From ef642fe8900fb1ee1daae6501bbd6bae3aa50d3a Mon Sep 17 00:00:00 2001
From: Champ-Goblem
Date: Wed, 28 May 2025 16:39:01 +0100
Subject: [PATCH] runtime: fix cgroupv2 deletion when sandbox_cgroup_only=false
Currently, when a new sandbox resource controller is created with cgroupsv2 and sandbox_cgroup_only is disabled, the cgroup management falls back to cgroupfs. During deletion, `IsSystemdCgroup` checks if the path contains `:` and tries to delete the cgroup via systemd. However, the cgroup was originally set up via cgroupfs and this process fails with `lstat /sys/fs/cgroup/kubepods.slice/kubepods-besteffort.slice/....scope: no such file or directory`. This patch updates the deletion logic to take in to account the sandbox_cgroup_only=false option and in this case uses the cgroupfs delete.
Fixes: #11036
Signed-off-by: Champ-Goblem
---
 src/runtime/pkg/resourcecontrol/cgroups.go | 20 +++++++++++---------
 src/runtime/virtcontainers/sandbox.go | 10 ++++++----
 2 files changed, 17 insertions(+), 13 deletions(-)
diff --git a/src/runtime/pkg/resourcecontrol/cgroups.go b/src/runtime/pkg/resourcecontrol/cgroups.go
index 42006f4949..0c6976709a 100644
--- a/src/runtime/pkg/resourcecontrol/cgroups.go
+++ b/src/runtime/pkg/resourcecontrol/cgroups.go
@@ -41,10 +41,11 @@ func RenameCgroupPath(path string) (string, error) {
 }
 type LinuxCgroup struct {
- cgroup interface{}
- path string
- cpusets *specs.LinuxCPU
- devices []specs.LinuxDeviceCgroup
+ cgroup interface{}
+ path string
+ cpusets *specs.LinuxCPU
+ devices []specs.LinuxDeviceCgroup
+ sandboxCgroupOnly bool
 sync.Mutex
 }
@@ -226,7 +227,7 @@ func NewSandboxResourceController(path string, resources *specs.LinuxResources,
 }, nil
 }
-func LoadResourceController(path string) (ResourceController, error) {
+func LoadResourceController(path string, sandboxCgroupOnly bool) (ResourceController, error) {
 var err error
 var cgroup interface{}
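Review bot: The exported `LoadResourceController` gains a positional `sandboxCgroupOnly bool` with no doc comment, and nothing in the signature says that it has to carry the same value the cgroup was created with. Because the flag now selects between the systemd and cgroupfs managers on cgroup v2, a caller that passes the wrong value loads the wrong backend and the sandbox cgroup can be left behind on the host. I would add a doc comment such as `// LoadResourceController loads the existing cgroup at path; sandboxCgroupOnly must match the value used when the cgroup was created, because on cgroup v2 it selects the systemd or cgroupfs manager.` The function body continues outside this hunk.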
@@ -242,7 +243,7 @@ func LoadResourceController(path string) (ResourceController, error) {
 return nil, err
 }
 } else if cgroups.Mode() == cgroups.Unified {
- if IsSystemdCgroup(path) {
+ if IsSystemdCgroup(path) && sandboxCgroupOnly {
 slice, unit, err := getSliceAndUnit(path)
 if err != nil {
 return nil, err
@@ -262,8 +263,9 @@ func LoadResourceController(path string) (ResourceController, error) {
 }
 return &LinuxCgroup{
- path: path,
- cgroup: cgroup,
+ sandboxCgroupOnly: sandboxCgroupOnly,
+ path: path,
+ cgroup: cgroup,
 }, nil
 }
@@ -276,7 +278,7 @@ func (c *LinuxCgroup) Delete() error {
 case cgroups.Cgroup:
 return cg.Delete()
 case *cgroupsv2.Manager:
- if IsSystemdCgroup(c.ID()) {
+ if IsSystemdCgroup(c.ID()) && c.sandboxCgroupOnly {
 if err := cg.DeleteSystemd(); err != nil {
 return err
 }
diff --git a/src/runtime/virtcontainers/sandbox.go b/src/runtime/virtcontainers/sandbox.go
index 049ab084a2..01a466bb47 100644
--- a/src/runtime/virtcontainers/sandbox.go
+++ b/src/runtime/virtcontainers/sandbox.go
@@ -2540,14 +2540,16 @@ func (s *Sandbox) resourceControllerDelete() error {
 return nil
 }
- sandboxController, err := resCtrl.LoadResourceController(s.state.SandboxCgroupPath)
+ sandboxController, err := resCtrl.LoadResourceController(s.state.SandboxCgroupPath, s.config.SandboxCgroupOnly)
 if err != nil {
 return err
 }
 resCtrlParent := sandboxController.Parent()
- if err := sandboxController.MoveTo(resCtrlParent); err != nil {
- return err
+ if resCtrlParent != "." {
+ if err := sandboxController.MoveTo(resCtrlParent); err != nil {
+ return err
+ }
 }
 if err := sandboxController.Delete(); err != nil {
@@ -2555,7 +2557,7 @@ func (s *Sandbox) resourceControllerDelete() error {
 }
 if s.state.OverheadCgroupPath != "" {
- overheadController, err := resCtrl.LoadResourceController(s.state.OverheadCgroupPath)
+ overheadController, err := resCtrl.LoadResourceController(s.state.OverheadCgroupPath, s.config.SandboxCgroupOnly)
 if err != nil {
 return err
 }
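Review bot: In `LoadResourceController` the condition `IsSystemdCgroup(path) && sandboxCgroupOnly` is the same decision that `Delete()` repeats as `IsSystemdCgroup(c.ID()) && c.sandboxCgroupOnly`, and both have to agree with whatever the creation path does, which is not part of this diff. Hand-copied predicates can drift, and a mismatch means a cgroup is created through one manager and removed through another, which is the failure this commit is fixing. A small unexported helper called from both sites would keep them in step, e.g. `func useSystemdManager(path string, sandboxCgroupOnly bool) bool { return IsSystemdCgroup(path) && sandboxCgroupOnly }`. The `else` branch that handles the cgroupfs case lies outside the hunk.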
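Review bot: `Delete()` now consults `c.sandboxCgroupOnly`, but the only place this patch assigns that field is the struct literal returned by `LoadResourceController`. If the other constructors in cgroups.go (`NewSandboxResourceController` appears only as hunk context) still build `LinuxCgroup` without it, a controller obtained from them carries the zero value `false`, and `Delete()` would skip `DeleteSystemd()` even for a cgroup that was set up through systemd. Either set the field in every constructor or state the limitation on the field itself, e.g. `// sandboxCgroupOnly is set by LoadResourceController only; Delete uses it to choose systemd or cgroupfs removal.` The rest of `Delete()` is outside the hunk.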
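Review bot: The new guard `if resCtrlParent != "."` in `resourceControllerDelete` skips `MoveTo` on an unexplained sentinel, and `Delete()` is then called on a cgroup whose processes were never moved out. Presumably `"."` is what `Parent()` returns when the path has no parent component (its implementation is not in this diff); if that reading is right, say so at the comparison, e.g. `// Parent() returns "." when the path has no parent component, so there is no parent cgroup to move into.` It is also worth confirming that `Delete()` reports an error rather than returning quietly when the cgroup is still populated, since an undeleted sandbox cgroup keeps its limits and accounting alive on the host. The function starts and ends outside the hunk.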
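Review bot: Both `LoadResourceController` calls in `resourceControllerDelete` take the cgroup path from persisted state (`s.state.SandboxCgroupPath`, `s.state.OverheadCgroupPath`) but the manager choice from `s.config.SandboxCgroupOnly`. If the configuration seen at teardown can differ from the one in effect when the cgroup was created (whether the config is restored together with the sandbox is not visible here), deletion would again pick the wrong manager and leave the cgroup on the host. Recording the flag next to the path in the sandbox state would close that gap; if the config is already guaranteed to match, a comment at the call would do, e.g. `// config is restored with the sandbox, so this matches the value used at creation`. A regression test that creates a cgroup v2 sandbox with `sandbox_cgroup_only=false` and asserts the cgroup is gone after delete would cover both calls.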