fix: re-create cgroups when restarting runners

Make sure processes are only launched into freshly-created cgroups
with all limits set when they are restarted.

This also allows processes to restart after cgroup being killed via the
cgroup.kill mechanism.

Fixes #11785

Signed-off-by: Dmitrii Sharshakov <[email protected]>

Author: dsseng

internal/app/machined/pkg/startup/cgroups.go

@@ -12,30 +12,15 @@ import (
 
 	"github.com/containerd/cgroups/v3"
 	"github.com/containerd/cgroups/v3/cgroup1"
-	"github.com/containerd/cgroups/v3/cgroup2"
 	"github.com/opencontainers/runtime-spec/specs-go"
-	"github.com/siderolabs/go-debug"
-	"github.com/siderolabs/go-pointer"
 	"go.uber.org/zap"
 
 	"github.com/siderolabs/talos/internal/app/machined/pkg/runtime"
 	"github.com/siderolabs/talos/internal/pkg/cgroup"
 	"github.com/siderolabs/talos/pkg/machinery/constants"
 )
 
-func zeroIfRace[T any](v T) T {
-	if debug.RaceEnabled {
-		var zeroT T
-
-		return zeroT
-	}
-
-	return v
-}
-
 // CreateSystemCgroups creates system cgroups.
-//
-//nolint:gocyclo
 func CreateSystemCgroups(ctx context.Context, log *zap.Logger, rt runtime.Runtime, next NextTaskFunc) error {
 	// in container mode cgroups mode depends on cgroups provided by the container runtime
 	if !rt.State().Platform().Mode().InContainer() {
@@ -53,157 +38,25 @@ func CreateSystemCgroups(ctx context.Context, log *zap.Logger, rt runtime.Runtim
 
 	log.Info("initializing cgroups", zap.String("root", cgroup.Root()))
 
-	groups := []struct {
-		name      string
-		resources *cgroup2.Resources
-	}{
-		{
-			name: constants.CgroupInit,
-			resources: &cgroup2.Resources{
-				Memory: &cgroup2.Memory{
-					Min: pointer.To[int64](constants.CgroupInitReservedMemory),
-					Low: pointer.To[int64](constants.CgroupInitReservedMemory * 2),
-				},
-				CPU: &cgroup2.CPU{
-					Weight: pointer.To[uint64](cgroup.MillicoresToCPUWeight(cgroup.MilliCores(constants.CgroupInitMillicores))),
-				},
-			},
-		},
-		{
-			name: constants.CgroupSystem,
-			resources: &cgroup2.Resources{
-				Memory: &cgroup2.Memory{
-					Min: pointer.To[int64](constants.CgroupSystemReservedMemory),
-					Low: pointer.To[int64](constants.CgroupSystemReservedMemory * 2),
-				},
-				CPU: &cgroup2.CPU{
-					Weight: pointer.To[uint64](cgroup.MillicoresToCPUWeight(cgroup.MilliCores(constants.CgroupSystemMillicores))),
-				},
-			},
-		},
-		{
-			name: constants.CgroupSystemRuntime,
-			resources: &cgroup2.Resources{
-				Memory: &cgroup2.Memory{
-					Min: pointer.To[int64](constants.CgroupSystemRuntimeReservedMemory),
-					Low: pointer.To[int64](constants.CgroupSystemRuntimeReservedMemory * 2),
-				},
-				CPU: &cgroup2.CPU{
-					Weight: pointer.To[uint64](cgroup.MillicoresToCPUWeight(cgroup.MilliCores(constants.CgroupSystemRuntimeMillicores))),
-				},
-			},
-		},
-		{
-			name: constants.CgroupUdevd,
-			resources: &cgroup2.Resources{
-				Memory: &cgroup2.Memory{
-					Min: pointer.To[int64](constants.CgroupUdevdReservedMemory),
-					Low: pointer.To[int64](constants.CgroupUdevdReservedMemory * 2),
-				},
-				CPU: &cgroup2.CPU{
-					Weight: pointer.To[uint64](cgroup.MillicoresToCPUWeight(cgroup.MilliCores(constants.CgroupUdevdMillicores))),
-				},
-			},
-		},
-		{
-			name: constants.CgroupPodRuntimeRoot,
-			resources: &cgroup2.Resources{
-				CPU: &cgroup2.CPU{
-					Weight: pointer.To[uint64](cgroup.MillicoresToCPUWeight(cgroup.MilliCores(constants.CgroupPodRuntimeRootMillicores))),
-				},
-			},
-		},
-		{
-			name: constants.CgroupPodRuntime,
-			resources: &cgroup2.Resources{
-				Memory: &cgroup2.Memory{
-					Min: pointer.To[int64](constants.CgroupPodRuntimeReservedMemory),
-					Low: pointer.To[int64](constants.CgroupPodRuntimeReservedMemory * 2),
-				},
-				CPU: &cgroup2.CPU{
-					Weight: pointer.To[uint64](cgroup.MillicoresToCPUWeight(cgroup.MilliCores(constants.CgroupPodRuntimeMillicores))),
-				},
-			},
-		},
-		{
-			name: constants.CgroupKubelet,
-			resources: &cgroup2.Resources{
-				Memory: &cgroup2.Memory{
-					Min: pointer.To[int64](constants.CgroupKubeletReservedMemory),
-					Low: pointer.To[int64](constants.CgroupKubeletReservedMemory * 2),
-				},
-				CPU: &cgroup2.CPU{
-					Weight: pointer.To[uint64](cgroup.MillicoresToCPUWeight(cgroup.MilliCores(constants.CgroupKubeletMillicores))),
-				},
-			},
-		},
-		{
-			name: constants.CgroupDashboard,
-			resources: &cgroup2.Resources{
-				Memory: &cgroup2.Memory{
-					Max: zeroIfRace(pointer.To[int64](constants.CgroupDashboardMaxMemory)),
-				},
-				CPU: &cgroup2.CPU{
-					Weight: pointer.To[uint64](cgroup.MillicoresToCPUWeight(cgroup.MilliCores(constants.CgroupDashboardMillicores))),
-				},
-			},
-		},
-		{
-			name: constants.CgroupApid,
-			resources: &cgroup2.Resources{
-				Memory: &cgroup2.Memory{
-					Min:  pointer.To[int64](constants.CgroupApidReservedMemory),
-					Low:  pointer.To[int64](constants.CgroupApidReservedMemory * 2),
-					Max:  zeroIfRace(pointer.To[int64](constants.CgroupApidMaxMemory)),
-					Swap: pointer.To[int64](0),
-				},
-				CPU: &cgroup2.CPU{
-					Weight: pointer.To[uint64](cgroup.MillicoresToCPUWeight(cgroup.MilliCores(constants.CgroupApidMillicores))),
-				},
-			},
-		},
-		{
-			name: constants.CgroupTrustd,
-			resources: &cgroup2.Resources{
-				Memory: &cgroup2.Memory{
-					Min:  pointer.To[int64](constants.CgroupTrustdReservedMemory),
-					Low:  pointer.To[int64](constants.CgroupTrustdReservedMemory * 2),
-					Max:  zeroIfRace(pointer.To[int64](constants.CgroupTrustdMaxMemory)),
-					Swap: pointer.To[int64](0),
-				},
-				CPU: &cgroup2.CPU{
-					Weight: pointer.To[uint64](cgroup.MillicoresToCPUWeight(cgroup.MilliCores(constants.CgroupTrustdMillicores))),
-				},
-			},
-		},
+	groups := []string{
+		constants.CgroupInit,
+		constants.CgroupSystem,
+		constants.CgroupPodRuntimeRoot,
 	}
 
