Add cgroup v2 support for container id detector

[XSAM]

Resolves #3501

The new container id detector tries to resolve the container id from the cgroup v1 file, if successful, the result is used. If v1 fails, then the detector falls back to the cgroup v2 file.

[codecov]

Codecov Report

❌ Patch coverage is 84.61538% with 6 lines in your changes missing coverage. Please review.
✅ Project coverage is 78.1%. Comparing base (69e44a3) to head (5eaaa5c).
⚠️ Report is 2505 commits behind head on main.

Files with missing lines	Patch %	Lines
sdk/resource/container.go	80.0%	2 Missing and 1 partial ⚠️
sdk/resource/container_id_cgroup_v2.go	75.0%	2 Missing and 1 partial ⚠️

Additional details and impacted files

@@          Coverage Diff          @@
##            main   #3508   +/-   ##
=====================================
  Coverage   78.0%   78.1%           
=====================================
  Files        164     166    +2     
  Lines      11815   11845   +30     
=====================================
+ Hits        9226    9252   +26     
- Misses      2393    2395    +2     
- Partials     196     198    +2     

Files with missing lines	Coverage Δ
sdk/resource/container_id_cgroup_v1.go	100.0% <100.0%> (ø)
sdk/resource/container.go	86.6% <80.0%> (-5.7%)	⬇️
sdk/resource/container_id_cgroup_v2.go	75.0% <75.0%> (ø)

... and 1 file with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[MadVikingGod]

I found this doesn't work with podman. I tested it also with minikube docker, and found that I didn't get the proper containerID from V1, but the correct one from V2.

I made a gist of what I saw from /proc/self/cgroup and /proc/self/mointinfo https://gist.github.com/MadVikingGod/6ecba436717948c1a332c63f250f973e

[MadVikingGod]

This is very docker specific. I found with podman there is a different format for the container layers, and I am also checking containerd.

[svrnm]

The same is used in Java here (https://github.com/open-telemetry/opentelemetry-java-instrumentation/blob/ca8e7b1385d95517f28103d834aba960a0baa477/instrumentation/resources/library/src/main/java/io/opentelemetry/instrumentation/resources/CgroupV2ContainerIdExtractor.java#L27), so it would need to be fixed in both.

JavaScript is taking a different approach, I remember that we talked about containerd there and making it work:

https://github.com/open-telemetry/opentelemetry-java-instrumentation/blob/ca8e7b1385d95517f28103d834aba960a0baa477/instrumentation/resources/library/src/main/java/io/opentelemetry/instrumentation/resources/CgroupV2ContainerIdExtractor.java#L27

[svrnm]

cc @breedx-splk , @abhee11

[breedx-splk]

@svrnm Thanks for the heads-up. Looks like you pasted the same link twice, but it reads like the second one intended to link to a js discussion? Curious what the alt approach is...

[svrnm]

@breedx-splk thanks for calling out the wrong link, here's the JS one: https://github.com/open-telemetry/opentelemetry-js-contrib/blob/f0a93685cfb43543b7ca577dd370d56576b49e3f/detectors/node/opentelemetry-resource-detector-container/src/detectors/ContainerDetector.ts#L54

[MadVikingGod]

I don't think this is still the right way to capture this for V1.

When used with podman I'm capturing the userID of the pod, not a container or an empty string.

[XSAM]

I tested it also with minikube docker, and found that I didn't get the proper containerID from V1, but the correct one from V2.

I found a strange case where my minikube with Kubernetes v1.24.1 on Docker 20.10.17 does not expose the container id of the running container in the mountinfo file. Instead, it exposes the container id of the “pause” container.

