Merge pull request #1415 from AkihiroSuda/cgroup2-privileged-no-unshare-cgroupns

cgroup2: do not unshare cgroup namespace for privileged containers
Mike Brown 2020-03-09 12:45:50 -05:00 committed by GitHub
commit 687469d3ce


@ -225,9 +225,10 @@ func (c *criService) containerSpec(id string, sandboxID string, sandboxPid uint3
customopts.WithAnnotation(annotations.SandboxID, sandboxID),
)
// cgroupns is used for hiding /sys/fs/cgroup from containers.
// For compatibility, cgroupns is not used when running in cgroup v1 mode.
// For compatibility, cgroupns is not used when running in cgroup v1 mode or in privileged.
// https://github.com/containers/libpod/issues/4363
if cgroups.Mode() == cgroups.Unified {
// https://github.com/kubernetes/enhancements/blob/0e409b47497e398b369c281074485c8de129694f/keps/sig-node/20191118-cgroups-v2.md#cgroup-namespace
if cgroups.Mode() == cgroups.Unified && !securityContext.GetPrivileged() {
specOpts = append(specOpts, oci.WithLinuxNamespace(
runtimespec.LinuxNamespace{
Type: runtimespec.CgroupNamespace,