feat: match cgroups between host system and container

This change ensures cgroup consistency between the Bottlerocket host system and the admin container, preventing resource management conflicts.  The implementation synchronizes cgroup configurations between the host and admin container.

Signed-off-by: Maher Homsi <[email protected]>

Author: maherthomsi

Dockerfile

@@ -65,11 +65,6 @@ ARG IMAGE_VERSION
 RUN test -n "$IMAGE_VERSION"
 LABEL "org.opencontainers.image.version"="$IMAGE_VERSION"
 
-# Install the custom systemd build in the same transaction as all original
-# packages to save space. For example, openssh-server pulls in systemd. This
-# dependency is best satisfied by the downstream build. Reinstalling it later
-# would result in also carrying around the original systemd in the final image
-# where it would remain forever hidden and unused in a lower layer.
 RUN dnf update -y \
     && dnf install -y \
         crypto-policies-scripts \

start_admin.sh

@@ -247,6 +247,15 @@ for key_alg in "${key_algorithms[@]}"; do
   fi
 done
 
+readonly host_cgroup="/.bottlerocket/rootfs/sys/fs/cgroup"
+
+cgroup_fstype=$(findmnt -n -o FSTYPE "${host_cgroup}" || true)
+if [[ "${cgroup_fstype}" == tmpfs ]]; then
+  # Host uses cgroup v1, so use cgroup v1 in container too
+  ln -sf "${host_cgroup}" /sys/fs/cgroup
+  log "cgroup v1 enabled in admin container to match host"
+fi
+
 install_proxy_profile
 
 enable_systemd_services
@@ -255,32 +264,7 @@ enable_systemd_services
 
 systemd_options=()
 
-# cgroup v2 compatibility crimes: systemd 219 in the admin container only
-# supports cgroup v1.
-if [[ $(findmnt -n -o FSTYPE /sys/fs/cgroup) = cgroup2 ]]; then
-    # Mount an extra cgroup v1 hierarchy for use by systemd in the admin
-    # container. Vanilla systemd is hard-wired to look for it at /sys/fs/cgroup
-    # but that path is already taken by the host's proper cgroup hierarchy.
-    # Mounting a cgroup v1 hierarchy here might confuse the host and the systemd
-    # documentation advises against manually interfering with anything in that
-    # path. Therefore, mount the extra hierarchy elsewhere and tell systemd in
-    # the admin container where to look. Requirements:
-    #
-    #   1. The base must be a mount point.
-    #   2. The base must contain another mounted cgroup file system named "systemd".
-    #
-    # In either case there is no need to populate the file systems with any
-    # actual cgroup controllers, since the host is expected to manage processes.
-    readonly cgroup_base=/.bottlerocket/admin-container-cgroup
-    mkdir -p "${cgroup_base}"
-    mount -t tmpfs -o nosuid,nodev,noexec tmpfs "${cgroup_base}"
-    mkdir -p "${cgroup_base}"/systemd
-    mount -o remount,ro "${cgroup_base}"
-    mount -t cgroup -o none,name=systemd cgroup "${cgroup_base}"/systemd
-    systemd_options+=( --cgroup-base "${cgroup_base}" )
-fi
-
 # Persuade systemd that it's OK to run as a user manager.
 export XDG_RUNTIME_DIR="/run/user/${UID}"
 mkdir -p /run/systemd/system "${XDG_RUNTIME_DIR}"
-exec /usr/lib/systemd/systemd "${systemd_options[@]}" --user --unit=admin.target
+exec /usr/lib/systemd/systemd "${systemd_options[@]}" --user --unit=admin.target