diff --git a/enterprise/server/cmd/executor/executor_linux.go b/enterprise/server/cmd/executor/executor_linux.go index 8af31d651b3..6ab9b7c2e27 100644 --- a/enterprise/server/cmd/executor/executor_linux.go +++ b/enterprise/server/cmd/executor/executor_linux.go @@ -79,6 +79,12 @@ func setupCgroups() (string, error) { } log.Infof("Set up task cgroup at %s", taskCgroupPath) + // Enable the same controllers for the child cgroups that were enabled + // for the starting cgroup. + if err := cgroup.DelegateControllers(filepath.Join(cgroup.RootPath, startingCgroup)); err != nil { + return "", fmt.Errorf("inherit subtree control: %w", err) + } + taskCgroupRelpath := filepath.Join(startingCgroup, taskCgroupName) return taskCgroupRelpath, nil } diff --git a/enterprise/server/remote_execution/cgroup/cgroup.go b/enterprise/server/remote_execution/cgroup/cgroup.go index 790444bf0ba..b8adfda7575 100644 --- a/enterprise/server/remote_execution/cgroup/cgroup.go +++ b/enterprise/server/remote_execution/cgroup/cgroup.go @@ -81,7 +81,7 @@ func Setup(ctx context.Context, path string, s *scpb.CgroupSettings, blockDevice if len(m) == 0 { return nil } - enabledControllers, err := ParentEnabledControllers(path) + enabledControllers, err := EnabledControllers(path) if err != nil { return fmt.Errorf("read enabled controllers: %w", err) } @@ -99,10 +99,10 @@ func Setup(ctx context.Context, path string, s *scpb.CgroupSettings, blockDevice return nil } -// ParentEnabledControllers returns the cgroup controllers that are enabled for -// the parent cgroup of a given cgroup. -func ParentEnabledControllers(path string) (map[string]bool, error) { - b, err := os.ReadFile(filepath.Join(path, "..", "cgroup.subtree_control")) +// EnabledControllers returns the controllers enabled for the cgroup at the +// given absolute path. +func EnabledControllers(path string) (map[string]bool, error) { + b, err := os.ReadFile(filepath.Join(path, "cgroup.controllers")) if err != nil { return nil, err } @@ -133,6 +133,20 @@ func WriteSubtreeControl(path string, settings map[string]bool) error { return os.WriteFile(filepath.Join(path, "cgroup.subtree_control"), b, 0) } +// DelegateControllers reads the currently enabled controllers for the given +// cgroup absolute path and makes those controllers available to child cgroups +// by writing to the "cgroup.subtree_control" file. +func DelegateControllers(path string) error { + controllers, err := EnabledControllers(path) + if err != nil { + return fmt.Errorf("read enabled controllers for %q: %w", path, err) + } + if err := WriteSubtreeControl(path, controllers); err != nil { + return fmt.Errorf("write cgroup.subtree_control for %q: %w", path, err) + } + return nil +} + func settingsMap(s *scpb.CgroupSettings, blockDevice *block_io.Device) (map[string]string, error) { m := map[string]string{} if s == nil { diff --git a/enterprise/server/remote_execution/containers/ociruntime/ociruntime.go b/enterprise/server/remote_execution/containers/ociruntime/ociruntime.go index 295ec05bab1..9b412b5e6a9 100644 --- a/enterprise/server/remote_execution/containers/ociruntime/ociruntime.go +++ b/enterprise/server/remote_execution/containers/ociruntime/ociruntime.go @@ -695,16 +695,10 @@ func (c *ociContainer) setupCgroup(ctx context.Context) error { if err := os.MkdirAll(path, 0755); err != nil { return fmt.Errorf("create cgroup: %w", err) } - // Before setting up the container cgroup we need to enable subtree - // controllers on the parent cgroup. For now we inherit the enabled - // controllers from the parent of the parent. - parentPath := filepath.Dir(path) - controllers, err := cgroup.ParentEnabledControllers(parentPath) - if err != nil { - return fmt.Errorf("read enabled controllers for parent of %q: %w", parentPath, err) - } - if err := cgroup.WriteSubtreeControl(parentPath, controllers); err != nil { - return fmt.Errorf("write cgroup.subtree_control for %q: %w", parentPath, err) + // Propagate enabled controllers to the child cgroup before performing + // cgroup setup. + if err := cgroup.DelegateControllers(filepath.Dir(path)); err != nil { + return fmt.Errorf("delegate controllers: %w", err) } if err := cgroup.Setup(ctx, path, c.cgroupSettings, c.blockDevice); err != nil { return fmt.Errorf("configure cgroup: %w", err)