fix cgroup resolving for cases where cgroup namespaces are used

cgroup/cgroup.go

@@ -16,6 +16,8 @@ import (
 var (
 	cgRoot = *flags.CgroupRoot
 
+	baseCgroupPath = ""
+
 	dockerIdRegexp      = regexp.MustCompile(`([a-z0-9]{64})`)
 	crioIdRegexp        = regexp.MustCompile(`crio-([a-z0-9]{64})`)
 	containerdIdRegexp  = regexp.MustCompile(`cri-containerd-([a-z0-9]{64})`)
@@ -95,10 +97,11 @@ func NewFromProcessCgroupFile(filePath string) (*Cgroup, error) {
 			continue
 		}
 		for _, cgType := range strings.Split(parts[1], ",") {
-			cg.subsystems[cgType] = parts[2]
+			cg.subsystems[cgType] = path.Join(baseCgroupPath, parts[2])
 		}
 	}
-	if cg.Id = cg.subsystems["cpu"]; cg.Id != "" {
+	if p := cg.subsystems["cpu"]; p != "" {
+		cg.Id = p
 		cg.Version = V1
 	} else {
 		cg.Id = cg.subsystems[""]
@@ -119,7 +122,7 @@ func containerByCgroup(path string) (ContainerType, string, error) {
 	if prefix == "user.slice" || prefix == "init.scope" {
 		return ContainerTypeStandaloneProcess, "", nil
 	}
-	if prefix == "docker" || (prefix == "system.slice" && strings.HasPrefix(parts[1], "docker")) {
+	if prefix == "docker" || (prefix == "system.slice" && strings.HasPrefix(parts[1], "docker-")) {
 		matches := dockerIdRegexp.FindStringSubmatch(path)
 		if matches == nil {
 			return ContainerTypeUnknown, "", fmt.Errorf("invalid docker cgroup %s", path)

cgroup/cgroup_linux.go

@@ -0,0 +1,40 @@
+package cgroup
+
+import (
+	"github.com/vishvananda/netns"
+	"golang.org/x/sys/unix"
+	"k8s.io/klog/v2"
+	"runtime"
+)
+
+func init() {
+	selfNs, err := netns.GetFromPath("/proc/self/ns/cgroup")
+	if err != nil {
+		klog.Exitln(err)
+	}
+	defer selfNs.Close()
+	hostNs, err := netns.GetFromPath("/proc/1/ns/cgroup")
+	if err != nil {
+		klog.Exitln(err)
+	}
+	defer hostNs.Close()
+	if selfNs.Equal(hostNs) {
+		return
+	}
+
+	runtime.LockOSThread()
+	defer runtime.UnlockOSThread()
+	if err := unix.Setns(int(hostNs), unix.CLONE_NEWCGROUP); err != nil {
+		klog.Exitln(err)
+	}
+
+	cg, err := NewFromProcessCgroupFile("/proc/self/cgroup")
+	if err != nil {
+		klog.Exitln(err)
+	}
+	baseCgroupPath = cg.Id
+
+	if err := unix.Setns(int(selfNs), unix.CLONE_NEWCGROUP); err != nil {
+		klog.Exitln(err)
+	}
+}

cgroup/cgroup_test.go

@@ -9,26 +9,26 @@ import (
 func TestNewFromProcessCgroupFile(t *testing.T) {
 	cg, err := NewFromProcessCgroupFile(path.Join("fixtures/proc/100/cgroup"))
 	assert.Nil(t, err)
-	assert.Equal(t, "/system.slice/ssh.service", cg.Id)
+	assert.Equal(t, "/system.slice/docker.service", cg.Id)
 	assert.Equal(t, V1, cg.Version)
-	assert.Equal(t, "/system.slice/ssh.service", cg.ContainerId)
+	assert.Equal(t, "/system.slice/docker.service", cg.ContainerId)
 	assert.Equal(t, ContainerTypeSystemdService, cg.ContainerType)
 
 	assert.Equal(t,
 		map[string]string{
-			"blkio":        "/system.slice/ssh.service",
-			"cpu":          "/system.slice/ssh.service",
-			"cpuacct":      "/system.slice/ssh.service",
+			"blkio":        "/system.slice/docker.service",
+			"cpu":          "/system.slice/docker.service",
+			"cpuacct":      "/system.slice/docker.service",
 			"cpuset":       "/",
-			"devices":      "/system.slice/ssh.service",
+			"devices":      "/system.slice/docker.service",
 			"freezer":      "/",
 			"hugetlb":      "/",
-			"memory":       "/system.slice/ssh.service",
-			"name=systemd": "/system.slice/ssh.service",
+			"memory":       "/system.slice/docker.service",
+			"name=systemd": "/system.slice/docker.service",
 			"net_cls":      "/",
 			"net_prio":     "/",
 			"perf_event":   "/",
-			"pids":         "/system.slice/ssh.service",
+			"pids":         "/system.slice/docker.service",
 		},
 		cg.subsystems,
 	)
@@ -54,6 +54,10 @@ func TestNewFromProcessCgroupFile(t *testing.T) {
 	assert.Equal(t, "73051af271105c07e1f493b34856a77e665e3b0b4fc72f76c807dfbffeb881bd", cg.ContainerId)
 	assert.Equal(t, ContainerTypeDocker, cg.ContainerType)
 
+	baseCgroupPath = "/kubepods.slice/kubepods-besteffort.slice/kubepods-besteffort-podc83d0428_58af_41eb_8dba_b9e6eddffe7b.slice/docker-0e612005fd07e7f47e2cd07df99a2b4e909446814d71d0b5e4efc7159dd51252.scope"
+	defer func() {
+		baseCgroupPath = ""
+	}()
 	cg, err = NewFromProcessCgroupFile(path.Join("fixtures/proc/500/cgroup"))
 	assert.Nil(t, err)
 	assert.Equal(t, V2, cg.Version)

cgroup/fixtures/proc/100/cgroup

@@ -1,11 +1,11 @@
 11:perf_event:/
-10:devices:/system.slice/ssh.service
+10:devices:/system.slice/docker.service
 9:freezer:/
 8:cpuset:/
-7:cpu,cpuacct:/system.slice/ssh.service
-6:blkio:/system.slice/ssh.service
-5:memory:/system.slice/ssh.service
+7:cpu,cpuacct:/system.slice/docker.service
+6:blkio:/system.slice/docker.service
+5:memory:/system.slice/docker.service
 4:hugetlb:/
 3:net_cls,net_prio:/
-2:pids:/system.slice/ssh.service
-1:name=systemd:/system.slice/ssh.service
+2:pids:/system.slice/docker.service
+1:name=systemd:/system.slice/docker.service

cgroup/fixtures/proc/500/cgroup

@@ -1 +1 @@
-0::/system.slice/docker-ba7b10d15d16e10e3de7a2dcd408a3d971169ae303f46cfad4c5453c6326fee2.scope
+0::/../../../../system.slice/docker-ba7b10d15d16e10e3de7a2dcd408a3d971169ae303f46cfad4c5453c6326fee2.scope