Revisit devices and freezer controller detection for cgroup v2 #3077
Merged: twz123 merged 3 commits into k0sproject:main from twz123:cgroupv2-devices-freezer-detection on Oct 16, 2023
twz123 added the bug (Something isn't working) and backport/release-1.27 (PR that needs to be backported/cherrypicked to release-1.27 branch) labels on May 5, 2023
twz123 force-pushed the cgroupv2-devices-freezer-detection branch from 440b300 to b25ccba on May 8, 2023 12:04
twz123 changed the title from "Detect devices and freezer in cgroup v2 via directory" to "Revisit device and freezer controller detection for cgroup v2" on May 8, 2023
The PR is marked as stale since no activity has been recorded in 30 days
The PR is marked as stale since no activity has been recorded in 30 days
twz123 force-pushed the cgroupv2-devices-freezer-detection branch 6 times, most recently from a5b27d3 to b252379 on July 11, 2023 09:31
twz123 removed the backport/release-1.27 (PR that needs to be backported/cherrypicked to release-1.27 branch) label on Jul 11, 2023
twz123 changed the title from "Revisit device and freezer controller detection for cgroup v2" to "Revisit devices and freezer controller detection for cgroup v2" on Jul 11, 2023
twz123 force-pushed the cgroupv2-devices-freezer-detection branch 6 times, most recently from 96c150a to 69ebba0 on July 13, 2023 09:03
twz123 force-pushed the cgroupv2-devices-freezer-detection branch from 69ebba0 to 42d0b2c on August 10, 2023 11:08
twz123 force-pushed the cgroupv2-devices-freezer-detection branch from 42d0b2c to 3b4a730 on September 7, 2023 12:46
twz123 force-pushed the cgroupv2-devices-freezer-detection branch from 3b4a730 to e26ad5c on September 11, 2023 10:12
kke reviewed on Sep 11, 2023
twz123 force-pushed the cgroupv2-devices-freezer-detection branch 3 times, most recently from 16116ac to c47aea3 on September 11, 2023 13:30
twz123 force-pushed the cgroupv2-devices-freezer-detection branch from c47aea3 to 6a022d0 on September 21, 2023 10:35
This is the same library that is used by containerd when it comes to cgroupv2 handling. k0s already links against it, and it exposes enough knobs in order to be the backend for the cgroupv2 sysinfo backend, so this seems a good choice to reduce the amount of low-level plumbing here.

Signed-off-by: Tom Wieczorek <[email protected]>

The cgroup v2 freezer controller is not listed in the cgroup.controllers file and is deliberately not available in the root cgroup. Therefore, k0s sysinfo determines its presence based on the Linux kernel version. This is problematic for old kernels that have many backported features, such as RHEL and consorts.

However, it is still possible to detect the freezer controller via the cgroups filesystem in cgroups other than the root group. To provide a more reliable result for all kernels, k0s now tries to detect the controller in its own cgroup. In the unlikely case that k0s is running in the root cgroup, it will try to create an empty, temporary cgroup for the freezer file detection. If it doesn't have sufficient permissions to do so, it issues an "unknown" warning.

See: 0655941 ("Add pre-flight checks and probes module")
Signed-off-by: Tom Wieczorek <[email protected]>

The cgroup v2 device controller is not listed in the cgroup.controllers file and is solely available via the kernel's BPF interface. Therefore, k0s sysinfo determines its presence based on the Linux kernel version. This is problematic for old kernels that have many backported features, such as RHEL and consorts.

However, it is still possible to detect the device controller by trying to attach a dummy device filter to an empty, temporary cgroup. In case k0s is unable to create the cgroup or attach the device filter because of missing permissions, the sysinfo probe will issue an "unknown" warning.

See: 0655941 ("Add pre-flight checks and probes module")
Signed-off-by: Tom Wieczorek <[email protected]>
twz123 force-pushed the cgroupv2-devices-freezer-detection branch from 6a022d0 to fba2a21 on October 12, 2023 06:56
jnummelin approved these changes on Oct 16, 2023
LGTM
Description
The cgroup v2 freezer and device controllers are not listed in the `cgroup.controllers` file. Therefore, k0s sysinfo determines their presence based on the Linux kernel version. This is problematic for old kernels that have many backported features, such as RHEL and consorts.

Introduce a hopefully more reliable way of detecting them.

Use github.com/containerd/cgroups/v3 for cgroupv2 sysinfo. This is the same library that is used by containerd when it comes to cgroupv2 handling. k0s already links against it, and it exposes enough knobs in order to be the backend for the cgroupv2 sysinfo backend, so this seems a good choice to reduce the amount of low-level plumbing here.

The freezer controller still has its `cgroup.freeze` file, albeit this is deliberately not available in the root cgroup. Therefore, k0s sysinfo now tries to detect the controller file in its own cgroup. In the unlikely case that k0s is running in the root cgroup, it will try to create an empty, temporary cgroup for the freezer file detection. If it doesn't have sufficient permissions to do so, it issues an "unknown" warning.

The device controller is solely available via the kernel's BPF interface. Therefore, k0s sysinfo now tries to attach a dummy device filter to an empty, temporary cgroup. In case k0s is unable to create the cgroup or attach the device filter because of missing permissions, the sysinfo probe will issue an "unknown" warning.
Fixes:
See:
Type of change
How Has This Been Tested?
Checklist:
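The freezer detection described in the PR description above, as an added Go sketch that is not code from k0s or from this PR: it looks for `cgroup.freeze` in the process's own cgroup, falls back to an empty temporary child cgroup when running in the root cgroup, and reports "unknown" when the probe cannot be carried out. The names `ownCgroup` and `probeFreezer`, the string results and the mount-point parameter are assumptions for illustration; the BPF-based device controller probe is not covered.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ownCgroup returns the cgroup v2 path, i.e. the "0::<path>" entry of /proc/self/cgroup.
func ownCgroup(procSelfCgroup string) (string, bool) {
	for _, line := range strings.Split(procSelfCgroup, "\n") {
		if strings.HasPrefix(line, "0::") {
			return strings.TrimPrefix(line, "0::"), true
		}
	}
	return "", false
}

// probeFreezer (hypothetical name) reports "available", "unavailable" or
// "unknown" for the freezer controller below the cgroup2 mount point.
func probeFreezer(mount, procSelfCgroup string) string {
	path, ok := ownCgroup(procSelfCgroup)
	if !ok {
		return "unknown" // no unified hierarchy entry found
	}
	dir := filepath.Join(mount, path)
	if filepath.Clean(path) == "/" {
		// The root cgroup never has cgroup.freeze: probe an empty, temporary
		// child cgroup instead (mkdir on cgroupfs creates a cgroup).
		tmp, err := os.MkdirTemp(mount, "freezer-probe-")
		if err != nil {
			return "unknown" // e.g. missing permissions
		}
		defer os.Remove(tmp)
		dir = tmp
	}
	if _, err := os.Stat(filepath.Join(dir, "cgroup.freeze")); err == nil {
		return "available"
	} else if os.IsNotExist(err) {
		return "unavailable"
	}
	return "unknown" // stat failed for another reason, e.g. EACCES
}

func main() {
	self, _ := os.ReadFile("/proc/self/cgroup")
	fmt.Println("freezer:", probeFreezer("/sys/fs/cgroup", string(self)))
}
```

Unlike a kernel-version comparison, this result depends only on what the running kernel actually exposes in cgroupfs, so it stays correct on kernels with backported features.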