cgroup2: do not unshare cgroup namespace for privileged

Conforms to the latest KEP:
0e409b4749/keps/sig-node/20191118-cgroups-v2.md (cgroup-namespace)

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Akihiro Suda 2020-03-09 01:49:04 +09:00
parent 1a00c06886
commit fa72e2f693


@ -225,9 +225,10 @@ func (c *criService) containerSpec(id string, sandboxID string, sandboxPid uint3
customopts.WithAnnotation(annotations.SandboxID, sandboxID), customopts.WithAnnotation(annotations.SandboxID, sandboxID),
) )
// cgroupns is used for hiding /sys/fs/cgroup from containers. // cgroupns is used for hiding /sys/fs/cgroup from containers.
// For compatibility, cgroupns is not used when running in cgroup v1 mode. // For compatibility, cgroupns is not used when running in cgroup v1 mode or in privileged.
// https://github.com/containers/libpod/issues/4363 // https://github.com/containers/libpod/issues/4363
if cgroups.Mode() == cgroups.Unified { // https://github.com/kubernetes/enhancements/blob/0e409b47497e398b369c281074485c8de129694f/keps/sig-node/20191118-cgroups-v2.md#cgroup-namespace
if cgroups.Mode() == cgroups.Unified && !securityContext.GetPrivileged() {
specOpts = append(specOpts, oci.WithLinuxNamespace( specOpts = append(specOpts, oci.WithLinuxNamespace(
runtimespec.LinuxNamespace{ runtimespec.LinuxNamespace{
Type: runtimespec.CgroupNamespace, Type: runtimespec.CgroupNamespace,
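Review bot: The new condition `if cgroups.Mode() == cgroups.Unified && !securityContext.GetPrivileged() {` makes a privileged container on cgroup v2 share the host cgroup namespace, so its /sys/fs/cgroup view is the whole host hierarchy rather than its own subtree, yet the adjacent comment files this under "For compatibility", which is the cgroup v1 (libpod issue) rationale, and says nothing about what the exemption exposes. I would keep the v1 sentence as is and add a separate line for the new case: `// Privileged containers keep the host cgroup namespace (see the KEP link below); they can then read, and if the cgroup mount is rw also modify, the host cgroup tree, which is only acceptable because privileged already lifts the other isolation boundaries.` The definition of `securityContext` and the rest of containerSpec lie outside the hunk; if `GetPrivileged` is a generated protobuf getter, a nil securityContext yields false and the namespace is still unshared, which is the safe default, but that is worth confirming at the call site.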