From bd51410b8d16093e9c397b1e620baa08e910890c Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Thu, 30 Jun 2022 14:36:53 +0200
Subject: service: do not run under the root cgroup at startup, when running on a cgroup v2 system, check if the current process is running in the root cgroup and move it to a sub-cgroup, otherwise Podman is not able to create cgroups and move processes there.
Closes: https://github.com/containers/podman/issues/14573
[NO NEW TESTS NEEDED] it needs nested podman
Signed-off-by: Giuseppe Scrivano
---
 cmd/podman/system/service_abi.go | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
diff --git a/cmd/podman/system/service_abi.go b/cmd/podman/system/service_abi.go
index 7cb1b8084..70b8952bd 100644
--- a/cmd/podman/system/service_abi.go
+++ b/cmd/podman/system/service_abi.go
@@ -10,11 +10,13 @@ import (
 "os"
 "path/filepath"
 
+ "github.com/containers/common/pkg/cgroups"
 "github.com/containers/podman/v4/cmd/podman/registry"
 api "github.com/containers/podman/v4/pkg/api/server"
 "github.com/containers/podman/v4/pkg/domain/entities"
 "github.com/containers/podman/v4/pkg/domain/infra"
 "github.com/containers/podman/v4/pkg/servicereaper"
+ "github.com/containers/podman/v4/utils"
 "github.com/coreos/go-systemd/v22/activation"
 "github.com/pkg/errors"
 "github.com/sirupsen/logrus"
@@ -22,6 +24,26 @@ import (
 "golang.org/x/sys/unix"
 )
 
+// maybeMoveToSubCgroup moves the current process in a sub cgroup when
+// it is running in the root cgroup on a system that uses cgroupv2.
+func maybeMoveToSubCgroup() error {
+ unifiedMode, err := cgroups.IsCgroup2UnifiedMode()
+ if err != nil {
+ return err
+ }
+ if !unifiedMode {
+ return nil
+ }
+ cgroup, err := utils.GetOwnCgroup()
+ if err != nil {
+ return err
+ }
+ if cgroup == "/" {
+ return utils.MoveUnderCgroupSubtree("init")
+ }
+ return nil
+}
+
 func restService(flags *pflag.FlagSet, cfg *entities.PodmanConfig, opts entities.ServiceOptions) error {
 var (
 listener net.Listener
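Review bot: The three bare `return err` paths in maybeMoveToSubCgroup, and the one at the new call site in the restService hunk, give an operator no hint that service startup failed while leaving the root cgroup. `github.com/pkg/errors` is already imported in this file, so the final branch could read `return errors.Wrap(utils.MoveUnderCgroupSubtree("init"), "moving service out of the root cgroup")`, and the two lookups could be wrapped the same way. The sub-cgroup name `"init"` is also an unexplained literal; a one-line comment saying what happens when an `init` cgroup already exists would help, since that behaviour lives in utils and is not visible here.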
@@ -103,6 +125,10 @@ func restService(flags *pflag.FlagSet, cfg *entities.PodmanConfig, opts entities
 return err
 }
 
+ if err := maybeMoveToSubCgroup(); err != nil {
+ return err
+ }
+
 servicereaper.Start()
 infra.StartWatcher(libpodRuntime)
 server, err := api.NewServerWithSettings(libpodRuntime, listener, opts)
-- 
cgit v1.2.3-54-g00ecf
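Review bot: maybeMoveToSubCgroup() is called only after the runtime has been obtained (`libpodRuntime` is used in the context lines that follow), so any process started during runtime setup would have been created while the service was still in the root cgroup; whether setup starts any is not visible in this hunk. If the move can become the first step of restService, that removes the question. Otherwise a comment at the call would record the ordering requirement, for example `// Must run before servicereaper.Start(): children inherit the cgroup of the service.` restService begins and ends outside the hunk.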