spire
support autodetection of cgroup mode in docker workloadattestor
Proposal
We should be able to detect from a few checks on filesystem types in /sys/fs
and adjust cgroup matchers appropriately since only one mode can operate at a time on a node (or in a container). This would allow decoupling of cgroup version migration on a given host from SPIRE Agent reconfiguration/rollout on the same host. Effectively, the detection logic should be identical to systemd detection. Essentially, this means go code roughly equivalent to:
```
% stat -fc %T /sys/fs/cgroup
tmpfs
% stat -fc %T /sys/fs/cgroup/systemd
cgroupfs
% stat -fc %T /sys/fs/cgroup/unified
stat: cannot read file system information for '/sys/fs/cgroup/unified': No such file or directory
```
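The three `stat -fc %T` probes above, written out in Go as an added example. This is not SPIRE code and not the issue author's; it mirrors the decision tree systemd uses in `cg_unified_cached()`: a `cgroup2fs` root means pure v2, a `tmpfs` root means v1 controllers are mounted below it, and a `cgroup2fs` at `/sys/fs/cgroup/unified` (or, in the systemd v232 layout not shown in the transcript above, at `/sys/fs/cgroup/systemd`) marks hybrid. The filesystem magic numbers are taken from `linux/magic.h`; `fakeStatfs`, `exampleLayouts`, `DetectCgroupMode` and the `root` parameter are this example's own constructed names, not anything from the attestor.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// Filesystem type magics from linux/magic.h. `stat -fc %T` prints these by name.
const (
	tmpfsMagic   int64 = 0x01021994 // "tmpfs"
	cgroupMagic  int64 = 0x27e0eb   // "cgroupfs"  (a cgroup v1 hierarchy)
	cgroup2Magic int64 = 0x63677270 // "cgroup2fs" (the cgroup v2 unified hierarchy)
)

const defaultCgroupRoot = "/sys/fs/cgroup"

type CgroupMode int

const (
	ModeUnknown CgroupMode = iota
	ModeLegacy             // v1 only: tmpfs root with per-controller cgroupfs mounts below it
	ModeHybrid             // v1 controllers plus a v2 tree at <root>/unified (or <root>/systemd on systemd v232)
	ModeUnified            // v2 only: the root itself is cgroup2fs
)

func (m CgroupMode) String() string {
	switch m {
	case ModeLegacy:
		return "legacy (cgroup v1)"
	case ModeHybrid:
		return "hybrid (v1 + v2)"
	case ModeUnified:
		return "unified (cgroup v2)"
	}
	return "unknown"
}

// fsTypeFunc abstracts statfs(2) so the classifier can be run against constructed layouts.
type fsTypeFunc func(path string) (int64, error)

// statfsType is the real probe: the f_type field that `stat -fc %T` reports.
func statfsType(path string) (int64, error) {
	var st syscall.Statfs_t
	if err := syscall.Statfs(path, &st); err != nil {
		return 0, err
	}
	return int64(st.Type), nil // Type is int32 on some architectures, int64 on others
}

func isNotExist(err error) bool {
	return errors.Is(err, os.ErrNotExist) || errors.Is(err, syscall.ENOENT)
}

// DetectCgroupMode classifies the cgroup layout rooted at root (normally /sys/fs/cgroup).
// Only a missing path is tolerated; any other statfs failure is reported rather than guessed around.
func DetectCgroupMode(root string, statfs fsTypeFunc) (CgroupMode, error) {
	rootType, err := statfs(root)
	if err != nil {
		return ModeUnknown, fmt.Errorf("statfs %s: %w", root, err)
	}
	switch rootType {
	case cgroup2Magic:
		return ModeUnified, nil
	case tmpfsMagic:
		// v1 controllers live under a tmpfs root. Hybrid adds a v2 tree at <root>/unified
		// (systemd >= 233) or mounts the systemd hierarchy itself as cgroup2 (systemd v232).
		if t, err := statfs(filepath.Join(root, "unified")); err == nil && t == cgroup2Magic {
			return ModeHybrid, nil
		} else if err != nil && !isNotExist(err) {
			return ModeUnknown, fmt.Errorf("statfs %s/unified: %w", root, err)
		}
		t, err := statfs(filepath.Join(root, "systemd"))
		if err != nil {
			return ModeUnknown, fmt.Errorf("statfs %s/systemd: %w", root, err)
		}
		switch t {
		case cgroup2Magic:
			return ModeHybrid, nil
		case cgroupMagic:
			return ModeLegacy, nil
		}
		return ModeUnknown, fmt.Errorf("unexpected fs type %#x at %s/systemd", t, root)
	}
	return ModeUnknown, fmt.Errorf("unexpected fs type %#x at %s", rootType, root)
}

// fakeStatfs turns a constructed path->magic map into a probe; missing paths return ENOENT.
func fakeStatfs(layout map[string]int64) fsTypeFunc {
	return func(path string) (int64, error) {
		if t, ok := layout[path]; ok {
			return t, nil
		}
		return 0, syscall.ENOENT
	}
}

// Constructed layouts: the transcript above (legacy) plus the two layouts it rules out.
var exampleLayouts = map[string]map[string]int64{
	"legacy":  {defaultCgroupRoot: tmpfsMagic, defaultCgroupRoot + "/systemd": cgroupMagic},
	"hybrid":  {defaultCgroupRoot: tmpfsMagic, defaultCgroupRoot + "/systemd": cgroupMagic, defaultCgroupRoot + "/unified": cgroup2Magic},
	"unified": {defaultCgroupRoot: cgroup2Magic},
}

func main() {
	for name, layout := range exampleLayouts {
		mode, err := DetectCgroupMode(defaultCgroupRoot, fakeStatfs(layout))
		fmt.Printf("constructed %-8s -> %v (err=%v)\n", name, mode, err)
	}
	if mode, err := DetectCgroupMode(defaultCgroupRoot, statfsType); err == nil {
		fmt.Println("this host ->", mode)
	} else {
		fmt.Println("this host -> detection failed:", err)
	}
}
```

The `root` parameter is there because an agent running in a container may see the host's cgroup tree bind-mounted somewhere other than `/sys/fs/cgroup`; statfs reports the mounted filesystem's type regardless of whether the mount is read-only, so the probe works unprivileged. Note that the result only tells you which hierarchy layout is in use, not which cgroup driver the container runtime was configured with; those normally agree on a given node but are set independently.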
Background
There are apparently 3 modes in which cgroup operates:
- cgroup v1 with cgroup fs driver
- cgroup v2 with systemd fs driver
- "hybrid" where they sort of coexist
The hybrid mode was introduced around systemd v232 release to address incompatibilities after cgroup v2 was initially released.
Please see prior hacky proposal, prior research, and more details in #4251.
- Version: 1.7.4 (and before)
- Platform: linux
- Subsystem: docker workloadattestor