Skip to content

fix: cgroup path issue#1998

Closed
lifubang wants to merge 2 commits intoopencontainers:mainfrom
lifubang:cgrouppath
Closed

fix: cgroup path issue#1998
lifubang wants to merge 2 commits intoopencontainers:mainfrom
lifubang:cgrouppath

Conversation

@lifubang
Copy link
Copy Markdown
Member

@lifubang lifubang commented Feb 27, 2019

At that time, if there is no user defined CgroupsPath, we use container's name as cgroup path.
It will cause cgroup rewrite by different containers with the same id in different root path.

For example:
container test in /run/runc

root@test:/opt/busybox# runc create test
root@test:/opt/busybox# runc list
ID          PID         STATUS      BUNDLE                                            CREATED                          OWNER
test        29438       created     /opt/busybox   2019-02-27T07:04:14.333865241Z   root
root@test:/opt/busybox# runc ps test
UID        PID  PPID  C STIME TTY          TIME CMD
root     29438     1  0 15:04 ?        00:00:00 runc init

container test in ./runc

root@test:/opt/busybox# runc --root ./runc create test
root@test:/opt/busybox# runc --root ./runc list
ID          PID         STATUS      BUNDLE                                            CREATED                          OWNER
test        29556       created     /opt/busybox   2019-02-27T07:04:31.913650184Z   root

Then cgroup content error

root@test:/opt/busybox# runc ps test
UID        PID  PPID  C STIME TTY          TIME CMD
root     29438     1  0 15:04 ?        00:00:00 runc init
root     29556     1  0 15:04 ?        00:00:00 runc init

And rootless container can't create successful.

test@test:~/busybox$ runc --root ./runc create test
container_linux.go:348: starting container process caused "process_linux.go:279: applying cgroup configuration for process caused \"failed to write 30288 to cgroup.procs: open /sys/fs/cgroup/cpuset/test/cgroup.procs: permission denied\""

Because this cgroup path has already created by root.

To fix this problem, we can append a suffix uuid string to the cgroup name.

Signed-off-by: lifubang lifubang@acmcoder.com

@lifubang
vendor google/uuid
dca0fba 
Signed-off-by: lifubang <lifubang@acmcoder.com>
@lifubang
append a suffix uuid string for cgroup name
3830c4c 
Signed-off-by: lifubang <lifubang@acmcoder.com>
@AkihiroSuda
Copy link
Copy Markdown
Member

AkihiroSuda commented Jun 1, 2020

At that time, if there is no user defined CgroupsPath, we use container's name as cgroup path.
It will cause cgroup rewrite by different containers with the same id in different root path.

Can we just document this behavior and call it a day?

cc @kolyshkin

@kolyshkin kolyshkin self-assigned this Feb 9, 2021
@kolyshkin
Copy link
Copy Markdown
Contributor

kolyshkin commented Dec 15, 2025

For quite some time we have implemented a policy to not use an existing cgroup which has processes (see #3223, 82bc89c, #3780). I think this is sufficient to solve the problem described here.

@kolyshkin kolyshkin closed this Dec 15, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@kolyshkin kolyshkin

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@lifubang @AkihiroSuda @kolyshkin