Docker is unable to start a container when I have a CGroup slice that is isolated or rooted, meaning not using the default set of CPUs from CGroup tree /.
Ubuntu LTS 22.04 (kernel 6.1.77-rt24)
Docker 26.1.1-ubuntu
Steps to reproduce
- Set the property
cgroup-parenttodocker.sliceindaemon.json - create the group
docker.slicein/sys/fs/cgroupwithmkdir - set
cpuset.cpusofdocker.sliceto, e.g.,1withecho 1 > cpuset.cpus - set
cpuset.cpus.partitiontorootwithecho "root" > cpuset.cpus.partition
Now if you start a container it will fail with the following message:
Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: unable to apply cgroup configuration: unable to start unit "docker-50846d2827cdd0ae7375c04f18eca690b0523a882b4bc3d605b42222a762a777.scope" (properties [{Name:Description Value:"libcontainer container 50846d2827cdd0ae7375c04f18eca690b0523a882b4bc3d605b42222a762a777"} {Name:Slice Value:"docker.slice"} {Name:Delegate Value:true} {Name:PIDs Value:@au [40038]} {Name:MemoryAccounting Value:true} {Name:CPUAccounting Value:true} {Name:IOAccounting Value:true} {Name:TasksAccounting Value:true} {Name:DefaultDependencies Value:false}]): error creating systemd unit `docker-50846d2827cdd0ae7375c04f18eca690b0523a882b4bc3d605b42222a762a777.scope`: got `failed`: unknown
You’ll notice that cpuset.cpus now contains an empty value, and due to the root partition setting, the effective number of CPUs is invalid and processes can’t be assigned.
My guess is that Docker tries to set the effective value of cpuset.cpus.effective from / tree to the container or subgroup if there is no container started yet. But this will fail with root as CPUs must be exclusive and not match any from / or its other children.
See issue of my original project repo for updates
Thanks for any feedback