[dind] Enable cgroups v2 nesting

See: https://github.com/moby/moby/blob/65cfcc2/hack/dind#L59 See: https://github.com/earthly/earthly/blob/08b0d1f/buildkitd/dockerd-wrapper.sh#L63 Fixes: #1854
dstackai · Oct 17, 2024 · c735527 · c735527
1 parent b3d6a0f
commit c735527
Showing 1 changed file with 50 additions and 24 deletions.
diff --git a/docker/dind/start-dockerd b/docker/dind/start-dockerd
@@ -1,32 +1,58 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
-mkdir /mnt/_tmp
-if ! mount -t tmpfs none /mnt/_tmp 2> /dev/null; then
-    echo 'docker privileged mode required'
+check_privileged_mode_or_die() {
+    mkdir /mnt/_tmp
+    if ! mount -t tmpfs none /mnt/_tmp 2> /dev/null; then
+        echo 'docker privileged mode required'
+        rm -r /mnt/_tmp
+        exit 101
+    fi
+    umount /mnt/_tmp
     rm -r /mnt/_tmp
-    exit 101
-fi
-umount /mnt/_tmp
-rm -r /mnt/_tmp
+}
 
-if ! supervisorctl status > /dev/null; then
-    supervisord -c /etc/supervisord.conf
-    action='started'
-else
-    supervisorctl restart dockerd > /dev/null
-    action='restarted'
-fi
+start_restart_dockerd() {
+    if ! supervisorctl status > /dev/null; then
+        supervisord -c /etc/supervisord.conf
+        echo 'started'
+    else
+        supervisorctl restart dockerd > /dev/null
+        echo 'restarted'
+    fi
+}
 
-for _i in {1..10}; do
-    if supervisorctl tail dockerd | grep -q 'API listen on'; then
-        echo "dockerd ${action}"
-        exit 0
+move_processes_to_nested_cgroup() {
+    # detect cgroups v2
+    if [[ -f /sys/fs/cgroup/cgroup.controllers ]]; then
+        local group=/sys/fs/cgroup/dind
+        mkdir -p ${group}
+        xargs -rn1 < /sys/fs/cgroup/cgroup.procs > ${group}/cgroup.procs || true
     fi
-    sleep 1
-done
+}
 
-supervisorctl stop dockerd > /dev/null
-echo 'failed to start dockerd:'
-supervisorctl tail dockerd
-exit 102
+wait_dockerd_started() {
+    for _i in {1..10}; do
+        if supervisorctl tail dockerd | grep -q 'API listen on'; then
+            return 0
+        fi
+        sleep 1
+    done
+    return 1
+}
+
+show_dockerd_log_and_die() {
+    supervisorctl stop dockerd > /dev/null
+    echo 'failed to start dockerd:'
+    supervisorctl tail dockerd
+    exit 102
+}
+
+
+check_privileged_mode_or_die
+event=$(start_restart_dockerd)
+if ! wait_dockerd_started; then
+    show_dockerd_log_and_die
+fi
+move_processes_to_nested_cgroup
+echo "dockerd ${event}"