Summary
On Docker Desktop Kubernetes, the container's cgroup path resolves to / (from /proc/self/cgroup returning 0::/). emitCgroupPath() in cmd/leash-entry/main.go:236 explicitly skips / as invalid, so /leash/cgroup-path is never written. Leashd then fails at startup with cgroup path required (set --cgroup) before reaching network configuration.
This is separate from the xt_cgroup kernel support issue fixed in #66 — even with that fix, leashd cannot start on Docker Desktop K8s because cgroup path validation fails first.
Affected code
cmd/leash-entry/main.go:236 — skips / as cgroup path
internal/leashd/runtime.go:258-271 — requires valid cgroup path for BPF LSM enforcement
Environment
- Docker Desktop with Kubernetes enabled (macOS, LinuxKit kernel)
- Pod containers report 0::/ in /proc/self/cgroup
Context
Discovered while investigating #64. The iptables crash from #64 was fixed by #66, but the cgroup path discovery failure is a separate issue that prevents leashd from starting at all on K8s environments where cgroup paths aren't discoverable.
Leashd needs a valid cgroup path for BPF LSM (file open, exec, connect enforcement), not just for iptables. A fix likely requires either:
- supporting a degraded mode without BPF LSM when cgroup path is unavailable
- alternative cgroup path discovery for Kubernetes (e.g., from pod UID or container ID via /sys/fs/cgroup enumeration)
Ref: #60, #64, #66
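The two pieces described above, written out as an added example (this is not leash's code; the function names, the assumed cgroup v2 mount path /sys/fs/cgroup, the hypothetical pid argument and the sample /proc/self/cgroup lines are all constructed here): a parser for the unified-hierarchy line of /proc/self/cgroup that reports the root case (0::/) as a distinct condition rather than silently dropping it, and a /sys/fs/cgroup enumeration fallback that finds the cgroup whose cgroup.procs lists a given pid. DiscoverCgroupPath chains them and returns ErrRootCgroup only when both fail, so a caller can choose a degraded mode instead of exiting with "cgroup path required".

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// ErrRootCgroup signals that /proc/self/cgroup resolved to the unified-hierarchy
// root ("0::/"), as Docker Desktop Kubernetes pods report. It lets callers tell
// "root" apart from "no cgroup v2 entry at all".
var ErrRootCgroup = errors.New("cgroup path resolves to root (/)")

var errFound = errors.New("found") // sentinel used to stop the walk early

// ParseCgroupV2Path extracts the cgroup path from /proc/self/cgroup content.
// Each line is "hierarchy-ID:controller-list:path"; the cgroup v2 (unified)
// entry is the one with ID 0 and an empty controller list.
func ParseCgroupV2Path(content string) (string, error) {
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		parts := strings.SplitN(strings.TrimSpace(sc.Text()), ":", 3)
		if len(parts) != 3 || parts[0] != "0" || parts[1] != "" {
			continue // v1 controller line or malformed line
		}
		if parts[2] == "/" {
			return "/", ErrRootCgroup
		}
		return parts[2], nil
	}
	return "", errors.New("no cgroup v2 entry in /proc/self/cgroup")
}

// FindCgroupByPID walks a cgroup v2 mount (assumed /sys/fs/cgroup) and returns
// the mount-relative path of the cgroup whose cgroup.procs lists pid. Caveat:
// inside a private cgroup namespace the mount is rooted at the container's own
// cgroup, so the walk legitimately returns "/" again; only a host-view mount
// (for example a hostPath volume) yields the full kubepods path.
func FindCgroupByPID(mount string, pid int) (string, error) {
	want := strconv.Itoa(pid)
	found := ""
	err := filepath.WalkDir(mount, func(path string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil || d.IsDir() || d.Name() != "cgroup.procs" {
			return nil // unreadable entries are skipped, not fatal
		}
		data, err := os.ReadFile(path)
		if err != nil {
			return nil
		}
		for _, line := range strings.Split(string(data), "\n") {
			if strings.TrimSpace(line) != want {
				continue
			}
			rel, err := filepath.Rel(mount, filepath.Dir(path))
			if err != nil {
				return err
			}
			found = "/" + filepath.ToSlash(rel)
			if found == "/." {
				found = "/"
			}
			return errFound
		}
		return nil
	})
	if errors.Is(err, errFound) {
		return found, nil
	}
	if err != nil {
		return "", err
	}
	return "", fmt.Errorf("pid %d not found under %s", pid, mount)
}

// DiscoverCgroupPath parses /proc/self/cgroup first; on the root case it tries
// the mount walk; if that is also root (or fails) it returns ErrRootCgroup so
// the caller can decide between a degraded mode (no BPF LSM) and a hard error.
func DiscoverCgroupPath(procSelfCgroup, mount string, pid int) (string, error) {
	p, err := ParseCgroupV2Path(procSelfCgroup)
	if !errors.Is(err, ErrRootCgroup) {
		return p, err
	}
	alt, altErr := FindCgroupByPID(mount, pid)
	if altErr != nil || alt == "/" {
		return "/", ErrRootCgroup
	}
	return alt, nil
}

func main() {
	// Constructed sample lines, not captured from the issue's environment.
	for _, sample := range []string{"0::/kubepods/burstable/pod-x/ctr-y\n", "0::/\n"} {
		p, err := ParseCgroupV2Path(sample)
		fmt.Printf("%q -> path=%q err=%v\n", strings.TrimSpace(sample), p, err)
	}
	if data, err := os.ReadFile("/proc/self/cgroup"); err == nil {
		p, err := DiscoverCgroupPath(string(data), "/sys/fs/cgroup", os.Getpid())
		fmt.Printf("this process: path=%q err=%v\n", p, err)
	}
}
```

On a Docker Desktop pod the first step yields "/" with ErrRootCgroup; whether the fallback can do better depends on which view of the cgroup filesystem the container sees, which is why the error is surfaced rather than treated as "no path".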