docker: disable driver when running as non-root on cgroups v2 hosts #16063

Merged: 2 commits, Feb 6, 2023

@shoenig shoenig commented Feb 6, 2023

This PR modifies the docker driver to behave like exec when being run
as a non-root user on a host machine with cgroups v2 enabled. Because
of how cpu resources are managed by the Nomad client, the nomad agent
must be run as root to manage docker-created cgroups.

Fixes #15927

shoenig commented Feb 6, 2023

Spot check

running as non root

➜ ps -ef | grep -v grep | grep nomad | fields 1
shoenig
Drivers
Driver       Detected  Healthy  Message                  Time
docker       false     false    Driver must run as root  2023-02-06T11:21:06-06:00
exec         false     false    Driver must run as root  2023-02-06T11:21:06-06:00
java         false     false    Driver must run as root  2023-02-06T11:21:06-06:00
mock_driver  true      true     Healthy                  2023-02-06T11:21:06-06:00
qemu         false     false    <none>                   2023-02-06T11:21:06-06:00
raw_exec     true      true     Healthy                  2023-02-06T11:21:06-06:00

running as root

Drivers
Driver       Detected  Healthy  Message  Time
docker       true      true     Healthy  2023-02-06T11:22:29-06:00
exec         true      true     Healthy  2023-02-06T11:22:29-06:00
java         true      true     Healthy  2023-02-06T11:22:29-06:00
mock_driver  true      true     Healthy  2023-02-06T11:22:29-06:00
qemu         false     false    <none>   2023-02-06T11:22:29-06:00
raw_exec     true      true     Healthy  2023-02-06T11:22:29-06:00
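
A sketch of the condition described in this PR, reproducing the docker row of the spot check above. This is an added example, not Nomad's code: the `Fingerprint` type and the `isCgroupsV2` and `dockerFingerprint` functions are hypothetical, and detecting cgroups v2 by the presence of `cgroup.controllers` at the cgroup mount root is an assumption about how the check could be done.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// Fingerprint mirrors the Detected/Healthy/Message columns of the
// "Drivers" table in the spot check (hypothetical type, not Nomad's).
type Fingerprint struct {
	Detected bool
	Healthy  bool
	Message  string
}

// isCgroupsV2 reports whether root looks like a cgroups v2 unified
// hierarchy. Assumption: the kernel exposes cgroup.controllers at the
// root of a cgroup2 mount, while a v1 or hybrid layout has no such file
// at that location.
func isCgroupsV2(root string) bool {
	info, err := os.Stat(filepath.Join(root, "cgroup.controllers"))
	return err == nil && info.Mode().IsRegular()
}

// dockerFingerprint applies the rule from the PR description: on a
// cgroups v2 host the agent must be root to manage docker-created
// cgroups, so a non-root agent reports the driver as undetected.
func dockerFingerprint(cgroupRoot string, euid int) Fingerprint {
	if isCgroupsV2(cgroupRoot) && euid != 0 {
		return Fingerprint{Detected: false, Healthy: false, Message: "Driver must run as root"}
	}
	// Docker daemon reachability is out of scope here; this branch only
	// says the root/cgroups v2 condition does not disable the driver.
	return Fingerprint{Detected: true, Healthy: true, Message: "Healthy"}
}

func main() {
	// Evaluate the real host: standard cgroup mount point, effective UID.
	fp := dockerFingerprint("/sys/fs/cgroup", os.Geteuid())
	fmt.Printf("docker  %-5t  %-5t  %s\n", fp.Detected, fp.Healthy, fp.Message)
}
```

Running it as the same user the Nomad agent runs as shows whether that host would hit the disabled-driver state before the agent is deployed.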

@shoenig shoenig marked this pull request as ready for review February 6, 2023 17:23
@shoenig shoenig merged commit 34c8246 into main Feb 6, 2023
@shoenig shoenig deleted the docker-cgv2-root branch February 6, 2023 20:09
natelandau added a commit to natelandau/ansible-homelab-config that referenced this pull request Mar 17, 2023
…ry pis

Nomad is running as root rather than the Nomad user due to the Docker driver not being started when cgroups v2 are enabled. More info: hashicorp/nomad#16063
@exFalso exFalso mentioned this pull request Oct 10, 2023
Successfully merging this pull request may close these issues.

docker: disable driver if running on cgv2 but without root