cgroupslib: allow initial controller check with delegated cgroups #23803
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
tgross
force-pushed
the
cgroups-delegation
branch
from
358fa66
to
69341f8
Compare
tgross
changed the title
tgross
force-pushed
the
cgroups-delegation
branch
from
69341f8
to
d828b19
Compare
tgross
force-pushed
the
cgroups-delegation
branch
from
d828b19
to
aff62a2
Compare
tgross
force-pushed
the
cgroups-delegation
branch
from
aff62a2
to
830fd79
Compare
tgross
force-pushed
the
cgroups-delegation
branch
from
830fd79
to
7fec689
Compare
shoenig
reviewed
Aug 14, 2024
During Nomad client initialization with cgroups v2, we assert that the required cgroup controllers are available in the root `cgroup.subtree_control` file by idempotently writing to the file. But if Nomad is running with delegated cgroups, this will fail file permissions checks even if the subtree control file already has the controllers we need. Update the initialization to first check if the controllers are missing before attempting to write to them. This allows cgroup delegation so long as the cluster administrator has pre-created a Nomad owned cgroups tree and set the `Delegate` option in a systemd override. If not, initialization fails in the existing way. Although this is one small step along the way to supporting a rootless Nomad client, running Nomad as non-root is still unsupported. I've intentionally not documented setting up cgroup delegation in this PR, as this PR is insufficient by itself to have a secure and properly-working rootless Nomad client. Ref: #18211 Ref: #13669
tgross
force-pushed
the
cgroups-delegation
branch
from
7fec689
to
83c7d89
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
During Nomad client initialization with cgroups v2, we assert that the required cgroup controllers are available in the root
cgroup.subtree_controlfile by idempotently writing to the file. But if Nomad is running with delegated cgroups, this will fail file permissions checks even if the subtree control file already has the controllers we need.Update the initialization to first check if the controllers are missing before attempting to write to them. This allows cgroup delegation so long as the cluster administrator has pre-created a Nomad owned cgroups tree and set the
Delegateoption in a systemd override. If not, initialization fails in the existing way.Although this is one small step along the way to supporting a rootless Nomad client, running Nomad as non-root is still unsupported. I've intentionally not documented setting up cgroup delegation in this PR, as this PR is insufficient by itself to have a secure and properly-working rootless Nomad client.
Ref: #18211
Ref: #13669
Ref: https://hashicorp.atlassian.net/browse/NET-10652
Ref: https://hashicorp.atlassian.net/browse/NET-10668