fix: Configure containerd runc plugin options with systemd cgroup driver (#493)

dlipovetsky · faiq · web-flow · commit 1704c72ad33f · 2022-10-06T11:32:27.000-04:00
* fix: Configure containerd runc plugin to use systemd cgroup driver konvoy-image-builder installs kubelet as a systemd service, and kubelet therefore uses the systemd cgroup driver. The container runtime must use the same cgroup driver. > Note: In v1.22, if the user is not setting the cgroupDriver field > under KubeletConfiguration, kubeadm will default it to systemd. > -- https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/configure-cgroup-driver/ * Use runtime type 'io.containerd.runc.v2' The 'io.containerd.runc.v1' runtime type was deprecated in containerd 1.4, and does not support the systemd cgroup driver. * Use systemd cgroup driver with the nvidia runtime The option should work, because the nvidia runtime is just a repackaged runc runtime. * Use SystemdCgroup instead of systemd_cgroup Using snake case has no effect. Confirmed independently by both @faiq and @dlipovetsky. * Use "io.containerd.runc.v2" for nvidia container runtime Only "io.containerd.runc.v2" supports the SystemdCgroup option we need. I have seen multiple examples of this configuration in the wild, and since nvidia-container-runtime is a wrapper around runc, there should be no issues with using v2 of the containerd wrapper to runc. * fix: from poor merge * fix: allows cgroups v2 by default for flatcar Co-authored-by: Faiq <faiq@users.noreply.github.com> Co-authored-by: faiq <faiqrazarizvi@gmail.com>
diff --git a/ansible/roles/config/templates/config.toml.tmpl b/ansible/roles/config/templates/config.toml.tmpl
@@ -64,7 +64,6 @@ imports = ["/etc/containerd/conf.d/*.toml"]
     enable_selinux = false
     sandbox_image = "{{ pause_image }}"
     stats_collect_period = 10
-    systemd_cgroup = false
     enable_tls_streaming = false
     max_container_log_line_size = 16384
     disable_cgroup = false
@@ -88,10 +87,12 @@ imports = ["/etc/containerd/conf.d/*.toml"]
         privileged_without_host_devices = false
       [plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
         [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
-          runtime_type = "io.containerd.runc.v1"
+          runtime_type = "io.containerd.runc.v2"
           runtime_engine = ""
           runtime_root = ""
           privileged_without_host_devices = false
+          [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
+            SystemdCgroup = true
     [plugins."io.containerd.grpc.v1.cri".cni]
       bin_dir = "/opt/cni/bin"
       conf_dir = "/etc/cni/net.d"
diff --git a/ansible/roles/containerd/tasks/install-flatcar.yaml b/ansible/roles/containerd/tasks/install-flatcar.yaml
@@ -28,16 +28,3 @@
   copy:
     content: "export PATH=$PATH:/run/torcx/unpack/docker/bin/"
     dest: "/etc/profile.d/my_path.sh"
-
-- name: ensure cgroups v2 are disabled
-  command: grep -q systemd.unified_cgroup_hierarchy=0 /usr/share/oem/grub.cfg
-  changed_when: no
-  failed_when: false
-  register: cgroupsv2_check
-
-- name: cgroups setup
-  when:
-    - cgroupsv2_check.rc != 0
-  block:
-    - name: disable cgroups v2
-      command: sed -E -i 's/^(set linux_append=.*)"$/\1 systemd.unified_cgroup_hierarchy=0 systemd.legacy_systemd_cgroup_controller"/g' /usr/share/oem/grub.cfg
