Treat EROFS in cgroups setup as skippable error

Currently cgroup setup ignores permissions errors. AFAIK this helps with rootless containers: if user have permissions to change cgroups, it will have them setup, otherwise rootless container will use parent process cgroups (as it was with rootless containers before cgroups support was introduced). If cgroup is mounted in read-only mode (e.g. inside Docker container), operations will return not permission error, but EROFS - this patch treats EROFS as skippable error in cgroups setup. Signed-off-by: Vladimir Rutsky <[email protected]>
opencontainers · Nov 21, 2017 · 05d4d1d · 05d4d1d
1 parent fb6ec65
commit 05d4d1d
Showing 1 changed file with 18 additions and 1 deletion.
diff --git a/libcontainer/cgroups/fs/apply_raw.go b/libcontainer/cgroups/fs/apply_raw.go
@@ -10,6 +10,7 @@ import (
 	"os"
 	"path/filepath"
 	"sync"
+	"syscall"
 
 	"github.com/opencontainers/runc/libcontainer/cgroups"
 	"github.com/opencontainers/runc/libcontainer/configs"
@@ -100,6 +101,22 @@ type cgroupData struct {
 	pid       int
 }
 
+func isIgnorableError(err error) bool {
+	if os.IsPermission(err) {
+		return true
+	}
+
+	if perr, ok := err.(*os.PathError); ok {
+		switch perr.Err.(syscall.Errno) {
+		// Read-only file system.
+		case syscall.EROFS:
+			return true
+		}
+	}
+
+	return false
+}
+
 func (m *Manager) Apply(pid int) (err error) {
 	if m.Cgroups == nil {
 		return nil
@@ -145,7 +162,7 @@ func (m *Manager) Apply(pid int) (err error) {
 		m.Paths[sys.Name()] = p
 
 		if err := sys.Apply(d); err != nil {
-			if os.IsPermission(err) && m.Cgroups.Path == "" {
+			if isIgnorableError(err) && m.Cgroups.Path == "" {
 				// If we didn't set a cgroup path, then let's defer the error here
 				// until we know whether we have set limits or not.
 				// If we hadn't set limits, then it's ok that we couldn't join this cgroup, because