cgroup2: unshare cgroupns by default regardless to API version

[AkihiroSuda]

- What I did
Fix #41071

cgroup2 mode sets cgroupns=private by default , but the default was overridden to host when API < 1.41.

- How to verify it

$ sudo ls -l /proc/1/ns/cgroup
lrwxrwxrwx 1 root root 0 Jun  5 18:04 /proc/1/ns/cgroup -> 'cgroup:[4026531835]'
$ DOCKER_API_VERSION=1.40 docker run --rm alpine ls -l /proc/1/ns/cgroup
lrwxrwxrwx    1 root     root             0 Jun  5 09:04 /proc/1/ns/cgroup -> cgroup:[4026532639]

- A picture of a cute animal (not mandatory but encouraged)
🐧

[thaJeztah]

ping @kolyshkin PTAL

[kolyshkin]

Can simplify it a lot by using cgroups.IsCgroup2UnifiedMode() in place

[AkihiroSuda]

@kolyshkin That package only compiles on Linux and cannot be imported in cmd/dockerd/daemon.go.

[AkihiroSuda]

@kolyshkin @thaJeztah @cpuguy83 PTAL

[cpuguy83]

Should this be in the router? If we are doing this regardless of API version, seems like the router doesn't need to know about v2.

[thaJeztah]

^ good point

[kolyshkin]

Should this be in the router? If we are doing this regardless of API version, seems like the router doesn't need to know about v2.

It's the router who resets the cgroupns=private (default for cgroupv2) setting for older clients. Chances are, older clients don't know/care about cgroupv2, so the reset should only be done for cgroupv1, thus the need for router to know whether its v1 or v2.

[kolyshkin]

LGTM

[cpuguy83]

I don't think we should contort the router to have system level information because we can't tell if a value passed from the router is a default value or not.

[kolyshkin]

I don't think we should contort the router to have system level information

So, you are suggesting we should perform the change somewhere else. Fine, but...

we can't tell if a value passed from the router is a default value or not

...this is exactly what the problem is. We do not know if a cgroupns value that comes from the router is default or not, so we don't know if we need to change it or not :-\

IOW, if you don't like the way how it's currently done, can you please propose an alternative way to do the same thing?

[cpuguy83]

Maybe not perfect for future (albeit highly unlikely to have changes around this case), but telling the router what the default should be seems cleaner.

I also opened #41129 to discuss how to handle this across the board because it is problematic in other places as well.

[AkihiroSuda]

Can we merge this PR and discuss the router design in #41129 ?

[cpuguy83]

I would rather not add extra compexity like this just to get the change in.
I think it's also a bit of a stretch to make this change to older API versions.

[justincormack]

Its not safe to run cgroupsv2 unnamespaced it appears, so I think we have to make this change for previous API versions.

[cpuguy83]

@justincormack I was curious about that. Good catch.

So we can implement this totally in the daemon and not touch the API side.

[AkihiroSuda]

not touch the API side.

API server has if hostConfig.CgroupnsMode.IsEmpty() { hostConfig.CgroupnsMode = container.CgroupnsMode("host") } , so this PR modifies API server to disable this block for cgroup v2

[kolyshkin]

LGTM

[thaJeztah]

LGTM

[cpuguy83]

LGTM

It'd be nice to rework this a bit, but we need this in.