 	for _, c := range groups {
 		if cgroups.Mode() == cgroups.Unified {
-			resources := c.resources
-
-			if rt.State().Platform().Mode().InContainer() {
-				// don't attempt to set resources in container mode, as they might conflict with the parent cgroup tree
-				resources = &cgroup2.Resources{}
-			}
-
-			cg, err := cgroup2.NewManager(constants.CgroupMountPath, cgroup.Path(c.name), resources)
+			_, err := cgroup.CreateCgroupV2(c)
 			if err != nil {
-				return fmt.Errorf("failed to create cgroup: %w", err)
-			}
-
-			if c.name == constants.CgroupInit {
-				if err := cg.AddProc(uint64(os.Getpid())); err != nil {
-					return fmt.Errorf("failed to move init process to cgroup: %w", err)
-				}
+				return err
 			}
 		} else {
-			cg, err := cgroup1.New(cgroup1.StaticPath(c.name), &specs.LinuxResources{})
+			cg, err := cgroup1.New(cgroup1.StaticPath(c), &specs.LinuxResources{})
 			if err != nil {
 				return fmt.Errorf("failed to create cgroup: %w", err)
 			}
 
-			if c.name == constants.CgroupInit {
+			if c == constants.CgroupInit {
 				if err := cg.Add(cgroup1.Process{
 					Pid: os.Getpid(),
 				}); err != nil {

internal/app/machined/pkg/system/runner/containerd/containerd.go

@@ -10,9 +10,11 @@ import (
 	"fmt"
 	"io"
 	"log"
+	"os"
 	"syscall"
 	"time"
 
+	"github.com/containerd/cgroups/v3"
 	containerd "github.com/containerd/containerd/v2/client"
 	"github.com/containerd/containerd/v2/contrib/seccomp"
 	"github.com/containerd/containerd/v2/pkg/cio"
@@ -168,6 +170,23 @@ func (c *containerdRunner) Run(eventSink events.Recorder) error {
 		return fmt.Errorf("error creating log: %w", err)
 	}
 
+	if cgroups.Mode() == cgroups.Unified {
+		cg, err := cgroup.CreateCgroupV2(c.opts.CgroupPath)
+		if err != nil {
+			return fmt.Errorf("error creating cgroup: %w", err)
+		}
+
+		// If the task is not cleaned up by containerd or another error
+		// happens during the lifecycle, remove the cgroup before exiting
+		// if one still exists
+		defer func() {
+			err := cg.Delete()
+			if err != nil && !os.IsNotExist(err) {
+				eventSink(events.StateStopping, "Failed to remove cgroup for %s, %s", c, err)
+			}
+		}()
+	}
+
 	defer logW.Close() //nolint:errcheck
 
 	var w io.Writer = logW

internal/app/machined/pkg/system/runner/process/process.go

@@ -413,7 +413,22 @@ func setSchedulingPolicy(p *processRunner, pid int, schedulingPolicy uint) error
 	return nil
 }
 
+//nolint:gocyclo
 func (p *processRunner) run(eventSink events.Recorder) error {
+	if cgroups.Mode() == cgroups.Unified {
+		cg, err := cgroup.CreateCgroupV2(p.opts.CgroupPath)
+		if err != nil {
+			return fmt.Errorf("error creating cgroup: %w", err)
+		}
+
+		defer func() {
+			err := cg.Delete()
+			if err != nil {
+				eventSink(events.StateStopping, "Failed to remove cgroup for %s, %s", p, err)
+			}
+		}()
+	}
+
 	cmdWrapper, err := p.build()
 	if err != nil {
 		return fmt.Errorf("error building command: %w", err)