Merge pull request #11151 from k8s-infra-cherrypick-robot/cherry-pick-11104-to-release/2.0

[release/2.0] internal/cri: should not apply IoOwner options if it's not user namespace
Derek McGowan 2024-12-12 11:05:10 -08:00 committed by GitHub
commit 8c6dd50d91
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -31,11 +31,19 @@ func updateContainerIOOwner(ctx context.Context, cntr containerd.Container, conf
return nil, nil
}
// FIXME(fuweid): Ideally, the pipe owner should be aligned with process owner.
// No matter what user namespace container uses, it should work well. However,
// it breaks the sig-node conformance case - [when querying /stats/summary should report resource usage through the stats api].
// FIXME(fuweid):
//
// For builtin runc runtime, the pipe owner should be aligned with process
// owner. No matter what user namespace container uses, it should work
// well.
//
// However, gVisor runtime doesn't support runc.Options and no idea why
// adding options could breaks the sig-node conformance case [when querying /stats/summary should report resource usage through the stats api].
// In order to keep compatible, the change should apply to user namespace only.
if config.GetLinux().GetSecurityContext().GetNamespaceOptions().GetUsernsOptions() == nil {
//
// REF: https://github.com/containerd/containerd/issues/11091
usernsOpts := config.GetLinux().GetSecurityContext().GetNamespaceOptions().GetUsernsOptions()
if usernsOpts == nil || usernsOpts.Mode == runtime.NamespaceMode_NODE {
return nil, nil
}
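Review bot: The new guard `usernsOpts == nil || usernsOpts.Mode == runtime.NamespaceMode_NODE` is a deny-list, so every other mode value (including any added later) falls through to the owner-setting path as if the pod had its own user namespace. The comment says the change should apply to user namespaces only, so an allow-list would match that intent more closely: `if usernsOpts == nil || usernsOpts.GetMode() != runtime.NamespaceMode_POD { return nil, nil }`. This assumes POD is the only mode CRI defines for a private user namespace, which should be confirmed against the API. The explicit nil check has to stay, because a generated getter on a nil receiver returns the enum's zero value rather than signalling absence. The rest of updateContainerIOOwner lies outside the hunk, so it is not visible whether other modes are rejected later.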