gvisor #b8fa96e201bf79d9012ab60fddc560ff4a39165c not working w/ systemd-cgroups + cgroupsv2 + containerd

Question

gvisor #b8fa96e201bf79d9012ab60fddc560ff4a39165c not working w/ systemd-cgroups + cgroupsv2 + containerd

gpl opened this issue 2 years ago · comments

Isogram commented 2 years ago

Description

We're trying to get gvisor working with cgroupsv2 and systemd-cgroup as we saw this cl: bf86207

However, we're unable to get a functioning result.

Steps to reproduce

On a Ubuntu 21.10 system, running kernel Linux 5.13.0-37-generic:

git clone https://github.com/google/gvisor; cd gvisor;
echo "module runsc" > go.mod
GO111MODULE=on go get gvisor.dev/gvisor/runsc@go
CGO_ENABLED=0 GO111MODULE=on sudo -E go build -o /usr/local/bin/runsc gvisor.dev/gvisor/runsc
GO111MODULE=on sudo -E go build -o /usr/local/bin/containerd-shim-runsc-v1 gvisor.dev/gvisor/shim

Then following the quick start steps here:

https://gvisor.dev/docs/user_guide/containerd/quick_start/

Invoking sudo crictl runp --runtime runsc sandbox.json results in:

Failed to create pod sandbox: rpc error: code = Unknown desc = failed to create containerd task: OCI runtime create failed: creating container: finding current cgroups: Rel: can't make . relative to /: unknown

runsc version

Commit b8fa96e201bf79d9012ab60fddc560ff4a39165c

docker version (if using docker)

No response

uname

Linux 5.13.0-37-generic #42-Ubuntu SMP Tue Mar 15 14:34:06 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

kubectl (if using Kubernetes)

1.23.3

repo state (if built from source)

release-20220321.0-15-gb8fa96e20

runsc debug logs (if available)

No response

Isogram · Answer 1 · Tue Mar 29 2022 04:17:47 GMT+0800 (China Standard Time)

We believe it could be related to having two paths:

34 24 0:29 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime shared:9 - cgroup2 cgroup2 rw
1479 28 0:29 / /run/cilium/cgroupv2 rw,relatime shared:650 - cgroup2 none rw

Lucas Manning · Answer 2 · Tue Mar 29 2022 08:25:39 GMT+0800 (China Standard Time)

Thanks for reporting this issue. The gVisor systemd-group implementation assumes that the cgroupv2 root is mounted at /sys/fs/cgroup, so that could be the issue here. What is your use case for the two separate paths, and are you able to get this setup to run using a different runtime like runc?

Isogram · Answer 3 · Tue Mar 29 2022 09:26:42 GMT+0800 (China Standard Time)

Yep, this current configuration works fine with runc+containerd; the second path is introduced by an extension to Kubernetes (cilium.io) that we use.

Lucas Manning · Answer 4 · Fri Apr 01 2022 01:02:57 GMT+0800 (China Standard Time)

@gpl Let us know if the issue persists; I believe #7343 should take care of the bug you reported.

Isogram · Answer 5 · Fri Apr 01 2022 03:57:47 GMT+0800 (China Standard Time)

The fix works perfectly for us; thank you!