author | Daniel J Walsh <dwalsh@redhat.com> | 2018-10-15 15:42:12 -0400 |
---|---|---|
committer | Daniel J Walsh <dwalsh@redhat.com> | 2018-10-15 16:19:11 -0400 |
commit | 57a8c2e5e844ee403c9a703c621780de7c7343f0 (patch) | |
tree | 20a2acfd315cdfcc1f472c18508cd53b1dfedc47 /libpod/container_internal_linux.go | |
parent | 2bc9a3c4bbaade50264b1dbf348d1521cdd8d8b5 (diff) | |
Mount proper cgroup for systemd to manage inside of the container.
We are still requiring oci-systemd-hook to be installed in order to run
systemd within a container. This patch properly mounts
/sys/fs/cgroup/systemd/libpod_parent/libpod-UUID on /sys/fs/cgroup/systemd inside of container.
Because the bind-mount source path includes the container's UUID, the Systemd flag had to be moved into the
container's config.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'libpod/container_internal_linux.go')
-rw-r--r-- | libpod/container_internal_linux.go | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index 0353124dd..05604246f 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -188,6 +188,10 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
 		}
 	}
 
+	if c.config.Systemd {
+		c.setupSystemd(g.Mounts(), g)
+	}
+
 	// Look up and add groups the user belongs to, if a group wasn't directly specified
 	if !rootless.IsRootless() && !strings.Contains(c.config.User, ":") {
 		groups, err := chrootuser.GetAdditionalGroupsForUser(c.state.Mountpoint, uint64(g.Config.Process.User.UID))
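Review bot: `c.setupSystemd(g.Mounts(), g)` hands the generator to the helper by value (the new helper's parameter is declared `g generate.Generator`), so the mounts it adds only reach this spec if generate.Generator holds its config through a pointer — that appears to be the case, but the sibling helper addNamespaceContainer in this file takes `*generate.Generator`, so the new call breaks the file's convention. Passing `&g` and declaring the parameter as `g *generate.Generator` keeps one convention and removes the reliance on Generator's internals. The call is also made regardless of rootless mode, while the bind source it will generate lives under the host's /sys/fs/cgroup/systemd hierarchy; whether that path exists and is mountable for a rootless user is not addressed by this hunk, and a short comment stating the expectation would help. generateSpec starts and ends outside this hunk.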
@@ -294,6 +298,43 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
 	return g.Config, nil
 }
 
+// systemd expects to have /run, /run/lock and /tmp on tmpfs
+// It also expects to be able to write to /sys/fs/cgroup/systemd and /var/log/journal
+func (c *Container) setupSystemd(mounts []spec.Mount, g generate.Generator) {
+	options := []string{"rw", "rprivate", "noexec", "nosuid", "nodev"}
+	for _, dest := range []string{"/run", "/run/lock"} {
+		if MountExists(mounts, dest) {
+			continue
+		}
+		tmpfsMnt := spec.Mount{
+			Destination: dest,
+			Type: "tmpfs",
+			Source: "tmpfs",
+			Options: append(options, "tmpcopyup", "size=65536k"),
+		}
+		g.AddMount(tmpfsMnt)
+	}
+	for _, dest := range []string{"/tmp", "/var/log/journal"} {
+		if MountExists(mounts, dest) {
+			continue
+		}
+		tmpfsMnt := spec.Mount{
+			Destination: dest,
+			Type: "tmpfs",
+			Source: "tmpfs",
+			Options: append(options, "tmpcopyup"),
+		}
+		g.AddMount(tmpfsMnt)
+	}
+	systemdMnt := spec.Mount{
+		Destination: "/sys/fs/cgroup/systemd",
+		Type: "bind",
+		Source: fmt.Sprintf("/sys/fs/cgroup/systemd%s/libpod-%s", CgroupfsDefaultCgroupParent, c.ID()),
+		Options: []string{"bind", "private"},
+	}
+	g.AddMount(systemdMnt)
+}
+
 // Add an existing container's namespace to the spec
 func (c *Container) addNamespaceContainer(g *generate.Generator, ns LinuxNS, ctr string, specNS string) error {
 	nsCtr, err := c.runtime.state.Container(ctr)
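Review bot: The cgroup bind mount at the end of setupSystemd is added unconditionally, whereas the four tmpfs mounts above it skip any destination the user already supplied; a user-provided mount on /sys/fs/cgroup/systemd would end up stacked with this one, so guard it the same way: `if !MountExists(mounts, "/sys/fs/cgroup/systemd") { g.AddMount(systemdMnt) }`. The bind source is also built from the package-level CgroupfsDefaultCgroupParent rather than from whatever cgroup parent this container was actually created under, so for a container with a non-default parent (or, presumably, under the systemd cgroup manager, whose paths differ) the source will not be the container's own cgroup and the mount will fail or expose the wrong subtree — worth confirming against the container config before relying on this path. The format string `"/sys/fs/cgroup/systemd%s/libpod-%s"` silently assumes the constant carries a leading slash; a comment stating that, plus one saying the bind is deliberately rw but scoped to the container's own libpod-<ID> subtree so systemd inside can only manage cgroups beneath it, would make the security intent explicit. Note that `options` is never reassigned, so each `append(options, ...)` starts from the same length-5 literal and the two loops do not alias each other's backing array; a one-line comment to that effect would spare the next reader the check.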