Add cgroups v2 support for Jammy stemcells #468

Open: mkocher wants to merge 2 commits into cloudfoundry:ubuntu-jammy from mkocher:jammy-cgroups-v2

@mkocher (Member) commented Jan 28, 2026

This enables warden stemcells to function on hosts that are using cgroups v2, which is increasingly common. This should not have any effects on other infrastructures as the stemcell kernel will continue to be booted with cgroups v1.

Alphasite previously approved these changes Jan 28, 2026

github-project-automation bot moved this from Inbox to Pending Merge | Prioritized in Foundational Infrastructure Working Group Jan 28, 2026

@Alphasite (Contributor) commented

I think this looks good to me. The main change is to use a cgroup v2 path instead of a v1 path when necessary?

aramprice previously approved these changes Jan 28, 2026

@aramprice (Member) left a comment

This change seems reasonable for contexts where a Jammy stemcell image is running in a containerized context.

@rkoster (Contributor) commented Jan 28, 2026

Something similar would be needed here: https://github.com/cloudfoundry/bosh-linux-stemcell-builder/blob/ubuntu-noble/stemcell_builder/stages/bosh_monit/assets/monit-nftables.nft#L9

So the question on my mind is why is this needed on a noble host, and why only when using the warden cpi. Because noble host with docker cpi is fine, with both noble and jammy stemcells. In other words shouldn't this be fixed on the garden noble compatibility side?

@aramprice (Member) commented

There is some concern about merging this since it doesn't appear that there are tests which validate the monit protection code.

We should either add, or document that there are, tests which exercise the "happy path" protection of monit before changing this. No need to add tests for the containerized scenario so long as there is coverage for the "production" (aka VM deployment) case.

@mariash (Member) commented Jan 29, 2026

As @rkoster mentioned the nftables cgroup path blocks monit access for cgroups v2. But I am not sure this config can figure out current cgroup - https://github.com/cloudfoundry/bosh-linux-stemcell-builder/blob/ubuntu-noble/stemcell_builder/stages/bosh_monit/assets/monit-nftables.nft#L9

When stemcells run as privileged containers (e.g., Docker CPI on Apple
Silicon), systemd-binfmt clears the host's binfmt_misc registrations,
including Rosetta, causing "exec format error" for x86_64 processes.

Add a drop-in override with ConditionVirtualization=!container to skip
the service in containers while preserving normal behavior on VMs.

Signed-off-by: Matthew Kocher <matthew.kocher@broadcom.com>
KauzClay dismissed stale reviews from aramprice and Alphasite via 2b27253 February 4, 2026 22:40

@rkoster (Contributor) left a comment

Nice find!! But how is it jammy specific or related to cgroups v2?

github-project-automation bot moved this from Pending Merge | Prioritized to Waiting for Changes | Open for Contribution in Foundational Infrastructure Working Group Feb 5, 2026
6 participants