From 71740399e05bbaf64616f10f67573d91ff3e7f28 Mon Sep 17 00:00:00 2001 From: Akihiro Suda Date: Thu, 9 Jan 2020 14:58:30 +0900 Subject: [PATCH] cgroup2: unshare cgroup namespace for containers In cgroup v1 container implementations, cgroupns is not used by default because it was not available in the kernel until kernel 4.6 (May 2016), and the default behavior will not change on cgroup v1 environments, because changing the default will break compatibility and surprise users. For cgroup v2, implementations are going to unshare cgroupns by default so as to hide /sys/fs/cgroup from containers. * Discussion: https://github.com/containers/libpod/issues/4363 * Podman PR (merged): https://github.com/containers/libpod/pull/4374 * Moby PR: https://github.com/moby/moby/pull/40174 This PR enables cgroupns for containers, but pod sandboxes are untouched because probably there is no need to do. Signed-off-by: Akihiro Suda --- pkg/server/container_create_unix.go | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/pkg/server/container_create_unix.go b/pkg/server/container_create_unix.go index 2793c21f2..6b5de7528 100644 --- a/pkg/server/container_create_unix.go +++ b/pkg/server/container_create_unix.go @@ -22,6 +22,7 @@ import ( "strconv" "strings" + "github.com/containerd/cgroups" "github.com/containerd/containerd/contrib/apparmor" "github.com/containerd/containerd/contrib/seccomp" "github.com/containerd/containerd/oci" @@ -223,7 +224,15 @@ func (c *criService) containerSpec(id string, sandboxID string, sandboxPid uint3 customopts.WithAnnotation(annotations.ContainerType, annotations.ContainerTypeContainer), customopts.WithAnnotation(annotations.SandboxID, sandboxID), ) - + // cgroupns is used for hiding /sys/fs/cgroup from containers. + // For compatibility, cgroupns is not used when running in cgroup v1 mode. + // https://github.com/containers/libpod/issues/4363 + if cgroups.Mode() == cgroups.Unified { + specOpts = append(specOpts, oci.WithLinuxNamespace( + runtimespec.LinuxNamespace{ + Type: runtimespec.CgroupNamespace, + })) + } return runtimeSpec(id, specOpts...) }