Skip to content

Add process to init subcgroup when we're using dind with cgroups v2 #10845

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Feb 14, 2025
Merged

Add process to init subcgroup when we're using dind with cgroups v2 #10845

merged 1 commit into from
Feb 14, 2025

Conversation

antoine-gaillard
Copy link
Contributor

This is a fix for issue #10733

@katacontainersbot katacontainersbot added the size/small Small and simple task label Feb 6, 2025
@antoine-gaillard antoine-gaillard mentioned this pull request Feb 6, 2025
Closed
fidencio
fidencio approved these changes Feb 12, 2025
View reviewed changes
Copy link
Member

@fidencio fidencio left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm, thanks @antoine-gaillard!

@fidencio
Copy link
Member

@antoine-gaillard, we need you to actually add a descriptive commit message as part of your commit and also add your Signed-off-by to align with the project's guidelines.

@antoine-gaillard
Copy link
Contributor Author

@antoine-gaillard, we need you to actually add a descriptive commit message as part of your commit and also add your Signed-off-by to align with the project's guidelines.

@fidencio thanks for looking at it, it should be good now

@antoine-gaillard
agent: Use init subcgroup for process attachment in DinD
4b5b788 
cgroups v2 enforces stricter delegation rules, preventing operations on
cgroups outside our ownership boundary. When running Docker-in-Docker (DinD),
processes must be attached to an "init" subcgroup within the systemd unit.
This fix detects and uses the init subcgroup when proxying process attachment.

Fixes kata-containers#10733

Signed-off-by: Antoine Gaillard <antoine.gaillard@datadoghq.com>
ananos
ananos approved these changes Feb 14, 2025
View reviewed changes
Copy link
Member

@ananos ananos left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks @antoine-gaillard!

@fidencio fidencio merged commit d587843 into kata-containers:main Feb 14, 2025
301 of 312 checks passed
mchtech added a commit to mchtech/kata-containers that referenced this pull request Feb 27, 2025
@mchtech
agent: support running systemd with cgroup v2
61ffe00 
When running systemd in container, processes should be attached to "init.scope".
systemd fixedly use "init.scope" as delegate sub-cgroup name, and the name cannot be changed.

This is a supplement for PR kata-containers#10845.

Fixes kata-containers#10733

Signed-off-by: mchtech <michu_an@126.com>
mchtech added a commit to mchtech/kata-containers that referenced this pull request Feb 27, 2025
@mchtech
agent: support running systemd with cgroup v2
bcffd15 
When running systemd in container, processes should be attached to "init.scope".
systemd fixedly use "init.scope" as delegate sub-cgroup name, and the name cannot be changed.

This is a supplement for PR kata-containers#10845.

Fixes kata-containers#10733

Signed-off-by: mchtech <michu_an@126.com>
@mchtech mchtech mentioned this pull request Feb 27, 2025
Open
mchtech added a commit to mchtech/kata-containers that referenced this pull request Feb 27, 2025
@mchtech
agent: support running systemd with cgroup v2
8f94096 
When running systemd in container, processes should be attached to "init.scope".
systemd fixedly use "init.scope" as delegate sub-cgroup name, and the name cannot be changed.

This is a supplement for PR kata-containers#10845.

Fixes kata-containers#10733

Signed-off-by: mchtech <michu_an@126.com>
mchtech added a commit to mchtech/kata-containers that referenced this pull request Feb 28, 2025
@mchtech
agent: support running systemd with cgroup v2
198daa3 
When running systemd in container, processes should be attached to "init.scope".
systemd fixedly use "init.scope" as delegate sub-cgroup name, and the name cannot be changed.

This is a supplement for PR kata-containers#10845.

Fixes kata-containers#10733

Signed-off-by: mchtech <michu_an@126.com>
mchtech added a commit to mchtech/kata-containers that referenced this pull request Feb 28, 2025
@mchtech
agent: support running systemd with cgroup v2
3a60b7a 
When running systemd in container, processes should be attached to "init.scope".
systemd fixedly use "init.scope" as delegate sub-cgroup name, and the name cannot be changed.

This is a supplement for PR kata-containers#10845.

Fixes kata-containers#10733

Signed-off-by: mchtech <michu_an@126.com>
mchtech added a commit to mchtech/kata-containers that referenced this pull request Feb 28, 2025
@mchtech
agent: support running command in nesting cgroup v2
3bf0f41 
Using a fixed sub cgroup name "init" only supports the DinD (Docker-in-Docker) scenario.

A more elegant approach is to obtain the path of the sub-cgroup based on the cgroup path of the first process in the container.

This method can support that init process running in sub-cgroup with any names, including but not limited to systemd (init.scope), even if the user moves the cgroup of the init process after the container starts running.

This is a enhancement for PR kata-containers#10845.

Fixes kata-containers#10733

Signed-off-by: mchtech <michu_an@126.com>
mchtech added a commit to mchtech/kata-containers that referenced this pull request Mar 3, 2025
@mchtech
agent: support running command in nesting cgroup v2
6b86fc5 
Using a fixed sub cgroup name "init" only supports the DinD (Docker-in-Docker) scenario.

A more elegant approach is to obtain the path of the sub-cgroup based on the cgroup path of the first process in the container.

This method can support that init process running in sub-cgroup with any names, including but not limited to systemd (init.scope), even if the user moves the cgroup of the init process after the container starts running.

This is a enhancement for PR kata-containers#10845.

