
Commit 4a388e1

Merge pull request #6368 from marxarelli/review/unshare-cgroupns-entrypoint
dockerfile: run buildkitd within a cgroup namespace for cgroup v2
2 parents dbc169e + 93f176a commit 4a388e1

3 files changed

Lines changed: 34 additions & 2 deletions

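--- a/Dockerfile
+++ b/Dockerfile
@@ -221,7 +221,7 @@ FROM scratch AS release
 COPY --link --from=releaser /out/ /
 
 FROM alpine:${ALPINE_VERSION} AS buildkit-export-alpine
-RUN apk add --no-cache fuse3 git openssh openssl pigz xz iptables ip6tables \
+RUN apk add --no-cache fuse3 git openssh openssl pigz xz iptables ip6tables util-linux-misc \
 && ln -s fusermount3 /usr/bin/fusermount
 COPY --link examples/buildctl-daemonless/buildctl-daemonless.sh /usr/bin/
 VOLUME /var/lib/buildkit
@@ -398,7 +398,9 @@ EOT
 FROM buildkit-export AS buildkit-linux
 COPY --link --from=binaries / /usr/bin/
 ENV BUILDKIT_SETUP_CGROUPV2_ROOT=1
-ENTRYPOINT ["buildkitd"]
+COPY --link hack/buildkitd-entrypoint /usr/bin/buildkitd-entrypoint
+COPY --link hack/with-cgroupfs-remount /usr/bin/with-cgroupfs-remount
+ENTRYPOINT ["/usr/bin/buildkitd-entrypoint"]
 
 FROM buildkit-linux AS buildkit-linux-debug
 COPY --link --from=dlv /out/dlv /usr/bin/dlv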
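Review bot: The two new COPY --link lines in the second hunk carry no `--chmod`, so whether `/usr/bin/buildkitd-entrypoint` is executable depends entirely on the mode bits of `hack/buildkitd-entrypoint` in the build context, and since that file is now the ENTRYPOINT a context whose execute bit was lost (archive exports, some non-POSIX checkouts) yields an image that cannot start. `COPY --link --chmod=0755 hack/buildkitd-entrypoint /usr/bin/buildkitd-entrypoint` and the same flag on the with-cgroupfs-remount line make the requirement explicit regardless of the source tree. Separately, only the buildkit-export-alpine stage gains util-linux-misc in the first hunk while buildkit-linux is built FROM buildkit-export; if that stage can resolve to a non-alpine variant outside this view, the entrypoint's hard-coded `/usr/bin/unshare` would presumably be missing there, which is worth confirming or covering with the equivalent package.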

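--- a/hack/buildkitd-entrypoint
+++ b/hack/buildkitd-entrypoint
@@ -0,0 +1,22 @@
+#!/bin/sh
+#
+# For cgroup v2, ensure buildkitd has a namespaced view of /sys/fs/cgroup by
+# running in a new cgroup and mount namespace and remounting /sys/fs/cgroup.
+# Assume we are already in our own cgroup ns if the current cgroup path is
+# "/".
+#
+# Note this is a workaround for the lack of cgroupns control in the Kubernetes
+# API. If KEP-5714 is adopted, this can eventually be removed.
+#
+# See https://github.com/kubernetes/enhancements/issues/5714
+
+set -e
+
+if [ -e /sys/fs/cgroup/cgroup.controllers ]; then
+if [ "$(cut -d: -f3 /proc/self/cgroup)" != "/" ]; then
+echo creating cgroup namespace >&2
+exec /usr/bin/unshare --cgroup --mount /usr/bin/with-cgroupfs-remount /usr/bin/buildkitd "$@"
+fi
+fi
+
+exec /usr/bin/buildkitd "$@"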
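Review bot: The namespace check on line 16 compares the entire output of `cut -d: -f3 /proc/self/cgroup` with "/", which assumes /proc/self/cgroup holds exactly one entry; on a hybrid host that still mounts legacy v1 hierarchies the output is multi-line, the comparison can never match, and the unshare path is taken even when the process already sits at the root of a cgroup namespace (likely harmless, but it defeats the "assume we are already in our own cgroup ns" intent), while a cgroup path containing ':' is truncated by `-f3`. Restricting the check to the unified entry that line 15 already tested for, `if [ "$(grep '^0::' /proc/self/cgroup | cut -d: -f3-)" != "/" ]; then`, keeps it to the v2 hierarchy. Also, under `set -e` a failure of unshare or of the remount it wraps (both need CAP_SYS_ADMIN and a remountable /sys/fs/cgroup) ends the process instead of falling back to the plain `exec /usr/bin/buildkitd "$@"` on line 22, which is reasonable but should be stated in the header comment, e.g. `# Requires CAP_SYS_ADMIN for unshare and the remount; there is no fallback to the host cgroup view if either fails.`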

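--- a/hack/with-cgroupfs-remount
+++ b/hack/with-cgroupfs-remount
@@ -0,0 +1,8 @@
+#!/bin/sh
+set -e
+
+options="$(awk '$2 == "/sys/fs/cgroup" { print $4 }' /proc/self/mounts)"
+umount /sys/fs/cgroup
+mount -t cgroup2 -o "$options" cgroup2 /sys/fs/cgroup
+
+exec "$@"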
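Review bot: The awk on line 4 prints the options of every /proc/self/mounts entry whose mountpoint is /sys/fs/cgroup, so if the runtime stacks more than one mount on that path `$options` becomes a newline-separated string, and because line 5 has already unmounted the original, the failing `mount -o "$options"` on line 6 aborts under `set -e` with no cgroup filesystem left in the new namespace. Keeping only the last listed (i.e. visible) entry, `options="$(awk '$2 == "/sys/fs/cgroup" { o = $4 } END { print o }' /proc/self/mounts)"`, avoids that, and a `[ -n "$options" ]` guard before the umount would make the no-match case fail before anything is torn down. The script also has no header comment; something like `# Runs inside a fresh mount namespace (see buildkitd-entrypoint): re-mount /sys/fs/cgroup as cgroup2 with the original options so the namespaced cgroup root is what the exec'd command sees.` would tell a reader why a umount/mount pair appears here at all.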
