Enable cgroupsv2 rw mount via security-opt unmask #9536
Conversation
jmguzik
force-pushed
the
enable-cgroupsv2-sec-opts
branch
from
cfa716f to
0a645fa
Compare
| return ro | ||
| } | ||
|
|
||
| if unmask != nil && unmask[0] == "ALL" { |
There was a problem hiding this comment.
Currently if ALL then "rw". I am not sure if this is desired.
There was a problem hiding this comment.
I would say yes, And I think you should add
strings.ToUpper(unmask[0]) == "ALL"
There was a problem hiding this comment.
I don't think it's needed. This condition is described in BlockAccessToKernelFilesystems (line 154). I think that documentation indicates it should be ALL, not other variations.
jmguzik
force-pushed
the
enable-cgroupsv2-sec-opts
branch
6 times, most recently
from
99bfb93 to
b892f59
Compare
Signed-off-by: Jakub Guzik <[email protected]>
jmguzik
force-pushed
the
enable-cgroupsv2-sec-opts
branch
from
b892f59 to
d9cb135
Compare
|
/cc @rhatdan |
|
Don't worry about that one, it's not a blocking test. We can merge with it red. |
|
LGTM on my end |
|
@containers/podman-maintainers PTAL |
|
I swear I did this over the weekend, but can not find my patch, but your PR looks much nicer and has a nice tests. Thanks @jmguzik |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jmguzik, rhatdan The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci-robot
added
the
approved
|
/hold |
openshift-ci-robot
added
the
do-not-merge/hold
|
Actually @jmguzik I just remembered one of the changes I had done, was to add /sys/fs/cgroup to the podman run and podman create man pages. |
|
Yes, i will add it. |
Hope now its done. |
jmguzik
force-pushed
the
enable-cgroupsv2-sec-opts
branch
from
05b83a2 to
0a2bb71
Compare
|
LGTM |
|
/lgtm |
|
Restarted two flakes |
|
Flakes are not related to the change. It seems node 1 is failing. |
|
The F33 integration failure is consistent, not a flake. Not sure what's going on. |
The only change in the code was documentation (adding ** near /sys/fs/cgroup). Previously 3x times it passed without problems. Whatever this is, it's not related to the changes. |
|
This fail looks like an infrastructure problem. |
|
Hm. @cevich Any ideas? |
|
@jmguzik Recommendation: make a small change to a comment somewhere in the code (spelling fix or similar) and force push with that. Should be enough to cause CI to re-fire. |
@mheon yeh, I know that. Even the commit date is enough... but the question is: will it recreate the whole CI infra or just recreate jobs in-place? Anyway, I will try that... |
Signed-off-by: Jakub Guzik <[email protected]>
jmguzik
force-pushed
the
enable-cgroupsv2-sec-opts
branch
from
0a2bb71 to
81a3f8a
Compare
Likely good advice. I've seen that "missing binary" error before (under different conditions), it's caused by bad/broken/failed caching from the related "Build for XYZ" tasks. My experience is re-running them didn't help, so restarting the whole CI job is the right move. Please poke me if this happens again (it's a somewhat fragile area of our CI setup). |
|
@mheon in the end, you were right 👍 |
|
/lgtm |
openshift-ci-robot
removed
the
do-not-merge/hold
github-actions
bot
added
the
locked - please file new issue/PR
/fixes #8441
/Closes #8441
Introduces cgroupsv2 mounting for rootless and non privileged.
Fixes:
./bin/podman run --security-opt unmask=/sys/fs/cgroup alpine mkdir /sys/fs/cgroup/eee mkdir: can't create directory '/sys/fs/cgroup/eee': Read-only file systemPlease review the design. Things to consider:
I will write docs after the design review.