Fixes kata-containers#10733

Signed-off-by: mchtech <michu_an@126.com>
mchtech added a commit to mchtech/kata-containers that referenced this pull request May 30, 2025
@mchtech
agent: support running command in nesting cgroup v2
b73c044 
Using a fixed sub cgroup name "init" only supports the DinD (Docker-in-Docker) scenario.
A more elegant approach is to obtain the path of the sub-cgroup based on the cgroup path of the first process in the container.
This patch can support that init process running in sub-cgroup with any names,
including but not limited to systemd (init.scope),
even if the user moves the cgroup of the init process after the container starts running.
This is a enhancement for PR kata-containers#10845.

Fixes kata-containers#10733

Signed-off-by: mchtech <michu_an@126.com>
mchtech added a commit to mchtech/kata-containers that referenced this pull request May 30, 2025
@mchtech
agent: support running command in nesting cgroup v2
2aaaaa1 
Using a fixed sub cgroup name "init" only supports the DinD (Docker-in-Docker) scenario.
A more elegant approach is to obtain the path of the sub-cgroup based on the cgroup path of the first process in the container.
This patch can support that init process running in sub-cgroup with any names,
including but not limited to systemd (init.scope),
even if the user moves the cgroup of the init process after the container starts running.
This is a enhancement for PR kata-containers#10845.

Fixes kata-containers#10733

Signed-off-by: mchtech <michu_an@126.com>
mchtech added a commit to mchtech/kata-containers that referenced this pull request Jun 5, 2025
@mchtech
agent: support running command in nesting cgroup v2
80d1182 
Using a fixed sub cgroup name "init" only supports the DinD (Docker-in-Docker) scenario.
A more elegant approach is to obtain the path of the sub-cgroup based on the cgroup path of the first process in the container.
This patch can support that init process running in sub-cgroup with any names,
including but not limited to systemd (init.scope),
even if the user moves the cgroup of the init process after the container starts running.
This is a enhancement for PR kata-containers#10845.

Fixes kata-containers#10733

Signed-off-by: mchtech <michu_an@126.com>
mchtech added a commit to mchtech/kata-containers that referenced this pull request Jul 18, 2025
@mchtech
agent: support running command in nesting cgroup v2
ecb68d1 
Using a fixed sub cgroup name "init" only supports the DinD (Docker-in-Docker) scenario.
A more elegant approach is to obtain the path of the sub-cgroup based on the cgroup path of the first process in the container.
This patch can support that init process running in sub-cgroup with any names,
including but not limited to systemd (init.scope),
even if the user moves the cgroup of the init process after the container starts running.
This is a enhancement for PR kata-containers#10845.

Fixes kata-containers#10733

Signed-off-by: mchtech <michu_an@126.com>
mchtech added a commit to mchtech/kata-containers that referenced this pull request Jul 18, 2025
@mchtech
agent: support running command in nesting cgroup v2
746bd0b 
Using a fixed sub cgroup name "init" only supports the DinD (Docker-in-Docker) scenario.
A more elegant approach is to obtain the path of the sub-cgroup based on the cgroup path of the first process in the container.
This patch can support that init process running in sub-cgroup with any names,
including but not limited to systemd (init.scope),
even if the user moves the cgroup of the init process after the container starts running.
This is a enhancement for PR kata-containers#10845.

Fixes kata-containers#10733

Signed-off-by: mchtech <michu_an@126.com>
mchtech added a commit to mchtech/kata-containers that referenced this pull request Jul 20, 2025
@mchtech
agent: support running command in nesting cgroup v2
b189d98 
Using a fixed sub cgroup name "init" only supports the DinD (Docker-in-Docker) scenario.
A more elegant approach is to obtain the path of the sub-cgroup based on the cgroup path of the first process in the container.
This patch can support that init process running in sub-cgroup with any names,
including but not limited to systemd (init.scope),
even if the user moves the cgroup of the init process after the container starts running.
This is a enhancement for PR kata-containers#10845.

Fixes kata-containers#10733

Signed-off-by: mchtech <michu_an@126.com>
mchtech added a commit to mchtech/kata-containers that referenced this pull request Jul 21, 2025
@mchtech
agent: support running command in nesting cgroup v2
1a1e4e2 
Using a fixed sub cgroup name "init" only supports the DinD (Docker-in-Docker) scenario.
A more elegant approach is to obtain the path of the sub-cgroup based on the cgroup path of the first process in the container.
This patch can support that init process running in sub-cgroup with any names,
including but not limited to systemd (init.scope),
even if the user moves the cgroup of the init process after the container starts running.
This is a enhancement for PR kata-containers#10845.

Fixes kata-containers#10733

Signed-off-by: mchtech <michu_an@126.com>
mchtech added a commit to mchtech/kata-containers that referenced this pull request Jul 23, 2025
@mchtech
agent: support running command in nesting cgroup v2
fafdd38 
Using a fixed sub cgroup name "init" only supports the DinD (Docker-in-Docker) scenario.
A more elegant approach is to obtain the path of the sub-cgroup based on the cgroup path of the first process in the container.
This patch can support that init process running in sub-cgroup with any names,
including but not limited to systemd (init.scope),
even if the user moves the cgroup of the init process after the container starts running.
This is a enhancement for PR kata-containers#10845.

Fixes kata-containers#10733

Signed-off-by: mchtech <michu_an@126.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fidencio fidencio fidencio approved these changes

@ananos ananos ananos approved these changes

Assignees
No one assigned
Labels
ok-to-test size/small Small and simple task
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@antoine-gaillard @fidencio @ananos @katacontainersbot