support default-cgroupns-mode=private #720

@acuteaura

Description

Private CGroup modes are required for some (privileged) workloads, like Cilium's eBPF kube-proxy replacement:

Official documentation: https://docs.cilium.io/en/v1.13/installation/kind/#install-cilium (in the large notice box)

Related issue at Cilium: cilium/cilium#25479

Setting default-cgroupns-mode: private inside the docker key in colima's config leads to a runc crash:

❯ docker run -it --rm alpine ls -la /proc/self/ns/cgroup
Unable to find image 'alpine:latest' locally
latest: Pulling from library/alpine
08409d417260: Pull complete 
Digest: sha256:02bb6f428431fbc2809c5d1b41eab5a68350194fb508869a33cb1af4444c9b11
Status: Downloaded newer image for alpine:latest
docker: Error response from daemon: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error mounting "cgroup" to rootfs at "/sys/fs/cgroup": mount cgroup:/sys/fs/cgroup/openrc (via /proc/self/fd/7), flags: 0xf, data: openrc: invalid argument: unknown.

You can confirm cgroupv2 per-container slices by running the above command twice and confirming different IDs are assigned; colima without options produces the same ID.

❯ docker run -it --rm alpine ls -la /proc/self/ns/cgroup
lrwxrwxrwx    1 root     root             0 May 23 07:48 /proc/self/ns/cgroup -> cgroup:[4026531835]

❯ docker run -it --rm alpine ls -la /proc/self/ns/cgroup
lrwxrwxrwx    1 root     root             0 May 23 07:48 /proc/self/ns/cgroup -> cgroup:[4026531835]
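An added check script (not part of the issue or of colima) that turns the comparison above into something repeatable: it extracts the inode from `/proc/self/ns/cgroup` output and compares a default-mode container against one started with `--cgroupns=host`, so the verdict does not depend on two default runs happening to collide. The `alpine` image and `readlink` are assumptions; the sample lines are constructed from the report's output.

```shell
#!/bin/sh
# Added example: decide whether a Docker daemon hands containers a private
# cgroup namespace, using the /proc/self/ns/cgroup comparison from the report.

# Extract the namespace inode from a line such as
# "lrwxrwxrwx 1 root root 0 May 23 07:48 /proc/self/ns/cgroup -> cgroup:[4026531835]"
# or from the bare "cgroup:[4026531835]" that readlink prints.
cgroupns_inode() {
  printf '%s\n' "$1" | sed -n 's/.*cgroup:\[\([0-9]*\)\].*/\1/p'
}

# "private" when the default-mode container's inode differs from the
# --cgroupns=host container's, "host" when they match, "unknown" if either
# output could not be parsed.
classify_cgroupns() {
  default_id=$(cgroupns_inode "$1")
  host_id=$(cgroupns_inode "$2")
  if [ -z "$default_id" ] || [ -z "$host_id" ]; then
    echo unknown
  elif [ "$default_id" = "$host_id" ]; then
    echo host
  else
    echo private
  fi
}

# Live check against a reachable daemon (assumed image: alpine, as in the report).
check_daemon_cgroupns() {
  default_out=$(docker run --rm alpine readlink /proc/self/ns/cgroup) || return 1
  host_out=$(docker run --rm --cgroupns=host alpine readlink /proc/self/ns/cgroup) || return 1
  classify_cgroupns "$default_out" "$host_out"
}

# Constructed samples mirroring the report: same inode twice means host mode.
SAMPLE_DEFAULT='lrwxrwxrwx    1 root     root             0 May 23 07:48 /proc/self/ns/cgroup -> cgroup:[4026531835]'
SAMPLE_HOST='cgroup:[4026531835]'

if [ "${1:-}" = "--live" ] && command -v docker >/dev/null 2>&1; then
  check_daemon_cgroupns
else
  classify_cgroupns "$SAMPLE_DEFAULT" "$SAMPLE_HOST"
fi
```

Run with `--live` against a daemon to classify it; without arguments it evaluates the constructed samples, which reproduce the "host" result the report shows for colima's defaults.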

Labels: enhancement (New feature or request)