Add validation for CGroup parents. Pass CGroups path into runc

Signed-off-by: Matthew Heon <matthew.heon@gmail.com>

Closes: #507
Approved by: baude

1 files changed, 19 insertions, 0 deletions

diff --git a/libpod/runtime_ctr.go b/libpod/runtime_ctr.go
index 4708e0c8f..f5d8e5704 100644
--- a/libpod/runtime_ctr.go
+++ b/libpod/runtime_ctr.go
@@ -3,6 +3,7 @@ package libpod
 import (
 	"context"
 	"os"
+	"path"
 	"path/filepath"
 	"strings"
 	"time"
@@ -60,6 +61,24 @@ func (r *Runtime) NewContainer(ctx context.Context, rSpec *spec.Spec, options ..
 		ctr.config.Name = name
 	}
 
+	// Check CGroup parent sanity, and set it if it was not set
+	switch r.config.CgroupManager {
+	case CgroupfsCgroupsManager:
+		if ctr.config.CgroupParent == "" {
+			ctr.config.CgroupParent = CgroupfsDefaultCgroupParent
+		} else if strings.HasSuffix(path.Base(ctr.config.CgroupParent), ".slice") {
+			return nil, errors.Wrapf(ErrInvalidArg, "systemd slice received as cgroup parent when using cgroupfs")
+		}
+	case SystemdCgroupsManager:
+		if ctr.config.CgroupParent == "" {
+			ctr.config.CgroupParent = SystemdDefaultCgroupParent
+		} else if len(ctr.config.CgroupParent) < 6 || !strings.HasSuffix(path.Base(ctr.config.CgroupParent), ".slice") {
+			return nil, errors.Wrapf(ErrInvalidArg, "did not receive systemd slice as cgroup parent when using systemd to manage cgroups")
+		}
+	default:
+		return nil, errors.Wrapf(ErrInvalidArg, "unsupported CGroup manager: %s - cannot validate cgroup parent", r.config.CgroupManager)
+	}
+
 	// Set up storage for the container
 	if err := ctr.setupStorage(ctx); err != nil {
 		return nil, err