fix: re-create cgroups when restarting runners

dsseng · dsseng · commit f4c34c79f7f4 · 2025-09-09T10:46:09.000+02:00
Make sure processes are only launched into freshly-created cgroups with all limits set when they are restarted. This also allows processes to restart after cgroup being killed via the cgroup.kill mechanism. Fixes #11785 Signed-off-by: Dmitrii Sharshakov <dmitry.sharshakov@siderolabs.com>
diff --git a/internal/app/machined/pkg/startup/cgroups.go b/internal/app/machined/pkg/startup/cgroups.go
@@ -33,177 +33,158 @@ func zeroIfRace[T any](v T) T {
 	return v
 }
 
-// CreateSystemCgroups creates system cgroups.
-//
-//nolint:gocyclo
-func CreateSystemCgroups(ctx context.Context, log *zap.Logger, rt runtime.Runtime, next NextTaskFunc) error {
-	// in container mode cgroups mode depends on cgroups provided by the container runtime
-	if !rt.State().Platform().Mode().InContainer() {
-		// assert that cgroupsv2 is being used when running not in container mode,
-		// as Talos sets up cgroupsv2 on its own
-		if cgroups.Mode() != cgroups.Unified {
-			return errors.New("cgroupsv2 should be used")
-		}
-	}
-
-	// Initialize cgroups root path.
-	if err := cgroup.InitRoot(); err != nil {
-		return fmt.Errorf("error initializing cgroups root path: %w", err)
-	}
-
-	log.Info("initializing cgroups", zap.String("root", cgroup.Root()))
-
-	groups := []struct {
-		name      string
-		resources *cgroup2.Resources
-	}{
-		{
-			name: constants.CgroupInit,
-			resources: &cgroup2.Resources{
-				Memory: &cgroup2.Memory{
-					Min: pointer.To[int64](constants.CgroupInitReservedMemory),
-					Low: pointer.To[int64](constants.CgroupInitReservedMemory * 2),
-				},
-				CPU: &cgroup2.CPU{
-					Weight: pointer.To[uint64](cgroup.MillicoresToCPUWeight(cgroup.MilliCores(constants.CgroupInitMillicores))),
-				},
+// CreateCgroupV2 creates a cgroupv2 with given resources.
+func CreateCgroupV2(name string, inContainer bool) (*cgroup2.Manager, error) {
+	groups := map[string]*cgroup2.Resources{
+		constants.CgroupInit: {
+			Memory: &cgroup2.Memory{
+				Min: pointer.To[int64](constants.CgroupInitReservedMemory),
+				Low: pointer.To[int64](constants.CgroupInitReservedMemory * 2),
+			},
+			CPU: &cgroup2.CPU{
+				Weight: pointer.To[uint64](cgroup.MillicoresToCPUWeight(cgroup.MilliCores(constants.CgroupInitMillicores))),
 			},
 		},
-		{
-			name: constants.CgroupSystem,
-			resources: &cgroup2.Resources{
-				Memory: &cgroup2.Memory{
-					Min: pointer.To[int64](constants.CgroupSystemReservedMemory),
-					Low: pointer.To[int64](constants.CgroupSystemReservedMemory * 2),
-				},
-				CPU: &cgroup2.CPU{
-					Weight: pointer.To[uint64](cgroup.MillicoresToCPUWeight(cgroup.MilliCores(constants.CgroupSystemMillicores))),
-				},
+		constants.CgroupSystem: {
+			Memory: &cgroup2.Memory{
+				Min: pointer.To[int64](constants.CgroupSystemReservedMemory),
+				Low: pointer.To[int64](constants.CgroupSystemReservedMemory * 2),
+			},
+			CPU: &cgroup2.CPU{
+				Weight: pointer.To[uint64](cgroup.MillicoresToCPUWeight(cgroup.MilliCores(constants.CgroupSystemMillicores))),
