From d9cb135b6423da5cb16bca82e9c2b5d322dec8a9 Mon Sep 17 00:00:00 2001 From: Jakub Guzik Date: Sun, 28 Feb 2021 13:14:11 +0100 Subject: Enable cgroupsv2 rw mount via security-opt unmask Signed-off-by: Jakub Guzik --- pkg/specgen/generate/oci.go | 28 +++++++++++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) (limited to 'pkg') diff --git a/pkg/specgen/generate/oci.go b/pkg/specgen/generate/oci.go index 23a9ce831..eb4dbc944 100644 --- a/pkg/specgen/generate/oci.go +++ b/pkg/specgen/generate/oci.go @@ -2,12 +2,14 @@ package generate import ( "context" + "path" "strings" "github.com/containers/common/pkg/config" "github.com/containers/podman/v3/libpod" "github.com/containers/podman/v3/libpod/define" "github.com/containers/podman/v3/libpod/image" + "github.com/containers/podman/v3/pkg/cgroups" "github.com/containers/podman/v3/pkg/rootless" "github.com/containers/podman/v3/pkg/specgen" spec "github.com/opencontainers/runtime-spec/specs-go" @@ -157,8 +159,32 @@ func canMountSys(isRootless, isNewUserns bool, s *specgen.SpecGenerator) bool { return true } +func getCGroupPermissons(unmask []string) string { + ro := "ro" + rw := "rw" + cgroup := "/sys/fs/cgroup" + + cgroupv2, _ := cgroups.IsCgroup2UnifiedMode() + if !cgroupv2 { + return ro + } + + if unmask != nil && unmask[0] == "ALL" { + return rw + } + + for _, p := range unmask { + if path.Clean(p) == cgroup { + return rw + } + } + return ro +} + +// SpecGenToOCI returns the base configuration for the container. func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runtime, rtc *config.Config, newImage *image.Image, mounts []spec.Mount, pod *libpod.Pod, finalCmd []string) (*spec.Spec, error) { - cgroupPerm := "ro" + cgroupPerm := getCGroupPermissons(s.Unmask) + g, err := generate.New("linux") if err != nil { return nil, err -- cgit v1.2.3-54-g00ecf