1076 961 0:286 / / rw,relatime master:250 - overlay overlay rw,lowerdir=/var/lib/docker/overlay2/l/5D465AGLTKRGC5C6WYKS6HL4V2:/var/lib/docker/overlay2/l/TSSPM2QEYHI3WBSSGGKURHKT46:/var/lib/docker/overlay2/l/JR676YF42NBYUCOBKSN2ADZ4SN:/var/lib/docker/overlay2/l/MWHUAAOCGB6A6NDHB7XD3DO3BG:/var/lib/docker/overlay2/l/4ZYXIEUKFJJPC2JWW5MWLMTO5E:/var/lib/docker/overlay2/l/SUZ3KYKPSZ7N6DQJ2DH3Z6RSWD:/var/lib/docker/overlay2/l/45SS6JSP6LFRDWQO3X3QHLJ2YG,upperdir=/var/lib/docker/overlay2/376cc31f15c70b8881fd5df11c5e8fd95996dbb39c25476b969cba70cba8e8c8/diff,workdir=/var/lib/docker/overlay2/376cc31f15c70b8881fd5df11c5e8fd95996dbb39c25476b969cba70cba8e8c8/work
1077 1076 0:288 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
1078 1076 0:289 / /dev rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
1079 1078 0:290 / /dev/pts rw,nosuid,noexec,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=666
1080 1076 0:284 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs ro
1081 1080 0:33 / /sys/fs/cgroup ro,nosuid,nodev,noexec,relatime - cgroup2 cgroup rw
1082 1078 0:280 / /dev/mqueue rw,nosuid,nodev,noexec,relatime - mqueue mqueue rw
1083 1078 254:1 /docker/volumes/minikube/_data/lib/kubelet/pods/3c0722a4-41c7-4901-9163-f4b57961fe77/containers/nginx/823ef551 /dev/termination-log rw,relatime - ext4 /dev/vda1 rw
1084 1076 254:1 /docker/volumes/minikube/_data/lib/docker/containers/f9f9c232fdd59b55d94aa546f40c071a21c224677d792d323b86ca94b868a1ef/resolv.conf /etc/resolv.conf rw,relatime - ext4 /dev/vda1 rw
1085 1076 254:1 /docker/volumes/minikube/_data/lib/docker/containers/f9f9c232fdd59b55d94aa546f40c071a21c224677d792d323b86ca94b868a1ef/hostname /etc/hostname rw,relatime - ext4 /dev/vda1 rw
1086 1076 254:1 /docker/volumes/minikube/_data/lib/kubelet/pods/3c0722a4-41c7-4901-9163-f4b57961fe77/etc-hosts /etc/hosts rw,relatime - ext4 /dev/vda1 rw
1087 1078 0:279 / /dev/shm rw,nosuid,nodev,noexec,relatime - tmpfs shm rw,size=65536k
1088 1076 0:276 / /run/secrets/kubernetes.io/serviceaccount ro,relatime - tmpfs tmpfs rw,size=10189984k
962 1077 0:288 /bus /proc/bus ro,nosuid,nodev,noexec,relatime - proc proc rw
963 1077 0:288 /fs /proc/fs ro,nosuid,nodev,noexec,relatime - proc proc rw
964 1077 0:288 /irq /proc/irq ro,nosuid,nodev,noexec,relatime - proc proc rw
965 1077 0:288 /sys /proc/sys ro,nosuid,nodev,noexec,relatime - proc proc rw
966 1077 0:288 /sysrq-trigger /proc/sysrq-trigger ro,nosuid,nodev,noexec,relatime - proc proc rw
967 1077 0:289 /null /proc/kcore rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
968 1077 0:289 /null /proc/keys rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
969 1077 0:289 /null /proc/timer_list rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
1002 1077 0:289 /null /proc/sched_debug rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
1003 1080 0:291 / /sys/firmware ro,relatime - tmpfs tmpfs ro

In this case, f9f9c232fdd59b55d94aa546f40c071a21c224677d792d323b86ca94b868a1ef is not the container id of the running container. It belongs to the “pause” container. The actual container id is dbc9afa6e436346503ed45b871cc993528f1caf98adea47fb3f88186d05c28fb, which is not present in the file.

---

@MadVikingGod What was your environment to get those mountinfo with container id?

[MadVikingGod]

@MadVikingGod What was your environment to get those mountinfo with container id?

I started minikube with a different --container-runtime=[docker, cri-o, containerd].

minikube start -p cri-o --container-runtime=cri-o
...
minikube -p cri-o kubectl ...

From what I've seen I don't know if there is a reliable way to get the containerID from within the context of the running container. It does seem like docker might do it this way, but that doesn't look like it's guaranteed between versions, and different runtimes do things differently.

