footloose
Add support for cgroupv2 (#270)
Add support for cgroupv2 so it works with Docker Desktop 4.3 and newer.
Also Use golang 1.17.6
Fixes https://github.com/weaveworks/footloose/issues/270
On second thought, I think we need to use docker info to detect cgroup version instead of testing for /sys/fs/cgroup mount type, which will always fail on macOS.
I have tested this on the k0s integration test suite and it works on my ARM64 MacBook with docker desktop 4.4.2 which uses cgroupv2.
Changing the /sys/fs/cgroup mount from ro to rw does the trick.
But to determine whether we should apply ro or rw, having a check on docker info -f "{{.CgroupVersion}}" may NOT help.
This was my test:
docker info shows CgroupVersion = 1
$ uname -a
Darwin Brights-MBP-2.local 21.5.0 Darwin Kernel Version 21.5.0: Tue Apr 26 21:08:37 PDT 2022; root:xnu-8020.121.3~4/RELEASE_ARM64_T6000 arm64
$ docker info -f "{{.ServerVersion}} -> {{.CgroupVersion}}"
20.10.16 -> 1
-v /sys/fs/cgroup:/sys/fs/cgroup:ro won't work
I used the scripts below to simulate how footloose works:
docker create \
-it \
--label works.weave.owner=footloose \
--label works.weave.cluster=sandbox \
--name sandbox-centos-0 \
--hostname centos-0 \
--tmpfs /run \
--tmpfs /run/lock \
--tmpfs /tmp:exec,mode=777 \
-v /sys/fs/cgroup:/sys/fs/cgroup:ro \
--mount type=volume,dst=/var \
-p 22 \
--privileged \
--network footloose-cluster \
--network-alias centos-0 \
centos:7 \
/sbin/init
docker start sandbox-centos-0
docker exec -it sandbox-centos-0 /bin/bash
But the systemd is broken:
[root@centos-0 /]# ps aufx
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 26 0.2 0.0 3740 2704 pts/1 Ss 02:36 0:00 /bin/bash
root 42 0.0 0.0 7748 2836 pts/1 R+ 02:36 0:00 \_ ps aufx
root 1 0.0 0.0 7092 3280 pts/0 Ss+ 02:35 0:00 /sbin/init
[root@centos-0 /]# systemctl list-units
Failed to get D-Bus connection: Operation not permitted
but -v /sys/fs/cgroup:/sys/fs/cgroup:rw does the trick
docker create \
-it \
--label works.weave.owner=footloose \
--label works.weave.cluster=sandbox \
--name sandbox-centos-0 \
--hostname centos-0 \
--tmpfs /run \
--tmpfs /run/lock \
--tmpfs /tmp:exec,mode=777 \
-v /sys/fs/cgroup:/sys/fs/cgroup:rw \
--mount type=volume,dst=/var \
-p 22 \
--privileged \
--network footloose-cluster \
--network-alias centos-0 \
centos:7 \
/sbin/init
docker start sandbox-centos-0
docker exec -it sandbox-centos-0 /bin/bash
And systemd works fine:
[root@centos-0 /]# ps aufx
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 84 0.2 0.0 3716 2576 pts/2 Ss 03:37 0:00 /bin/bash
root 97 0.0 0.0 7748 2840 pts/2 R+ 03:37 0:00 \_ ps aufx
root 1 1.0 0.0 7620 4508 ? Ss 03:37 0:00 /sbin/init
root 21 0.2 0.0 13168 3824 ? Ss 03:37 0:00 /usr/lib/systemd/systemd-journald
root 30 0.2 0.0 5492 3000 ? Ss 03:37 0:00 /usr/lib/systemd/systemd-udevd
dbus 65 0.0 0.0 8076 3488 ? Ss 03:37 0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
root 73 0.0 0.0 4260 2340 ? Ss 03:37 0:00 /usr/lib/systemd/systemd-logind
root 74 0.0 0.0 7620 952 ? S 03:37 0:00 (agetty)
[root@centos-0 /]# systemctl list-units
UNIT LOAD ACTIVE SUB DESCRIPTION
-.mount loaded active mounted /
dev-hugepages.mount loaded active mounted Huge Pages File System
dev-mqueue.mount loaded active mounted POSIX Message Queue File System
etc-hostname.mount loaded active mounted /etc/hostname
...
Note: there might be a potential bug in my Rancher Desktop (v1.4.1) or Docker (20.10.16). If I ran the command with ro after rw, both would work. This might be caused by cache or something but it's not the focus in our test -- a restart of RD would help.
I confirm that this patch is working using this environment:
Client:
Context: default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc., v0.8.2-docker)
Server:
Containers: 12
Running: 1
Paused: 0
Stopped: 11
Images: 131
Server Version: 20.10.17
Storage Driver: zfs
Zpool: zroot
Zpool Health: ONLINE
Parent Dataset: zroot/ROOT/default
Space Used By Parent: 199338377216
Space Available: 79569801216
Parent Quota: no
Compression: on
Logging Driver: json-file
Cgroup Driver: systemd
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 10c12954828e7c7c9b6e0ea9b0c02b01407d3ae1.m
runc version:
init version: de40ad0
Security Options:
seccomp
Profile: default
cgroupns
Kernel Version: 5.18.9-arch1-1
Operating System: Arch Linux
OSType: linux
Architecture: x86_64
CPUs: 8
Total Memory: 15.39GiB
Name: albx1.ebi.ac.uk
ID: ZPZD:4ULJ:UA63:PHIT:3EG5:OLCZ:DQCR:L4K5:3YJE:CVRB:ZPH6:CWEU
Docker Root Dir: /var/lib/docker
Debug Mode: false
Username: albeus
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
Is this patch going to be merged?
This patch would assume that
- if CgroupVersion is 1 it will mount as -v /sys/fs/cgroup:/sys/fs/cgroup:ro;
- else if CgroupVersion is 2 it will mount as -v /sys/fs/cgroup:/sys/fs/cgroup:rw.
In your case, as the CgroupVersion is 2, it will mount as -v /sys/fs/cgroup:/sys/fs/cgroup:rw.
And yes, the -v /sys/fs/cgroup:/sys/fs/cgroup:rw does the trick.
But as per what I had tested (and shared above), it wouldn't work in my env as somehow my latest Rancher Desktop (v1.4.1) with Docker v20.10.16 comes with CgroupVersion=1, on my MacBook Pro with M1 chip.
That's why I created a new PR here, https://github.com/weaveworks/footloose/pull/277, to address this cgroups issue, with an additional feature added. And all works fine in my daily work with my patch for quite some time already.
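
The rule discussed in this thread (mount /sys/fs/cgroup read-only when docker info reports cgroup v1, read-write for v2), written in Go with an explicit override for hosts like the Rancher Desktop one above, where a reported version of 1 still needed rw. This is an added example, not code from either footloose PR; cgroupMountMode, cgroupVolumeArgs and the override parameter are hypothetical names.

```go
package main

import (
	"fmt"
	"strings"
)

// cgroupMountMode picks the access mode for the /sys/fs/cgroup bind mount.
// reported is the raw output of: docker info -f "{{.CgroupVersion}}"
// override is a hypothetical per-machine setting ("", "ro" or "rw") for hosts
// where the reported version does not predict what systemd needs.
func cgroupMountMode(reported, override string) (string, error) {
	switch override {
	case "ro", "rw":
		return override, nil
	case "":
		// No override: fall through to the reported version below.
	default:
		return "", fmt.Errorf("invalid override %q (want ro or rw)", override)
	}
	switch v := strings.Trim(strings.TrimSpace(reported), `"'`); v {
	case "1":
		return "ro", nil // keep the host cgroup tree read-only where that works
	case "2":
		return "rw", nil
	default:
		// Do not guess: an unknown value must not silently widen the mount.
		return "", fmt.Errorf("unrecognised cgroup version %q; set the override explicitly", v)
	}
}

// cgroupVolumeArgs returns the docker create arguments for the mount.
func cgroupVolumeArgs(reported, override string) ([]string, error) {
	mode, err := cgroupMountMode(reported, override)
	if err != nil {
		return nil, err
	}
	return []string{"-v", "/sys/fs/cgroup:/sys/fs/cgroup:" + mode}, nil
}

func main() {
	// Constructed inputs: the two reported values seen in the thread, the
	// v1-but-needs-rw case, and an empty result.
	for _, c := range []struct{ reported, override string }{
		{"2\n", ""}, {"1\n", ""}, {"1\n", "rw"}, {"", ""},
	} {
		args, err := cgroupVolumeArgs(c.reported, c.override)
		fmt.Printf("reported=%q override=%q -> %v err=%v\n", c.reported, c.override, args, err)
	}
}
```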