Overview of Issue
If you are using a newer systemd then your container will get stuck in ContainerCreating state on your provider with gVisor enabled.
Indication of Error
You may see the following Events in the logs upon use of kubectl describe pod
Warning FailedCreatePodSandBox 2m57s (x25 over 3m21s) kubeletFailed to create pod sandbox: rpc error: code = Unknown desc = failed tocreate containerd task: failed to create shim: OCI runtime create failed:creating container: cgroups V2 is not yet supported. Enable cgroups V1 and\retry: unknown Warning FailedCreatePodSandBox 0s (x13 over 12s) kubelet Failed tocreate pod sandbox: rpc error: code = Unknown desc = failed to createcontainerd task: failed to create shim: OCI runtime create failed: creatingcontainer: write/sys/fs/cgroup/kubepods/besteffort/pod7a38b06d-4c96-49ff-bc4a-3d8288892b3b/cgroup.procs: device or resource busy: unknownCause of Error
The new systemd 247.2-2 has switched to a new “unified” cgroup hierarchy (i.e. cgroup v2) which is not supported by gVisor.
Ubuntu version 21.10 is affected.
Support References
- systemd switches to the “unified” cgroup hierarchy documentation
- systemd-cgroup support in gVisor documentation
Workaround
Apply the following on each Kubernetes node in order to switch back to cgroup v1
echo 'GRUB_CMDLINE_LINUX=systemd.unified_cgroup_hierarchy=false' > /etc/default/grub.d/cgroup.cfgupdate-grubreboot
