systemd-cgroup uses incorrect subsystem path in recent systemd versions

[euank]

This issue was discussed in a comment a while ago: moby/moby#16256 (comment)

Now that systemd 226+ is more common, this issue has further ramifications.

Under systemd versions of at least 226, systemd is under init.scope. The code here behaves incorrectly in this configuration.

The following is an example of what goes wrong in this configuration:

$ runc --systemd-cgroup run foo
$ cat /proc/$(pidof foo)/cgroups
9:net_cls:/system.slice/runc-foo.scope
8:memory:/init.scope/system.slice/runc-foo.scope
7:blkio:/init.scope/system.slice/runc-foo.scope
6:devices:/init.scope/system.slice/runc-foo.scope
5:cpuset:/system.slice/runc-foo.scope
4:perf_event:/system.slice/runc-foo.scope
3:cpu,cpuacct:/init.scope/system.slice/runc-foo.scope
2:freezer:/system.slice/runc-foo.scope
1:name=systemd:/system.slice/runc-foo.scope
$ # Note that some subsystems have `init.scope` as part of their path
$ head /sys/fs/cgroup/cpu,cpuacct/init.scope/system.slice/runc-foo.scope/tasks /sys/fs/cgroup/cpu,cpuacct/system.slice/runc-foo.scope/tasks
==> /sys/fs/cgroup/cpu,cpuacct/init.scope/system.slice/runc-foo.scope/tasks <==
1085
1090
1091
1092
==> /sys/fs/cgroup/cpu,cpuacct/system.slice/runc-foo.scope/tasks <==
$ 

Essentially, the problem is as described in the above comment: runc thinks some cgroup subsystems should be under init.scope under the mistaken assumption that the cgroup of pid 1 is always the root of the cgroup tree. In reality, everything should just be under the real root, /.

I've begun putting together a patch (currently WIP), but wanted an issue to point at.

This impacts projects, such as cadvisor, which read container's cgroups.

cc @vishh @marineam

[cyphar]

I'm fairly sure this is related to some of the discussion we had in #895. Essentially we aren't treating subsystem paths separately when creating the implicit cgroupsPath.

[euank]

cc @derekwaynecarr I believe RHEL uses the systemd driver.. Do you guys somehow avoid encountering this issue? Do you have a patch floating around somewhere (I didn't see it glancing through the list of docker patches Redhat carries, but worth asking), or is it on an older systemd version / one without pid 1 in init.scope?

[derekwaynecarr]

@mrunalp was going to look at this. systemd on fedora 24 is the first
release we have hit this. RHEL and CentOS are on systemd < 225 I believe
so pre init.scope

On Thursday, June 30, 2016, Euan Kemp notifications@github.com wrote:

cc @derekwaynecarr https://github.com/derekwaynecarr I believe RHEL
uses the systemd driver.. Do you guys somehow avoid encountering this
issue? Do you have a patch floating around somewhere (I didn't see it
glancing through the list of docker patches Redhat carries, but worth
asking), or is it on an older systemd version / one without pid 1 in
init.scope?

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
#931 (comment),
or mute the thread
https://github.com/notifications/unsubscribe/AF8dbArjuxEKi2pcNDuNmp-t-Bm-LCE0ks5qRHuRgaJpZM4JCltW
.

[mrunalp]

@euank The approach of using dbus to query the root slice sounds good to me.