fix: re-create cgroups when restarting runners

Make sure processes are only launched into freshly-created cgroups
with all limits set when they are restarted.

This also allows processes to restart after cgroup being killed via the
cgroup.kill mechanism.

Fixes #11785

Signed-off-by: Dmitrii Sharshakov <[email protected]>

Author: dsseng

internal/app/machined/pkg/runtime/v1alpha1/platform/platform.go

@@ -34,6 +34,7 @@ import (
 	"github.com/siderolabs/talos/internal/app/machined/pkg/runtime/v1alpha1/platform/upcloud"
 	"github.com/siderolabs/talos/internal/app/machined/pkg/runtime/v1alpha1/platform/vmware"
 	"github.com/siderolabs/talos/internal/app/machined/pkg/runtime/v1alpha1/platform/vultr"
+	"github.com/siderolabs/talos/internal/pkg/containermode"
 	"github.com/siderolabs/talos/pkg/machinery/constants"
 )
 
@@ -67,7 +68,7 @@ const (
 
 // CurrentPlatform is a helper func for discovering the current platform.
 func CurrentPlatform() (p runtime.Platform, err error) {
-	if _, err := os.Stat("/usr/etc/in-container"); err == nil {
+	if containermode.InContainer() {
 		return newPlatform("container")
 	}
 

internal/app/machined/pkg/startup/cgroups.go

@@ -8,34 +8,16 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"os"
 
 	"github.com/containerd/cgroups/v3"
-	"github.com/containerd/cgroups/v3/cgroup1"
-	"github.com/containerd/cgroups/v3/cgroup2"
-	"github.com/opencontainers/runtime-spec/specs-go"
-	"github.com/siderolabs/go-debug"
-	"github.com/siderolabs/go-pointer"
 	"go.uber.org/zap"
 
 	"github.com/siderolabs/talos/internal/app/machined/pkg/runtime"
 	"github.com/siderolabs/talos/internal/pkg/cgroup"
 	"github.com/siderolabs/talos/pkg/machinery/constants"
 )
 
-func zeroIfRace[T any](v T) T {
-	if debug.RaceEnabled {
-		var zeroT T
-
-		return zeroT
-	}
-
-	return v
-}
-
 // CreateSystemCgroups creates system cgroups.
-//
-//nolint:gocyclo
 func CreateSystemCgroups(ctx context.Context, log *zap.Logger, rt runtime.Runtime, next NextTaskFunc) error {
 	// in container mode cgroups mode depends on cgroups provided by the container runtime
 	if !rt.State().Platform().Mode().InContainer() {
@@ -53,163 +35,16 @@ func CreateSystemCgroups(ctx context.Context, log *zap.Logger, rt runtime.Runtim
 
 	log.Info("initializing cgroups", zap.String("root", cgroup.Root()))
 
