author | Giuseppe Scrivano <gscrivan@redhat.com> | 2022-06-30 14:36:53 +0200 |
---|---|---|
committer | Giuseppe Scrivano <gscrivan@redhat.com> | 2022-06-30 14:51:18 +0200 |
commit | bd51410b8d16093e9c397b1e620baa08e910890c (patch) | |
tree | 62f30a98549026623489e2c9d1313ff943778464 | |
parent | 5c39797624793be5d7bfd143a0a35d357840214d (diff) | |
service: do not run under the root cgroup
At startup, when running on a cgroup v2 system, check whether the current
process is running in the root cgroup and, if so, move it to a sub-cgroup;
otherwise Podman is not able to create cgroups and move processes
there.
Closes: https://github.com/containers/podman/issues/14573
[NO NEW TESTS NEEDED] it needs nested podman
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
-rw-r--r-- | cmd/podman/system/service_abi.go | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/cmd/podman/system/service_abi.go b/cmd/podman/system/service_abi.go
index 7cb1b8084..70b8952bd 100644
--- a/cmd/podman/system/service_abi.go
+++ b/cmd/podman/system/service_abi.go
@@ -10,11 +10,13 @@ import (
 	"os"
 	"path/filepath"
 
+	"github.com/containers/common/pkg/cgroups"
 	"github.com/containers/podman/v4/cmd/podman/registry"
 	api "github.com/containers/podman/v4/pkg/api/server"
 	"github.com/containers/podman/v4/pkg/domain/entities"
 	"github.com/containers/podman/v4/pkg/domain/infra"
 	"github.com/containers/podman/v4/pkg/servicereaper"
+	"github.com/containers/podman/v4/utils"
 	"github.com/coreos/go-systemd/v22/activation"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
@@ -22,6 +24,26 @@ import (
 	"golang.org/x/sys/unix"
 )
 
+// maybeMoveToSubCgroup moves the current process in a sub cgroup when
+// it is running in the root cgroup on a system that uses cgroupv2.
+func maybeMoveToSubCgroup() error {
+	unifiedMode, err := cgroups.IsCgroup2UnifiedMode()
+	if err != nil {
+		return err
+	}
+	if !unifiedMode {
+		return nil
+	}
+	cgroup, err := utils.GetOwnCgroup()
+	if err != nil {
+		return err
+	}
+	if cgroup == "/" {
+		return utils.MoveUnderCgroupSubtree("init")
+	}
+	return nil
+}
+
 func restService(flags *pflag.FlagSet, cfg *entities.PodmanConfig, opts entities.ServiceOptions) error {
 	var (
 		listener net.Listener
@@ -103,6 +125,10 @@ func restService(flags *pflag.FlagSet, cfg *entities.PodmanConfig, opts entities
 		return err
 	}
 
+	if err := maybeMoveToSubCgroup(); err != nil {
+		return err
+	}
+
 	servicereaper.Start()
 	infra.StartWatcher(libpodRuntime)
 	server, err := api.NewServerWithSettings(libpodRuntime, listener, opts)
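Review bot: The errors from maybeMoveToSubCgroup reach the caller with no context — the three failure paths in the new function (`cgroups.IsCgroup2UnifiedMode`, `utils.GetOwnCgroup`, `utils.MoveUnderCgroupSubtree`) all `return err` bare, and the new call in restService (whose body starts and ends outside the third hunk) forwards it unchanged, so a startup failure will surface as a raw cgroup error with no hint that the service was relocating itself. Since the file already imports github.com/pkg/errors, the call site could read `if err := maybeMoveToSubCgroup(); err != nil { return errors.Wrap(err, "moving the service under a sub-cgroup") }`. The doc comment would also benefit from stating the reason given in the commit message, e.g. `// maybeMoveToSubCgroup moves the current process into a sub-cgroup when it is running in the root cgroup on a cgroup v2 system; otherwise Podman cannot create cgroups and move processes into them.` Note that this turns a failed move into a hard startup error, which is presumably intended, but if the service is expected to keep working on hosts where the cgroup hierarchy is not writable, a logrus warning (also already imported) may be the better reaction there — worth confirming against the environments that hit the linked issue.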