From b8dc9a889f3d945bcd0f02f8ca34eb2e579e8b0e Mon Sep 17 00:00:00 2001
From: Konstantin Baranov
Date: Tue, 15 Sep 2020 20:50:07 -0700
Subject: [PATCH 1/4] Use container ID as cgroup name if not provided

Useful when you want to run multiple containers with the same config. And runc does that too.
---
 runsc/container/container.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/runsc/container/container.go b/runsc/container/container.go
index 7ad09bf23..15c445754 100644
--- a/runsc/container/container.go
+++ b/runsc/container/container.go
@@ -311,6 +311,10 @@ func New(conf *boot.Config, args Args) (*Container, error) {
 if isRoot(args.Spec) {
 log.Debugf("Creating new sandbox for container %q", args.ID)
+ if args.Spec.Linux != nil && args.Spec.Linux.CgroupsPath == "" {
+ args.Spec.Linux.CgroupsPath = "/" + args.ID
+ }
+
 // Create and join cgroup before processes are created to ensure they are
 // part of the cgroup from the start (and all their children processes).
 cg, err := cgroup.New(args.Spec)
From 6321eccddce2b59976454799dcd25bc60ce5b0e8 Mon Sep 17 00:00:00 2001
From: Konstantin Baranov
Date: Fri, 2 Oct 2020 14:37:55 -0700
Subject: [PATCH 2/4] Treat absent "linux" section is empty "cgroupsPath" too
---
 runsc/container/container.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/runsc/container/container.go b/runsc/container/container.go
index 15c445754..21a01b5de 100644
--- a/runsc/container/container.go
+++ b/runsc/container/container.go
@@ -311,7 +311,10 @@ func New(conf *boot.Config, args Args) (*Container, error) {
 if isRoot(args.Spec) {
 log.Debugf("Creating new sandbox for container %q", args.ID)
- if args.Spec.Linux != nil && args.Spec.Linux.CgroupsPath == "" {
+ if args.Spec.Linux == nil {
+ args.Spec.Linux = &specs.Linux{}
+ }
+ if args.Spec.Linux.CgroupsPath == "" {
 args.Spec.Linux.CgroupsPath = "/" + args.ID
 }
From a2a27eedf44303a60f580e03be617124ce35bb17 Mon Sep 17 00:00:00 2001
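Review bot: In PATCH 1/4, `args.Spec.Linux.CgroupsPath = "/" + args.ID` turns the container ID into a cgroup path, and nothing in the hunk shows the ID being limited to a single path component. If the ID is not validated earlier in `New` (its body starts outside the hunk), an ID containing `/` or `..` would make the sandbox join or create a cgroup other than its own. I would confirm that and record it next to the assignment, e.g. `// args.ID has been validated and cannot contain path separators.`. The assignment also edits the caller's spec in place, so the defaulted path presumably shows up wherever that spec is later saved or reported.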
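Review bot: In PATCH 2/4, `args.Spec.Linux = &specs.Linux{}` fills in a nil section on the caller's spec, which can affect more than the cgroup default. Any later code that treats `Spec.Linux == nil` as "section absent" may now see an empty section instead, and the cgroup install further down `New` (outside this hunk) would be handed a nil `Resources`. I would either leave the spec untouched and carry the default path in a local, or add a comment such as `// Linux is created only to hold the default CgroupsPath; all other fields stay unset.` and check that the install path tolerates nil resources.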
From: Konstantin Baranov
Date: Tue, 6 Oct 2020 15:34:02 -0700
Subject: [PATCH 3/4] Ignore errors in rootless and test modes
---
 runsc/container/container.go | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/runsc/container/container.go b/runsc/container/container.go
index 21a01b5de..878432dbb 100644
--- a/runsc/container/container.go
+++ b/runsc/container/container.go
@@ -327,7 +327,16 @@ func New(conf *boot.Config, args Args) (*Container, error) {
 if cg != nil {
 // If there is cgroup config, install it before creating sandbox process.
 if err := cg.Install(args.Spec.Linux.Resources); err != nil {
- return nil, fmt.Errorf("configuring cgroup: %v", err)
+ switch {
+ case errors.Is(err, syscall.EROFS) && conf.TestOnlyAllowRunAsCurrentUserWithoutChroot:
+ log.Warningf("Skipping cgroup configuration in test mode: %v", err)
+ cg = nil
+ case errors.Is(err, syscall.EACCES) && conf.Rootless:
+ log.Warningf("Skipping cgroup configuration in rootless mode: %v", err)
+ cg = nil
+ default:
+ return nil, fmt.Errorf("configuring cgroup: %v", err)
+ }
 }
 }
 if err := runInCgroup(cg, func() error {
From d579ed85052dfba0579bd3286b6ae04210e4f975 Mon Sep 17 00:00:00 2001
From: Konstantin Baranov
Date: Tue, 20 Oct 2020 20:03:04 -0700
Subject: [PATCH 4/4] Do not even try forcing cgroups in tests
---
 runsc/container/container.go | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/runsc/container/container.go b/runsc/container/container.go
index 878432dbb..d44b27958 100644
--- a/runsc/container/container.go
+++ b/runsc/container/container.go
@@ -314,7 +314,8 @@ func New(conf *boot.Config, args Args) (*Container, error) {
 if args.Spec.Linux == nil {
 args.Spec.Linux = &specs.Linux{}
 }
- if args.Spec.Linux.CgroupsPath == "" {
+ // Don't force the use of cgroups in tests because they lack permission to do so.
+ if args.Spec.Linux.CgroupsPath == "" && !conf.TestOnlyAllowRunAsCurrentUserWithoutChroot {
 args.Spec.Linux.CgroupsPath = "/" + args.ID
 }
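Review bot: In PATCH 3/4 the `conf.Rootless` branch fails open: when `cg.Install` returns EACCES the sandbox is started with `cg = nil`, so any limits the spec set under `Linux.Resources` are dropped with only a warning. That is reasonable for a cgroup path that was defaulted from the container ID, but not when the operator asked for limits; I would at least narrow the case to `case errors.Is(err, syscall.EACCES) && conf.Rootless && args.Spec.Linux.Resources == nil:` and let everything else reach `default`. The same branch is kept by the second hunk of PATCH 4/4. Both cases also depend on `Install` wrapping the errno so that `errors.Is` can see it, and on nothing being left behind by a partly completed install; neither is visible in the hunk.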
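Review bot: In the first hunk of PATCH 4/4 the production default is switched off by `conf.TestOnlyAllowRunAsCurrentUserWithoutChroot`, so runs with that flag no longer exercise the ID-derived cgroup path at all, while rootless runs still get the path and rely on the EACCES fallback. The added comment explains the test case only; I would extend it to say why the two unprivileged modes are handled differently, e.g. `// Tests cannot create cgroups, so no path is defaulted for them; rootless mode still tries and falls back on EACCES below.`. `New` starts and ends outside the hunk.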
@@ -328,9 +329,6 @@ func New(conf *boot.Config, args Args) (*Container, error) {
 // If there is cgroup config, install it before creating sandbox process.
 if err := cg.Install(args.Spec.Linux.Resources); err != nil {
 switch {
- case errors.Is(err, syscall.EROFS) && conf.TestOnlyAllowRunAsCurrentUserWithoutChroot:
- log.Warningf("Skipping cgroup configuration in test mode: %v", err)
- cg = nil
 case errors.Is(err, syscall.EACCES) && conf.Rootless:
 log.Warningf("Skipping cgroup configuration in rootless mode: %v", err)
 cg = nil