add CONFIG_CGROUP_BPF to required kernel config

[pacoxu]

References:

• support cgroup2 containerd/containerd#3799 (comment)
• https://man7.org/linux/man-pages/man7/cgroups.7.html
• https://www.kernel.org/doc/Documentation/admin-guide/cgroup-v2.rst
• https://www.kernel.org/doc/Documentation/admin-guide/cgroup-v1/

Fixes #36

/cc @KentaTada @neolit123

[k8s-ci-robot]

@pacoxu: GitHub didn't allow me to request PR reviews from the following users: KentaTada.

Note that only kubernetes members and repo collaborators can review this PR, and authors cannot review their own PRs.

In response to this:

References:

• support cgroup2 containerd/containerd#3799 (comment)
• https://man7.org/linux/man-pages/man7/cgroups.7.html
• https://www.kernel.org/doc/Documentation/admin-guide/cgroup-v2.rst
• https://www.kernel.org/doc/Documentation/admin-guide/cgroup-v1/

Fixes #36

/cc @KentaTada @neolit123

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[pacoxu]

As cgroup v1 is in maintenance mode but not removed, we should not remove the cgroup v1 related kernel config out.

However, should we show different message for CONFIG_CGROUP_BPF missing?
Or should we check if the user is in cgroup v1 or v2 at this point to decide which check policy to use?

[neolit123]

in #36 @KentaTada mentioned that we need to read another file to verify cgroupv2.

Unlike in v1, the kernel config alone cannot determine whether the required v2 features are enabled.

[pacoxu]

in #36 @KentaTada mentioned that we need to read another file to verify cgroupv2.

It seems that we need to check in different ways for cgroup v1 and cgroup v2.

For instance,

• cgroup v2: check /sys/fs/cgroup/init.scope/cgroup.freeze
• cgroup v1: check CONFIG_CGROUP_FREEZER.

/hold

[pacoxu]

	// /proc/cgroups is meaningless for v2
	// https://github.com/torvalds/linux/blob/v5.3/Documentation/admin-guide/cgroup-v2.rst#deprecated-v1-core-features
	if IsCgroup2UnifiedMode() {
		// "pseudo" controllers do not appear in /sys/fs/cgroup/cgroup.controllers.
		// - devices: implemented in kernel 4.15
		// - freezer: implemented in kernel 5.2
		// We assume these are always available, as it is hard to detect availability.
		pseudo := []string{"devices", "freezer"}
		data, err := ReadFile("/sys/fs/cgroup", "cgroup.controllers")
		if err != nil {
			return nil, err
		}
		subsystems := append(pseudo, strings.Fields(data)...)
		return subsystems, nil
	}

Runc code https://github.com/kubernetes/kubernetes/blob/e404a28fae6946483c5de0e9f4b4adf6e6f63f3b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/utils.go#L100-L114

[pacoxu]

system-validators/validators/cgroup_validator_linux.go

Lines 141 to 156 in c4cf635

	func (c *CgroupsValidator) getCgroupV2Subsystems() ([]string, error) {
	// Some controllers are implicitly enabled by the kernel.
	// Those controllers do not appear in /sys/fs/cgroup/cgroup.controllers.
	// https://github.com/torvalds/linux/blob/v5.3/kernel/cgroup/cgroup.c#L433-L434
	// We assume these are always available, as it is hard to detect availability.
	// So, we hardcode the following as "pseudo" controllers.
	// - devices: implemented in kernel 4.15
	// - freezer: implemented in kernel 5.2
	pseudo := []string{"devices", "freezer"}
	data, err := ioutil.ReadFile(filepath.Join(unifiedMountpoint, "cgroup.controllers"))
	if err != nil {
	return nil, err
	}
	subsystems := append(pseudo, strings.Fields(string(data))...)
	return subsystems, nil
	}

	pseudo := []string{"devices", "freezer"}

We currently use the similar logic here and add freezer as default.

system-validators/validators/types_unix.go

Lines 69 to 70 in c4cf635

	Cgroups: []string{"cpu", "cpuacct", "cpuset", "devices", "freezer", "memory", "pids"},
	CgroupsOptional: []string{

This checks the cgroup sub controllers.

[neolit123]

aligning with RUNC seems good to me.

what about these comments about freeze vs freezer?
#36 (comment)

[pacoxu]

/unhold
For cgroup v1 cleanup, we should not do it now.

what about these comments about freeze vs freezer?
#36 (comment)

Updated.

[neolit123]

/lgtm
/approve
/hold

@KentaTada could you please have a look too?

[neolit123]

For cgroup v1 cleanup, we should not do it now.

could you explain why?