-	groups := []struct {
-		name      string
-		resources *cgroup2.Resources
-	}{
-		{
-			name: constants.CgroupInit,
-			resources: &cgroup2.Resources{
-				Memory: &cgroup2.Memory{
-					Min: pointer.To[int64](constants.CgroupInitReservedMemory),
-					Low: pointer.To[int64](constants.CgroupInitReservedMemory * 2),
-				},
-				CPU: &cgroup2.CPU{
-					Weight: pointer.To[uint64](cgroup.MillicoresToCPUWeight(cgroup.MilliCores(constants.CgroupInitMillicores))),
-				},
-			},
-		},
-		{
-			name: constants.CgroupSystem,
-			resources: &cgroup2.Resources{
-				Memory: &cgroup2.Memory{
-					Min: pointer.To[int64](constants.CgroupSystemReservedMemory),
-					Low: pointer.To[int64](constants.CgroupSystemReservedMemory * 2),
-				},
-				CPU: &cgroup2.CPU{
-					Weight: pointer.To[uint64](cgroup.MillicoresToCPUWeight(cgroup.MilliCores(constants.CgroupSystemMillicores))),
-				},
-			},
-		},
-		{
-			name: constants.CgroupSystemRuntime,
-			resources: &cgroup2.Resources{
-				Memory: &cgroup2.Memory{
-					Min: pointer.To[int64](constants.CgroupSystemRuntimeReservedMemory),
-					Low: pointer.To[int64](constants.CgroupSystemRuntimeReservedMemory * 2),
-				},
-				CPU: &cgroup2.CPU{
-					Weight: pointer.To[uint64](cgroup.MillicoresToCPUWeight(cgroup.MilliCores(constants.CgroupSystemRuntimeMillicores))),
-				},
-			},
-		},
-		{
-			name: constants.CgroupUdevd,
-			resources: &cgroup2.Resources{
-				Memory: &cgroup2.Memory{
-					Min: pointer.To[int64](constants.CgroupUdevdReservedMemory),
-					Low: pointer.To[int64](constants.CgroupUdevdReservedMemory * 2),
-				},
-				CPU: &cgroup2.CPU{
-					Weight: pointer.To[uint64](cgroup.MillicoresToCPUWeight(cgroup.MilliCores(constants.CgroupUdevdMillicores))),
-				},
-			},
-		},
-		{
-			name: constants.CgroupPodRuntimeRoot,
-			resources: &cgroup2.Resources{
-				CPU: &cgroup2.CPU{
-					Weight: pointer.To[uint64](cgroup.MillicoresToCPUWeight(cgroup.MilliCores(constants.CgroupPodRuntimeRootMillicores))),
-				},
-			},
-		},
-		{
-			name: constants.CgroupPodRuntime,
-			resources: &cgroup2.Resources{
-				Memory: &cgroup2.Memory{
-					Min: pointer.To[int64](constants.CgroupPodRuntimeReservedMemory),
-					Low: pointer.To[int64](constants.CgroupPodRuntimeReservedMemory * 2),
-				},
-				CPU: &cgroup2.CPU{
-					Weight: pointer.To[uint64](cgroup.MillicoresToCPUWeight(cgroup.MilliCores(constants.CgroupPodRuntimeMillicores))),
-				},
-			},
-		},
-		{
-			name: constants.CgroupKubelet,
-			resources: &cgroup2.Resources{
-				Memory: &cgroup2.Memory{
-					Min: pointer.To[int64](constants.CgroupKubeletReservedMemory),
-					Low: pointer.To[int64](constants.CgroupKubeletReservedMemory * 2),
-				},
-				CPU: &cgroup2.CPU{
-					Weight: pointer.To[uint64](cgroup.MillicoresToCPUWeight(cgroup.MilliCores(constants.CgroupKubeletMillicores))),
-				},
-			},
-		},
-		{
-			name: constants.CgroupDashboard,
-			resources: &cgroup2.Resources{
-				Memory: &cgroup2.Memory{
-					Max: zeroIfRace(pointer.To[int64](constants.CgroupDashboardMaxMemory)),
-				},
-				CPU: &cgroup2.CPU{
-					Weight: pointer.To[uint64](cgroup.MillicoresToCPUWeight(cgroup.MilliCores(constants.CgroupDashboardMillicores))),
-				},
-			},
-		},
-		{
-			name: constants.CgroupApid,
-			resources: &cgroup2.Resources{
-				Memory: &cgroup2.Memory{
-					Min:  pointer.To[int64](constants.CgroupApidReservedMemory),
-					Low:  pointer.To[int64](constants.CgroupApidReservedMemory * 2),
-					Max:  zeroIfRace(pointer.To[int64](constants.CgroupApidMaxMemory)),
-					Swap: pointer.To[int64](0),
-				},
-				CPU: &cgroup2.CPU{
-					Weight: pointer.To[uint64](cgroup.MillicoresToCPUWeight(cgroup.MilliCores(constants.CgroupApidMillicores))),
-				},
-			},
-		},
-		{
-			name: constants.CgroupTrustd,
-			resources: &cgroup2.Resources{
-				Memory: &cgroup2.Memory{
-					Min:  pointer.To[int64](constants.CgroupTrustdReservedMemory),
-					Low:  pointer.To[int64](constants.CgroupTrustdReservedMemory * 2),
-					Max:  zeroIfRace(pointer.To[int64](constants.CgroupTrustdMaxMemory)),
-					Swap: pointer.To[int64](0),
-				},
-				CPU: &cgroup2.CPU{
-					Weight: pointer.To[uint64](cgroup.MillicoresToCPUWeight(cgroup.MilliCores(constants.CgroupTrustdMillicores))),
-				},
-			},
-		},
+	groups := []string{
+		constants.CgroupInit,
+		constants.CgroupSystem,
+		constants.CgroupPodRuntimeRoot,
 	}
 
 	for _, c := range groups {
-		if cgroups.Mode() == cgroups.Unified {
-			resources := c.resources
-
-			if rt.State().Platform().Mode().InContainer() {
-				// don't attempt to set resources in container mode, as they might conflict with the parent cgroup tree
-				resources = &cgroup2.Resources{}
-			}
-
-			cg, err := cgroup2.NewManager(constants.CgroupMountPath, cgroup.Path(c.name), resources)
-			if err != nil {
-				return fmt.Errorf("failed to create cgroup: %w", err)
-			}
-
-			if c.name == constants.CgroupInit {
-				if err := cg.AddProc(uint64(os.Getpid())); err != nil {
-					return fmt.Errorf("failed to move init process to cgroup: %w", err)
-				}
-			}
-		} else {
-			cg, err := cgroup1.New(cgroup1.StaticPath(c.name), &specs.LinuxResources{})
-			if err != nil {
-				return fmt.Errorf("failed to create cgroup: %w", err)
-			}
-
-			if c.name == constants.CgroupInit {
-				if err := cg.Add(cgroup1.Process{
-					Pid: os.Getpid(),
-				}); err != nil {
-					return fmt.Errorf("failed to move init process to cgroup: %w", err)
-				}
-			}
+		_, err := cgroup.CreateCgroup(c)
+		if err != nil {
+			return err
 		}
 	}
 

internal/app/machined/pkg/system/runner/containerd/containerd.go

@@ -10,6 +10,7 @@ import (
 	"fmt"
 	"io"
 	"log"
+	"os"
 	"syscall"
 	"time"
 
