Skip to content

feat: add cgroup CPU isolation for sandboxed walltime runs#427

Open
GuillaumeLagrange wants to merge 1 commit into
mainfrom
cod-3012-cpu-isolation-on-macro-runner-for-sandboxed-processes
Open

feat: add cgroup CPU isolation for sandboxed walltime runs#427
GuillaumeLagrange wants to merge 1 commit into
mainfrom
cod-3012-cpu-isolation-on-macro-runner-for-sandboxed-processes

Conversation

@GuillaumeLagrange

@GuillaumeLagrange GuillaumeLagrange commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

Add an alternative to systemd-run where the caller can prepare cgroups and forward the info through CODSPEED_WALLTIME_ISOLATION=CGROUP:/path/to/cgroup.
The runner expects this group to have two leaves: support and bench.
When spawning the bench process, the runner

  • self places into support group
  • spawns the benchmark process and have it move itself in the bench group

@greptile-apps

greptile-apps Bot commented Jun 29, 2026
edited
Loading

Copy link
Copy Markdown

Greptile Summary

This PR adds cgroup-based CPU isolation for sandboxed wall-time benchmark runs. The main changes are:

  • New IsolationMode handling for none, systemd, and cgroup isolation.
  • Cgroup support and bench leaf placement around the benchmark command.
  • Updated executor flow to separate benchmark isolation from sudo requirements.
  • Updated perf and samply profiler wrapping to use the new sudo contract.

Confidence Score: 5/5

This looks safe to merge.

  • No blocking issues found in the changed code.

Important Files Changed

Filename Overview
src/executor/wall_time/isolation.rs Adds the isolation mode model, cgroup command wrapping, and environment parsing for wall-time runs.
src/executor/wall_time/executor.rs Applies the resolved isolation mode once and passes the derived sudo requirement through the run path.
src/executor/wall_time/profiler/mod.rs Updates the profiler wrapping contract to describe sudo as a recorder requirement.
src/executor/wall_time/profiler/perf/mod.rs Uses the new sudo requirement when wrapping perf around the benchmark command.
src/executor/wall_time/profiler/samply/mod.rs Uses the new sudo requirement when wrapping samply around the benchmark command.

Reviews (3): Last reviewed commit: "feat: add cgroup CPU isolation for sandb..." | Re-trigger Greptile

greptile-apps[bot]
greptile-apps Bot reviewed Jun 29, 2026
View reviewed changes
Comment thread src/executor/wall_time/isolation.rs Outdated
Comment thread src/executor/wall_time/isolation.rs Outdated
@codspeed-hq

codspeed-hq Bot commented Jun 29, 2026
edited
Loading

Copy link
Copy Markdown

Merging this PR will not alter performance

⚠️ Unknown Walltime execution environment detected

Using the Walltime instrument on standard Hosted Runners will lead to inconsistent data.

For the most accurate results, we recommend using CodSpeed Macro Runners: bare-metal machines fine-tuned for performance measurement consistency.

✅ 7 untouched benchmarks

Comparing cod-3012-cpu-isolation-on-macro-runner-for-sandboxed-processes (d2f2793) with main (7ce2c98)

Open in CodSpeed

@GuillaumeLagrange GuillaumeLagrange force-pushed the cod-3012-cpu-isolation-on-macro-runner-for-sandboxed-processes branch from a15e7ed to 40f9325 Compare June 29, 2026 15:51
greptile-apps[bot]
greptile-apps Bot reviewed Jun 29, 2026
View reviewed changes
Comment thread src/executor/wall_time/isolation.rs
IsolationMode::Cgroup { scope_dir } => {
// Move the runner (and the profiler it later spawns) onto the
// system cores before wrapping the benchmark for the bench cores.
place_runner_in_support(scope_dir)?;

@greptile-apps greptile-apps Bot Jun 29, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Support leaf race In cgroup mode, this moves the runner into <scope>/support/cgroup.procs before the code waits for any leaf to exist. If the privileged setup creates support and bench asynchronously, this write can fail with a missing support/cgroup.procs path even though the cgroup layout would be ready shortly after. The run then exits before the benchmark starts, so the support leaf needs the same readiness handling as the bench leaf.

@GuillaumeLagrange @claude
feat: add cgroup CPU isolation for sandboxed walltime runs
d2f2793 
The walltime executor pins the benchmark to dedicated cores with
`systemd-run --scope --slice=codspeed.slice`, but that needs a reachable host
systemd — absent inside the macro-agent sandbox, where the runner is PID 1 of
a private namespace with no host authority.

Add a `Cgroup` isolation mode for that case, selected by
`CODSPEED_ISOLATION=CGROUP:<dir>`. The privileged side delegates that scope
cgroup already split and pinned into `all` / `support` / `bench` leaves; the
runner just relocates with two plain `cgroup.procs` writes — itself into
`support`, so it and the profiler stay off the bench cores, and the benchmark
into `bench` via a small `bash` shim. No cpuset arithmetic and no privilege:
the benchmark stays in the profiler's process subtree, so it records
unprivileged.

Unlike the systemd scope, this keeps the benchmark a descendant of the
profiler, so the `isolate` flag threaded through the profilers becomes
`requires_sudo`, which is true only for the systemd mode.

Refs COD-3012
Co-Authored-By: Claude <noreply@anthropic.com>
@GuillaumeLagrange GuillaumeLagrange force-pushed the cod-3012-cpu-isolation-on-macro-runner-for-sandboxed-processes branch from 40f9325 to d2f2793 Compare June 29, 2026 16:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@GuillaumeLagrange