linux: Enter specified cgroup namespace #781
Conversation
src/libcrun/linux.c
Outdated
| #if CLONE_NEWCGROUP | ||
| /* cgroup will be unshared later. Once the process is in the correct cgroup. */ | ||
| init_status.all_namespaces &= ~CLONE_NEWCGROUP; | ||
| init_status.namespaces_to_unshare &= ~CLONE_NEWCGROUP; |
There was a problem hiding this comment.
Does namespaces_to_unshare contains namespaces specified without path ? I am still a bit confused about this.
There was a problem hiding this comment.
Tests are failing for: when uts namespace is specified by a path.
|
thanks for opening a PR! I am afraid this will break the existing semantic of What do you think about the following patch: diff --git a/src/libcrun/linux.c b/src/libcrun/linux.c
index 4b5877c..4fab400 100644
--- a/src/libcrun/linux.c
+++ b/src/libcrun/linux.c
@@ -93,6 +93,10 @@ struct private_data_s
namespaces are available. */
int unshare_flags;
+#if CLONE_NEWCGROUP
+ int unshare_cgroupns;
+#endif
+
char *host_notify_socket_path;
char *container_notify_socket_path;
bool mount_dev_from_host;
@@ -2409,7 +2413,7 @@ int
libcrun_container_enter_cgroup_ns (libcrun_container_t *container, libcrun_error_t *err)
{
#if CLONE_NEWCGROUP
- if (get_private_data (container)->unshare_flags & CLONE_NEWCGROUP)
+ if (get_private_data (container)->unshare_cgroupns)
{
int ret = unshare (CLONE_NEWCGROUP);
if (UNLIKELY (ret < 0))
@@ -3695,6 +3699,7 @@ libcrun_run_linux_container (libcrun_container_t *container, container_entrypoin
#if CLONE_NEWCGROUP
/* cgroup will be unshared later. Once the process is in the correct cgroup. */
init_status.all_namespaces &= ~CLONE_NEWCGROUP;
+ get_private_data (container)->unshare_cgroupns = init_status.namespaces_to_unshare & CLONE_NEWCGROUP;
#endif
ret = socketpair (AF_UNIX, SOCK_SEQPACKET | SOCK_CLOEXEC, 0, sync_socket);If it works for you, feel free to amend it to your PR |
|
@hshiina had a chance to look at the previous comment? Does it work for you? |
|
Thank you for the comments. |
hshiina
force-pushed
the
cgroup-namespace
branch
from
9053ebe to
2560bf5
Compare
hshiina
changed the title
|
Few podman tests failed. Here is log for failing tests: https://pipelines.actions.githubusercontent.com/56Rt2BWasAPLMci7RjWOc3a8eqT1606w1ZCvbZFjm2aLGpq16A/_apis/pipelines/1/runs/2110/signedlogcontent/8?urlExpires=2021-11-18T10%3A43%3A55.0911194Z&urlSigningMethod=HMACV1&urlSignature=reeH%2B5Kvr8ly7KTXan5XglDidoAnrLh%2BJsREOlLiwbg%3D I am restarting to confirm if they are flakes however they don't look like flakes as of now. |
|
It seems that a fedora-minimal image with ID In the test log (https://github.com/containers/crun/runs/4250222257?check_suite_focus=true#step:7:2375): On my laptop: |
|
Could you please add another commit that updates podman to "main" instead of the current version we are using now? |
|
I posted #784. |
|
CI must be fine now. Could you please rebase this PR? |
Add another flag to see if `path` is specified with cgroup `type` in a runtime spec for determining whether a new cgroup namespace is necessary or not. Signed-off-by: Hironori Shiina <[email protected]>
hshiina
force-pushed
the
cgroup-namespace
branch
from
2560bf5 to
ef37d51
Compare
3 participants
Add another flag to see if
pathis specified with cgrouptypein aruntime spec for determining whether a new cgroup namespace is necessary
or not.
Signed-off-by: Hironori Shiina [email protected]