openrc and docker cgroup v2 path conflict

[ncopa]

I have been trying to solve a weird downstream bug with rc_group_mode=unified which recently was enabled as the default.

To reproduce the issue, start docker as an openrc service: rc-service docker start

Then try run a docker container with memory limits:

alp319:~$ docker run --rm --memory 128M alpine echo hello
docker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: unable to apply cgroup configuration: cannot enter cgroupv2 "/sys/fs/cgroup/docker" with domain controllers -- it is in domain threaded mode: unknown.

For some reason it ends up in domain threaded mode:

alp319:~$ cat /sys/fs/cgroup/docker/cgroup.type 
domain threaded

Now try restart the service, and notice that it originally is not in domain threaded mode:

alp319:~$ doas /etc/init.d/docker restart
doas (ncopa@alp319) password: 
 * Stopping Docker Daemon ...                                                                                                                                                              [ ok ]
 * Starting Docker Daemon ...                                                                                                                                                              [ ok ]
alp319:~$ cat /sys/fs/cgroup/docker/cgroup.type 
domain

Run any container and, it switches back to domain threaded mode (it works without memory limits):

alp319:~$ docker run --rm alpine echo hello
hello
alp319:~$ cat /sys/fs/cgroup/docker/cgroup.type 
domain threaded

A workaround for this is to set --cgroup-parent to something other than docker.

When trying to find out what sets this, I realized that openrc will create and use /sys/fs/cgroup/$SVCNAME. In the docker case this ends up with /sys/fs/cgroup/docker. Now, the default --cgroup-parent in docker is "docker", so docker tries to manage its containers under /sys/fs/cgroup/docker. But since openrc has its stuff there,it gets confused, and sets domain threaded mode (I believe).

To properly fix this, I believe we should not use /sys/fs/cgroup/$SVCNAME to avoid the conflict with docker. We could use something like:

diff --git a/sh/rc-cgroup.sh b/sh/rc-cgroup.sh
index e5c7ae7f..759b68d2 100644
--- a/sh/rc-cgroup.sh
+++ b/sh/rc-cgroup.sh
@@ -191,7 +191,7 @@ cgroup2_set_limits()
        cgroup_path="$(cgroup2_find_path)"
        [ -z "${cgroup_path}" ] && return 0
        mountinfo -q "${cgroup_path}"|| return 0
-       rc_cgroup_path="${cgroup_path}/${RC_SVCNAME}"
+       rc_cgroup_path="${cgroup_path}/openrc.${RC_SVCNAME}"
        [ ! -d "${rc_cgroup_path}" ] && mkdir "${rc_cgroup_path}"
        [ -f "${rc_cgroup_path}"/cgroup.procs ] &&
                printf 0 > "${rc_cgroup_path}"/cgroup.procs

Dowstream issues:

• https://gitlab.alpinelinux.org/alpine/aports/-/issues/15506
• https://gitlab.alpinelinux.org/alpine/aports/-/issues/15570
• https://lore.kernel.org/cgroups/rare3lakkfrp7lkcfosuhivot6vuwuuwkgj74bbzmsjjpgwkt7@udo2e6layb3d/T/#u
• [Alpine] docker top, runc ps fail with cgroup2 with: unable to get all container pids  opencontainers/runc#4097

[ncopa]

I believe this also affects lxc: https://gitlab.alpinelinux.org/alpine/aports/-/issues/15607

This is sort of critical.

@williamh can you please take a look?