fix: use a separate cgroup for each extension service

Fixes #8229

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>

internal/app/machined/pkg/controllers/runtime/extension_service.go

@@ -113,19 +113,19 @@ func (ctrl *ExtensionServiceController) Run(ctx context.Context, r controller.Ru
 	return nil
 }
 
-func (ctrl *ExtensionServiceController) loadSpec(path string) (*extservices.Spec, error) {
+func (ctrl *ExtensionServiceController) loadSpec(path string) (extservices.Spec, error) {
 	var spec extservices.Spec
 
 	f, err := os.Open(path)
 	if err != nil {
-		return nil, err
+		return spec, err
 	}
 
 	defer f.Close() //nolint:errcheck
 
 	if err = yaml.NewDecoder(f).Decode(&spec); err != nil {
-		return nil, fmt.Errorf("error unmarshalling extension service config: %w", err)
+		return spec, fmt.Errorf("error unmarshalling extension service config: %w", err)
 	}
 
-	return &spec, nil
+	return spec, nil
 }

internal/app/machined/pkg/system/services/extension.go

@@ -33,7 +33,7 @@ import (
 
 // Extension service is a generic wrapper around extension services spec.
 type Extension struct {
-	Spec *extservices.Spec
+	Spec extservices.Spec
 
 	overlay *mount.Point
 }
@@ -107,7 +107,7 @@ func (svc *Extension) getOCIOptions(envVars []string) []oci.SpecOpts {
 	ociOpts := []oci.SpecOpts{
 		oci.WithRootFSPath(filepath.Join(constants.ExtensionServicesRootfsPath, svc.Spec.Name)),
 		containerd.WithRootfsPropagation(svc.Spec.Container.Security.RootfsPropagation),
-		oci.WithCgroup(constants.CgroupExtensions),
+		oci.WithCgroup(filepath.Join(constants.CgroupExtensions, svc.Spec.Name)),
 		oci.WithMounts(svc.Spec.Container.Mounts),
 		oci.WithHostNamespace(specs.NetworkNamespace),
 		oci.WithSelinuxLabel(""),

internal/app/machined/pkg/system/services/extension_test.go

@@ -47,7 +47,7 @@ func TestGetOCIOptions(t *testing.T) {
 	t.Run("default configurations are cleared away if user passes empty arrays for MaskedPaths and ReadonlyPaths", func(t *testing.T) {
 		// given
 		svc := &services.Extension{
-			Spec: &extservices.Spec{
+			Spec: extservices.Spec{
 				Container: extservices.Container{
 					Security: extservices.Security{
 						MaskedPaths:   []string{},
@@ -69,7 +69,7 @@ func TestGetOCIOptions(t *testing.T) {
 	t.Run("default configuration applies if user passes nil for MaskedPaths and ReadonlyPaths", func(t *testing.T) {
 		// given
 		svc := &services.Extension{
-			Spec: &extservices.Spec{
+			Spec: extservices.Spec{
 				Container: extservices.Container{
 					Security: extservices.Security{
 						MaskedPaths:   nil,
@@ -109,7 +109,7 @@ func TestGetOCIOptions(t *testing.T) {
 	t.Run("root fs is readonly unless explicitly enabled", func(t *testing.T) {
 		// given
 		svc := &services.Extension{
-			Spec: &extservices.Spec{
+			Spec: extservices.Spec{
 				Container: extservices.Container{
 					Security: extservices.Security{
 						WriteableRootfs: true,
@@ -129,7 +129,7 @@ func TestGetOCIOptions(t *testing.T) {
 	t.Run("root fs is readonly by default", func(t *testing.T) {
 		// given
 		svc := &services.Extension{
-			Spec: &extservices.Spec{
+			Spec: extservices.Spec{
 				Container: extservices.Container{
 					Security: extservices.Security{},
 				},
@@ -147,7 +147,7 @@ func TestGetOCIOptions(t *testing.T) {
 	t.Run("allows setting extra env vars", func(t *testing.T) {
 		// given
 		svc := &services.Extension{
-			Spec: &extservices.Spec{
+			Spec: extservices.Spec{
 				Container: extservices.Container{
 					Environment: []string{
 						"FOO=BAR",
@@ -172,7 +172,7 @@ func TestGetOCIOptions(t *testing.T) {
 
 		// given
 		svc := &services.Extension{
-			Spec: &extservices.Spec{
+			Spec: extservices.Spec{
 				Container: extservices.Container{
 					EnvironmentFile: envFile,
 				},