author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2021-05-06 09:39:03 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-05-06 09:39:03 -0400 |
commit | 176ae99187de9068670dac1fb3ec30e11cd3dd93 (patch) | |
tree | b1cb4cd71bf7ea541f3336ee2a79d83eacdb22c2 /libpod/container_internal_linux.go | |
parent | 5fa31e10e364e57f7bdc4bb00f483b7f6a631ee0 (diff) | |
parent | 27ac750c7d949fc5922c4a11bf3e8e4606dd2a04 (diff) | |
Merge pull request #10234 from giuseppe/fix-cgroupfs-pod
cgroup: fix rootless --cgroup-parent with pods
Diffstat (limited to 'libpod/container_internal_linux.go')
-rw-r--r-- | libpod/container_internal_linux.go | 19 |
1 files changed, 12 insertions, 7 deletions
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index f87e845cb..f0608e2b2 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -2216,6 +2216,17 @@ func (c *Container) generatePasswdAndGroup() (string, string, error) {
 return passwdPath, groupPath, nil
 }
 
+func isRootlessCgroupSet(cgroup string) bool {
+ // old versions of podman were setting the CgroupParent to CgroupfsDefaultCgroupParent
+ // by default. Avoid breaking these versions and check whether the cgroup parent is
+ // set to the default and in this case enable the old behavior. It should not be a real
+ // problem because the default CgroupParent is usually owned by root so rootless users
+ // cannot access it.
+ // This check might be lifted in a future version of Podman.
+ // Check both that the cgroup or its parent is set to the default value (used by pods).
+ return cgroup != CgroupfsDefaultCgroupParent && filepath.Dir(cgroup) != CgroupfsDefaultCgroupParent
+}
+
 // Get cgroup path in a format suitable for the OCI spec
 func (c *Container) getOCICgroupPath() (string, error) {
 unified, err := cgroups.IsCgroup2UnifiedMode()
@@ -2227,13 +2238,7 @@ func (c *Container) getOCICgroupPath() (string, error) {
 case c.config.NoCgroups:
 return "", nil
 case (rootless.IsRootless() && (cgroupManager == config.CgroupfsCgroupsManager || !unified)):
- if c.config.CgroupParent == CgroupfsDefaultCgroupParent {
- // old versions of podman were setting the CgroupParent to CgroupfsDefaultCgroupParent
- // by default. Avoid breaking these versions and check whether the cgroup parent is
- // set to the default and in this case enable the old behavior. It should not be a real
- // problem because the default CgroupParent is usually owned by root so rootless users
- // cannot access it.
- // This check might be lifted in a future version of Podman.
+ if !isRootlessCgroupSet(c.config.CgroupParent) {
 return "", nil
 }
 return c.config.CgroupParent, nil |
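Review bot: isRootlessCgroupSet compares the raw string, so a configured parent that differs from the default only lexically (a redundant path segment or a doubled separator) is judged as explicitly set, and getOCICgroupPath then returns it unchanged. Normalising first, `cgroup = filepath.Clean(cgroup)` ahead of the return, keeps the legacy check from depending on how the path was spelled. The check also looks only one level up via filepath.Dir, so a parent nested two or more levels below the default counts as set; if that is intended, state it in a doc comment above the function, for example `// isRootlessCgroupSet reports whether cgroup is neither the legacy default parent nor a direct child of it.`, and reword the last inline comment, which currently reads as the opposite of what the expression returns.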
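Review bot: With the explanatory comment moved into the helper, the `return "", nil` under `if !isRootlessCgroupSet(c.config.CgroupParent)` no longer says why an empty path is returned, and the result is identical to the NoCgroups case two lines above it. A short comment at the call site, such as `// legacy default parent (or a pod directly under it): emit no cgroup path, as older versions did`, would keep the intent visible where the decision is made. getOCICgroupPath starts and ends outside the hunk, so whether callers can tell the two empty results apart cannot be confirmed from here.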