
make /sys/fs/cgroup rw by default with cgroup2 #42040

Open
agowa opened this issue Feb 17, 2021 · 1 comment · May be fixed by #42043

Comments

agowa commented Feb 17, 2021

Description

Make /sys/fs/cgroup rw by default within the container if cgroup2 is used. Currently running e.g. systemd within the container fails because it cannot create its cgroups as /sys/fs/cgroup is mounted ro. Also now with cgroup2 being supported the old container escapes of v1 are no longer an issue.

For anyone wanting a q'n'd fix for this problem I've attached: #42043

Steps to reproduce the issue:
1.
2.
3.

Describe the results you received:

Describe the results you expected:
Applications within the container being able to create child cgroups and "manage" their own assigned scope.

Additional information you deem important (e.g. issue happens only occasionally):

Output of docker version:

Docker version 20.10.3, build 48d30b5b32

Output of docker info:

Client:
 Context:    default
 Debug Mode: false
 Plugins:
  app: Docker App (Docker Inc., v0.9.1-beta3)
  buildx: Build with BuildKit (Docker Inc., v0.5.1-tp-docker)

Server:
 Containers: 1
  Running: 1
  Paused: 0
  Stopped: 0
 Images: 57
 Server Version: 20.10.3
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 269548fa27e0089a8b8278fc4fc781d7f65a939b.m
 runc version: 12644e614e25b05da6fd08a38ffa0cfe1903fdec
 init version: de40ad0
 Security Options:
  seccomp
   Profile: default
  cgroupns
 Kernel Version: 5.10.16-arch1-1
 Operating System: Arch Linux
 OSType: linux
 Architecture: x86_64
 CPUs: 16
 Total Memory: 27.11GiB
 Name: ArchBook
 ID: ARJ3:2WKK:VWM6:MEG5:SVQF:NKWZ:SVQQ:2KNQ:P7WI:MG3W:SGX6:3TX6
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Username: agowa338
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

Additional environment details (AWS, VirtualBox, physical, etc.):

@eugene-bright

The workaround I found for myself:

--cgroupns=private --cgroup-parent=myservice.slice -v /sys/fs/cgroup/myservice.slice:/sys/fs/cgroup
