kholmanskikh
commented
1 year ago The issue is reproducible with runc taken from the main git branch.
Open kholmanskikh opened 1 year ago
kholmanskikh
commented
1 year ago The issue is reproducible with runc taken from the main git branch.
kolyshkin
commented
1 year ago @kholmanskikh can you please check and confirm/deny that this is because of nsdelegate option to cgroupv2 mount?
kholmanskikh
commented
11 months ago The issue is also reproducible when the cgroup2 is mounted without the nsdelegate option:
alpine:~$ mount|grep cgroup
none on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime)
alpine:~$ docker run --rm -it -d alpine
2babd8f8f743beea96d6f2fba02de19036e0f734d8c1d249ac694b8ad501f0e6
alpine:~$ docker top 2babd8f8f743beea96d6f2fba02de19036e0f734d8c1d249ac694b8ad501f0e6
Error response from daemon: runc did not terminate successfully: exit status 1: unable to get all container pids: read /sys/fs/cgroup/docker/2babd8f8f743beea96d6f2fba02de19036e0f734d8c1d249ac694b8ad501f0e6/cgroup.procs: operation not supported
: unknown
alpine:~$ 
ncopa
commented
11 months ago related downstream issues:
It also fails to start containers with --memory option:
$ docker run --rm -it --memory 2G alpine
docker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: unable to apply cgroup configuration: cannot enter cgroupv2 "/sys/fs/cgroup/docker" with domain controllers -- it is in domain threaded mode: unknown.In this case I have a daemon.json:
{
"storage-driver": "overlay2",
"cgroup-parent": "/docker"
}EDIT: but if I use:
{
"cgroup-parent": "/dockerContainers"
}It actually works.
ncopa
commented
11 months ago Could it be that runc sets docker/cgroup.type to domain threaded?
If I restart the docker daemon, it will initially be domain, but after first run container it changes to domain threaded:
ncopa-desktop:~$ doas /etc/init.d/docker start
* Starting Docker Daemon ... [ ok ]
ncopa-desktop:~$ cat /sys/fs/cgroup/docker/cgroup.type
domain
ncopa-desktop:~$ docker run --rm alpine echo hello
hello
ncopa-desktop:~$ cat /sys/fs/cgroup/docker/cgroup.type
domain threadedWhy does it end up with setting cgroup type as domain threaded?
ncopa
commented
11 months ago 
tbayart
commented
10 months ago Hi, i have the same issue under Portainer. I installer Alpine linux x64 and when i want to look at container stats in Portainer, i get the following error
"runc did not terminate successfully: exit status 1: unable to get all container pids: read /sys/fs/cgroup/docker/c7fe07c5253dba763ce8fde71945c3a5ac32998ae50dc1345dba7cffd6fab5fa/cgroup.procs: operation not supported: unknown"
I have many containers running fine for a while now but i'm unable to get stats
Description
docker topandrunc psfail with:when the system has cgroup2 mounted as:
and this does not happen when cgroup v1 is mounted (in addition to, or instead of cgroup v2).
The issue was found on Alpine Edge with packages:
Alpine uses openrc, which allows to specify the cgroup mount strategy in
/etc/rc.conf:and the issue mentioned above is observed when rc_cgroup_mode is unified:
and is not observed when it's legacy:
or hybrid:
Steps to reproduce the issue
docker run -it --rm <any container>docker top <container id>orrunc --root /run/docker/runtime-runc/moby ps <container id>Describe the results you received and expected
The command should display a list of processes in the container.
What version of runc are you using?
runc version 1.1.9 commit: 82f18fe0e44a59034f3e1f45e475fa5636e539aa spec: 1.0.2-dev go: go1.21.3 libseccomp: 2.5.4
Host OS information
NAME="Alpine Linux" ID=alpine VERSION_ID=3.19_alpha20230901 PRETTY_NAME="Alpine Linux edge" HOME_URL="https://alpinelinux.org/" BUG_REPORT_URL="https://gitlab.alpinelinux.org/alpine/aports/-/issues"
Host kernel information
Linux alpine 6.1.59-0-lts #1-Alpine SMP PREEMPT_DYNAMIC Fri, 20 Oct 2023 06:24:46 +0000 x86_64 Linux