From 84675dd6b39942d02e6f4590932480ae4b03bd13 Mon Sep 17 00:00:00 2001
From: Drew Newberry
Date: Sun, 15 Mar 2026 14:24:29 -0700
Subject: [PATCH] fix(bootstrap): use host cgroup namespace for gateway container

Docker Desktop 29.x defaults to private cgroupns which prevents k3s kubelet from accessing cgroup v2 controllers (cpu, cpuset, memory, pids, hugetlb). This causes ContainerManager to fail during startup. Explicitly set cgroupns_mode to host, which is backwards compatible with all Docker versions and matches what k3s-in-Docker tooling (k3d) requires.
---
 crates/openshell-bootstrap/src/docker.rs | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/crates/openshell-bootstrap/src/docker.rs b/crates/openshell-bootstrap/src/docker.rs
index 1cb62b7b..ffde393f 100644
--- a/crates/openshell-bootstrap/src/docker.rs
+++ b/crates/openshell-bootstrap/src/docker.rs
@@ -10,8 +10,8 @@ use bollard::API_DEFAULT_VERSION;
 use bollard::Docker;
 use bollard::errors::Error as BollardError;
 use bollard::models::{
- ContainerCreateBody, DeviceRequest, HostConfig, NetworkCreateRequest, NetworkDisconnectRequest,
- PortBinding, VolumeCreateRequest,
+ ContainerCreateBody, DeviceRequest, HostConfig, HostConfigCgroupnsModeEnum,
+ NetworkCreateRequest, NetworkDisconnectRequest, PortBinding, VolumeCreateRequest,
 };
 use bollard::query_parameters::{
 CreateContainerOptions, CreateImageOptions, InspectContainerOptions, InspectNetworkOptions,
@@ -523,6 +523,11 @@ pub async fn ensure_container(
 let mut host_config = HostConfig {
 privileged: Some(true),
+ // Use host cgroup namespace so k3s kubelet can manage cgroup controllers
+ // (cpu, cpuset, memory, pids, etc.) required for pod QoS. With cgroup v2
+ // and a private cgroupns, the controllers are not delegated into the
+ // container's namespace, causing kubelet ContainerManager to fail.
+ cgroupns_mode: Some(HostConfigCgroupnsModeEnum::HOST),
 port_bindings: Some(port_bindings),
 binds: Some(vec![format!("{}:/var/lib/rancher/k3s", volume_name(name))]),
 network_mode: Some(network_name(name)),