Evacuate cgroups and use cgroupfs for kubelets

691ff236 · kaiyou · a639ec3b · 691ff236 · 691ff236
Commit 691ff236 authored 2 years ago by kaiyou
--- a/pkg/cluster/kubeconfig.go
+++ b/pkg/cluster/kubeconfig.go
@@ -60,7 +60,7 @@ authorization:
 clusterDomain: "cluster.local"
 imageMinimumGCAge: "120h"
 resolvConf: "/etc/resolv.conf"
-cgroupDriver: systemd
+cgroupDriver: cgroupfs
 runtimeRequestTimeout: "15m"
 tlsCertFile: "{{.TLSCert}}"
 tlsPrivateKeyFile: "{{.TLSKey}}"

--- a/pkg/selfcontain/init.go
+++ b/pkg/selfcontain/init.go
@@ -9,10 +9,10 @@ import (
 )

 // libcontainer uses a three-step containerization technique:
-// 1. spawn a fifo for later communication with containerized init
-// 2. unshare the current process and fork/execve /proc/self/exe with a
-//    special argument to trigger later initialization
-// 3. Use the fifo to communicatie with init and initialize mounts, etc.
+//  1. spawn a fifo for later communication with containerized init
+//  2. unshare the current process and fork/execve /proc/self/exe with a
+//     special argument to trigger later initialization
+//  3. Use the fifo to communicatie with init and initialize mounts, etc.
 //
 // This init checks for said special argument and call into libcontainer
 // initialization routines, which in turn will execve the Process provided
@@ -25,11 +25,26 @@ func init() {
 		// Do not start the full featured runtime
 		runtime.GOMAXPROCS(1)
 		runtime.LockOSThread()
+		// Evacuate cgroups, which is required for many in-container cgroup
+		// use cases, since we are now at the root cgroup
+		// Libcontainer cgroup manager is not designed for evacuation and will
+		// fail in such a case, so we are using cgroupfs directly, which is
+		// explicitely available due to defaults, and simple since we are
+		// the only running process at the moment
+		err := os.Mkdir("/sys/fs/cgroup/selfcontain", 0o755)
+		if err != nil {
+			logrus.Fatal("could not create evacuation cgroup: ", err)
+		}
+		err = os.WriteFile("/sys/fs/cgroup/selfcon/cgroup.procs", []byte("0"), 0o755)
+		if err != nil {
+			logrus.Fatal("could not evacuate self: ", err)
+		}
 		// Run libcontainer initialization, which will fork/exec to the
 		// provided process executable, a.k.a ourselves
 		factory, _ := libcontainer.New("")
-		if err := factory.StartInitialization(); err != nil {
-			logrus.Fatal(err)
+		err = factory.StartInitialization()
+		if err != nil {
+			logrus.Fatal("could not run self-contained app: ", err)
 		}
 	}
 }