
Commit a458ca6

fix(bootstrap): use host cgroup namespace for gateway container (#329)
Docker Desktop 29.x defaults to private cgroupns which prevents k3s kubelet from accessing cgroup v2 controllers (cpu, cpuset, memory, pids, hugetlb). This causes ContainerManager to fail during startup. Explicitly set cgroupns_mode to host, which is backwards compatible with all Docker versions and matches what k3s-in-Docker tooling (k3d) requires.
1 parent 5b70865 commit a458ca6

1 file changed

+7
-2
lines changed


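--- a/crates/openshell-bootstrap/src/docker.rs
+++ b/crates/openshell-bootstrap/src/docker.rs
@@ -8,8 +8,8 @@ use bollard::API_DEFAULT_VERSION;
 use bollard::Docker;
 use bollard::errors::Error as BollardError;
 use bollard::models::{
-ContainerCreateBody, DeviceRequest, HostConfig, NetworkCreateRequest, NetworkDisconnectRequest,
-PortBinding, VolumeCreateRequest,
+ContainerCreateBody, DeviceRequest, HostConfig, HostConfigCgroupnsModeEnum,
+NetworkCreateRequest, NetworkDisconnectRequest, PortBinding, VolumeCreateRequest,
 };
 use bollard::query_parameters::{
 CreateContainerOptions, CreateImageOptions, InspectContainerOptions, InspectNetworkOptions,
@@ -524,6 +524,11 @@ pub async fn ensure_container(
 
 let mut host_config = HostConfig {
 privileged: Some(true),
+// Use host cgroup namespace so k3s kubelet can manage cgroup controllers
+// (cpu, cpuset, memory, pids, etc.) required for pod QoS. With cgroup v2
+// and a private cgroupns, the controllers are not delegated into the
+// container's namespace, causing kubelet ContainerManager to fail.
+cgroupns_mode: Some(HostConfigCgroupnsModeEnum::HOST),
 port_bindings: Some(port_bindings),
 binds: Some(vec![format!("{}:/var/lib/rancher/k3s", volume_name(name))]),
 network_mode: Some(network_name(name)),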