Revisit freezer controller detection for cgroup v2

The cgroup v2 freezer controller is not listed in the cgroup.controllers
file and is deliberately not available in the root cgroup. Therefore,
k0s sysinfo determines its presence based on the Linux kernel version.
This is problematic for old kernels that have many backported features,
such as RHEL and consorts.

However, it is still possible to detect the freezer controller via the
cgroups filesystem in cgroups other than the root group. To provide
a more reliable result for all kernels, k0s now tries to detect the
controller in its own cgroup. In the unlikely case that k0s is running
in the root cgroup, it will try to create an empty, temporary cgroup for
the freezer file detection. If it doesn't have sufficient permissions to
do so, it simply assumes the presence of the freezer controller.

See: 0655941 ("Add pre-flight checks and probes module")
Signed-off-by: Tom Wieczorek <[email protected]>

internal/pkg/sysinfo/probes/linux/cgroup_controllers.go

@@ -61,6 +61,9 @@ func (c *cgroupControllerProbe) Probe(reporter probes.Reporter) error {
 	} else if available, err := sys.probeController(c.name); err != nil {
 		return reporter.Error(desc, err)
 	} else if available.available {
+		if available.warning != "" {
+			return reporter.Warn(desc, available, available.warning)
+		}
 		return reporter.Pass(desc, available)
 	} else if c.require {
 		return reporter.Reject(desc, available, "")
@@ -70,8 +73,8 @@ func (c *cgroupControllerProbe) Probe(reporter probes.Reporter) error {
 }
 
 type cgroupControllerAvailable struct {
-	available bool
-	msg       string
+	available    bool
+	msg, warning string
 }
 
 func (a cgroupControllerAvailable) String() (msg string) {
@@ -98,7 +101,7 @@ func (p *cgroupControllerProber) probeController(s cgroupSystem, controllerName
 	p.once.Do(func() {
 		p.controllers = make(map[string]cgroupControllerAvailable)
 		p.err = s.loadControllers(func(name, msg string) {
-			p.controllers[name] = cgroupControllerAvailable{true, msg}
+			p.controllers[name] = cgroupControllerAvailable{true, msg, ""}
 		})
 	})
 	return p.controllers[controllerName], p.err

internal/pkg/sysinfo/probes/linux/cgroup_v2.go

@@ -22,6 +22,8 @@ package linux
 import (
 	"errors"
 	"fmt"
+	"os"
+	"path/filepath"
 	"regexp"
 	"strconv"
 
@@ -39,31 +41,74 @@ func (*cgroupV2) String() string {
 }
 
 func (g *cgroupV2) probeController(controllerName string) (cgroupControllerAvailable, error) {
+	switch controllerName {
+	case "devices":
+		return g.detectDevicesController()
+	case "freezer":
+		return g.detectFreezerController()
+	}
 	return g.controllers.probeController(g, controllerName)
 }
 
 func (g *cgroupV2) loadControllers(seen func(string, string)) error {
-	// Some controllers are implicitly enabled by the kernel. Those controllers
-	// do not appear in the cgroup.controllers file. Their availability is
-	// assumed based on the kernel version, as it is hard to detect them
-	// directly.
-	// https://github.com/torvalds/linux/blob/v5.3/kernel/cgroup/cgroup.c#L433-L434
-	if major, minor, err := parseKernelRelease(g.probeUname); err == nil {
-		/* devices: since 4.15 */ if major > 4 || (major == 4 && minor >= 15) {
-			seen("devices", "assumed")
-		}
-		/* freezer: since 5.2 */ if major > 5 || (major == 5 && minor >= 2) {
-			seen("freezer", "assumed")
-		}
-	} else {
-		return err
+	return g.detectListedRootControllers(seen)
+}
+
+// The device controller has no interface files. Its availability is assumed
+// based on the kernel version, as it is hard to detect it directly.
+// https://github.com/torvalds/linux/blob/v5.3/Documentation/admin-guide/cgroup-v2.rst#device-controller
+func (g *cgroupV2) detectDevicesController() (cgroupControllerAvailable, error) {
+	major, minor, err := parseKernelRelease(g.probeUname)
+	if err != nil {
+		return cgroupControllerAvailable{}, err
 	}
 
-	if err := g.detectListedRootControllers(seen); err != nil {
-		return err
+	// since 4.15
+	available, op := false, "<"
+	if major > 4 || (major == 4 && minor >= 15) {
+		available, op = true, ">="
 	}
+	msg := fmt.Sprintf("kernel %d.%d %s 4.15", major, minor, op)
+	return cgroupControllerAvailable{available, msg, ""}, nil
+}
 
-	return nil
+// Detect the freezer controller. It doesn't appear in the cgroup.controllers
+// file. Check for the existence of the cgroup.freeze file in the k0s cgroup
+// instead, or try to create a dummy cgroup if k0s runs in the root cgroup.
+//
+// https://github.com/torvalds/linux/blob/v5.3/Documentation/admin-guide/cgroup-v2.rst#core-interface-files
+func (g *cgroupV2) detectFreezerController() (cgroupControllerAvailable, error) {
+
+	// Detect the freezer controller by checking k0s's cgroup for the existence
+	// of the cgroup.freeze file.
+	// https://github.com/torvalds/linux/blob/v5.3/Documentation/admin-guide/cgroup-v2.rst#processes
+	cgroupPath, err := cgroup2.NestedGroupPath("")
+	if err != nil {
+		return cgroupControllerAvailable{}, fmt.Errorf("failed to get k0s cgroup: %w", err)
+	}
+
+	if cgroupPath != "/" {
+		cgroupPath = filepath.Join(g.mountPoint, cgroupPath)
+	} else { // The root cgroup cannot be frozen. Try to create a dummy cgroup.
+		tmpCgroupPath, err := os.MkdirTemp(g.mountPoint, "k0s-freezer-detection-*")
+		if err != nil {
+			if errors.Is(err, os.ErrPermission) && os.Geteuid() != 0 {
+				return cgroupControllerAvailable{true, "assumed", "insufficient permissions, try with elevated permissions"}, nil
+			}
+
+			return cgroupControllerAvailable{}, fmt.Errorf("failed to create temporary cgroup: %w", err)
+		}
+		defer func() { err = errors.Join(err, os.Remove(tmpCgroupPath)) }()
+		cgroupPath = tmpCgroupPath
+	}
+
+	// Check if the cgroup.freeze exists
+	if stat, err := os.Stat(filepath.Join(cgroupPath, "cgroup.freeze")); (err == nil && stat.IsDir()) || os.IsNotExist(err) {
+		return cgroupControllerAvailable{false, "cgroup.freeze doesn't exist", ""}, nil
+	} else if err != nil {
+		return cgroupControllerAvailable{}, err
+	}
+	return cgroupControllerAvailable{true, "cgroup.freeze exists", ""}, nil
 }
 
 // Detects all the listed root controllers.

internal/pkg/sysinfo/probes/linux/cgroups_test.go

@@ -60,7 +60,7 @@ func TestCgroupsProbes_Probe(t *testing.T) {
 	t.Run("Pass", func(t *testing.T) {
 		init()
 
-		available := cgroupControllerAvailable{true, ""}
+		available := cgroupControllerAvailable{true, "", ""}
 
 		reporter.On("Pass", mock.Anything, mockSys).Return(nil)
 		mockSys.On("probeController", "foo").Return(available, nil)