@@ -168,6 +169,21 @@ func (c *containerdRunner) Run(eventSink events.Recorder) error {
 		return fmt.Errorf("error creating log: %w", err)
 	}
 
+	cg, err := cgroup.CreateCgroup(c.opts.CgroupPath)
+	if err != nil {
+		return fmt.Errorf("error creating cgroup: %w", err)
+	}
+
+	// If the task is not cleaned up by containerd or another error
+	// happens during the lifecycle, remove the cgroup before exiting
+	// if one still exists
+	defer func() {
+		err := cg.Delete()
+		if err != nil && !os.IsNotExist(err) {
+			eventSink(events.StateStopping, "Failed to remove cgroup for %s, %s", c, err)
+		}
+	}()
+
 	defer logW.Close() //nolint:errcheck
 
 	var w io.Writer = logW

internal/app/machined/pkg/system/runner/process/process.go

@@ -413,7 +413,20 @@ func setSchedulingPolicy(p *processRunner, pid int, schedulingPolicy uint) error
 	return nil
 }
 
+//nolint:gocyclo
 func (p *processRunner) run(eventSink events.Recorder) error {
+	cg, err := cgroup.CreateCgroup(p.opts.CgroupPath)
+	if err != nil {
+		return fmt.Errorf("error creating cgroup: %w", err)
+	}
+
+	defer func() {
+		err := cg.Delete()
+		if err != nil {
+			eventSink(events.StateStopping, "Failed to remove cgroup for %s, %s", p, err)
+		}
+	}()
+
 	cmdWrapper, err := p.build()
 	if err != nil {
 		return fmt.Errorf("error building command: %w", err)

internal/app/machined/pkg/system/services/apid.go

@@ -177,12 +177,7 @@ func (o *APID) Runner(r runtime.Runtime) (runner.Runner, error) {
 		{Type: "bind", Destination: filepath.Dir(constants.APISocketPath), Source: filepath.Dir(constants.APISocketPath), Options: []string{"rbind", "rw"}},
 	}
 
-	if _, err := os.Stat("/usr/etc/in-container"); err == nil {
-		mounts = append(
-			mounts,
-			specs.Mount{Type: "bind", Destination: "/usr/etc/in-container", Source: "/usr/etc/in-container", Options: []string{"bind", "ro"}},
-		)
-	}
+	mounts = bindMountContainerMarker(mounts)
 
 	env := []string{
 		constants.TcellMinimizeEnvironment,

internal/app/machined/pkg/system/services/extension.go

@@ -176,12 +176,7 @@ func (svc *Extension) Runner(r runtime.Runtime) (runner.Runner, error) {
 
 	mounts := append([]specs.Mount{}, svc.Spec.Container.Mounts...)
 
-	if _, err := os.Stat("/usr/etc/in-container"); err == nil {
-		mounts = append(
-			mounts,
-			specs.Mount{Type: "bind", Destination: "/usr/etc/in-container", Source: "/usr/etc/in-container", Options: []string{"bind", "ro"}},
-		)
-	}
+	mounts = bindMountContainerMarker(mounts)
 
 	envVars, err := svc.parseEnvironment()
 	if err != nil {

internal/app/machined/pkg/system/services/trustd.go

@@ -154,12 +154,7 @@ func (t *Trustd) Runner(r runtime.Runtime) (runner.Runner, error) {
 		{Type: "bind", Destination: filepath.Dir(constants.TrustdRuntimeSocketPath), Source: filepath.Dir(constants.TrustdRuntimeSocketPath), Options: []string{"rbind", "ro"}},
 	}
 
-	if _, err := os.Stat("/usr/etc/in-container"); err == nil {
-		mounts = append(
-			mounts,
-			specs.Mount{Type: "bind", Destination: "/usr/etc/in-container", Source: "/usr/etc/in-container", Options: []string{"bind", "ro"}},
-		)
-	}
+	mounts = bindMountContainerMarker(mounts)
 
 	env := environment.Get(r.Config())
 	env = append(env,

internal/app/machined/pkg/system/services/utils.go

@@ -9,8 +9,10 @@ import (
 	"os"
 	"path/filepath"
 
+	specs "github.com/opencontainers/runtime-spec/specs-go"
 	"golang.org/x/sys/unix"
 
+	"github.com/siderolabs/talos/internal/pkg/containermode"
 	"github.com/siderolabs/talos/pkg/machinery/constants"
 )
 
@@ -34,3 +36,15 @@ func prepareRootfs(id string) error {
 
 	return nil
 }
+
+// bindMountContainerMarker bind-mounts a file used for container detection into a container service.
+func bindMountContainerMarker(mounts []specs.Mount) []specs.Mount {
+	if containermode.InContainer() {
+		mounts = append(
+			mounts,
+			specs.Mount{Type: "bind", Destination: constants.ContainerMarkerFilePath, Source: constants.ContainerMarkerFilePath, Options: []string{"bind", "ro"}},
+		)
+	}
+
+	return mounts
+}