Skip to content

fix(bootstrap): use host cgroup namespace for gateway container#329

Merged
drew merged 1 commit intomainfrom
fix/cgroupns-host-mode
Mar 16, 2026
Merged

fix(bootstrap): use host cgroup namespace for gateway container#329
drew merged 1 commit intomainfrom
fix/cgroupns-host-mode

Conversation

@drew
Copy link
Collaborator

@drew drew commented Mar 15, 2026

Summary

  • Set cgroupns_mode: host on the gateway Docker container to fix k3s startup failures on Docker Desktop 29.x with cgroup v2
  • Without this, the kubelet's ContainerManager fails: cgroup ["kubepods"] has some missing controllers: cpu, cpuset, hugetlb, memory, pids

Root Cause

Docker Desktop 29.x (Docker Engine 28.x+) defaults to cgroupns: private. With cgroup v2, a private cgroup namespace doesn't delegate the required controllers into the container's namespace. The k3s kubelet then fails to create QoS cgroup hierarchy for pod management.

Fix

Explicitly set cgroupns_mode: host in HostConfig when creating the gateway container. This is:

  • Backwards compatible with all Docker versions (host mode was the pre-20.10 default)
  • Consistent with how k3d and other k3s-in-Docker tooling operate
  • No security regression since the container already runs with privileged: true

Testing

  • Verified gateway starts successfully with openshell gateway start on Docker Desktop 29.2.1 / macOS 26.2 / cgroup v2
  • cargo check -p openshell-bootstrap passes
  • mise run pre-commit passes

@drew
fix(bootstrap): use host cgroup namespace for gateway container
84675dd 
Docker Desktop 29.x defaults to private cgroupns which prevents k3s
kubelet from accessing cgroup v2 controllers (cpu, cpuset, memory,
pids, hugetlb). This causes ContainerManager to fail during startup.

Explicitly set cgroupns_mode to host, which is backwards compatible
with all Docker versions and matches what k3s-in-Docker tooling
(k3d) requires.
@drew drew self-assigned this Mar 15, 2026
@drew drew added the e2e label Mar 15, 2026
@drew drew marked this pull request as draft March 15, 2026 22:20
@drew drew force-pushed the fix/cgroupns-host-mode branch from 8c88ac0 to 84675dd Compare March 16, 2026 13:55
@drew drew marked this pull request as ready for review March 16, 2026 14:47
@drew drew merged commit a458ca6 into main Mar 16, 2026
9 checks passed
@drew drew deleted the fix/cgroupns-host-mode branch March 16, 2026 15:20
@drew drew mentioned this pull request Mar 16, 2026
Merged
7 tasks
@brianwtaylor brianwtaylor mentioned this pull request Mar 17, 2026
Open
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pimlock pimlock pimlock approved these changes

Assignees

@drew drew

Labels

e2e

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@drew @pimlock