Diffstat (limited to 'pkg')
-rw-r--r--pkg/annotations/annotations.go8
-rw-r--r--pkg/cgroups/cgroups_supported.go62
-rw-r--r--pkg/cgroups/cgroups_unsupported.go6
-rw-r--r--pkg/spec/createconfig.go4
-rw-r--r--pkg/spec/spec.go12
5 files changed, 92 insertions, 0 deletions
diff --git a/pkg/annotations/annotations.go b/pkg/annotations/annotations.go
index fe2591a0c..19b1029d1 100644
--- a/pkg/annotations/annotations.go
+++ b/pkg/annotations/annotations.go
@@ -102,6 +102,10 @@ const (
// CNIResult is the JSON string representation of the Result from CNI
CNIResult = "io.kubernetes.cri-o.CNIResult"
+
+ // ContainerManager is the annotation key for indicating the creator and
+ // manager of the container
+ ContainerManager = "io.container.manager"
)
// ContainerType values
@@ -112,3 +116,7 @@ const (
// ContainerTypeContainer represents a container running within a pod
ContainerTypeContainer = "container"
)
+
+// ContainerManagerLibpod indicates that libpod created and manages the
+// container
+const ContainerManagerLibpod = "libpod"
diff --git a/pkg/cgroups/cgroups_supported.go b/pkg/cgroups/cgroups_supported.go
index fcd44dfc8..2a36777d4 100644
--- a/pkg/cgroups/cgroups_supported.go
+++ b/pkg/cgroups/cgroups_supported.go
@@ -3,8 +3,15 @@
package cgroups
import (
+ "bufio"
+ "fmt"
+ "os"
+ "path/filepath"
+ "strings"
"sync"
"syscall"
+
+ "github.com/pkg/errors"
)
var (
@@ -25,3 +32,58 @@ func IsCgroup2UnifiedMode() (bool, error) {
})
return isUnified, isUnifiedErr
}
+
+// UserOwnsCurrentSystemdCgroup checks whether the current EUID owns the
+// current cgroup.
+func UserOwnsCurrentSystemdCgroup() (bool, error) {
+ uid := os.Geteuid()
+
+ cgroup2, err := IsCgroup2UnifiedMode()
+ if err != nil {
+ return false, err
+ }
+
+ f, err := os.Open("/proc/self/cgroup")
+ if err != nil {
+ return false, errors.Wrapf(err, "open file /proc/self/cgroup")
+ }
+ defer f.Close()
+
+ scanner := bufio.NewScanner(f)
+ for scanner.Scan() {
+ line := scanner.Text()
+ parts := strings.SplitN(line, ":", 3)
+
+ if len(parts) < 3 {
+ continue
+ }
+
+ var cgroupPath string
+
+ if cgroup2 {
+ cgroupPath = filepath.Join(cgroupRoot, parts[2])
+ } else {
+ if parts[1] != "name=systemd" {
+ continue
+ }
+ cgroupPath = filepath.Join(cgroupRoot, "systemd", parts[2])
+ }
+
+ st, err := os.Stat(cgroupPath)
+ if err != nil {
+ return false, err
+ }
+ s := st.Sys()
+ if s == nil {
+ return false, fmt.Errorf("error stat cgroup path %s", cgroupPath)
+ }
+
+ if int(s.(*syscall.Stat_t).Uid) != uid {
+ return false, nil
+ }
+ }
+ if err := scanner.Err(); err != nil {
+ return false, errors.Wrapf(err, "parsing file /proc/self/cgroup")
+ }
+ return true, nil
+}
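Review bot: UserOwnsCurrentSystemdCgroup fails open when nothing is checked. On cgroup v1, if /proc/self/cgroup has no `name=systemd` entry, or every line has fewer than three fields, the loop never reaches os.Stat and the function falls through to `return true, nil`, reporting ownership that was never verified. Recording that at least one path passed the uid comparison (`found = true` after the check, then `return found, nil`) would make that case return false; whether callers rely on the current result there is not visible in this hunk. Separately, the assertion `s.(*syscall.Stat_t)` panics if Sys() returns a different type, so the two-value form `st.Sys().(*syscall.Stat_t)` with an error on `!ok` would be safer and would also replace the nil check.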
diff --git a/pkg/cgroups/cgroups_unsupported.go b/pkg/cgroups/cgroups_unsupported.go
index 9dc196e42..cd140fbf3 100644
--- a/pkg/cgroups/cgroups_unsupported.go
+++ b/pkg/cgroups/cgroups_unsupported.go
@@ -6,3 +6,9 @@ package cgroups
func IsCgroup2UnifiedMode() (bool, error) {
return false, nil
}
+
+// UserOwnsCurrentSystemdCgroup checks whether the current EUID owns the
+// current cgroup.
+func UserOwnsCurrentSystemdCgroup() (bool, error) {
+ return false, nil
+}
diff --git a/pkg/spec/createconfig.go b/pkg/spec/createconfig.go
index 3f70e5935..c17172016 100644
--- a/pkg/spec/createconfig.go
+++ b/pkg/spec/createconfig.go
@@ -64,6 +64,7 @@ type CreateConfig struct {
CidFile string
ConmonPidFile string
Cgroupns string
+ Cgroups string
CgroupParent string // cgroup-parent
Command []string // Full command that will be used
UserCommand []string // User-entered command (or image CMD)
@@ -206,6 +207,9 @@ func (c *CreateConfig) getContainerCreateOptions(runtime *libpod.Runtime, pod *l
logrus.Debugf("adding container to pod %s", c.Pod)
options = append(options, runtime.WithPod(pod))
}
+ if c.Cgroups == "disabled" {
+ options = append(options, libpod.WithNoCgroups())
+ }
if len(c.PortBindings) > 0 {
portBindings, err = c.CreatePortBindings()
if err != nil {
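Review bot: The comparison `c.Cgroups == "disabled"` uses a bare string literal that is repeated in the switch added to createConfigToOCISpec in pkg/spec/spec.go, so the two sites can drift apart. A pair of named constants for the accepted values, used in both places, would keep them in step. At this site any other value, including a typo, is silently treated as cgroups enabled; rejection happens only in the spec.go switch. The new `Cgroups string` field in the earlier hunk of this file would also benefit from a trailing comment listing the accepted values, as its neighbours have. getContainerCreateOptions starts and ends outside this hunk.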
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index 44bbda885..38f9c7306 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -396,6 +396,18 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM
}
}
+ switch config.Cgroups {
+ case "disabled":
+ if addedResources {
+ return nil, errors.New("cannot specify resource limits when cgroups are disabled is specified")
+ }
+ configSpec.Linux.Resources = &spec.LinuxResources{}
+ case "enabled", "":
+ // Do nothing
+ default:
+ return nil, errors.New("unrecognized option for cgroups; supported are 'default' and 'disabled'")
+ }
+
// Add annotations
if configSpec.Annotations == nil {
configSpec.Annotations = make(map[string]string)
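Review bot: The default branch's error text names 'default' and 'disabled' as the supported values, but the switch accepts only "enabled", "" and "disabled", so a user who follows the message and passes "default" is rejected with the same error. The message should list what the code accepts, for example `errors.New("unrecognized option for cgroups; supported are 'enabled' and 'disabled'")`. The message in the "disabled" branch is also garbled ("when cgroups are disabled is specified") and could read `"cannot specify resource limits when cgroups are disabled"`. createConfigToOCISpec starts and ends outside this hunk.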