github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

Merge pull request #1371 from AkihiroSuda/cgroup2-unshare-cgroupns

Browse Source 
cgroup2: unshare cgroup namespace for containers
This commit is contained in:
Lantao Liu 2020-01-14 10:08:14 -08:00 committed by GitHub
commit b2804c0693
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 10 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
pkg/server/container_create_unix.go
View File

@ -22,6 +22,7 @@ import (
"strconv" "strconv"
"strings" "strings"
"github.com/containerd/cgroups"
"github.com/containerd/containerd/contrib/apparmor" "github.com/containerd/containerd/contrib/apparmor"
"github.com/containerd/containerd/contrib/seccomp" "github.com/containerd/containerd/contrib/seccomp"
"github.com/containerd/containerd/oci" "github.com/containerd/containerd/oci"
@ -223,7 +224,15 @@ func (c *criService) containerSpec(id string, sandboxID string, sandboxPid uint3
customopts.WithAnnotation(annotations.ContainerType, annotations.ContainerTypeContainer), customopts.WithAnnotation(annotations.ContainerType, annotations.ContainerTypeContainer),
customopts.WithAnnotation(annotations.SandboxID, sandboxID), customopts.WithAnnotation(annotations.SandboxID, sandboxID),
) )
// cgroupns is used for hiding /sys/fs/cgroup from containers.
// For compatibility, cgroupns is not used when running in cgroup v1 mode.
// https://github.com/containers/libpod/issues/4363
if cgroups.Mode() == cgroups.Unified {
specOpts = append(specOpts, oci.WithLinuxNamespace(
runtimespec.LinuxNamespace{
Type: runtimespec.CgroupNamespace,
}))
}
return runtimeSpec(id, specOpts...) return runtimeSpec(id, specOpts...)
} }