Always use CLONE_INTO_CGROUP when supported (!6653) · Merge requests · GitLab.org / gitaly

Sami Hiltunen requested to merge smh-remove-clone-into-cgroup-ff into master Feb 01, 2024

This commit removes the ExecCommandDirectlyInCgroup feature flag. Gitaly now uses CLONE_INTO_CGROUP always when it is supported. Support requires Linux kernel >= v5.7 and cgroup v2.

Previously Gitaly was spawning commands first and then placing them into their target cgroup. This is racy as the command runs without limits before it is assigned to the target cgroup. If the command spawned a child process before being assigned into the target cgroup, the child process would remain in the original cgroup it inherited from the parent and not be moved with it. This has led to for example 'git pack-objects' processes leaking from the cgroups as 'git upload-pack' managed to spawn them before it was moved to the target cgroup by Gitaly.

CLONE_INTO_CGROUP launches the commands directly in the correct cgroups and thus eliminates the brief period the command is running without a cgroup correctly assigned.

Closes #5639 (closed)

Always use CLONE_INTO_CGROUP when supported

Merge request reports