[pacoxu]

For cgroup v1 cleanup, we should not do it now.

could you explain why?

Basically two reasons IMO:

1. Kubernetes 1.31: Moving cgroup v1 Support into Maintenance Mode, not deprecated.
2. Most OS distrbutions keeps the cgroup v1 related kernel config as is, and I think this may be for backward compatibility.

[neolit123]

For cgroup v1 cleanup, we should not do it now.

could you explain why?

Basically two reasons IMO:

1. Kubernetes 1.31: Moving cgroup v1 Support into Maintenance Mode, not deprecated.
2. Most OS distrbutions keeps the cgroup v1 related kernel config as is, and I think this may be for backward compatibility.

ok, got it. you mean that we should not cleanup cgroups v1 because they are still widely used.

i tried finding @KentaTada 's slack to give him a ping but couldn't.
let's wait until end of next week maybe and if he does not reply we can go merge this PR as it is.

[KentaTada]

@KentaTada could you please have a look too?

I'll take a look at this pr by the first half of the next week.

[pacoxu]

I updated the PR accordingly and the only unresolved comment is https://github.com/kubernetes/system-validators/pull/41/files#r1800338762.

• I am not sure how to confirm about the default mount point if we cannot get the mount info correctly.

[KentaTada]

@pacoxu
Thank you for improving this feature.
It looks good to me.

[pacoxu]

@pacoxu
Thank you for improving this feature.
It looks good to me.

Thanks for your detailed review and comments.
Wait for @neolit123 to double check if anything is missing.

[pacoxu]

I refactor the logic to just parse /proc/mounts to get the first cgroup path.

• and I add a simple test for getUnifiedMountpoint( ).

BTW, the /proc/self/mountinfo file format is a little complex and I removed that part.

[neolit123]

this is much better @pacoxu !
mostly requesting minor fixes for text / comments in multiple places.

and only one Q about the file parser.

[neolit123]

is it ok to just do this?

Suggested change

	if len(cgroupV1MountPoint) == 0 {
	cgroupV1MountPoint = fields[1]
	}
	cgroupV1MountPoint = fields[1]

i.e. always update the var if more cgroups v1 mount points are found or should we only catch the first one?
(i don't know the format)

[pacoxu]

[root@10-29-14-249 ~]# cat /proc/mounts | grep cgroup
tmpfs /sys/fs/cgroup tmpfs ro,seclabel,nosuid,nodev,noexec,mode=755 0 0
cgroup /sys/fs/cgroup/systemd cgroup rw,seclabel,nosuid,nodev,noexec,relatime,xattr,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd 0 0
cgroup /sys/fs/cgroup/blkio cgroup rw,seclabel,nosuid,nodev,noexec,relatime,blkio 0 0
cgroup /sys/fs/cgroup/hugetlb cgroup rw,seclabel,nosuid,nodev,noexec,relatime,hugetlb 0 0
cgroup /sys/fs/cgroup/perf_event cgroup rw,seclabel,nosuid,nodev,noexec,relatime,perf_event 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,seclabel,nosuid,nodev,noexec,relatime,memory 0 0
cgroup /sys/fs/cgroup/net_cls,net_prio cgroup rw,seclabel,nosuid,nodev,noexec,relatime,net_prio,net_cls 0 0
cgroup /sys/fs/cgroup/cpu,cpuacct cgroup rw,seclabel,nosuid,nodev,noexec,relatime,cpuacct,cpu 0 0
cgroup /sys/fs/cgroup/devices cgroup rw,seclabel,nosuid,nodev,noexec,relatime,devices 0 0
cgroup /sys/fs/cgroup/pids cgroup rw,seclabel,nosuid,nodev,noexec,relatime,pids 0 0
cgroup /sys/fs/cgroup/cpuset cgroup rw,seclabel,nosuid,nodev,noexec,relatime,cpuset 0 0
cgroup /sys/fs/cgroup/freezer cgroup rw,seclabel,nosuid,nodev,noexec,relatime,freezer 0 0

For cgroup v1, this is an example. I prefer to get the first one.

[neolit123]

/lgtm
/approve

should i create a new release after this?

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: neolit123, pacoxu

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [neolit123]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[pacoxu]

should i create a new release after this?

Yes, as we have no todo items for v1.32.

[neolit123]

unrelated fix, please LGTM

• README.md: change the ML for SIG CL #42

will cut a release after it merges and send PR for k/k.

[pacoxu]

/unhold
Thanks @KentaTada @neolit123 for your reviewing.

[neolit123]

i will also rename the branch of this repo to main