fix: remove cgroup v2 preflight check

[theFong]

Summary

• Remove the cgroup v2 / cgroupns=host preflight check from onboarding — this issue has been fixed on the OpenShell side
• Delete bin/lib/preflight.js and test/preflight.test.js
• Remove the cgroup check block and import from bin/lib/onboard.js

Per @drew feedback: the cgroup fix is handled upstream, so NemoClaw doesn't need to check for it.

[coderabbitai]

📝 Walkthrough

Walkthrough

This change removes the cgroup v2 and Docker cgroupns validation logic from the onboarding system. The preflight.js module containing cgroup detection and daemon.json parsing is deleted entirely, along with its integration in onboard.js and corresponding test suite.

Changes

Cohort / File(s)	Summary
Preflight Module Deletion bin/lib/preflight.js	Entire module deleted, eliminating cgroup v2 detection (isCgroupV2), daemon.json reading (readDaemonJson), and cgroup configuration validation (checkCgroupConfig) functions and their exports.
Onboarding Integration bin/lib/onboard.js	Removed import of checkCgroupConfig from preflight; removed the entire cgroup v2 + Docker cgroupns validation block including console.error messages and process.exit(1) handling.
Test Suite Cleanup test/preflight.test.js	Entire test file deleted, eliminating unit tests for cgroup detection, daemon.json parsing, and cgroup configuration validation scenarios.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 Hopping past the cgroup checks we go,
No more daemon.json strings to slow,
Preflight fades like morning dew,
Simpler onboarding, fresh and new! 🌱

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The pull request title 'fix: remove cgroup v2 preflight check' accurately describes the main change: removing the cgroup v2 preflight validation logic from the codebase.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

📝 Coding Plan

• Generate coding plan for human review comments

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Tip

You can customize the tone of the review comments and chat replies.

Configure the tone_instructions setting to customize the tone of the review comments and chat replies. For example, you can set the tone to Act like a strict teacher, Act like a pirate and more.

[jacobtomlinson]

PR looks good thanks!

How do we enforce folks have a newer openshell? Otherwise they will just run into the old bug if we remove this. We should add a preflight check for openshell version.

[drew]

PR looks good thanks!

How do we enforce folks have a newer openshell? Otherwise they will just run into the old bug if we remove this. We should add a preflight check for openshell version.

Checking Nemoclaw users are running the latest OpenShell would be awesome. That's good blanket guidance for basically any OpenShell type error 😄

[ericksoa]

LGTM — upstream fix confirmed by Brev team.

Needs to also remove or update setup-spark references — if cgroup is handled upstream, setup-spark.sh and its CLI command are dead code.

[ericksoa]

Going to update to version check on this PR

[jacobtomlinson]

I think we still need a version check on openshell as part of this PR.

[ericksoa]

LGTM — removing the check to force upgrades to openshell v0.0.8+. Still needs setup-spark cleanup per my earlier comment, or we can do that in a follow-up.

If we decide to add the version check, we can reopen 258 :)

[drew]

Heads up — #280 was filed ~2 hours after this merged. The reporter is on a DGX Spark with openshell 0.0.10-dev.1 and hit the exact cgroup v2 / cgroupns failure this check was catching. Looks like the upstream fix hasn't shipped to all OpenShell versions yet.

What makes you say that @brianwtaylor? I don't see anything related to cgroups in that issue. We should ask for openshell doctor logs before making a final assesment.

[brianwtaylor]

@drew totally fair. got a little ahead when I noticed the reporter also on a spark. openshell logs is the right call, i can explore a bit

[drew]

No worries. Here is the upstream fix in OpenShell for your reference, NVIDIA/OpenShell#329. We have tested this fix on a Spark. Would also be useful to get the output of `openshell doctor check`​ and maybe `docker info`​ as well.

[brianwtaylor]

Thanks for linking #329 — that confirmed the timeline.

So I went and reproduced it. Pulled "default-cgroupns-mode": "host" from
daemon.json on a second DGX Spark (Ubuntu 24.04, cgroup v2, OpenShell 0.0.6),
ran nemoclaw onboard, got the identical namespace timeout. Gateway container
logs:

E cgroup_manager_linux.go:406 "Unhandled Error"
err="cgroup manager.Set failed: openat2 /sys/fs/cgroup/kubepods/pids.max: no
such file or directory"

E kubelet.go:1745 "Failed to start ContainerManager"
err="failed to initialize top level QOS containers: error validating root
container [kubepods] :
cgroup ["kubepods"] has some missing controllers: cpu, cpuset, hugetlb,
memory, pids"

The reporter's on openshell 0.0.10-dev.1+g13f13c2 — a dev snapshot from the
devel channel (cut March 5). Your cgroup fix
(NVIDIA/OpenShell#329) shipped in v0.0.8 on March 17,
so their build predates it despite the version number looking newer. Upgrading
to v0.0.10 should resolve it — I've pointed them there in
#280.

If you think it's worth the guardrail I can put something together.

tldr: just update openshell

-brian

[brianwtaylor]

Thanks for the link to #329 — that's exactly the fix the reporter's dev build is missing.

Here's the output from reproduction on my Spark (with cgroupns-mode: host removed from daemon.json):

openshell doctor check:

Checking system prerequisites...

  Docker ............. ok (version 29.1.3)
  DOCKER_HOST ........ (not set, using default socket)

All checks passed.

Notably, doctor check passes clean — it doesn't inspect cgroup config.

docker info (relevant bits):

Cgroup Driver: systemd
Cgroup Version: 2
Operating System: Ubuntu 24.04.4 LTS
Architecture: aarch64
Kernel Version: 6.17.0-1008-nvidia

cgroup v2 confirmed, which is the trigger — k3s inside the gateway container can't find v1 cgroup paths without cgroupns=host.