Skip to content

Fix cgroup checks for containers #3093

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Fix cgroup checks for containers #3093

wants to merge 1 commit into from

Conversation

Kevinjil
Copy link
Contributor

@Kevinjil Kevinjil commented Sep 8, 2025

There does not have to be a slice string in containers. For example, when running the container in podman:

domjudge@5ad0debee049:/$ cat /proc/self/cgroup
0::/libpod_parent/libpod-5ad0debee049e150d851d81fa3e8184ee20725412e5702c7ffe3aae7e5173207

Fixes starting issue introduced in b272039

@Kevinjil Kevinjil requested a review from meisterT September 8, 2025 19:14
@Kevinjil
Copy link
Contributor Author

Kevinjil commented Sep 8, 2025

Note: container ran with this command:

sudo podman --cgroup-manager cgroupfs run --cgroupns host --rm -it --entrypoint /bin/bash docker.io/domjudge/domjudge-contributor

@meisterT
Copy link
Member

meisterT commented Sep 8, 2025

We added this check specifically for a problem that @nickygerritsen had.

When not properly set he saw
0::/

So one option would be to test that it's not just this but there is more after the /.

WDYT?

@Kevinjil
Copy link
Contributor Author

Kevinjil commented Sep 8, 2025

I am not sure that we should enforce a path prefix in the cgroup hierarchy. When running in a systemd slice it will exist, and when running in a container it might exist depending on your deployment. There might be people out there using a different setup where there is no path prefix.

Let me dig a little deeper.

@Kevinjil Kevinjil marked this pull request as draft September 8, 2025 20:51
@Kevinjil Kevinjil marked this pull request as ready for review September 10, 2025 19:10
@Kevinjil
Copy link
Contributor Author

@meisterT After digging some deeper, I do not think it makes sense to enforce a prefix of the initiating process in the cgroup hierarchy.

@vmcj
Copy link
Member

vmcj commented Sep 12, 2025

@meisterT After digging some deeper, I do not think it makes sense to enforce a prefix of the initiating process in the cgroup hierarchy.

If this is a revert I prefer to see the old commit also for the discussion.

Just to be sure, you can run a working judgedaemon in your podman container?

@meisterT
Copy link
Member

@Kevinjil have you found a platform where we would see 0::/ but it is correctly set up and works?

@Kevinjil
Copy link
Contributor Author

So far, from what I've noticed, is that you can perfectly fine run processes with a cgroup line of 0::/.

I've been playing around with a non-systemd distro to see how they behave. I picked Alpine, which uses OpenRC. When you open a shell, you are actually in the 0::/ cgroup. But, as soon as you launch it on boot using the init system, it assigns you a cgroups service is running.

As time is limited, I assume that most init systems will assign a cgroup with prefix if you run a service when cgroups are enabled. I'll update the PR.

P.S. something to discuss during NWERC: we might want to either update our software requirements in the manual or change some scripts, as there are quite some hidden assumptions.

@Kevinjil
Fix cgroup checks for containers
7b49876 
So far, from what I've noticed, is that you can perfectly fine run
processes with a cgroup line of 0::/.

I've been playing around with a non-systemd distro to see how they
behave. I picked Alpine, which uses OpenRC. When you open a shell,
you are actually in the 0::/ cgroup. But, as soon as you launch it
on boot using the init system, it assigns you a cgroups service is
running.

As time is limited, I assume that most init systems will assign a
cgroup with prefix if you run a service when cgroups are enabled.
Therefore, we now assume that we have an invalid configuration if the cgroup prefix is empty.
@Kevinjil Kevinjil force-pushed the fix-cgroup-container branch from e221511 to 7b49876 Compare September 16, 2025 16:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@meisterT meisterT Awaiting requested review from meisterT

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Kevinjil @meisterT @vmcj