Merge pull request #11151 from k8s-infra-cherrypick-robot/cherry-pick…

…-11104-to-release/2.0 [release/2.0] internal/cri: should not apply IoOwner options if it's not user namespace
containerd · Dec 12, 2024 · 8c6dd50 · 8c6dd50
2 parents e9004f0 + 018d836
commit 8c6dd50
Showing 1 changed file with 12 additions and 4 deletions.
diff --git a/internal/cri/server/container_start_linux.go b/internal/cri/server/container_start_linux.go
@@ -31,11 +31,19 @@ func updateContainerIOOwner(ctx context.Context, cntr containerd.Container, conf
 		return nil, nil
 	}
 
-	// FIXME(fuweid): Ideally, the pipe owner should be aligned with process owner.
-	// No matter what user namespace container uses, it should work well. However,
-	// it breaks the sig-node conformance case - [when querying /stats/summary should report resource usage through the stats api].
+	// FIXME(fuweid):
+	//
+	// For builtin runc runtime, the pipe owner should be aligned with process
+	// owner. No matter what user namespace container uses, it should work
+	// well.
+	//
+	// However, gVisor runtime doesn't support runc.Options and no idea why
+	// adding options could breaks the sig-node conformance case [when querying /stats/summary should report resource usage through the stats api].
 	// In order to keep compatible, the change should apply to user namespace only.
-	if config.GetLinux().GetSecurityContext().GetNamespaceOptions().GetUsernsOptions() == nil {
+	//
+	// REF: https://github.com/containerd/containerd/issues/11091
+	usernsOpts := config.GetLinux().GetSecurityContext().GetNamespaceOptions().GetUsernsOptions()
+	if usernsOpts == nil || usernsOpts.Mode == runtime.NamespaceMode_NODE {
 		return nil, nil
 	}