 			},
 		},
-		{
-			name: constants.CgroupSystemRuntime,
-			resources: &cgroup2.Resources{
-				Memory: &cgroup2.Memory{
-					Min: pointer.To[int64](constants.CgroupSystemRuntimeReservedMemory),
-					Low: pointer.To[int64](constants.CgroupSystemRuntimeReservedMemory * 2),
-				},
-				CPU: &cgroup2.CPU{
-					Weight: pointer.To[uint64](cgroup.MillicoresToCPUWeight(cgroup.MilliCores(constants.CgroupSystemRuntimeMillicores))),
-				},
+		constants.CgroupSystemRuntime: {
+			Memory: &cgroup2.Memory{
+				Min: pointer.To[int64](constants.CgroupSystemRuntimeReservedMemory),
+				Low: pointer.To[int64](constants.CgroupSystemRuntimeReservedMemory * 2),
+			},
+			CPU: &cgroup2.CPU{
+				Weight: pointer.To[uint64](cgroup.MillicoresToCPUWeight(cgroup.MilliCores(constants.CgroupSystemRuntimeMillicores))),
 			},
 		},
-		{
-			name: constants.CgroupUdevd,
-			resources: &cgroup2.Resources{
-				Memory: &cgroup2.Memory{
-					Min: pointer.To[int64](constants.CgroupUdevdReservedMemory),
-					Low: pointer.To[int64](constants.CgroupUdevdReservedMemory * 2),
-				},
-				CPU: &cgroup2.CPU{
-					Weight: pointer.To[uint64](cgroup.MillicoresToCPUWeight(cgroup.MilliCores(constants.CgroupUdevdMillicores))),
-				},
+		constants.CgroupUdevd: {
+			Memory: &cgroup2.Memory{
+				Min: pointer.To[int64](constants.CgroupUdevdReservedMemory),
+				Low: pointer.To[int64](constants.CgroupUdevdReservedMemory * 2),
+			},
+			CPU: &cgroup2.CPU{
+				Weight: pointer.To[uint64](cgroup.MillicoresToCPUWeight(cgroup.MilliCores(constants.CgroupUdevdMillicores))),
 			},
 		},
-		{
-			name: constants.CgroupPodRuntimeRoot,
-			resources: &cgroup2.Resources{
-				CPU: &cgroup2.CPU{
-					Weight: pointer.To[uint64](cgroup.MillicoresToCPUWeight(cgroup.MilliCores(constants.CgroupPodRuntimeRootMillicores))),
-				},
+		constants.CgroupPodRuntimeRoot: {
+			CPU: &cgroup2.CPU{
+				Weight: pointer.To[uint64](cgroup.MillicoresToCPUWeight(cgroup.MilliCores(constants.CgroupPodRuntimeRootMillicores))),
 			},
 		},
-		{
-			name: constants.CgroupPodRuntime,
-			resources: &cgroup2.Resources{
-				Memory: &cgroup2.Memory{
-					Min: pointer.To[int64](constants.CgroupPodRuntimeReservedMemory),
-					Low: pointer.To[int64](constants.CgroupPodRuntimeReservedMemory * 2),
-				},
-				CPU: &cgroup2.CPU{
-					Weight: pointer.To[uint64](cgroup.MillicoresToCPUWeight(cgroup.MilliCores(constants.CgroupPodRuntimeMillicores))),
-				},
+		constants.CgroupPodRuntime: {
+			Memory: &cgroup2.Memory{
+				Min: pointer.To[int64](constants.CgroupPodRuntimeReservedMemory),
+				Low: pointer.To[int64](constants.CgroupPodRuntimeReservedMemory * 2),
+			},
+			CPU: &cgroup2.CPU{
+				Weight: pointer.To[uint64](cgroup.MillicoresToCPUWeight(cgroup.MilliCores(constants.CgroupPodRuntimeMillicores))),
 			},
 		},
-		{
-			name: constants.CgroupKubelet,
-			resources: &cgroup2.Resources{
-				Memory: &cgroup2.Memory{
-					Min: pointer.To[int64](constants.CgroupKubeletReservedMemory),
-					Low: pointer.To[int64](constants.CgroupKubeletReservedMemory * 2),
-				},
-				CPU: &cgroup2.CPU{
