Stack trace of mount command shows File not found error

Question

When I run a program, I am getting a mount error:

[root@host ~]# ip vrf exec wan1 /usr/sbin/ssh root@1.2.3.4
Failed to mount cgroup2: No such file or directory

I know my kernel supports cgroup2:

[root@host network-scripts]# cat /proc/filesystems 
nodev   sysfs
nodev   rootfs
nodev   ramfs
nodev   bdev
nodev   proc
nodev   cpuset
nodev   cgroup
nodev   cgroup2
nodev   tmpfs
nodev   devtmpfs
nodev   configfs
nodev   debugfs
nodev   tracefs
nodev   securityfs
nodev   sockfs
nodev   dax
nodev   bpf
nodev   pipefs
nodev   hugetlbfs
nodev   devpts
nodev   autofs
nodev   pstore
nodev   efivarfs
nodev   mqueue
nodev   selinuxfs
        xfs
        vfat

Here is the trace of the failing mount:

[root@host tmp]# strace -e trace=mount ip vrf exec wan1 /usr/sbin/ssh root@1.2.3.4
mount("none", "/var/run/cgroup2", "cgroup2", 0, NULL) = -1 ENOENT (No such file or directory)
Failed to mount cgroup2: No such file or directory
+++ exited with 1 +++
[root@host tmp]# 

I have the empty directory present:

[root@host tmp]# ls -la /var/run/cgroup2
total 0
drwxr-xr-x.  2 root root  40 Jul 31 12:53 .
drwxr-xr-x. 27 root root 800 Jul 31 13:25 ..
[root@host tmp]# 

Any ideas why I am getting that error? I am running on Centos 7 with kernel 4.17.10-1

Thanks for any help

[root@host tmp]# strace ip vrf exec wan1 /usr/sbin/ssh root@1.2.3.4
execve("/usr/sbin/ip", ["ip", "vrf", "exec", "wan1", "/usr/sbin/ssh", "root@1.2.3.4"], [/* 25 vars */]) = 0
brk(NULL)                               = 0x1714000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa21313c000
access("/etc/ld.so.preload", R_OK)      = 0
open("/etc/ld.so.preload", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
close(3)                                = 0
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=32868, ...}) = 0
mmap(NULL, 32868, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fa213133000
close(3)                                = 0
open("/lib64/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0`\16\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=19776, ...}) = 0
mmap(NULL, 2109744, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fa212d18000
mprotect(0x7fa212d1a000, 2097152, PROT_NONE) = 0
mmap(0x7fa212f1a000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7fa212f1a000
close(3)                                = 0
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P%\2\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=2173512, ...}) = 0
mmap(NULL, 3981792, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fa21294b000
mprotect(0x7fa212b0e000, 2093056, PROT_NONE) = 0
mmap(0x7fa212d0d000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1c2000) = 0x7fa212d0d000
mmap(0x7fa212d13000, 16864, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fa212d13000
close(3)                                = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa213132000
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa213130000
arch_prctl(ARCH_SET_FS, 0x7fa213130740) = 0
mprotect(0x7fa212d0d000, 16384, PROT_READ) = 0
mprotect(0x7fa212f1a000, 4096, PROT_READ) = 0
mprotect(0x669000, 4096, PROT_READ)     = 0
mprotect(0x7fa21313d000, 4096, PROT_READ) = 0
munmap(0x7fa213133000, 32868)           = 0
socket(AF_NETLINK, SOCK_RAW|SOCK_CLOEXEC, NETLINK_ROUTE) = 3
setsockopt(3, SOL_SOCKET, SO_SNDBUF, [32768], 4) = 0
setsockopt(3, SOL_SOCKET, SO_RCVBUF, [1048576], 4) = 0
setsockopt(3, SOL_NETLINK, 11, [1], 4)  = 0
bind(3, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
getsockname(3, {sa_family=AF_NETLINK, pid=1736, groups=00000000}, [12]) = 0
sendmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{",\0\0\0\22\0\1\0\347\305`[\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 44}], msg_controllen=0, msg_flags=0}, 0) = 44
recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{NULL, 0}], msg_controllen=0, msg_flags=MSG_TRUNC}, MSG_PEEK|MSG_TRUNC) = 1316
brk(NULL)                               = 0x1714000
brk(0x1735000)                          = 0x1735000
brk(NULL)                               = 0x1735000
recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"$\5\0\0\20\0\0\0\347\305`[\310\6\0\0\0\0\1\0\6\0\0\0\301\4\1\0\0\0\0\0"..., 1316}], msg_controllen=0, msg_flags=0}, 0) = 1316
open("/proc/mounts", O_RDONLY)          = 4
fstat(4, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa21313b000
read(4, "sysfs /sys sysfs rw,seclabel,nos"..., 1024) = 1024
read(4, "0 0\ncgroup /sys/fs/cgroup/pids c"..., 1024) = 1024
read(4, "emd-1 /proc/sys/fs/binfmt_misc a"..., 1024) = 580
read(4, "", 1024)                       = 0
read(4, "", 1024)                       = 0
close(4)                                = 0
munmap(0x7fa21313b000, 4096)            = 0
stat("/var", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat("/var/run", {st_mode=S_IFDIR|0755, st_size=800, ...}) = 0
stat("/var/run/cgroup2", {st_mode=S_IFDIR|0755, st_size=40, ...}) = 0
mount("none", "/var/run/cgroup2", "cgroup2", 0, NULL) = -1 ENOENT (No such file or directory)
write(2, "Failed to mount cgroup2: No such"..., 51Failed to mount cgroup2:No such file or directory) = 51
exit_group(1)                           = ?
+++ exited with 1 +++

Answer 1

Depending on your systemd version, it could be a bug. Try running the command with UNIFIED_CGROUP_HIERARCHY=no prefixed, i.e.

[root@host ~]# UNIFIED_CGROUP_HIERARCHY=no ip vrf exec wan1 /usr/sbin/ssh root@1.2.3.4

This will cause systemd to fallback to hybrid or full legacy cgroup hierarchy. See https://www.freedesktop.org/software/systemd/man/systemd.html#systemd.unified_cgroup_hierarchy