diff options
author | Giuseppe Scrivano <gscrivan@redhat.com> | 2019-10-30 08:44:37 +0100 |
---|---|---|
committer | Giuseppe Scrivano <gscrivan@redhat.com> | 2019-11-05 17:29:01 +0100 |
commit | b8514ca6f39e58c623a34440f20debe9d0e8053f (patch) | |
tree | 94145f510cb7df7cdf9006c2b8bfcc4404c4a50a /pkg | |
parent | 17eadda68b868ab1dc8c455f4f537b78ad3962a5 (diff) | |
download | podman-b8514ca6f39e58c623a34440f20debe9d0e8053f.tar.gz podman-b8514ca6f39e58c623a34440f20debe9d0e8053f.tar.bz2 podman-b8514ca6f39e58c623a34440f20debe9d0e8053f.zip |
namespaces: by default create cgroupns on cgroups v2
change the default on cgroups v2 and create a new cgroup namespace.
When a cgroup namespace is used, processes inside the namespace are
only able to see cgroup paths relative to the cgroup namespace root
and not have full visibility on all the cgroups present on the
system.
The previous behaviour is maintained on a cgroups v1 host, where a
cgroup namespace is not created by default.
Closes: https://github.com/containers/libpod/issues/4363
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Diffstat (limited to 'pkg')
-rw-r--r-- | pkg/namespaces/namespaces.go | 5 | ||||
-rw-r--r-- | pkg/spec/spec.go | 13 |
2 files changed, 18 insertions, 0 deletions
diff --git a/pkg/namespaces/namespaces.go b/pkg/namespaces/namespaces.go index 9d1033b93..78b55bb2a 100644 --- a/pkg/namespaces/namespaces.go +++ b/pkg/namespaces/namespaces.go @@ -25,6 +25,11 @@ func (n CgroupMode) IsHost() bool { return n == hostType } +// IsDefaultValue indicates whether the cgroup namespace has the default value. +func (n CgroupMode) IsDefaultValue() bool { + return n == "" +} + // IsNS indicates a cgroup namespace passed in by path (ns:<path>) func (n CgroupMode) IsNS() bool { return strings.HasPrefix(string(n), nsType) diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go index 86d701f7e..33e9ec076 100644 --- a/pkg/spec/spec.go +++ b/pkg/spec/spec.go @@ -631,6 +631,19 @@ func addIpcNS(config *CreateConfig, g *generate.Generator) error { func addCgroupNS(config *CreateConfig, g *generate.Generator) error { cgroupMode := config.CgroupMode + + if cgroupMode.IsDefaultValue() { + // If the value is not specified, default to "private" on cgroups v2 and "host" on cgroups v1. + unified, err := cgroups.IsCgroup2UnifiedMode() + if err != nil { + return err + } + if unified { + cgroupMode = "private" + } else { + cgroupMode = "host" + } + } if cgroupMode.IsNS() { return g.AddOrReplaceLinuxNamespace(string(spec.CgroupNamespace), NS(string(cgroupMode))) } |