Skip to content

oci: make sure cgroupns is enabled if supported#4003

Merged
tonistiigi merged 2 commits intomoby:masterfrom
tonistiigi:oci-cgroupns
Jul 10, 2023
Merged

oci: make sure cgroupns is enabled if supported#4003
tonistiigi merged 2 commits intomoby:masterfrom
tonistiigi:oci-cgroupns

Conversation

@tonistiigi
Copy link
Copy Markdown
Member

@tonistiigi tonistiigi commented Jul 7, 2023

This is not set by default by containerd default spec but needed for the cgroup mounts to be scoped to the ID by runc.

closes #3985

@tonistiigi
oci: make sure cgroupns is enabled if supported
c963649 
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
AkihiroSuda
AkihiroSuda reviewed Jul 8, 2023
View reviewed changes
Comment thread executor/oci/spec_unix.go
return fmt.Sprintf("unix://%s", tracingSocketPath)
}

func cgroupNamespaceSupported() bool {
Copy link
Copy Markdown
Member

@AkihiroSuda AkihiroSuda Jul 8, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Moby, containerd, etc. disables cgroup namespace on cgroup v1 regardless to kernel version/config.

Copy link
Copy Markdown
Member Author

@tonistiigi tonistiigi Jul 8, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Where is this done? In Runc code I see it checks ns existence for both cgroup versions.

https://github.com/opencontainers/runc/blob/main/libcontainer/rootfs_linux.go#L268

Copy link
Copy Markdown
Member

@AkihiroSuda AkihiroSuda Jul 8, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://github.com/moby/moby/blob/c57097bcd461fcbc31f52b249c336f5c2e9732e8/daemon/daemon_unix.go#L345-L347

Copy link
Copy Markdown
Member Author

@tonistiigi tonistiigi Jul 10, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Iiuc this means privileged containers get host cgroups on v1? Is this what you mean and we should replicate it for --security=insecure. I don't quite see how it makes sense though to have different behaviour for privileged containers based on group versions.

Copy link
Copy Markdown
Member

@crazy-max crazy-max Jul 10, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also see these consts in moby https://github.com/moby/moby/blob/462d6ef826861fad021fb565c0481fb61d2db6bc/daemon/config/config_linux.go#L23-L27 now used in https://github.com/moby/moby/blob/462d6ef826861fad021fb565c0481fb61d2db6bc/daemon/config/config_linux.go#L189-L193. So if not v2 then always set host mode.

@tonistiigi
update cgroup parent test to work with cgroupns
45b3856 
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
@tonistiigi tonistiigi added this to the v0.12.0 milestone Jul 10, 2023
@tonistiigi tonistiigi merged commit f21a96c into moby:master Jul 10, 2023
@tonistiigi
Copy link
Copy Markdown
Member Author

tonistiigi commented Jul 10, 2023

@AkihiroSuda Merging for v0.12 rc2. Lmk if you think any follow-ups are needed.

@tiborvass
Copy link
Copy Markdown
Collaborator

tiborvass commented Jul 10, 2023

LGTM

@ljmf00 ljmf00 mentioned this pull request Aug 4, 2023
Closed
@onyxraven onyxraven mentioned this pull request Aug 11, 2023
Closed
5 tasks
@mook-as mook-as mentioned this pull request Oct 4, 2023
Merged
@jedevc jedevc mentioned this pull request Nov 13, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@AkihiroSuda AkihiroSuda AkihiroSuda left review comments

@crazy-max crazy-max crazy-max approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

v0.12.0

Development

Successfully merging this pull request may close these issues.

4 participants

@tonistiigi @tiborvass @crazy-max @AkihiroSuda