Dockerfile: move into separate group when running under cgroupsv2

Per the comments in containers/podman#14884 there is basically no way to run podman nested in the container in a cgroups v2 environment (e.g. Ubuntu Jammy) with the processes in the same context the container starts in. One option is to run systemd in the container, which puts things in separate slices, etc. This is unappealing. This takes what I think is the simplest approach which is to check if we're under cgroups v2 and move everything into a new group before nodepool-builder starts. The referenced change tests this by running the containerfile elements on Jammy. Neded-By: https://review.opendev.org/c/openstack/diskimage-builder/+/849274 Change-Id: Ie663d01d77e17f560a92887cba1e2c86b421b24d
westphahl · Aug 2, 2022 · 6c59182 · 6c59182
1 parent bd6f610
commit 6c59182
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -138,6 +138,13 @@ RUN \
   apt-get clean \
   && rm -rf /var/lib/apt/lists/*
 
+# NOTE(ianw) 2022-08-02 : move this into its own cgroup on cgroupsv2
+# hosts for nested podman calls to work; see comments in
+#  https://github.com/containers/podman/issues/14884
 CMD _DAEMON_FLAG=${DEBUG:+-d} && \
     _DAEMON_FLAG=${_DAEMON_FLAG:--f} && \
+    if [ -e /sys/fs/cgroup/cgroup.controllers ]; then \
+      sudo mkdir /sys/fs/cgroup/nodepool && \
+      for p in `cat /sys/fs/cgroup/cgroup.procs`; do echo $p | sudo tee /sys/fs/cgroup/nodepool/cgroup.procs || true; done \
+    fi; \
     /usr/local/bin/nodepool-builder ${_DAEMON_FLAG}