-					Weight: pointer.To[uint64](cgroup.MillicoresToCPUWeight(cgroup.MilliCores(constants.CgroupKubeletMillicores))),
-				},
+		constants.CgroupKubelet: {
+			Memory: &cgroup2.Memory{
+				Min: pointer.To[int64](constants.CgroupKubeletReservedMemory),
+				Low: pointer.To[int64](constants.CgroupKubeletReservedMemory * 2),
+			},
+			CPU: &cgroup2.CPU{
+				Weight: pointer.To[uint64](cgroup.MillicoresToCPUWeight(cgroup.MilliCores(constants.CgroupKubeletMillicores))),
 			},
 		},
-		{
-			name: constants.CgroupDashboard,
-			resources: &cgroup2.Resources{
-				Memory: &cgroup2.Memory{
-					Max: zeroIfRace(pointer.To[int64](constants.CgroupDashboardMaxMemory)),
-				},
-				CPU: &cgroup2.CPU{
-					Weight: pointer.To[uint64](cgroup.MillicoresToCPUWeight(cgroup.MilliCores(constants.CgroupDashboardMillicores))),
-				},
+		constants.CgroupDashboard: {
+			Memory: &cgroup2.Memory{
+				Max: zeroIfRace(pointer.To[int64](constants.CgroupDashboardMaxMemory)),
+			},
+			CPU: &cgroup2.CPU{
+				Weight: pointer.To[uint64](cgroup.MillicoresToCPUWeight(cgroup.MilliCores(constants.CgroupDashboardMillicores))),
 			},
 		},
-		{
-			name: constants.CgroupApid,
-			resources: &cgroup2.Resources{
-				Memory: &cgroup2.Memory{
-					Min:  pointer.To[int64](constants.CgroupApidReservedMemory),
-					Low:  pointer.To[int64](constants.CgroupApidReservedMemory * 2),
-					Max:  zeroIfRace(pointer.To[int64](constants.CgroupApidMaxMemory)),
-					Swap: pointer.To[int64](0),
-				},
-				CPU: &cgroup2.CPU{
-					Weight: pointer.To[uint64](cgroup.MillicoresToCPUWeight(cgroup.MilliCores(constants.CgroupApidMillicores))),
-				},
+		constants.CgroupApid: {
+			Memory: &cgroup2.Memory{
+				Min:  pointer.To[int64](constants.CgroupApidReservedMemory),
+				Low:  pointer.To[int64](constants.CgroupApidReservedMemory * 2),
+				Max:  zeroIfRace(pointer.To[int64](constants.CgroupApidMaxMemory)),
+				Swap: pointer.To[int64](0),
+			},
+			CPU: &cgroup2.CPU{
+				Weight: pointer.To[uint64](cgroup.MillicoresToCPUWeight(cgroup.MilliCores(constants.CgroupApidMillicores))),
 			},
 		},
-		{
-			name: constants.CgroupTrustd,
-			resources: &cgroup2.Resources{
-				Memory: &cgroup2.Memory{
-					Min:  pointer.To[int64](constants.CgroupTrustdReservedMemory),
-					Low:  pointer.To[int64](constants.CgroupTrustdReservedMemory * 2),
-					Max:  zeroIfRace(pointer.To[int64](constants.CgroupTrustdMaxMemory)),
-					Swap: pointer.To[int64](0),
-				},
-				CPU: &cgroup2.CPU{
-					Weight: pointer.To[uint64](cgroup.MillicoresToCPUWeight(cgroup.MilliCores(constants.CgroupTrustdMillicores))),
-				},
+		constants.CgroupTrustd: {
+			Memory: &cgroup2.Memory{
+				Min:  pointer.To[int64](constants.CgroupTrustdReservedMemory),
+				Low:  pointer.To[int64](constants.CgroupTrustdReservedMemory * 2),
+				Max:  zeroIfRace(pointer.To[int64](constants.CgroupTrustdMaxMemory)),
+				Swap: pointer.To[int64](0),
+			},
+			CPU: &cgroup2.CPU{
+				Weight: pointer.To[uint64](cgroup.MillicoresToCPUWeight(cgroup.MilliCores(constants.CgroupTrustdMillicores))),
 			},
 		},
 	}
 
