+NAME                                               GENERATEDBYCONTROLLER                      IGNITIONVERSION   AGE
+00-master                                          52dd3ba6a9a527fc3ab42afac8d12b693534c8c9   3.2.0             33m
+00-worker                                          52dd3ba6a9a527fc3ab42afac8d12b693534c8c9   3.2.0             33m
+01-master-container-runtime                        52dd3ba6a9a527fc3ab42afac8d12b693534c8c9   3.2.0             33m
+01-master-kubelet                                  52dd3ba6a9a527fc3ab42afac8d12b693534c8c9   3.2.0             33m
+01-worker-container-runtime                        52dd3ba6a9a527fc3ab42afac8d12b693534c8c9   3.2.0             33m
+01-worker-kubelet                                  52dd3ba6a9a527fc3ab42afac8d12b693534c8c9   3.2.0             33m
+99-master-generated-registries                     52dd3ba6a9a527fc3ab42afac8d12b693534c8c9   3.2.0             33m
+99-master-ssh                                                                                 3.2.0             40m
+99-worker-generated-registries                     52dd3ba6a9a527fc3ab42afac8d12b693534c8c9   3.2.0             33m
+99-worker-ssh                                                                                 3.2.0             40m
+rendered-master-23e785de7587df95a4b517e0647e5ab7   52dd3ba6a9a527fc3ab42afac8d12b693534c8c9   3.2.0             33m
+rendered-worker-5d596d9293ca3ea80c896a1191735bb1   52dd3ba6a9a527fc3ab42afac8d12b693534c8c9   3.2.0             33m
+worker-enable-cgroups-v2                                                                      3.2.0             10s
+----
+
+. Check the nodes to see that scheduling on each affected node is disabled. This indicates that the change is being applied:
++
+[source,terminal]
+----
+$ oc get nodes
+----
++
+.Example output
+[source,terminal]
+----
+NAME                                       STATUS                     ROLES    AGE   VERSION
+ci-ln-fm1qnwt-72292-99kt6-master-0         Ready                      master   58m   v1.22.1+6859754
+ci-ln-fm1qnwt-72292-99kt6-master-1         Ready                      master   58m   v1.22.1+6859754
+ci-ln-fm1qnwt-72292-99kt6-master-2         Ready                      master   58m   v1.22.1+6859754
+ci-ln-fm1qnwt-72292-99kt6-worker-a-h5gt4   Ready,SchedulingDisabled   worker   48m   v1.22.1+6859754
+ci-ln-fm1qnwt-72292-99kt6-worker-b-7vtmd   Ready                      worker   48m   v1.22.1+6859754
+ci-ln-fm1qnwt-72292-99kt6-worker-c-rhzkv   Ready                      worker   48m   v1.22.1+6859754
+----
+
+. After a node returns to the `Ready` state, you can verify that cgroups v2 is enabled by checking that the `sys/fs/cgroup/cgroup.controllers` file is present on the node. This file is created by cgroups v2.
++
+* Start a debug session for that node:
++
+[source,terminal]
+----
+$ oc debug node/<node_name>
+----
++
+* Locate the `sys/fs/cgroup/cgroup.controllers` file. If this file is present, cgroups v2 is enabled on that node.
++
+.Example output
+[source,terminal]
+----
+cgroup.controllers	cgroup.stat		cpuset.cpus.effective  io.stat		pids
+cgroup.max.depth	cgroup.subtree_control	cpuset.mems.effective  kubepods.slice	system.slice
+cgroup.max.descendants	cgroup.threads		init.scope	       memory.pressure	user.slice
+cgroup.procs		cpu.pressure		io.pressure	       memory.stat
+----
+
+.Additional resources
+
+* For information about enabling cgroups v2 during installation, see the _Optional parameters_ table in the _Installation configuration parameters_ section of your installation process.
+

modules/nodes-nodes-kernel-arguments.adoc

@@ -29,6 +29,12 @@ Multithreading allows multiple logical threads for each CPU.
 You could consider `nosmt` in multi-tenant environments to reduce
 risks from potential cross-thread attacks. By disabling SMT, you essentially choose security over performance.
 
+* **systemd.unified_cgroup_hierarchy**: Enables 
+link:https://www.kernel.org/doc/html/latest/admin-guide/cgroup-v2.html[Linux control groups version 2] (cgroups v2). 
+Cgroup v2 is the next version of the kernel 
+link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/resource_management_guide/ch01[control groups]
+and offers multiple improvements.
+
 See link:https://www.kernel.org/doc/Documentation/admin-guide/kernel-parameters.txt[Kernel.org kernel parameters]
 for a list and descriptions of kernel arguments.
 

modules/nodes-nodes-working-deleting.adoc

@@ -60,5 +60,4 @@ spec:
   replicas: 2
 ----
 ====
-+
-For more information on scaling your cluster using a machine set, see _Manually scaling a machine set_.
+

nodes/nodes/nodes-nodes-working.adoc

@@ -1,5 +1,6 @@
 
 :context: nodes-nodes-working
+
 [id="nodes-nodes-working"]
 = Working with nodes
 include::modules/common-attributes.adoc[]
@@ -26,14 +27,17 @@ include::modules/nodes-nodes-working-master-schedulable.adoc[leveloffset=+1]
 == Deleting nodes
 
 include::modules/nodes-nodes-working-deleting.adoc[leveloffset=+2]
+
+.Additional resources
+
+* For more information on scaling your cluster using a MachineSet,
+see xref:../../machine_management/manually-scaling-machineset.adoc#machineset-manually-scaling-manually-scaling-machineset[Manually scaling a MachineSet].
+
 include::modules/nodes-nodes-working-deleting-bare-metal.adoc[leveloffset=+2]
 
 include::modules/nodes-nodes-working-setting-booleans.adoc[leveloffset=+1]
 include::modules/nodes-nodes-kernel-arguments.adoc[leveloffset=+1]
 ifdef::openshift-webscale[]
 include::modules/nodes-nodes-rtkernel-arguments.adoc[leveloffset=+1]
 endif::openshift-webscale[]
-== Additional resources
-
-For more information on scaling your cluster using a MachineSet,
-see xref:../../machine_management/manually-scaling-machineset.adoc#machineset-manually-scaling-manually-scaling-machineset[Manually scaling a MachineSet].
+include::modules/nodes-nodes-cgroups-2.adoc[leveloffset=+1]

post_installation_configuration/machine-configuration-tasks.adoc

@@ -35,6 +35,7 @@ include::modules/rhcos-enabling-multipath-day-2.adoc[leveloffset=+2]
 
 * See xref:../installing/installing_bare_metal/installing-bare-metal.adoc#rhcos-enabling-multipath_installing-bare-metal[Enabling multipathing with kernel arguments on RHCOS] for more information about enabling multipathing during installation time.
 
+include::modules/nodes-nodes-cgroups-2.adoc[leveloffset=+2]
 include::modules/nodes-nodes-rtkernel-arguments.adoc[leveloffset=+2]
 include::modules/machineconfig-modify-journald.adoc[leveloffset=+2]
 include::modules/rhcos-add-extensions.adoc[leveloffset=+2]