From bd51410b8d16093e9c397b1e620baa08e910890c Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano <gscrivan@redhat.com>
Date: Thu, 30 Jun 2022 14:36:53 +0200
Subject: service: do not run under the root cgroup

At startup, when running on a cgroup v2 system, check whether the
current process is running in the root cgroup and, if so, move it to a
sub-cgroup; otherwise Podman is not able to create cgroups and move
processes there.

Closes: https://github.com/containers/podman/issues/14573

[NO NEW TESTS NEEDED] it needs nested podman

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
---
 cmd/podman/system/service_abi.go | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

(limited to 'cmd/podman')

diff --git a/cmd/podman/system/service_abi.go b/cmd/podman/system/service_abi.go
index 7cb1b8084..70b8952bd 100644
--- a/cmd/podman/system/service_abi.go
+++ b/cmd/podman/system/service_abi.go
@@ -10,11 +10,13 @@ import (
 	"os"
 	"path/filepath"
 
+	"github.com/containers/common/pkg/cgroups"
 	"github.com/containers/podman/v4/cmd/podman/registry"
 	api "github.com/containers/podman/v4/pkg/api/server"
 	"github.com/containers/podman/v4/pkg/domain/entities"
 	"github.com/containers/podman/v4/pkg/domain/infra"
 	"github.com/containers/podman/v4/pkg/servicereaper"
+	"github.com/containers/podman/v4/utils"
 	"github.com/coreos/go-systemd/v22/activation"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
@@ -22,6 +24,26 @@ import (
 	"golang.org/x/sys/unix"
 )
 
+// maybeMoveToSubCgroup moves the current process in a sub cgroup when
+// it is running in the root cgroup on a system that uses cgroupv2.
+func maybeMoveToSubCgroup() error {
+	unifiedMode, err := cgroups.IsCgroup2UnifiedMode()
+	if err != nil {
+		return err
+	}
+	if !unifiedMode {
+		return nil
+	}
+	cgroup, err := utils.GetOwnCgroup()
+	if err != nil {
+		return err
+	}
+	if cgroup == "/" {
+		return utils.MoveUnderCgroupSubtree("init")
+	}
+	return nil
+}
+
 func restService(flags *pflag.FlagSet, cfg *entities.PodmanConfig, opts entities.ServiceOptions) error {
 	var (
 		listener net.Listener
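Review bot: The three error returns in maybeMoveToSubCgroup pass the error up bare, so a startup failure will not say whether detecting the cgroup mode, reading the process's own cgroup, or the move itself failed. The file already imports `github.com/pkg/errors`, so each return can carry context, e.g. `return errors.Wrap(err, "reading own cgroup")` and `return errors.Wrap(utils.MoveUnderCgroupSubtree("init"), "moving service to init sub-cgroup")`. The doc comment could also say that `"/"` is the path as reported to this process, which inside a cgroup namespace is presumably the namespace root rather than the host root (the nested-Podman case the commit message describes), and why the fixed name `init` was chosen.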
@@ -103,6 +125,10 @@ func restService(flags *pflag.FlagSet, cfg *entities.PodmanConfig, opts entities
 		return err
 	}
 
+	if err := maybeMoveToSubCgroup(); err != nil {
+		return err
+	}
+
 	servicereaper.Start()
 	infra.StartWatcher(libpodRuntime)
 	server, err := api.NewServerWithSettings(libpodRuntime, listener, opts)
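Review bot: Returning the error from `maybeMoveToSubCgroup()` here makes the move a hard precondition for the API service, so the service will not start at all wherever the move cannot be performed, presumably including environments where the cgroup filesystem is read-only or not delegated to the process. If the service is still useful in that state, log and continue instead, e.g. `logrus.Warnf("Could not move to a sub-cgroup: %v", err)`. If failing closed is intended because containers would otherwise run without cgroup limits, a comment above the call should say so. restService starts and ends outside this hunk, so the earlier setup that this call follows is not visible here.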
-- 
cgit v1.2.3-54-g00ecf