Description
When running cadvisor (tested with v0.53.0) to monitor rootless docker containers (rootless docker daemon managed via a systemd user scope service), cadvisor fails to start if any user other than the user managing rootless docker is logged into the server. This appears to be a permissions error on the other user's /sys/fs/cgroup/user.slice directory.
$ uname -r
5.15.0-153-generic
$ ./cadvisor --version
cAdvisor version v0.53.0 (unknown)
$ ./cadvisor --port 9999 --docker unix://${XDG_RUNTIME_DIR}/docker.sock --docker_only
...
I0915 15:58:25.847272 491485 factory.go:103] Registering Raw factory
I0915 15:58:25.847342 491485 manager.go:1199] Started watching for new ooms in manager
W0915 15:58:25.847967 491485 manager.go:306] Could not configure a source for OOM detection, disabling OOM events: open /dev/kmsg: operation not permitted
I0915 15:58:25.848259 491485 manager.go:319] Starting recovery of all containers
F0915 15:58:25.848552 491485 cadvisor.go:173] Failed to start manager: open /sys/fs/cgroup/user.slice/user-52980.slice/[email protected]/app.slice: permission denied
I have not found any execution options to prevent cadvisor from attempting to access these other user cgroup dirs. Ideally we want to use cadvisor to only report metrics on the rootless docker containers, and not attempt to report on activities of other user cgroups (or host level metrics for that matter).
Execution environment is security hardened, which may be affecting cadvisor's ability to access other user cgroup directories. However, it seems to be unintended/undesired behavior; cadvisor should be able to be executed in a single user context without expectation of access to other user data.
Thanks!
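The failure reported above is a startup-time walk of the whole cgroup tree aborting on the first directory the unprivileged cadvisor user cannot list. As an added example (not part of the issue or of the cAdvisor project), the script below performs that walk over `/sys/fs/cgroup/user.slice` ahead of time and reports which per-user slices are readable, so the condition can be detected before cadvisor is launched. The slice names `user-1000.slice`, `user-52980.slice` and the `user@<uid>.service` path component in the demo fixture are constructed to follow systemd's naming convention; the fixture is a temporary directory, not a real cgroup tree.

```python
"""Preflight probe: which per-user cgroup slices can the current user read?

A recursive walk of /sys/fs/cgroup stops at the first directory it cannot
list, so one unreadable slice belonging to another logged-in user is enough
to fail startup. This probe reproduces that walk and reports per slice.
"""
import os
import tempfile
from typing import Dict, List


def probe_user_slices(cgroup_root: str) -> Dict[str, str]:
    """Return {slice_name: 'ok' | 'denied'} for every user-*.slice under
    <cgroup_root>/user.slice. An absent user.slice yields an empty dict."""
    user_slice = os.path.join(cgroup_root, "user.slice")
    results: Dict[str, str] = {}
    try:
        entries = sorted(os.listdir(user_slice))
    except FileNotFoundError:
        return results
    for name in entries:
        if name.startswith("user-") and name.endswith(".slice"):
            results[name] = _walk_status(os.path.join(user_slice, name))
    return results


def _walk_status(top: str) -> str:
    """Descend into every subdirectory of `top`; the first directory we are
    not allowed to list makes the whole slice 'denied'."""
    stack = [top]
    while stack:
        cur = stack.pop()
        try:
            for child in os.listdir(cur):
                full = os.path.join(cur, child)
                if os.path.isdir(full) and not os.path.islink(full):
                    stack.append(full)
        except PermissionError:
            return "denied"
        except FileNotFoundError:
            # A session cgroup can vanish between listing and descent
            # (user logged out); that is not a permission problem.
            continue
    return "ok"


def denied_slices(results: Dict[str, str]) -> List[str]:
    """Sorted list of slice names that a recursive walk cannot complete."""
    return sorted(name for name, status in results.items() if status == "denied")


def running_as_root() -> bool:
    """root bypasses directory permission checks, so it never sees 'denied'."""
    return os.geteuid() == 0


def build_demo_tree() -> str:
    """Constructed fixture: a fake cgroup root with one readable user slice
    (uid 1000) and one slice (uid 52980) whose user@ service dir is mode 000.
    Names are made up to mirror systemd's layout; nothing here is a real cgroup."""
    root = tempfile.mkdtemp(prefix="cgroup-demo-")
    own = os.path.join(root, "user.slice", "user-1000.slice",
                       "user@1000.service", "app.slice")
    other_service = os.path.join(root, "user.slice", "user-52980.slice",
                                 "user@52980.service")
    os.makedirs(own)
    os.makedirs(os.path.join(other_service, "app.slice"))
    os.chmod(other_service, 0o000)  # simulate another user's private slice
    return root


if __name__ == "__main__":
    # Probe the live tree first, then the constructed fixture for comparison.
    for label, root in (("live", "/sys/fs/cgroup"), ("demo", build_demo_tree())):
        results = probe_user_slices(root)
        print(f"[{label}] {len(results)} user slice(s); denied: {denied_slices(results)}")
        if denied_slices(results):
            print(f"[{label}] a recursive cgroup walk from this account would fail here")
```

Run as the rootless docker user while another account is logged in; a non-empty "denied" list on the live tree is exactly the state in which the `Failed to start manager ... permission denied` log line above appears, and it identifies which foreign slice causes it without having to start cadvisor.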