[XSAM]

A concrete example of reproducing the incorrect container id in the cgroup v2 file in k8s

Environment

OS: macOS 14.4.1 (ARM)
Minikube: 1.32.0
Docker Desktop: 4.31.0
k8s: v1.28.3

Steps

• minikube start --kubernetes-version=v1.28.3
• kubectl run busybox --image=busybox --restart=Never -- sleep 36000
• Get container id by running kubectl get pod busybox -o jsonpath='{.status.containerStatuses[0].containerID}'

Result:

docker://0f3deade416514b65143bdb917f86c290bf21b176d70d8ad8c4992469fdb28e6

• Go to container kubectl exec -it busybox -- sh
• Show mountinfo file by running cat /proc/self/mountinfo

Result

659 450 0:183 / / rw,relatime master:88 - overlay overlay rw,lowerdir=/var/lib/docker/overlay2/l/WFCW3YCYXTLSCCRLVDCRRKQE3E:/var/lib/docker/overlay2/l/WRMUNELZQOJ7BBEPXC2KEU7G4E,upperdir=/var/lib/docker/overlay2/6b1f50d489100ae1318b0836f13655273e471a92367a3f0d95d61d9e828d45f2/diff,workdir=/var/lib/docker/overlay2/6b1f50d489100ae1318b0836f13655273e471a92367a3f0d95d61d9e828d45f2/work
660 659 0:185 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
661 659 0:186 / /dev rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
662 661 0:187 / /dev/pts rw,nosuid,noexec,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=666
663 659 0:181 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs ro
664 663 0:31 / /sys/fs/cgroup ro,nosuid,nodev,noexec,relatime - cgroup2 cgroup rw
665 661 0:177 / /dev/mqueue rw,nosuid,nodev,noexec,relatime - mqueue mqueue rw
666 661 254:1 /docker/volumes/minikube/_data/lib/kubelet/pods/09a1493b-4967-46bd-a697-bbbdc98338f3/containers/busybox/cc228158 /dev/termination-log rw,relatime - ext4 /dev/vda1 rw,discard
667 659 254:1 /docker/volumes/minikube/_data/lib/docker/containers/6e9c5487ea0568fb016195e49935b7878926e7fda655e9b6a81d387d52c65a5a/resolv.conf /etc/resolv.conf rw,relatime - ext4 /dev/vda1 rw,discard
668 659 254:1 /docker/volumes/minikube/_data/lib/docker/containers/6e9c5487ea0568fb016195e49935b7878926e7fda655e9b6a81d387d52c65a5a/hostname /etc/hostname rw,relatime - ext4 /dev/vda1 rw,discard
669 659 254:1 /docker/volumes/minikube/_data/lib/kubelet/pods/09a1493b-4967-46bd-a697-bbbdc98338f3/etc-hosts /etc/hosts rw,relatime - ext4 /dev/vda1 rw,discard
670 661 0:176 / /dev/shm rw,nosuid,nodev,noexec,relatime - tmpfs shm rw,size=65536k
671 659 0:173 / /var/run/secrets/kubernetes.io/serviceaccount ro,relatime - tmpfs tmpfs rw,size=10179180k
451 660 0:185 /bus /proc/bus ro,nosuid,nodev,noexec,relatime - proc proc rw
452 660 0:185 /fs /proc/fs ro,nosuid,nodev,noexec,relatime - proc proc rw
453 660 0:185 /irq /proc/irq ro,nosuid,nodev,noexec,relatime - proc proc rw
454 660 0:185 /sys /proc/sys ro,nosuid,nodev,noexec,relatime - proc proc rw
455 660 0:185 /sysrq-trigger /proc/sysrq-trigger ro,nosuid,nodev,noexec,relatime - proc proc rw
456 660 0:186 /null /proc/kcore rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
462 660 0:186 /null /proc/keys rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
542 660 0:186 /null /proc/timer_list rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
543 663 0:188 / /sys/firmware ro,relatime - tmpfs tmpfs ro

The id on the mountinfo is 6e9c5487ea0568fb016195e49935b7878926e7fda655e9b6a81d387d52c65a5a.

