entrypoint: detect cgroupns for cgroup v1

In case the KIND container is run on a cgroup v1 host with --cgroupns=private, there is no need to do any dances with cgroups. Detect this and skip cgroup setup. Otherwise, print a big fat warning that the host cgroupns support is going to be removed. Add a TODO item to not forget. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
kubernetes-sigs · Apr 8, 2022 · 491bd70 · 491bd70
1 parent d27c783
commit 491bd70
Showing 1 changed file with 15 additions and 4 deletions.
diff --git a/images/base/files/usr/local/bin/entrypoint b/images/base/files/usr/local/bin/entrypoint
@@ -203,18 +203,29 @@ fix_cgroup() {
     return
   fi
   echo 'INFO: detected cgroup v1'
-  echo 'INFO: fix cgroup mounts for all subsystems'
+  local current_cgroup
+  current_cgroup=$(grep -E '^[^:]*:([^:]*,)?cpu(,[^,:]*)?:.*' /proc/self/cgroup | cut -d: -f3)
+  if [ "$current_cgroup" = "/" ]; then
+    echo "INFO: cgroupns detected, no need to fix cgroups"
+    return
+  fi
+
+  echo 'WARNING: cgroupns is not enabled! Please run with --cgroupns=private,'
+  echo 'WARNING: Support for host cgroup namespace will be removed!'
+  # TODO: replace the above warning with an error, and remove the rest
+  # of this function once all users have switched to cgroupns.
+
   # See: https://d2iq.com/blog/running-kind-inside-a-kubernetes-cluster-for-continuous-integration
   # Capture initial state before modifying
   #
   # Basically we're looking for the cgroup-path for the cpu controller for the
   # current process. this tells us what cgroup-path the container is in.
   # Then we collect the subsystems that are active on this path.
-  # We assume the cpu controller is in use on all node containers.
+  # We assume the cpu controller is in use on all node containers,
+  # and other controllers use the same sub-path.
   #
   # See: https://man7.org/linux/man-pages/man7/cgroups.7.html
-  local current_cgroup
-  current_cgroup=$(grep -E '^[^:]*:([^:]*,)?cpu(,[^,:]*)?:.*' /proc/self/cgroup | cut -d: -f3)
+  echo 'INFO: fix cgroup mounts for all subsystems'
   local cgroup_subsystems
   cgroup_subsystems=$(findmnt -lun -o source,target -t cgroup | grep "${current_cgroup}" | awk '{print $2}')
   # Unmount the cgroup subsystems that are not known to runtime used to