Merge pull request #17032 from prezha/cgroup-v2-nesting

fix cannot enter cgroupv2 "/sys/fs/cgroup/docker" with domain controllers
2023-08-10 13:09:00 -07:00 · 2023-08-10 13:09:00 -07:00 · cd94167fc8
parent 1c430a46ac 14aeebe10a
commit cd94167fc8
2 changed files with 15 additions and 1 deletions
--- a/2
+++ b/2
@ -113,7 +113,7 @@ GVISOR_TAG ?= latest
 AUTOPAUSE_HOOK_TAG ?= v0.0.4

 # prow-test tag to push changes to
-PROW_TEST_TAG ?= v0.0.4
+PROW_TEST_TAG ?= v0.0.5

 BUILDX_BUILDER ?= multiarch

--- a/deploy/prow/wrapper.sh
+++ b/deploy/prow/wrapper.sh
@ -52,6 +52,20 @@ early_exit_handler() {

 trap early_exit_handler TERM INT

+# prevent 'cannot enter cgroupv2 "/sys/fs/cgroup/docker" with domain controllers -- it is in threaded mode: unknown' error
+# ref: https://github.com/containerd/containerd/issues/6659#issuecomment-1064754423
+# ref: https://github.com/moby/moby/blob/89b542b421f439b3c703098f7f1c29f661e430bb/hack/dind#L28-L38
+# cgroup v2: enable nesting
+if [ -f /sys/fs/cgroup/cgroup.controllers ]; then
+	# move the processes from the root group to the /init group,
+	# otherwise writing subtree_control fails with EBUSY.
+	# An error during moving non-existent process (i.e., "cat") is ignored.
+	mkdir -p /sys/fs/cgroup/init
+	xargs -rn1 < /sys/fs/cgroup/cgroup.procs > /sys/fs/cgroup/init/cgroup.procs || :
+	# enable controllers
+	sed -e 's/ / +/g' -e 's/^/+/' < /sys/fs/cgroup/cgroup.controllers \
+		> /sys/fs/cgroup/cgroup.subtree_control
+fi

 >&2 echo "wrapper.sh] [SETUP] Docker in Docker enabled, initializing ..."
 # If we have opted in to docker in docker, start the docker daemon,