-	for _, c := range groups {
-		if cgroups.Mode() == cgroups.Unified {
-			resources := c.resources
+	resources, ok := groups[name]
 
-			if rt.State().Platform().Mode().InContainer() {
-				// don't attempt to set resources in container mode, as they might conflict with the parent cgroup tree
-				resources = &cgroup2.Resources{}
-			}
+	if !ok || inContainer {
+		// don't attempt to set resources in container mode, as they might conflict with the parent cgroup tree
+		resources = &cgroup2.Resources{}
+	}
 
-			cg, err := cgroup2.NewManager(constants.CgroupMountPath, cgroup.Path(c.name), resources)
-			if err != nil {
-				return fmt.Errorf("failed to create cgroup: %w", err)
-			}
+	cg, err := cgroup2.NewManager(constants.CgroupMountPath, cgroup.Path(name), resources)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create cgroup: %w", err)
+	}
 
-			if c.name == constants.CgroupInit {
-				if err := cg.AddProc(uint64(os.Getpid())); err != nil {
-					return fmt.Errorf("failed to move init process to cgroup: %w", err)
-				}
+	if name == constants.CgroupInit {
+		if err := cg.AddProc(uint64(os.Getpid())); err != nil {
+			return nil, fmt.Errorf("failed to move init process to cgroup: %w", err)
+		}
+	}
+
+	return cg, nil
+}
+
+// CreateSystemCgroups creates system cgroups.
+func CreateSystemCgroups(ctx context.Context, log *zap.Logger, rt runtime.Runtime, next NextTaskFunc) error {
+	// in container mode cgroups mode depends on cgroups provided by the container runtime
+	if !rt.State().Platform().Mode().InContainer() {
+		// assert that cgroupsv2 is being used when running not in container mode,
+		// as Talos sets up cgroupsv2 on its own
+		if cgroups.Mode() != cgroups.Unified {
+			return errors.New("cgroupsv2 should be used")
+		}
+	}
+
+	// Initialize cgroups root path.
+	if err := cgroup.InitRoot(); err != nil {
+		return fmt.Errorf("error initializing cgroups root path: %w", err)
+	}
+
+	log.Info("initializing cgroups", zap.String("root", cgroup.Root()))
+
+	groups := []string{
+		constants.CgroupInit,
+		constants.CgroupSystem,
+		constants.CgroupPodRuntimeRoot,
+	}
+
+	for _, c := range groups {
+		if cgroups.Mode() == cgroups.Unified {
+			_, err := CreateCgroupV2(c, rt.State().Platform().Mode().InContainer())
+			if err != nil {
+				return err
 			}
 		} else {
-			cg, err := cgroup1.New(cgroup1.StaticPath(c.name), &specs.LinuxResources{})
+			cg, err := cgroup1.New(cgroup1.StaticPath(c), &specs.LinuxResources{})
 			if err != nil {
 				return fmt.Errorf("failed to create cgroup: %w", err)
 			}
 
-			if c.name == constants.CgroupInit {
+			if c == constants.CgroupInit {
 				if err := cg.Add(cgroup1.Process{
 					Pid: os.Getpid(),
 				}); err != nil {
diff --git a/internal/app/machined/pkg/system/runner/containerd/containerd.go b/internal/app/machined/pkg/system/runner/containerd/containerd.go
@@ -10,6 +10,7 @@ import (
 	"fmt"
 	"io"
 	"log"
+	"strings"
 	"syscall"
 	"time"
 
@@ -20,6 +21,8 @@ import (
 	"github.com/containerd/containerd/v2/pkg/oci"
 	"github.com/containerd/errdefs"
 
+	"github.com/siderolabs/talos/internal/app/machined/pkg/runtime"
+	"github.com/siderolabs/talos/internal/app/machined/pkg/startup"
 	"github.com/siderolabs/talos/internal/app/machined/pkg/system/events"
 	"github.com/siderolabs/talos/internal/app/machined/pkg/system/runner"
 	"github.com/siderolabs/talos/internal/pkg/cgroup"
@@ -168,6 +171,21 @@ func (c *containerdRunner) Run(eventSink events.Recorder) error {
 		return fmt.Errorf("error creating log: %w", err)
 	}
 
+	cg, err := startup.CreateCgroupV2(c.opts.CgroupPath, runtime.ModeContainer.InContainer())
+	if err != nil {
+		return fmt.Errorf("error creating cgroup: %w", err)
+	}
+
+	// If the task is not cleaned up by containerd or another error
+	// happens during the lifecycle, remove the cgroup before exiting
+	// if one still exists
+	defer func() {
+		err := cg.Delete()
+		if err != nil && !strings.Contains(err.Error(), "no such file or directory") {
+			eventSink(events.StateStopping, "Failed to remove cgroup for %s, %s", c, err)
+		}
+	}()
+
 	defer logW.Close() //nolint:errcheck
 
 	var w io.Writer = logW
diff --git a/internal/app/machined/pkg/system/runner/process/process.go b/internal/app/machined/pkg/system/runner/process/process.go
@@ -27,6 +27,7 @@ import (
 
 	"github.com/siderolabs/talos/internal/app/machined/pkg/runtime"
 	"github.com/siderolabs/talos/internal/app/machined/pkg/runtime/v1alpha1/platform"
+	"github.com/siderolabs/talos/internal/app/machined/pkg/startup"
 	"github.com/siderolabs/talos/internal/app/machined/pkg/system/events"
 	"github.com/siderolabs/talos/internal/app/machined/pkg/system/runner"
 	"github.com/siderolabs/talos/internal/pkg/cgroup"
@@ -413,7 +414,20 @@ func setSchedulingPolicy(p *processRunner, pid int, schedulingPolicy uint) error
 	return nil
 }
 
+//nolint:gocyclo
 func (p *processRunner) run(eventSink events.Recorder) error {
+	cg, err := startup.CreateCgroupV2(p.opts.CgroupPath, runtime.ModeContainer.InContainer())
+	if err != nil {
+		return fmt.Errorf("error creating cgroup: %w", err)
+	}
+
+	defer func() {
+		err := cg.Delete()
+		if err != nil {
+			eventSink(events.StateStopping, "Failed to remove cgroup for %s, %s", p, err)
+		}
+	}()
+
 	cmdWrapper, err := p.build()
 	if err != nil {
 		return fmt.Errorf("error building command: %w", err)