• Show /proc/self/cgroup

Result

0::/

• Log into the minikube environment and inspect the 6e9c5487ea0568fb016195e49935b7878926e7fda655e9b6a81d387d52c65a5a.
  • minikube ssh
  • docker inspect --format='{{.Name}} {{.Config.Image}}' 6e9c5487ea0568fb016195e49935b7878926e7fda655e9b6a81d387d52c65a5a

Result

/k8s_POD_busybox_default_09a1493b-4967-46bd-a697-bbbdc98338f3_0 registry.k8s.io/pause:3.9

Summary

The container id 0f3deade416514b65143bdb917f86c290bf21b176d70d8ad8c4992469fdb28e6 is not shown in any cgroup file. The id 6e9c5487ea0568fb016195e49935b7878926e7fda655e9b6a81d387d52c65a5a from the cgroup file is the "pause" container in k8s.

[Ezetowers]

Hi @XSAM. We are using crio as container runtime and I can confirm that the approach used here also does not work for crio. The current logic added in ths PR obtains the pod ID instead of the container ID, since the container does not seem to be present in in /proc/self/mountinfo. Here is an example of what we see when we deploy a pod with two containers, where it can be seen that the ID obtained references the pod ID when crictl is used:

[root@cif-9562-nginx-example-0 /]# cat /proc/self/cgroup
0::/
[root@cif-9562-nginx-example-0 /]# cat /proc/self/mountinfo
...
6830 6821 0:25 /containers/storage/overlay-containers/b56bfad2248fc26c511c65c2580b0f684e364ecd67ebf2c23111b1acd0d5b556/userdata/resolv.conf /etc/resolv.conf rw,nosuid,nodev,noexec master:13 - tmpfs tmpfs rw,seclabel,size=316994704k,nr_inodes=819200,mode=755,inode64
6831 6821 0:25 /containers/storage/overlay-containers/b56bfad2248fc26c511c65c2580b0f684e364ecd67ebf2c23111b1acd0d5b556/userdata/hostname /etc/hostname rw master:13 - tmpfs tmpfs rw,seclabel,size=316994704k,nr_inodes=819200,mode=755,inode64
6832 6821 0:25 /containers/storage/overlay-containers/b56bfad2248fc26c511c65c2580b0f684e364ecd67ebf2c23111b1acd0d5b556/userdata/.containerenv /run/.containerenv rw master:13 - tmpfs tmpfs rw,seclabel,size=316994704k,nr_inodes=819200,mode=755,inode64
6833 6821 252:1 /kubelet/pods/1feef843-d4fb-43f0-9ee1-b937bd3e5266/etc-hosts /etc/hosts rw,relatime - xfs /dev/mapper/container-runtime rw,seclabel,attr2,inode64,logbufs=8,logbsize=32k,sunit=1024,swidth=2048,prjquota
6834 6824 252:1 /kubelet/pods/1feef843-d4fb-43f0-9ee1-b937bd3e5266/containers/container2/3c0945d7 /dev/termination-log rw,relatime - xfs /dev/mapper/container-runtime rw,seclabel,attr2,inode64,logbufs=8,logbsize=32k,sunit=1024,swidth=2048,prjquota
6835 6821 0:1789 / /run/secrets/kubernetes.io/serviceaccount ro,relatime - tmpfs tmpfs rw,seclabel,size=33554432k,inode64
...

[root@yul1-r15-u27 ~]# crictl pods | grep -i b56bfad224
b56bfad2248fc       3 hours ago         Ready               cif-9562-nginx-example-0                               infra                   0                   (default)

[root@yul1-r15-u27 ~]# crictl ps | grep -i b56bfad224
da9ba05b2ff24       nodejs20-jdk11-ol8@sha256:14c33d7aa11c9e1df379c5e9b6663ea2c0f955caf732c20ea717f0a4a695b140             3 hours ago         Running             container2              0                   b56bfad2248fc       cif-9562-nginx-example-0                 infra
a4d7d745215f4       nodejs18-jdk11-ol8@sha256:952fccba71c096590f91d9e24f145209b1ddb48ace26f1a5766e56938739eda3             3 hours ago         Running             container1              0                   b56bfad2248fc       cif-9562-nginx-example-0                 infra

Environment

OS: Oracle Linux 9 (Kernel UEK7)
K8S: v1.33.5
Container Engine: Crio 1.33.4

[pellared]

Closing as stale