cgroup2: enable cgroup namespace by default
For cgroup v1, we were unable to change the default because of a compatibility issue. For cgroup v2, we should change the default right now because switching to cgroup v2 is already a breaking change. See also containers/libpod#4363 containers/libpod#4374 Privileged containers also use cgroupns=private by default. https://github.com/containers/libpod/pull/4374#issuecomment-549776387 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
This commit is contained in:
parent
409bbdc321
commit
19baeaca26
5 changed files with 19 additions and 9 deletions
|
@ -9,6 +9,7 @@ import (
|
|||
"github.com/docker/docker/opts"
|
||||
"github.com/docker/docker/rootless"
|
||||
units "github.com/docker/go-units"
|
||||
"github.com/opencontainers/runc/libcontainer/cgroups"
|
||||
"github.com/pkg/errors"
|
||||
"github.com/spf13/pflag"
|
||||
)
|
||||
|
@ -64,6 +65,10 @@ func installConfigFlags(conf *config.Config, flags *pflag.FlagSet) error {
|
|||
// rootless needs to be explicitly specified for running "rootful" dockerd in rootless dockerd (#38702)
|
||||
// Note that defaultUserlandProxyPath and honorXDG are configured according to the value of rootless.RunningWithRootlessKit, not the value of --rootless.
|
||||
flags.BoolVar(&conf.Rootless, "rootless", rootless.RunningWithRootlessKit(), "Enable rootless mode; typically used with RootlessKit (experimental)")
|
||||
flags.StringVar(&conf.CgroupNamespaceMode, "default-cgroupns-mode", config.DefaultCgroupNamespaceMode, `Default mode for containers cgroup namespace ("host" | "private")`)
|
||||
defaultCgroupNamespaceMode := "host"
|
||||
if cgroups.IsCgroup2UnifiedMode() {
|
||||
defaultCgroupNamespaceMode = "private"
|
||||
}
|
||||
flags.StringVar(&conf.CgroupNamespaceMode, "default-cgroupns-mode", defaultCgroupNamespaceMode, `Default mode for containers cgroup namespace ("host" | "private")`)
|
||||
return nil
|
||||
}
|
||||
|
|
|
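Review bot: The cgroup2-dependent default ("host", switched to "private" when `cgroups.IsCgroup2UnifiedMode()` is true) is computed inline in installConfigFlags, and the identical two-branch computation is repeated in the daemon's adaptContainerSettings hunk further down; with the exported constant `config.DefaultCgroupNamespaceMode` deleted in the config hunk, nothing ties the two copies together any more. A single helper in the config package, e.g. `func DefaultCgroupNamespaceMode() string { if cgroups.IsCgroup2UnifiedMode() { return "private" }; return "host" }`, used from both call sites, would keep them from drifting and would also give any external importer of the removed constant a replacement. A one-line comment on the new local explaining why the default depends on the host's cgroup version (the commit message has the rationale) would help readers who do not know the libpod discussion.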
@ -11,8 +11,6 @@ import (
|
|||
)
|
||||
|
||||
const (
|
||||
// DefaultCgroupNamespaceMode is the default for a container's CgroupnsMode, if not set otherwise
|
||||
DefaultCgroupNamespaceMode = "host" // TODO: change to private
|
||||
// DefaultIpcMode is default for container's IpcMode, if not set otherwise
|
||||
DefaultIpcMode = "private"
|
||||
)
|
||||
|
|
|
@ -364,10 +364,15 @@ func (daemon *Daemon) adaptContainerSettings(hostConfig *containertypes.HostConf
|
|||
|
||||
// Set default cgroup namespace mode, if unset for container
|
||||
if hostConfig.CgroupnsMode.IsEmpty() {
|
||||
if hostConfig.Privileged {
|
||||
// for cgroup v2: unshare cgroupns even for privileged containers
|
||||
// https://github.com/containers/libpod/pull/4374#issuecomment-549776387
|
||||
if hostConfig.Privileged && !cgroups.IsCgroup2UnifiedMode() {
|
||||
hostConfig.CgroupnsMode = containertypes.CgroupnsMode("host")
|
||||
} else {
|
||||
m := config.DefaultCgroupNamespaceMode
|
||||
m := "host"
|
||||
if cgroups.IsCgroup2UnifiedMode() {
|
||||
m = "private"
|
||||
}
|
||||
if daemon.configStore != nil {
|
||||
m = daemon.configStore.CgroupNamespaceMode
|
||||
}
|
||||
|
@ -708,8 +713,8 @@ func verifyPlatformContainerSettings(daemon *Daemon, hostConfig *containertypes.
|
|||
warnings = append(warnings, "Your kernel does not support cgroup namespaces. Cgroup namespace setting discarded.")
|
||||
}
|
||||
|
||||
if hostConfig.Privileged {
|
||||
return warnings, fmt.Errorf("privileged mode is incompatible with private cgroup namespaces. You must run the container in the host cgroup namespace when running privileged mode")
|
||||
if hostConfig.Privileged && !cgroups.IsCgroup2UnifiedMode() {
|
||||
return warnings, fmt.Errorf("privileged mode is incompatible with private cgroup namespaces on cgroup v1 host. You must run the container in the host cgroup namespace when running privileged mode")
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
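Review bot: In the `else` branch of adaptContainerSettings the freshly computed default `m` is overwritten whenever `daemon.configStore != nil`, regardless of whether `configStore.CgroupNamespaceMode` was actually populated; if a Config can reach the daemon with an empty mode (for instance one built without going through installConfigFlags), the container ends up with an empty CgroupnsMode instead of the cgroup2-aware default this commit introduces. Guarding the override, `if daemon.configStore != nil && daemon.configStore.CgroupNamespaceMode != "" {`, keeps the computed value as the fallback. adaptContainerSettings continues past the end of the hunk, so the assignment of `m` to the host config is not visible here.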
@ -316,7 +316,9 @@ func WithNamespaces(daemon *Daemon, c *container.Container) coci.SpecOpts {
|
|||
return fmt.Errorf("invalid cgroup namespace mode: %v", cgroupNsMode)
|
||||
}
|
||||
|
||||
if cgroupNsMode.IsPrivate() && !c.HostConfig.Privileged {
|
||||
// for cgroup v2: unshare cgroupns even for privileged containers
|
||||
// https://github.com/containers/libpod/pull/4374#issuecomment-549776387
|
||||
if cgroupNsMode.IsPrivate() && (cgroups.IsCgroup2UnifiedMode() || !c.HostConfig.Privileged) {
|
||||
nsCgroup := specs.LinuxNamespace{Type: "cgroup"}
|
||||
setNamespace(s, nsCgroup)
|
||||
}
|
||||
|
|
|
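Review bot: The new condition in WithNamespaces silently skips creating the cgroup namespace for a privileged container on a cgroup v1 host even though the resolved mode is "private", which only makes sense because verifyPlatformContainerSettings (changed in the same commit) is expected to have rejected that combination earlier; that dependency is not stated anywhere near the guard. Extend the comment above the `if` with something like `// on cgroup v1, privileged+private is rejected earlier by verifyPlatformContainerSettings; the !Privileged check here is only a safety net`. WithNamespaces starts before and continues after this hunk.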
@ -115,7 +115,7 @@ func TestCgroupNamespacesRunPrivilegedAndPrivate(t *testing.T) {
|
|||
skip.If(t, !requirement.CgroupNamespacesEnabled())
|
||||
|
||||
// Running with both privileged and cgroupns=private is not allowed
|
||||
errStr := "privileged mode is incompatible with private cgroup namespaces. You must run the container in the host cgroup namespace when running privileged mode"
|
||||
errStr := "privileged mode is incompatible with private cgroup namespaces on cgroup v1 host. You must run the container in the host cgroup namespace when running privileged mode"
|
||||
testCreateFailureWithCgroupNs(t, "private", errStr, container.WithPrivileged(true), container.WithCgroupnsMode("private"))
|
||||
}
|
||||
|
||||
|
|
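Review bot: TestCgroupNamespacesRunPrivilegedAndPrivate still asserts that privileged + cgroupns=private fails at create time, but after this commit the daemon only returns that error on cgroup v1 hosts (the updated message itself says "on cgroup v1 host"), so on a cgroup v2 host the create would be expected to succeed and this test to fail. Add a skip for cgroup v2 hosts next to the existing `skip.If(t, !requirement.CgroupNamespacesEnabled())`, and ideally a counterpart test asserting that the combination is accepted and the container gets its own cgroup namespace on cgroup v2. The expected error string is also copied verbatim from verifyPlatformContainerSettings; matching on the stable prefix `"privileged mode is incompatible with private cgroup namespaces"` would make the test less brittle to wording changes.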