Explain why we need a separate cgroup

docker/dind/start-dockerd

@@ -22,8 +22,15 @@ start_restart_dockerd() {
     fi
 }
 
-move_processes_to_nested_cgroup() {
-    # detect cgroups v2
+move_processes_to_separate_cgroup() {
+    # Move processes to a separate cgroup to prevent the root cgroup from becoming
+    # threaded -- "Once you have a threaded controller you can not create cgroups
+    # below it that reference non-threaded controllers like the memory controller".
+    # Fixes "cannot enter cgroupv2 "/sys/fs/cgroup/docker" with domain controllers --
+    # it is in threaded mode" when starting containers with resource constraints,
+    # see https://github.com/dstackai/dstack/issues/1854
+    # Based on https://github.com/moby/moby/blob/65cfcc2/hack/dind#L59 and
+    # https://github.com/earthly/earthly/blob/08b0d1f/buildkitd/dockerd-wrapper.sh#L63
     if [[ -f /sys/fs/cgroup/cgroup.controllers ]]; then
         local group=/sys/fs/cgroup/dind
         mkdir -p ${group}
@@ -54,5 +61,5 @@ event=$(start_restart_dockerd)
 if ! wait_dockerd_started; then
     show_dockerd_log_and_die
 fi
-move_processes_to_nested_cgroup
+move_processes_to_separate_cgroup
 echo "dockerd ${event}"