
support --privileged --cgroupns=private on cgroup v1

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
This commit is contained in:
Akihiro Suda 2020-04-21 23:06:44 +09:00
parent ba8129b28a
commit 33ee7941d4
3 changed files with 3 additions and 11 deletions


@ -711,10 +711,6 @@ func verifyPlatformContainerSettings(daemon *Daemon, hostConfig *containertypes.
if !sysInfo.CgroupNamespaces { if !sysInfo.CgroupNamespaces {
warnings = append(warnings, "Your kernel does not support cgroup namespaces. Cgroup namespace setting discarded.") warnings = append(warnings, "Your kernel does not support cgroup namespaces. Cgroup namespace setting discarded.")
} }
if hostConfig.Privileged && !cgroups.IsCgroup2UnifiedMode() {
return warnings, fmt.Errorf("privileged mode is incompatible with private cgroup namespaces on cgroup v1 host. You must run the container in the host cgroup namespace when running privileged mode")
}
} }
return warnings, nil return warnings, nil
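Review bot: With the cgroup v1 rejection removed, nothing in verifyPlatformContainerSettings records why `--privileged` combined with a private cgroup namespace is now accepted on a v1 host; the only guard left on this path is the warning on the line above, which drops the setting when the kernel has no cgroup namespace support. A short comment where the removed check stood would stop the next reader from re-adding it, e.g. `// Privileged containers may also use a private cgroup namespace on cgroup v1;` / `// the earlier rejection of this combination was lifted on purpose (see the discussion cited in the commit).` If cgroups.IsCgroup2UnifiedMode was this file's only use of the cgroups package, the import must go too; that cannot be confirmed from the hunk. verifyPlatformContainerSettings starts before this hunk.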


@ -339,10 +339,7 @@ func WithNamespaces(daemon *Daemon, c *container.Container) coci.SpecOpts {
if !cgroupNsMode.Valid() { if !cgroupNsMode.Valid() {
return fmt.Errorf("invalid cgroup namespace mode: %v", cgroupNsMode) return fmt.Errorf("invalid cgroup namespace mode: %v", cgroupNsMode)
} }
if cgroupNsMode.IsPrivate() {
// for cgroup v2: unshare cgroupns even for privileged containers
// https://github.com/containers/libpod/pull/4374#issuecomment-549776387
if cgroupNsMode.IsPrivate() && (cgroups.IsCgroup2UnifiedMode() || !c.HostConfig.Privileged) {
nsCgroup := specs.LinuxNamespace{Type: "cgroup"} nsCgroup := specs.LinuxNamespace{Type: "cgroup"}
setNamespace(s, nsCgroup) setNamespace(s, nsCgroup)
} }
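Review bot: The now unconditional `if cgroupNsMode.IsPrivate() {` drops the comment that explained the privileged/cgroup v2 special case and linked its rationale, leaving no hint that this branch is now taken for privileged containers on cgroup v1 as well; keep a one-line note above it, e.g. `// A private cgroup namespace is unshared for privileged containers too, on both cgroup v1 and cgroup v2.` That note should also say that the namespace only changes which cgroup the container sees as its hierarchy root — a privileged container presumably keeps whatever write access it has to the cgroup filesystem, so this must not be read as a confinement boundary. As in daemon_unix.go, if this was the file's only caller of cgroups.IsCgroup2UnifiedMode the import needs removing as well, which the hunk does not show. WithNamespaces continues on both sides of this hunk.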


@ -114,9 +114,8 @@ func TestCgroupNamespacesRunPrivilegedAndPrivate(t *testing.T) {
skip.If(t, testEnv.IsRemoteDaemon()) skip.If(t, testEnv.IsRemoteDaemon())
skip.If(t, !requirement.CgroupNamespacesEnabled()) skip.If(t, !requirement.CgroupNamespacesEnabled())
// Running with both privileged and cgroupns=private is not allowed containerCgroup, daemonCgroup := testRunWithCgroupNs(t, "private", container.WithPrivileged(true), container.WithCgroupnsMode("private"))
errStr := "privileged mode is incompatible with private cgroup namespaces on cgroup v1 host. You must run the container in the host cgroup namespace when running privileged mode" assert.Assert(t, daemonCgroup != containerCgroup)
testCreateFailureWithCgroupNs(t, "private", errStr, container.WithPrivileged(true), container.WithCgroupnsMode("private"))
} }
func TestCgroupNamespacesRunInvalidMode(t *testing.T) { func TestCgroupNamespacesRunInvalidMode(t *testing.T) {
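Review bot: The rewritten test only asserts that the container's cgroup path differs from the daemon's, and the removed comment is not replaced, so a reader cannot tell that a privileged container is now expected to get its own cgroup namespace on cgroup v1 hosts too; add `// Privileged containers get a private cgroup namespace on both cgroup v1 and cgroup v2 hosts.` above the testRunWithCgroupNs call. Inequality is a weak check: if testRunWithCgroupNs reports the container's own view of its cgroup, the defining property of a fresh namespace is that the container sees itself at the root of the hierarchy, which an exact comparison would pin down — whether the helper returns that view cannot be seen from here. TestCgroupNamespacesRunPrivilegedAndPrivate's signature lies before this hunk.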